Edit tour

Linux Analysis Report
10000.elf

Overview

General Information

Sample name:	10000.elf
Analysis ID:	1547391
MD5:	8a51a05df6f69f2a6fc4c4e376b65f70
SHA1:	1b68e2894d97363dcd9f2d7e42724dfc58e0a260
SHA256:	7f048a07a9c6166054ae0a1fe9af0c38769ff6fc5189ada4e4144c71e5d24994
Tags:	elfuser-abuse_ch
Infos:

Detection

BillGates

Score:	96
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected BillGates

Drops files in suspicious directories

Opens /proc/net/* files useful for finding connected devices and routers

Sample tries to persist itself using System V runlevels

Writes identical ELF files to multiple locations

Changes permissions of common UNIX (system) binary directories

Detected TCP or UDP traffic on non-standard ports

Drops files with innocent-looking names

ELF contains segments with high entropy indicating compressed/encrypted content

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Reads CPU information from /proc indicative of miner or evasive malware

Reads system information from the proc file system

Sample contains only a LOAD segment without any section mappings

Sample tries to set the executable flag

Sleeps for long times indicative of sandbox evasion

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Writes shell script file to disk with an unusual file extension

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1547391
Start date and time:	2024-11-02 10:05:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	10000.elf
Detection:	MAL
Classification:	mal96.spre.troj.evad.linELF@0/18@1/0

Warnings

VT rate limit hit for: 10000.elf

Runtime Messages

Command:	/tmp/10000.elf
PID:	6223
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

10000.elf (PID: 6223, Parent: 6144, MD5: 8a51a05df6f69f2a6fc4c4e376b65f70) Arguments: /tmp/10000.elf

10000.elf New Fork (PID: 6224, Parent: 6223)

10000.elf New Fork (PID: 6227, Parent: 6224)

sh (PID: 6227, Parent: 6224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt"

sh New Fork (PID: 6228, Parent: 6227)

ln (PID: 6228, Parent: 6227, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt

10000.elf New Fork (PID: 6229, Parent: 6224)

sh (PID: 6229, Parent: 6224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt"

sh New Fork (PID: 6230, Parent: 6229)

ln (PID: 6230, Parent: 6229, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt

10000.elf New Fork (PID: 6231, Parent: 6224)

sh (PID: 6231, Parent: 6224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt"

sh New Fork (PID: 6232, Parent: 6231)

ln (PID: 6232, Parent: 6231, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt

10000.elf New Fork (PID: 6233, Parent: 6224)

sh (PID: 6233, Parent: 6224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt"

sh New Fork (PID: 6234, Parent: 6233)

ln (PID: 6234, Parent: 6233, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt

10000.elf New Fork (PID: 6235, Parent: 6224)

sh (PID: 6235, Parent: 6224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt"

sh New Fork (PID: 6236, Parent: 6235)

ln (PID: 6236, Parent: 6235, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt

10000.elf New Fork (PID: 6237, Parent: 6224)

sh (PID: 6237, Parent: 6224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /usr/bin/bsd-port"

sh New Fork (PID: 6238, Parent: 6237)

mkdir (PID: 6238, Parent: 6237, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /usr/bin/bsd-port

10000.elf New Fork (PID: 6239, Parent: 6224)

sh (PID: 6239, Parent: 6224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/10000.elf /usr/bin/bsd-port/knerl"

sh New Fork (PID: 6240, Parent: 6239)

cp (PID: 6240, Parent: 6239, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/10000.elf /usr/bin/bsd-port/knerl

10000.elf New Fork (PID: 6241, Parent: 6224)

10000.elf New Fork (PID: 6242, Parent: 6241)

sh (PID: 6242, Parent: 6241, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c /usr/bin/bsd-port/knerl

sh New Fork (PID: 6243, Parent: 6242)

knerl (PID: 6243, Parent: 6242, MD5: 8a51a05df6f69f2a6fc4c4e376b65f70) Arguments: /usr/bin/bsd-port/knerl

knerl New Fork (PID: 6244, Parent: 6243)

knerl New Fork (PID: 6249, Parent: 6244)

sh (PID: 6249, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"

sh New Fork (PID: 6250, Parent: 6249)

ln (PID: 6250, Parent: 6249, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux

knerl New Fork (PID: 6251, Parent: 6244)

sh (PID: 6251, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"

sh New Fork (PID: 6252, Parent: 6251)

ln (PID: 6252, Parent: 6251, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux

knerl New Fork (PID: 6253, Parent: 6244)

sh (PID: 6253, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"

sh New Fork (PID: 6256, Parent: 6253)

ln (PID: 6256, Parent: 6253, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux

knerl New Fork (PID: 6258, Parent: 6244)

sh (PID: 6258, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"

sh New Fork (PID: 6259, Parent: 6258)

ln (PID: 6259, Parent: 6258, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux

knerl New Fork (PID: 6260, Parent: 6244)

sh (PID: 6260, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"

sh New Fork (PID: 6262, Parent: 6260)

ln (PID: 6262, Parent: 6260, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux

knerl New Fork (PID: 6264, Parent: 6244)

sh (PID: 6264, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /usr/bin/dpkgd"

sh New Fork (PID: 6266, Parent: 6264)

mkdir (PID: 6266, Parent: 6264, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /usr/bin/dpkgd

knerl New Fork (PID: 6268, Parent: 6244)

sh (PID: 6268, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /bin/netstat /usr/bin/dpkgd/netstat"

sh New Fork (PID: 6276, Parent: 6268)

cp (PID: 6276, Parent: 6268, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /bin/netstat /usr/bin/dpkgd/netstat

knerl New Fork (PID: 6277, Parent: 6244)

sh (PID: 6277, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /bin"

sh New Fork (PID: 6278, Parent: 6277)

mkdir (PID: 6278, Parent: 6277, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /bin

knerl New Fork (PID: 6279, Parent: 6244)

sh (PID: 6279, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /usr/bin/bsd-port/knerl /bin/netstat"

sh New Fork (PID: 6280, Parent: 6279)

cp (PID: 6280, Parent: 6279, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /usr/bin/bsd-port/knerl /bin/netstat

knerl New Fork (PID: 6281, Parent: 6244)

sh (PID: 6281, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod 0755 /bin/netstat"

sh New Fork (PID: 6282, Parent: 6281)

chmod (PID: 6282, Parent: 6281, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 0755 /bin/netstat

knerl New Fork (PID: 6283, Parent: 6244)

sh (PID: 6283, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"

sh New Fork (PID: 6284, Parent: 6283)

cp (PID: 6284, Parent: 6283, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /bin/lsof /usr/bin/dpkgd/lsof

knerl New Fork (PID: 6285, Parent: 6244)

sh (PID: 6285, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /bin"

sh New Fork (PID: 6286, Parent: 6285)

mkdir (PID: 6286, Parent: 6285, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /bin

knerl New Fork (PID: 6287, Parent: 6244)

sh (PID: 6287, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /usr/bin/bsd-port/knerl /bin/lsof"

sh New Fork (PID: 6288, Parent: 6287)

cp (PID: 6288, Parent: 6287, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /usr/bin/bsd-port/knerl /bin/lsof

knerl New Fork (PID: 6289, Parent: 6244)

sh (PID: 6289, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod 0755 /bin/lsof"

sh New Fork (PID: 6290, Parent: 6289)

chmod (PID: 6290, Parent: 6289, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 0755 /bin/lsof

knerl New Fork (PID: 6291, Parent: 6244)

sh (PID: 6291, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"

sh New Fork (PID: 6292, Parent: 6291)

cp (PID: 6292, Parent: 6291, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /bin/ps /usr/bin/dpkgd/ps

knerl New Fork (PID: 6295, Parent: 6244)

sh (PID: 6295, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /bin"

sh New Fork (PID: 6296, Parent: 6295)

mkdir (PID: 6296, Parent: 6295, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /bin

knerl New Fork (PID: 6297, Parent: 6244)

sh (PID: 6297, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /usr/bin/bsd-port/knerl /bin/ps"

sh New Fork (PID: 6298, Parent: 6297)

cp (PID: 6298, Parent: 6297, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /usr/bin/bsd-port/knerl /bin/ps

knerl New Fork (PID: 6299, Parent: 6244)

sh (PID: 6299, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod 0755 /bin/ps"

sh New Fork (PID: 6300, Parent: 6299)

chmod (PID: 6300, Parent: 6299, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 0755 /bin/ps

knerl New Fork (PID: 6301, Parent: 6244)

sh (PID: 6301, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /usr/bin"

sh New Fork (PID: 6302, Parent: 6301)

mkdir (PID: 6302, Parent: 6301, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /usr/bin

knerl New Fork (PID: 6303, Parent: 6244)

sh (PID: 6303, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/netstat"

sh New Fork (PID: 6304, Parent: 6303)

cp (PID: 6304, Parent: 6303, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /usr/bin/bsd-port/knerl /usr/bin/netstat

knerl New Fork (PID: 6305, Parent: 6244)

sh (PID: 6305, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod 0755 /usr/bin/netstat"

sh New Fork (PID: 6306, Parent: 6305)

chmod (PID: 6306, Parent: 6305, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 0755 /usr/bin/netstat

knerl New Fork (PID: 6307, Parent: 6244)

sh (PID: 6307, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /usr/bin"

sh New Fork (PID: 6308, Parent: 6307)

mkdir (PID: 6308, Parent: 6307, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /usr/bin

knerl New Fork (PID: 6309, Parent: 6244)

sh (PID: 6309, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof"

sh New Fork (PID: 6310, Parent: 6309)

cp (PID: 6310, Parent: 6309, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof

knerl New Fork (PID: 6311, Parent: 6244)

sh (PID: 6311, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod 0755 /usr/bin/lsof"

sh New Fork (PID: 6312, Parent: 6311)

chmod (PID: 6312, Parent: 6311, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 0755 /usr/bin/lsof

knerl New Fork (PID: 6313, Parent: 6244)

sh (PID: 6313, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /usr/bin"

sh New Fork (PID: 6314, Parent: 6313)

mkdir (PID: 6314, Parent: 6313, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /usr/bin

knerl New Fork (PID: 6315, Parent: 6244)

sh (PID: 6315, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/ps"

sh New Fork (PID: 6316, Parent: 6315)

cp (PID: 6316, Parent: 6315, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /usr/bin/bsd-port/knerl /usr/bin/ps

knerl New Fork (PID: 6317, Parent: 6244)

sh (PID: 6317, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod 0755 /usr/bin/ps"

sh New Fork (PID: 6318, Parent: 6317)

chmod (PID: 6318, Parent: 6317, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 0755 /usr/bin/ps

knerl New Fork (PID: 6319, Parent: 6244)

sh (PID: 6319, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "insmod /usr/lib/xpacket.ko"

sh New Fork (PID: 6320, Parent: 6319)

insmod (PID: 6320, Parent: 6319, MD5: 0b44462b1a40df8039d6d61cfff7ea84) Arguments: insmod /usr/lib/xpacket.ko

10000.elf New Fork (PID: 6245, Parent: 6224)

sh (PID: 6245, Parent: 6224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /usr/bin"

sh New Fork (PID: 6246, Parent: 6245)

mkdir (PID: 6246, Parent: 6245, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /usr/bin

10000.elf New Fork (PID: 6247, Parent: 6224)

sh (PID: 6247, Parent: 6224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/10000.elf /usr/bin/pythno"

sh New Fork (PID: 6248, Parent: 6247)

cp (PID: 6248, Parent: 6247, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/10000.elf /usr/bin/pythno

10000.elf New Fork (PID: 6254, Parent: 6224)

10000.elf New Fork (PID: 6255, Parent: 6254)

sh (PID: 6255, Parent: 6254, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c /usr/bin/pythno

sh New Fork (PID: 6257, Parent: 6255)

pythno (PID: 6257, Parent: 6255, MD5: 8a51a05df6f69f2a6fc4c4e376b65f70) Arguments: /usr/bin/pythno

pythno New Fork (PID: 6261, Parent: 6257)

10000.elf New Fork (PID: 6263, Parent: 6224)

sh (PID: 6263, Parent: 6224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "insmod /usr/lib/xpacket.ko"

sh New Fork (PID: 6265, Parent: 6263)

insmod (PID: 6265, Parent: 6263, MD5: 0b44462b1a40df8039d6d61cfff7ea84) Arguments: insmod /usr/lib/xpacket.ko

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
6223.1.0000000008048000.0000000008120000.r-x.sdmp	JoeSecurity_BillGates	Yara detected BillGates	Joe Security
6223.1.0000000008048000.0000000008120000.r-x.sdmp	Linux_Trojan_Ganiw_b9f045aa	unknown	unknown	0x3cd36:$a: E5 57 8B 55 0C 85 D2 74 21 FC 31 C0 8B 7D 08 AB AB AB AB AB AB
6223.1.0000000008048000.0000000008120000.r-x.sdmp	Linux_Trojan_Setag_351eeb76	unknown	unknown	0x353:$a: 04 8B 45 F8 C1 E0 02 01 C2 8B 45 EC 89 02 8D 45 F8 FF 00 8B
6223.1.0000000008048000.0000000008120000.r-x.sdmp	Linux_Trojan_Setag_01e2f79b	unknown	unknown	0x2dd1:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x3047:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x3203:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x334b:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x362f:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x38b1:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0xb7e9:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x138ed:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x1b793:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x27da3:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x2cd73:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC
6223.1.0000000008048000.0000000008120000.r-x.sdmp	LinuxBillGates	unknown	unknown	0xaa00c:$a: 12CUpdateGates 0xa9ff0:$b: 11CUpdateBill
6241.1.0000000008048000.0000000008120000.r-x.sdmp	JoeSecurity_BillGates	Yara detected BillGates	Joe Security
6241.1.0000000008048000.0000000008120000.r-x.sdmp	Linux_Trojan_Ganiw_b9f045aa	unknown	unknown	0x3cd36:$a: E5 57 8B 55 0C 85 D2 74 21 FC 31 C0 8B 7D 08 AB AB AB AB AB AB
6241.1.0000000008048000.0000000008120000.r-x.sdmp	Linux_Trojan_Setag_351eeb76	unknown	unknown	0x353:$a: 04 8B 45 F8 C1 E0 02 01 C2 8B 45 EC 89 02 8D 45 F8 FF 00 8B
6241.1.0000000008048000.0000000008120000.r-x.sdmp	Linux_Trojan_Setag_01e2f79b	unknown	unknown	0x2dd1:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x3047:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x3203:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x334b:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x362f:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x38b1:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0xb7e9:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x138ed:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x1b793:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x27da3:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x2cd73:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC
6241.1.0000000008048000.0000000008120000.r-x.sdmp	LinuxBillGates	unknown	unknown	0xaa00c:$a: 12CUpdateGates 0xa9ff0:$b: 11CUpdateBill
6254.1.0000000008048000.0000000008120000.r-x.sdmp	JoeSecurity_BillGates	Yara detected BillGates	Joe Security
6254.1.0000000008048000.0000000008120000.r-x.sdmp	Linux_Trojan_Ganiw_b9f045aa	unknown	unknown	0x3cd36:$a: E5 57 8B 55 0C 85 D2 74 21 FC 31 C0 8B 7D 08 AB AB AB AB AB AB
6254.1.0000000008048000.0000000008120000.r-x.sdmp	Linux_Trojan_Setag_351eeb76	unknown	unknown	0x353:$a: 04 8B 45 F8 C1 E0 02 01 C2 8B 45 EC 89 02 8D 45 F8 FF 00 8B
6254.1.0000000008048000.0000000008120000.r-x.sdmp	Linux_Trojan_Setag_01e2f79b	unknown	unknown	0x2dd1:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x3047:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x3203:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x334b:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x362f:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x38b1:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0xb7e9:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x138ed:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x1b793:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x27da3:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC 0x2cd73:$a: 0C 8B 45 EC 89 45 FC 8D 55 E8 83 EC 04 8D 45 F8 50 8D 45 FC
6254.1.0000000008048000.0000000008120000.r-x.sdmp	LinuxBillGates	unknown	unknown	0xaa00c:$a: 12CUpdateGates 0xa9ff0:$b: 11CUpdateBill
Process Memory Space: 10000.elf PID: 6223	JoeSecurity_BillGates	Yara detected BillGates	Joe Security
Process Memory Space: 10000.elf PID: 6223	LinuxBillGates	unknown	unknown	0xa12:$a: 12CUpdateGates 0xa04:$b: 11CUpdateBill
Process Memory Space: 10000.elf PID: 6241	JoeSecurity_BillGates	Yara detected BillGates	Joe Security
Process Memory Space: 10000.elf PID: 6241	LinuxBillGates	unknown	unknown	0x1ce1:$a: 12CUpdateGates 0x1cd3:$b: 11CUpdateBill
Process Memory Space: 10000.elf PID: 6254	JoeSecurity_BillGates	Yara detected BillGates	Joe Security
Process Memory Space: 10000.elf PID: 6254	LinuxBillGates	unknown	unknown	0x1c90:$a: 12CUpdateGates 0x1c82:$b: 11CUpdateBill
Click to see the 16 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 10000.elf

Avira: detected

Antivirus detection for dropped file

Source: /usr/bin/ps	Avira: detection malicious, Label: LINUX/AVI.Bot.zmipz
Source: /usr/bin/bsd-port/knerl	Avira: detection malicious, Label: LINUX/AVI.Bot.zmipz
Source: /usr/bin/lsof	Avira: detection malicious, Label: LINUX/AVI.Bot.zmipz
Source: /usr/bin/pythno	Avira: detection malicious, Label: LINUX/AVI.Bot.zmipz
Source: /usr/bin/netstat	Avira: detection malicious, Label: LINUX/AVI.Bot.zmipz

Multi AV Scanner detection for submitted file

Source: 10000.elf

ReversingLabs: Detection: 39%

Source: /tmp/10000.elf (PID: 6224)	Reads CPU info from proc file: /proc/cpuinfo			Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6244)	Reads CPU info from proc file: /proc/cpuinfo			Jump to behavior

Spreading

Opens /proc/net/* files useful for finding connected devices and routers

Source: /usr/bin/bsd-port/knerl (PID: 6244)	Opens: /proc/net/route			Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6244)	Opens: /proc/net/arp			Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.23:55554 -> 213.139.233.9:10000

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: vip-1.0889.org

Source: netstat.93.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: netstat.93.dr	ELF static info symbol of dropped file: getaddrinfo
Source: netstat.93.dr	ELF static info symbol of dropped file: getnameinfo

Source: 10000.elf, ps.133.dr, ps.169.dr, lsof.117.dr, knerl.41.dr, lsof.157.dr, netstat.101.dr, pythno.55.dr, netstat.145.dr	String found in binary or memory: http://uuu.sf.net
Source: 10000.elf, 6223.1.0000000008048000.0000000008120000.r-x.sdmp, 10000.elf, 6241.1.0000000008048000.0000000008120000.r-x.sdmp, 10000.elf, 6254.1.0000000008048000.0000000008120000.r-x.sdmp	String found in binary or memory: http://www.gnu.org/software/libc/bugs.html
Source: lsof.109.dr	String found in binary or memory: https://github.com/lsof-org/lsof
Source: lsof.109.dr	String found in binary or memory: https://github.com/lsof-org/lsof/blob/master/00FAQ
Source: lsof.109.dr	String found in binary or memory: https://github.com/lsof-org/lsof/blob/master/Lsof.8
Source: lsof.109.dr	String found in binary or memory: https://github.com/lsof-org/lsofhttps://github.com/lsof-org/lsof/blob/master/00FAQhttps://github.com

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

DDoS

Yara detected BillGates

Source: Yara match	File source: 6223.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6241.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6254.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 10000.elf PID: 6223, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 10000.elf PID: 6241, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 10000.elf PID: 6254, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 6223.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Ganiw_b9f045aa Author: unknown
Source: 6223.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Setag_351eeb76 Author: unknown
Source: 6223.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Setag_01e2f79b Author: unknown
Source: 6223.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: LinuxBillGates Author: unknown
Source: 6241.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Ganiw_b9f045aa Author: unknown
Source: 6241.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Setag_351eeb76 Author: unknown
Source: 6241.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Setag_01e2f79b Author: unknown
Source: 6241.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: LinuxBillGates Author: unknown
Source: 6254.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Ganiw_b9f045aa Author: unknown
Source: 6254.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Setag_351eeb76 Author: unknown
Source: 6254.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Setag_01e2f79b Author: unknown
Source: 6254.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: LinuxBillGates Author: unknown
Source: Process Memory Space: 10000.elf PID: 6223, type: MEMORYSTR	Matched rule: LinuxBillGates Author: unknown
Source: Process Memory Space: 10000.elf PID: 6241, type: MEMORYSTR	Matched rule: LinuxBillGates Author: unknown
Source: Process Memory Space: 10000.elf PID: 6254, type: MEMORYSTR	Matched rule: LinuxBillGates Author: unknown

Source: LOAD without section mappings

Program segment: 0x8048000

Source: 6223.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Ganiw_b9f045aa os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Ganiw, fingerprint = 0aaec92ca1c622df848bba80a2f1e4646252625d58e28269965b13d65158f238, id = b9f045aa-99fa-47e9-b179-ac62158b3fe2, last_modified = 2021-09-16
Source: 6223.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Setag_351eeb76 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Setag, fingerprint = c6edc7ae898831e9cc3c92fcdce4cd5b4412de061575e6da2f4e07776e0885f5, id = 351eeb76-ccca-40d5-8ee3-e8daf6494dda, last_modified = 2021-09-16
Source: 6223.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Setag_01e2f79b reference_sample = 5b5e8486174026491341a750f6367959999bbacd3689215f59a62dbb13a45fcc, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Setag, fingerprint = 4ea87a6ccf907babdebbbb07b9bc32a5437d0213f1580ea4b4b3f44ce543a5bd, id = 01e2f79b-fcbc-41d0-a68b-3a692b893f26, last_modified = 2021-09-16
Source: 6223.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: LinuxBillGates Description = Strings inside, Reference = http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429, Date = 2014/08/11, Author = @benkow_
Source: 6241.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Ganiw_b9f045aa os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Ganiw, fingerprint = 0aaec92ca1c622df848bba80a2f1e4646252625d58e28269965b13d65158f238, id = b9f045aa-99fa-47e9-b179-ac62158b3fe2, last_modified = 2021-09-16
Source: 6241.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Setag_351eeb76 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Setag, fingerprint = c6edc7ae898831e9cc3c92fcdce4cd5b4412de061575e6da2f4e07776e0885f5, id = 351eeb76-ccca-40d5-8ee3-e8daf6494dda, last_modified = 2021-09-16
Source: 6241.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Setag_01e2f79b reference_sample = 5b5e8486174026491341a750f6367959999bbacd3689215f59a62dbb13a45fcc, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Setag, fingerprint = 4ea87a6ccf907babdebbbb07b9bc32a5437d0213f1580ea4b4b3f44ce543a5bd, id = 01e2f79b-fcbc-41d0-a68b-3a692b893f26, last_modified = 2021-09-16
Source: 6241.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: LinuxBillGates Description = Strings inside, Reference = http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429, Date = 2014/08/11, Author = @benkow_
Source: 6254.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Ganiw_b9f045aa os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Ganiw, fingerprint = 0aaec92ca1c622df848bba80a2f1e4646252625d58e28269965b13d65158f238, id = b9f045aa-99fa-47e9-b179-ac62158b3fe2, last_modified = 2021-09-16
Source: 6254.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Setag_351eeb76 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Setag, fingerprint = c6edc7ae898831e9cc3c92fcdce4cd5b4412de061575e6da2f4e07776e0885f5, id = 351eeb76-ccca-40d5-8ee3-e8daf6494dda, last_modified = 2021-09-16
Source: 6254.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Setag_01e2f79b reference_sample = 5b5e8486174026491341a750f6367959999bbacd3689215f59a62dbb13a45fcc, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Setag, fingerprint = 4ea87a6ccf907babdebbbb07b9bc32a5437d0213f1580ea4b4b3f44ce543a5bd, id = 01e2f79b-fcbc-41d0-a68b-3a692b893f26, last_modified = 2021-09-16
Source: 6254.1.0000000008048000.0000000008120000.r-x.sdmp, type: MEMORY	Matched rule: LinuxBillGates Description = Strings inside, Reference = http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429, Date = 2014/08/11, Author = @benkow_
Source: Process Memory Space: 10000.elf PID: 6223, type: MEMORYSTR	Matched rule: LinuxBillGates Description = Strings inside, Reference = http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429, Date = 2014/08/11, Author = @benkow_
Source: Process Memory Space: 10000.elf PID: 6241, type: MEMORYSTR	Matched rule: LinuxBillGates Description = Strings inside, Reference = http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429, Date = 2014/08/11, Author = @benkow_
Source: Process Memory Space: 10000.elf PID: 6254, type: MEMORYSTR	Matched rule: LinuxBillGates Description = Strings inside, Reference = http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429, Date = 2014/08/11, Author = @benkow_

Source: classification engine

Classification label: mal96.spre.troj.evad.linELF@0/18@1/0

Persistence and Installation Behavior

Sample tries to persist itself using System V runlevels

Source: /usr/bin/ln (PID: 6228)	File: /etc/rc1.d/S97VsystemsshMdt -> /etc/init.d/VsystemsshMdt	Jump to behavior
Source: /usr/bin/ln (PID: 6230)	File: /etc/rc2.d/S97VsystemsshMdt -> /etc/init.d/VsystemsshMdt	Jump to behavior
Source: /usr/bin/ln (PID: 6232)	File: /etc/rc3.d/S97VsystemsshMdt -> /etc/init.d/VsystemsshMdt	Jump to behavior
Source: /usr/bin/ln (PID: 6234)	File: /etc/rc4.d/S97VsystemsshMdt -> /etc/init.d/VsystemsshMdt	Jump to behavior
Source: /usr/bin/ln (PID: 6236)	File: /etc/rc5.d/S97VsystemsshMdt -> /etc/init.d/VsystemsshMdt	Jump to behavior
Source: /usr/bin/ln (PID: 6250)	File: /etc/rc1.d/S99selinux -> /etc/init.d/selinux	Jump to behavior
Source: /usr/bin/ln (PID: 6252)	File: /etc/rc2.d/S99selinux -> /etc/init.d/selinux	Jump to behavior
Source: /usr/bin/ln (PID: 6256)	File: /etc/rc3.d/S99selinux -> /etc/init.d/selinux	Jump to behavior
Source: /usr/bin/ln (PID: 6259)	File: /etc/rc4.d/S99selinux -> /etc/init.d/selinux	Jump to behavior
Source: /usr/bin/ln (PID: 6262)	File: /etc/rc5.d/S99selinux -> /etc/init.d/selinux	Jump to behavior

Writes identical ELF files to multiple locations

Source: /usr/bin/cp (PID: 6240)	File with SHA-256 7F048A07A9C6166054AE0A1FE9AF0C38769FF6FC5189ADA4E4144C71E5D24994 written: /usr/bin/bsd-port/knerl	Jump to dropped file
Source: /usr/bin/cp (PID: 6280)	File with SHA-256 7F048A07A9C6166054AE0A1FE9AF0C38769FF6FC5189ADA4E4144C71E5D24994 written: /usr/bin/netstat
Source: /usr/bin/cp (PID: 6288)	File with SHA-256 7F048A07A9C6166054AE0A1FE9AF0C38769FF6FC5189ADA4E4144C71E5D24994 written: /usr/bin/lsof
Source: /usr/bin/cp (PID: 6248)	File with SHA-256 7F048A07A9C6166054AE0A1FE9AF0C38769FF6FC5189ADA4E4144C71E5D24994 written: /usr/bin/pythno	Jump to dropped file
Source: /usr/bin/cp (PID: 6298)	File with SHA-256 7F048A07A9C6166054AE0A1FE9AF0C38769FF6FC5189ADA4E4144C71E5D24994 written: /usr/bin/ps

Source: /bin/sh (PID: 6282)	Chmod directory: /usr/bin/chmod -> chmod 0755 /bin/netstat	Jump to behavior
Source: /bin/sh (PID: 6290)	Chmod directory: /usr/bin/chmod -> chmod 0755 /bin/lsof	Jump to behavior
Source: /bin/sh (PID: 6300)	Chmod directory: /usr/bin/chmod -> chmod 0755 /bin/ps	Jump to behavior
Source: /bin/sh (PID: 6306)	Chmod directory: /usr/bin/chmod -> chmod 0755 /usr/bin/netstat	Jump to behavior
Source: /bin/sh (PID: 6312)	Chmod directory: /usr/bin/chmod -> chmod 0755 /usr/bin/lsof	Jump to behavior
Source: /bin/sh (PID: 6318)	Chmod directory: /usr/bin/chmod -> chmod 0755 /usr/bin/ps	Jump to behavior

Source: /tmp/10000.elf (PID: 6227)	Shell command executed: sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt"	Jump to behavior
Source: /tmp/10000.elf (PID: 6229)	Shell command executed: sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt"	Jump to behavior
Source: /tmp/10000.elf (PID: 6231)	Shell command executed: sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt"	Jump to behavior
Source: /tmp/10000.elf (PID: 6233)	Shell command executed: sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt"	Jump to behavior
Source: /tmp/10000.elf (PID: 6235)	Shell command executed: sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt"	Jump to behavior
Source: /tmp/10000.elf (PID: 6237)	Shell command executed: sh -c "mkdir -p /usr/bin/bsd-port"	Jump to behavior
Source: /tmp/10000.elf (PID: 6239)	Shell command executed: sh -c "cp -f /tmp/10000.elf /usr/bin/bsd-port/knerl"	Jump to behavior
Source: /tmp/10000.elf (PID: 6242)	Shell command executed: sh -c /usr/bin/bsd-port/knerl	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6249)	Shell command executed: sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6251)	Shell command executed: sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6253)	Shell command executed: sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6258)	Shell command executed: sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6260)	Shell command executed: sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6264)	Shell command executed: sh -c "mkdir -p /usr/bin/dpkgd"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6268)	Shell command executed: sh -c "cp -f /bin/netstat /usr/bin/dpkgd/netstat"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6277)	Shell command executed: sh -c "mkdir -p /bin"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6279)	Shell command executed: sh -c "cp -f /usr/bin/bsd-port/knerl /bin/netstat"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6281)	Shell command executed: sh -c "chmod 0755 /bin/netstat"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6283)	Shell command executed: sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6285)	Shell command executed: sh -c "mkdir -p /bin"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6287)	Shell command executed: sh -c "cp -f /usr/bin/bsd-port/knerl /bin/lsof"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6289)	Shell command executed: sh -c "chmod 0755 /bin/lsof"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6291)	Shell command executed: sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6295)	Shell command executed: sh -c "mkdir -p /bin"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6297)	Shell command executed: sh -c "cp -f /usr/bin/bsd-port/knerl /bin/ps"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6299)	Shell command executed: sh -c "chmod 0755 /bin/ps"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6301)	Shell command executed: sh -c "mkdir -p /usr/bin"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6303)	Shell command executed: sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/netstat"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6305)	Shell command executed: sh -c "chmod 0755 /usr/bin/netstat"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6307)	Shell command executed: sh -c "mkdir -p /usr/bin"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6309)	Shell command executed: sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6311)	Shell command executed: sh -c "chmod 0755 /usr/bin/lsof"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6313)	Shell command executed: sh -c "mkdir -p /usr/bin"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6315)	Shell command executed: sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/ps"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6317)	Shell command executed: sh -c "chmod 0755 /usr/bin/ps"	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6319)	Shell command executed: sh -c "insmod /usr/lib/xpacket.ko"	Jump to behavior
Source: /tmp/10000.elf (PID: 6245)	Shell command executed: sh -c "mkdir -p /usr/bin"	Jump to behavior
Source: /tmp/10000.elf (PID: 6247)	Shell command executed: sh -c "cp -f /tmp/10000.elf /usr/bin/pythno"	Jump to behavior
Source: /tmp/10000.elf (PID: 6255)	Shell command executed: sh -c /usr/bin/pythno	Jump to behavior
Source: /tmp/10000.elf (PID: 6263)	Shell command executed: sh -c "insmod /usr/lib/xpacket.ko"	Jump to behavior

Source: /bin/sh (PID: 6282)	Chmod executable: /usr/bin/chmod -> chmod 0755 /bin/netstat	Jump to behavior
Source: /bin/sh (PID: 6290)	Chmod executable: /usr/bin/chmod -> chmod 0755 /bin/lsof	Jump to behavior
Source: /bin/sh (PID: 6300)	Chmod executable: /usr/bin/chmod -> chmod 0755 /bin/ps	Jump to behavior
Source: /bin/sh (PID: 6306)	Chmod executable: /usr/bin/chmod -> chmod 0755 /usr/bin/netstat	Jump to behavior
Source: /bin/sh (PID: 6312)	Chmod executable: /usr/bin/chmod -> chmod 0755 /usr/bin/lsof	Jump to behavior
Source: /bin/sh (PID: 6318)	Chmod executable: /usr/bin/chmod -> chmod 0755 /usr/bin/ps	Jump to behavior

Source: /bin/sh (PID: 6238)	Mkdir executable: /usr/bin/mkdir -> mkdir -p /usr/bin/bsd-port	Jump to behavior
Source: /bin/sh (PID: 6266)	Mkdir executable: /usr/bin/mkdir -> mkdir -p /usr/bin/dpkgd	Jump to behavior
Source: /bin/sh (PID: 6278)	Mkdir executable: /usr/bin/mkdir -> mkdir -p /bin	Jump to behavior
Source: /bin/sh (PID: 6286)	Mkdir executable: /usr/bin/mkdir -> mkdir -p /bin	Jump to behavior
Source: /bin/sh (PID: 6296)	Mkdir executable: /usr/bin/mkdir -> mkdir -p /bin	Jump to behavior
Source: /bin/sh (PID: 6302)	Mkdir executable: /usr/bin/mkdir -> mkdir -p /usr/bin	Jump to behavior
Source: /bin/sh (PID: 6308)	Mkdir executable: /usr/bin/mkdir -> mkdir -p /usr/bin	Jump to behavior
Source: /bin/sh (PID: 6314)	Mkdir executable: /usr/bin/mkdir -> mkdir -p /usr/bin	Jump to behavior
Source: /bin/sh (PID: 6246)	Mkdir executable: /usr/bin/mkdir -> mkdir -p /usr/bin	Jump to behavior

Source: /tmp/10000.elf (PID: 6224)	Reads from proc file: /proc/cpuinfo	Jump to behavior
Source: /tmp/10000.elf (PID: 6224)	Reads from proc file: /proc/stat	Jump to behavior
Source: /tmp/10000.elf (PID: 6224)	Reads from proc file: /proc/meminfo	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6244)	Reads from proc file: /proc/cpuinfo	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6244)	Reads from proc file: /proc/stat	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6244)	Reads from proc file: /proc/meminfo	Jump to behavior

Source: /usr/bin/chmod (PID: 6282)	File: /bin/netstat (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6290)	File: /bin/lsof (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6300)	File: /bin/ps (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6306)	File: /usr/bin/netstat (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6312)	File: /usr/bin/lsof (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6318)	File: /usr/bin/ps (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /usr/bin/cp (PID: 6240)	File written: /usr/bin/bsd-port/knerl	Jump to dropped file
Source: /usr/bin/cp (PID: 6276)	File written: /usr/bin/dpkgd/netstat	Jump to dropped file
Source: /usr/bin/cp (PID: 6280)	File written: /usr/bin/netstat
Source: /usr/bin/cp (PID: 6284)	File written: /usr/bin/dpkgd/lsof	Jump to dropped file
Source: /usr/bin/cp (PID: 6288)	File written: /usr/bin/lsof
Source: /usr/bin/cp (PID: 6292)	File written: /usr/bin/dpkgd/ps	Jump to dropped file
Source: /usr/bin/cp (PID: 6298)	File written: /usr/bin/ps
Source: /usr/bin/cp (PID: 6304)	File written: /usr/bin/netstat	Jump to dropped file
Source: /usr/bin/cp (PID: 6310)	File written: /usr/bin/lsof	Jump to dropped file
Source: /usr/bin/cp (PID: 6316)	File written: /usr/bin/ps	Jump to dropped file
Source: /usr/bin/cp (PID: 6248)	File written: /usr/bin/pythno	Jump to dropped file

Source: /tmp/10000.elf (PID: 6224)	Writes shell script file to disk with an unusual file extension: /etc/init.d/VsystemsshMdt			Jump to dropped file
Source: /usr/bin/bsd-port/knerl (PID: 6244)	Writes shell script file to disk with an unusual file extension: /etc/init.d/selinux			Jump to dropped file

Source: /usr/bin/pythno (PID: 6261)

Log file created: /tmp/idus.log

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/10000.elf (PID: 6224)	File: /etc/init.d/VsystemsshMdt	Jump to dropped file
Source: /usr/bin/cp (PID: 6240)	File: /usr/bin/bsd-port/knerl	Jump to dropped file
Source: /usr/bin/bsd-port/knerl (PID: 6244)	File: /usr/bin/bsd-port/knerl.conf	Jump to dropped file
Source: /usr/bin/bsd-port/knerl (PID: 6244)	File: /etc/init.d/selinux	Jump to dropped file
Source: /usr/bin/bsd-port/knerl (PID: 6244)	File: /usr/bin/bsd-port/conf.n	Jump to dropped file
Source: /usr/bin/cp (PID: 6276)	File: /usr/bin/dpkgd/netstat	Jump to dropped file
Source: /usr/bin/cp (PID: 6280)	File: /usr/bin/netstat
Source: /usr/bin/cp (PID: 6284)	File: /usr/bin/dpkgd/lsof	Jump to dropped file
Source: /usr/bin/cp (PID: 6288)	File: /usr/bin/lsof
Source: /usr/bin/cp (PID: 6292)	File: /usr/bin/dpkgd/ps	Jump to dropped file
Source: /usr/bin/cp (PID: 6298)	File: /usr/bin/ps
Source: /usr/bin/cp (PID: 6304)	File: /usr/bin/netstat	Jump to dropped file
Source: /usr/bin/cp (PID: 6310)	File: /usr/bin/lsof	Jump to dropped file
Source: /usr/bin/cp (PID: 6316)	File: /usr/bin/ps	Jump to dropped file
Source: /usr/bin/cp (PID: 6248)	File: /usr/bin/pythno	Jump to dropped file

Source: /usr/bin/bsd-port/knerl (PID: 6244)	Path: /etc/init.d/selinux	Jump to dropped file
Source: /usr/bin/cp (PID: 6276)	Path: /usr/bin/dpkgd/netstat	Jump to dropped file
Source: /usr/bin/cp (PID: 6280)	Path: /usr/bin/netstat
Source: /usr/bin/cp (PID: 6284)	Path: /usr/bin/dpkgd/lsof	Jump to dropped file
Source: /usr/bin/cp (PID: 6288)	Path: /usr/bin/lsof
Source: /usr/bin/cp (PID: 6292)	Path: /usr/bin/dpkgd/ps	Jump to dropped file
Source: /usr/bin/cp (PID: 6298)	Path: /usr/bin/ps
Source: /usr/bin/cp (PID: 6304)	Path: /usr/bin/netstat	Jump to dropped file
Source: /usr/bin/cp (PID: 6310)	Path: /usr/bin/lsof	Jump to dropped file
Source: /usr/bin/cp (PID: 6316)	Path: /usr/bin/ps	Jump to dropped file

Source: 10000.elf	Submission file: segment LOAD with 7.8635 entropy (max. 8.0)
Source: 10000.elf	Submission file: segment LOAD with 7.9987 entropy (max. 8.0)
Source: knerl.41.dr	Dropped file: segment LOAD with 7.8635 entropy (max. 8.0)
Source: knerl.41.dr	Dropped file: segment LOAD with 7.9987 entropy (max. 8.0)
Source: netstat.101.dr	Dropped file: segment LOAD with 7.8635 entropy (max. 8.0)
Source: netstat.101.dr	Dropped file: segment LOAD with 7.9987 entropy (max. 8.0)
Source: lsof.117.dr	Dropped file: segment LOAD with 7.8635 entropy (max. 8.0)
Source: lsof.117.dr	Dropped file: segment LOAD with 7.9987 entropy (max. 8.0)
Source: ps.133.dr	Dropped file: segment LOAD with 7.8635 entropy (max. 8.0)
Source: ps.133.dr	Dropped file: segment LOAD with 7.9987 entropy (max. 8.0)
Source: netstat.145.dr	Dropped file: segment LOAD with 7.8635 entropy (max. 8.0)
Source: netstat.145.dr	Dropped file: segment LOAD with 7.9987 entropy (max. 8.0)
Source: lsof.157.dr	Dropped file: segment LOAD with 7.8635 entropy (max. 8.0)
Source: lsof.157.dr	Dropped file: segment LOAD with 7.9987 entropy (max. 8.0)
Source: ps.169.dr	Dropped file: segment LOAD with 7.8635 entropy (max. 8.0)
Source: ps.169.dr	Dropped file: segment LOAD with 7.9987 entropy (max. 8.0)
Source: pythno.55.dr	Dropped file: segment LOAD with 7.8635 entropy (max. 8.0)
Source: pythno.55.dr	Dropped file: segment LOAD with 7.9987 entropy (max. 8.0)

Source: /tmp/10000.elf (PID: 6224)	Reads CPU info from proc file: /proc/cpuinfo			Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6244)	Reads CPU info from proc file: /proc/cpuinfo			Jump to behavior

Source: /tmp/10000.elf (PID: 6224)	Sleeps longer then 60s: 3600.0s	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6244)	Sleeps longer then 60s: 3600.0s	Jump to behavior
Source: /usr/bin/pythno (PID: 6261)	Sleeps longer then 60s: 60.0s	Jump to behavior
Source: /usr/bin/pythno (PID: 6261)	Sleeps longer then 60s: 60.0s	Jump to behavior
Source: /usr/bin/pythno (PID: 6261)	Sleeps longer then 60s: 3600.0s	Jump to behavior

Source: /tmp/10000.elf (PID: 6223)	Queries kernel information via 'uname':	Jump to behavior
Source: /tmp/10000.elf (PID: 6224)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6243)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/bsd-port/knerl (PID: 6244)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/insmod (PID: 6320)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/pythno (PID: 6257)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/insmod (PID: 6265)	Queries kernel information via 'uname':	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 File and Directory Permissions Modification	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
10000.elf	39%	ReversingLabs	Linux.Packed.Elknot
10000.elf	100%	Avira	LINUX/AVI.Bot.zmipz

Dropped Files

Source	Detection	Scanner	Label
/usr/bin/ps	100%	Avira	LINUX/AVI.Bot.zmipz
/usr/bin/bsd-port/knerl	100%	Avira	LINUX/AVI.Bot.zmipz
/usr/bin/lsof	100%	Avira	LINUX/AVI.Bot.zmipz
/usr/bin/pythno	100%	Avira	LINUX/AVI.Bot.zmipz
/usr/bin/netstat	100%	Avira	LINUX/AVI.Bot.zmipz
/etc/init.d/selinux	0%	ReversingLabs
/usr/bin/bsd-port/knerl	39%	ReversingLabs	Win32.Trojan.Generic
/usr/bin/dpkgd/lsof	0%	ReversingLabs
/usr/bin/dpkgd/netstat	0%	ReversingLabs
/usr/bin/dpkgd/ps	0%	ReversingLabs
/usr/bin/lsof	39%	ReversingLabs	Win32.Trojan.Generic
/usr/bin/netstat	39%	ReversingLabs	Win32.Trojan.Generic
/usr/bin/ps	39%	ReversingLabs	Win32.Trojan.Generic
/usr/bin/pythno	39%	ReversingLabs	Win32.Trojan.Generic

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
vip-1.0889.org	213.139.233.9	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.gnu.org/software/libc/bugs.html	10000.elf, 6223.1.0000000008048000.0000000008120000.r-x.sdmp, 10000.elf, 6241.1.0000000008048000.0000000008120000.r-x.sdmp, 10000.elf, 6254.1.0000000008048000.0000000008120000.r-x.sdmp	false	unknown
https://github.com/lsof-org/lsof	lsof.109.dr	false	unknown
http://uuu.sf.net	10000.elf, ps.133.dr, ps.169.dr, lsof.117.dr, knerl.41.dr, lsof.157.dr, netstat.101.dr, pythno.55.dr, netstat.145.dr	false	unknown
https://github.com/lsof-org/lsof/blob/master/Lsof.8	lsof.109.dr	false	unknown
https://github.com/lsof-org/lsof/blob/master/00FAQ	lsof.109.dr	false	unknown
https://github.com/lsof-org/lsofhttps://github.com/lsof-org/lsof/blob/master/00FAQhttps://github.com	lsof.109.dr	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
213.139.233.9	vip-1.0889.org	Russian Federation	136782	PINGTAN-AS-APKirinNetworksCN	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	boatnet.x86.elf	Get hash	malicious	Mirai	Browse
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
	i586.elf	Get hash	malicious	Mirai	Browse
	sh4.elf	Get hash	malicious	Mirai	Browse
	nuklear.ppc.elf	Get hash	malicious	Mirai	Browse
	nuklear.x86.elf	Get hash	malicious	Mirai	Browse
	nuklear.arm6.elf	Get hash	malicious	Mirai	Browse
91.189.91.42	boatnet.x86.elf	Get hash	malicious	Mirai	Browse
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
	armv7l.elf	Get hash	malicious	Mirai	Browse
	sparc.elf	Get hash	malicious	Mirai	Browse
	i586.elf	Get hash	malicious	Mirai	Browse
	sh4.elf	Get hash	malicious	Mirai	Browse
	nuklear.ppc.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	i.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.arc.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.arm5.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sshd.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	armv7l.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	sparc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
CANONICAL-ASGB	i.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.arc.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.arm5.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sshd.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	armv7l.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	sparc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
INIT7CH	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	sshd.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	armv7l.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	sparc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	i586.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	sh4.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	nuklear.ppc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
PINGTAN-AS-APKirinNetworksCN	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	103.96.197.3
	1FOZSuwbGF.elf	Get hash	malicious	Mirai	Browse	103.96.197.9
	1ik5K4HEZO	Get hash	malicious	Unknown	Browse	103.96.197.9
	TT copy.exe	Get hash	malicious	FormBook	Browse	185.254.241.173
	RxD0XMDsWp	Get hash	malicious	Mirai	Browse	103.96.153.100
	ywvz5i8kT9.exe	Get hash	malicious	Unknown	Browse	45.135.48.153
	28z8ooA3oC	Get hash	malicious	Mirai	Browse	196.19.196.209
	y8uLBHoe4J.exe	Get hash	malicious	BitRAT	Browse	62.133.35.244
	4RjVkoQ93E	Get hash	malicious	Unknown	Browse	103.96.171.168
	vcredist_2010.exe	Get hash	malicious	Unknown	Browse	113.212.88.60

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/selinux	Od6wNV2xta.elf	Get hash	malicious	BillGates	Browse
/usr/bin/dpkgd/lsof	linux_arm5.elf	Get hash	malicious	Kaiji	Browse
	linux_aarch64.elf	Get hash	malicious	Kaiji	Browse
	linux_arm7.elf	Get hash	malicious	Kaiji	Browse
	linux_arm6.elf	Get hash	malicious	Kaiji	Browse
	wwYapf2DSJ.elf	Get hash	malicious	BillGates	Browse
	ff.elf	Get hash	malicious	BillGates	Browse
	DerI9qwTwK.elf	Get hash	malicious	Kaiji	Browse
	Od6wNV2xta.elf	Get hash	malicious	BillGates	Browse
	odSNe417qU.elf	Get hash	malicious	BillGates	Browse
	p2GrGlDHjw.elf	Get hash	malicious	Kaiji	Browse

Created / dropped Files

/etc/init.d/VsystemsshMdt

Download File

Process:	/tmp/10000.elf
File Type:	Bourne-Again shell script, ASCII text executable
Category:	dropped
Size (bytes):	27
Entropy (8bit):	4.0141467614227295
Encrypted:	false
SSDEEP:	3:TKH/KoKM/V0JDvn:FM/V0Jzn
MD5:	952C935E1F6081C64DFD8A1E3B43D843
SHA1:	512ED6F615EF891332CDB4D3CF8822C85CF85B2D
SHA-256:	950F0A4648694CBFD3606B4DADB4D394AA640ED883543EABBCCE6645474D067A
SHA-512:	6AB2ADFC4D4BEE7D6E50DDC6E1520308659B89DFBC06804199D329ED032FAF88FB6577E1A3D559CB2DD97DAA763A50C441ABAB3CAEC09273F8B62D85D42F19F1
Malicious:	true
Reputation:	low
Preview:	#!/bin/bash./tmp/10000.elf.

/etc/init.d/selinux

Download File

Process:	/usr/bin/bsd-port/knerl
File Type:	Bourne-Again shell script, ASCII text executable
Category:	dropped
Size (bytes):	36
Entropy (8bit):	4.009523959475163
Encrypted:	false
SSDEEP:	3:TKH/LQ9lIVfkyhn:8cIVff
MD5:	CAA27B819C9303446F702929874A00E8
SHA1:	D24199C0E376EDEA3F822B215148CC0DC78364BF
SHA-256:	DA9B535A14C6D9152857E211F14FB8DA9056E84BA1B8D4DC27AB79C98264050B
SHA-512:	DCD9413EB2CB24D77F637EDFC00CA0BB42229A1A3B0D84E29EFF94A7B91AEE6EE8C126C286A4B4103E01834D1C6AEC9DE09FFAB3927E8DE8015421005F31446E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Od6wNV2xta.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/bash./usr/bin/bsd-port/knerl.

/tmp/idus.log

Download File

Process:	/usr/bin/pythno
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:kn:kn
MD5:	AFF82E881075D9C1EC306F86AE15C833
SHA1:	BBB8A685783B3DB9298E026F8EB0CC390FE61858
SHA-256:	6AE6EFDE2B863944726FBACC695FBBB845F870389ACBB52C8AE81C683AB51FDF
SHA-512:	1B222E39DB8E2C206541B3C917A133BC2D7C600C9620425E7318CB8A57CB5640F5D7017EEB4660786A1B9533E56A4F3EBD84BC6C6AC26E246F259C2EC7BCE5B6
Malicious:	false
Reputation:	low
Preview:	6261

/tmp/notify.file

Download File

Process:	/tmp/10000.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	14
Entropy (8bit):	3.093069207771891
Encrypted:	false
SSDEEP:	3:TgUV/V0JDn:TgM/V0JD
MD5:	8419CD1B86EE250EDFD28B2E3E745BCC
SHA1:	CC2689103871203C7446BD2EAB68A9A13F1B78A0
SHA-256:	B86F8C64393CD851F2B07D102FF7D977CAB6950CAFE9AE25C72BA6B90015F847
SHA-512:	7CF94D5A0548907107DAEA17F6355C8DB3241548DA32C96472B59588B2F9A6DF5CBDCA93697AEB41FFCED3EEF82E7FC93CF1FBED63B5FDFFD8FC8DB173806601
Malicious:	false
Reputation:	low
Preview:	/tmp/10000.elf

/tmp/vga.conf

Download File

Process:	/tmp/10000.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:9n:9
MD5:	69783EE76A92567D446143B811519068
SHA1:	9FD09D038621EF70720D1266F6CBA81874C3D7A4
SHA-256:	25472DBF66BE1E822940F02732343E04021E49E8847808D88D64C17BA24E5037
SHA-512:	705F65C38E06317176612DCF3631201EEE1AC438EAE18C92FB602410B4347D8F97075F7639668F839D7E292E712EEF1B3068C858AC7A743B8C3465A936F6E8D6
Malicious:	false
Reputation:	low
Preview:	6224

/usr/bin/bsd-port/conf.n

Download File

Process:	/usr/bin/bsd-port/knerl
File Type:	data
Category:	dropped
Size (bytes):	966
Entropy (8bit):	2.444785661119398
Encrypted:	false
SSDEEP:	24:JiGCCCCBiGCCCCBiGCCCCBiGCCCCBiGCCCCBiGCCCCBiGCCCCBiGCCCCBiGCCCCv:4GCCCCQGCCCCQGCCCCQGCCCCQGCCCCQe
MD5:	A7F120154441D07BFFF8CD6C3862F5CC
SHA1:	FCC07A96B6C231CA6F40603846A5E8821461B932
SHA-256:	D4C600E3F2669527C5595DED27063C44A4F303CEADD59A34E9359B5D87E55B21
SHA-512:	BB1ECE73D649732143383DD98A73F5B979F6F4D1D4BC15BDD6992E9A14A6DB59F61353C3F03F0A279B16EABD046623391B6302B98199210C19E63A68E30BBF0A
Malicious:	true
Reputation:	low
Preview:	A........2...........................................................A........2...........................................................A........2...........................................................A........2...........................................................A........2...........................................................A........2...........................................................A........2...........................................................A........2...........................................................A........2...........................................................A........2...........................................................A........2...........................................................A........2...........................................................A........2...........................................................A........2...........................................................

/usr/bin/bsd-port/knerl

Download File

Process:	/usr/bin/cp
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), for GNU/Linux 2.2.5, statically linked, no section header
Category:	dropped
Size (bytes):	339160
Entropy (8bit):	7.998973706382248
Encrypted:	true
SSDEEP:	6144:BCrHpDm5hTFhrjI0TYUdCwnpmLl/JF1RQDq7oSqhiQAH9LU:uJDEZXI8dCwnC1RQDyoSqhiQAH9U
MD5:	8A51A05DF6F69F2A6FC4C4E376B65F70
SHA1:	1B68E2894D97363DCD9F2D7E42724DFC58E0A260
SHA-256:	7F048A07A9C6166054AE0A1FE9AF0C38769FF6FC5189ADA4E4144C71E5D24994
SHA-512:	505595AEEAE9018DC0D31E158899D620EF4FE1D9D8E510EE10A82AEC889202E4994A3E387F628033A90AA53D633C1E7C7865A98CFDFB147ECC950B3C1376A37D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Reputation:	low
Preview:	.ELF........................4...........4. ..........................................................I...I.......................... ... ...........Q.td........................................GNU...................McUUU!.........Q..cr......h..........?.E.h;...#..\|`...8Qj.R.&.mv.QO...k.'._2..Tz...g.<....u..YN...\|...e..?0....diNZ]..D/&.0.-d.9..p..&..p.q..9....I!......6......W7......K.V/.T.d.G..f..."xRG....iT..._Z.8.'M0Oz.....l.H.h.V.....B....p.\|/.*):........?wG.0..U.\?z.E@.....K.}jbH.......^...mM.'.$P....y....!.k..O){.....W.%./o..x...A.z$.....p..=.a]....<.L.h..BoL.I.....np..s.....Q#.j.L..r.......I.j....1.sL1\.k$I...(.=...2".-....._.=..^.G..D8' f...`a.SX...J...#...:..`C.j....<......_...bC.C..R.H..v..h.#..X.. .9..UV....1....6.........<......oQ..[..#(h?..&....y.(.gmI..(....(P..r.!.9.JXK0.g..a....e..JyD..j ...Iw...~.R.i\|BA8..7....w....6. .J.?..`.m.?.?.8........P.... ...)Y.'.5i.1....c..`...Yq.k-.._.NqO.!...[.V."K.m.P.......MM...+....G....`.. .2;....B..

/usr/bin/bsd-port/knerl.conf

Download File

Process:	/usr/bin/bsd-port/knerl
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:bn:b
MD5:	21F4C3B5591DA245AF90A2FD52FA1A55
SHA1:	7BF446DEFE82C44EDADC2E74AF4FE0340C4602D9
SHA-256:	FF2FBB2C3BFF60DDA45042CBC05BC633AFC1719B19A9E74C55988C48A78C2FC3
SHA-512:	A8DEBFD0429625D27B38B421BA212F32B790120600620DBE97E0C9E701CDC5F8C5F046A1EBC061D8943270732731993DBAC16BC08A12854970598912E9EA7957
Malicious:	true
Reputation:	low
Preview:	6244

/usr/bin/dpkgd/lsof

Download File

Process:	/usr/bin/cp
File Type:	ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b70e28f8c4071cf6da1a5d9bdf83301153a83a49, for GNU/Linux 3.2.0, stripped
Category:	dropped
Size (bytes):	175744
Entropy (8bit):	5.936169929539334
Encrypted:	false
SSDEEP:	3072:OF7SUSobvRwXmq4jOFFa5xMxlVUo2Ljy5frrI3ZaAZEWI4+Qap8AY8Vl/2eOmFW3:OMUSkymqiOFLL2Ljy5frrI3ZaAZEWI4+
MD5:	061386937EC7ACF924438A2643A32BE0
SHA1:	01A044B9E58839BEA3E58C66CB32ACC16241BF91
SHA-256:	8A26BBAE9EB85AA98EF29CFE5B0A291234DB6EB394C3E0C2841983DCF7DDA959
SHA-512:	2DE2E56AC4C32F47B4A1945CCFB0DB378E6D59019EE8004E3E5D2EC8935EFB5AA8EE14B8A0B21C61A267E195D42A3232A6DCADE8720DE06118FD579277F59DB7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: linux_arm5.elf, Detection: malicious, Browse Filename: linux_aarch64.elf, Detection: malicious, Browse Filename: linux_arm7.elf, Detection: malicious, Browse Filename: linux_arm6.elf, Detection: malicious, Browse Filename: wwYapf2DSJ.elf, Detection: malicious, Browse Filename: ff.elf, Detection: malicious, Browse Filename: DerI9qwTwK.elf, Detection: malicious, Browse Filename: Od6wNV2xta.elf, Detection: malicious, Browse Filename: odSNe417qU.elf, Detection: malicious, Browse Filename: p2GrGlDHjw.elf, Detection: malicious, Browse
Preview:	.ELF..............>.....`=......@...................@.8...@.............@.......@.......@.......................................................................................................................H%......H%.......................0.......0.......0....................................... ....... ....... ......Ps......Ps......................0.......0.......0.......x...............................h.......h.......h.......................................8.......8.......8....... ....... .......................X.......X.......X.......D.......D...............S.td....8.......8.......8....... ....... ...............P.td.....k.......k.......k......<.......<...............Q.td....................................................R.td....0.......0.......0.............................../lib64/ld-linux-x86-64.so.2.................GNU.............................GNU...(.......]..0.S.:I............GNU.........................p...................p...r.......(....e.m9..........................

/usr/bin/dpkgd/netstat

Download File

Process:	/usr/bin/cp
File Type:	ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=51b4397f31c5992fa18047069bfa92ca1444ef99, stripped
Category:	dropped
Size (bytes):	158288
Entropy (8bit):	5.495895004028753
Encrypted:	false
SSDEEP:	1536:lVVZidyDSsOKijSMQHiubRaPuFzbCPopEjApaSH0YnYHAznwfoORW3yfrEjucVBF:fidyKKijokmQPHcpaSHyftW3XUsNTf
MD5:	D31D945767DD5A51E78FF0069533635F
SHA1:	64665A224F472B07778819F38FF5A300C1712EEB
SHA-256:	7AF5F6CDA055B65E31298FE20ED4456A87D2CA92803552BC0D3422F0E1A1FDA1
SHA-512:	8EFEB8DF05338ABBD4305FC48914A91012EDC91C2F6423BA59F4E54303C867DC7C5723EE94ADE118585AA6965CC888558E699533F4F9D5EEB22E45C57634A628
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	.ELF..............>.....P.......@.......Pc..........@.8...@.............@.......@.......@.......h.......h........................................................................................................p.......p..............................................}.......}...............................................h.......h........................0.......@.......@......h1.......E.......................J.......Z.......Z..............................................................D.......D...............P.td....................................................Q.td....................................................R.td.....0.......@.......@......P.......P.............../lib64/ld-linux-x86-64.so.2.............GNU.............................GNU.Q.9.1./..G......D.C...j..............0....4..%.....".p.^3...As@...t"0..R..2 ..(.....@%2..H3...!$.j...k.......o...q.......s...v...x...y...{...}...................................................................................................

/usr/bin/dpkgd/ps

Download File

Process:	/usr/bin/cp
File Type:	ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=21b21cccacabfe9b0573bf0b894279a9502005b4, for GNU/Linux 3.2.0, stripped
Category:	dropped
Size (bytes):	137688
Entropy (8bit):	4.861913553163927
Encrypted:	false
SSDEEP:	1536:QQN5YhnrOag7gX/LBzGLEcQrAqgyz51Xs+9EEgG54MZszIWzbr63XrZOIhK5nn5F:QNXXFcsbsprg7Z9hK15IcKR4CS
MD5:	AB48054475A6F70F8E7FA847331F3327
SHA1:	83FEB47FF6E58A79152C2AD2882D6332751F4EA1
SHA-256:	6E1BE2FF79ADF6A05AD09B6DF87618A5F9857378A2978BEB1DEC12E20FD34844
SHA-512:	784A85F3758D18E23FDDD40A0DE6322B2C6CD63216C22433971A13522E18A34FCB3155AC400567DFEB32CCD54C2313731C8EFC712BF8FB9C05B2495DE1E5BF23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	.ELF..............>.............@.......X...........@.8...@.............@.......@.......@..............................................................................................................................................................................................................`.......`.......`.......c.......c......................p.......p.......p........A......xT..............................................................................8.......8.......8....... ....... .......................X.......X.......X.......D.......D...............S.td....8.......8.......8....... ....... ...............P.td....................................................Q.td....................................................R.td....p.......p.......p........@.......@............../lib64/ld-linux-x86-64.so.2.................GNU.............................GNU.!.......s...By.P ..............GNU.........................a............... ...a...d.......(....b&t.e.m.Pv..;O..bA..^~.9......

/usr/bin/lsof

Download File

Process:	/usr/bin/cp
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), for GNU/Linux 2.2.5, statically linked, no section header
Category:	dropped
Size (bytes):	339160
Entropy (8bit):	7.998973706382248
Encrypted:	true
SSDEEP:	6144:BCrHpDm5hTFhrjI0TYUdCwnpmLl/JF1RQDq7oSqhiQAH9LU:uJDEZXI8dCwnC1RQDyoSqhiQAH9U
MD5:	8A51A05DF6F69F2A6FC4C4E376B65F70
SHA1:	1B68E2894D97363DCD9F2D7E42724DFC58E0A260
SHA-256:	7F048A07A9C6166054AE0A1FE9AF0C38769FF6FC5189ADA4E4144C71E5D24994
SHA-512:	505595AEEAE9018DC0D31E158899D620EF4FE1D9D8E510EE10A82AEC889202E4994A3E387F628033A90AA53D633C1E7C7865A98CFDFB147ECC950B3C1376A37D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Preview:	.ELF........................4...........4. ..........................................................I...I.......................... ... ...........Q.td........................................GNU...................McUUU!.........Q..cr......h..........?.E.h;...#..\|`...8Qj.R.&.mv.QO...k.'._2..Tz...g.<....u..YN...\|...e..?0....diNZ]..D/&.0.-d.9..p..&..p.q..9....I!......6......W7......K.V/.T.d.G..f..."xRG....iT..._Z.8.'M0Oz.....l.H.h.V.....B....p.\|/.*):........?wG.0..U.\?z.E@.....K.}jbH.......^...mM.'.$P....y....!.k..O){.....W.%./o..x...A.z$.....p..=.a]....<.L.h..BoL.I.....np..s.....Q#.j.L..r.......I.j....1.sL1\.k$I...(.=...2".-....._.=..^.G..D8' f...`a.SX...J...#...:..`C.j....<......_...bC.C..R.H..v..h.#..X.. .9..UV....1....6.........<......oQ..[..#(h?..&....y.(.gmI..(....(P..r.!.9.JXK0.g..a....e..JyD..j ...Iw...~.R.i\|BA8..7....w....6. .J.?..`.m.?.?.8........P.... ...)Y.'.5i.1....c..`...Yq.k-.._.NqO.!...[.V."K.m.P.......MM...+....G....`.. .2;....B..

/usr/bin/netstat

Download File

Process:	/usr/bin/cp
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), for GNU/Linux 2.2.5, statically linked, no section header
Category:	dropped
Size (bytes):	339160
Entropy (8bit):	7.998973706382248
Encrypted:	true
SSDEEP:	6144:BCrHpDm5hTFhrjI0TYUdCwnpmLl/JF1RQDq7oSqhiQAH9LU:uJDEZXI8dCwnC1RQDyoSqhiQAH9U
MD5:	8A51A05DF6F69F2A6FC4C4E376B65F70
SHA1:	1B68E2894D97363DCD9F2D7E42724DFC58E0A260
SHA-256:	7F048A07A9C6166054AE0A1FE9AF0C38769FF6FC5189ADA4E4144C71E5D24994
SHA-512:	505595AEEAE9018DC0D31E158899D620EF4FE1D9D8E510EE10A82AEC889202E4994A3E387F628033A90AA53D633C1E7C7865A98CFDFB147ECC950B3C1376A37D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Preview:	.ELF........................4...........4. ..........................................................I...I.......................... ... ...........Q.td........................................GNU...................McUUU!.........Q..cr......h..........?.E.h;...#..\|`...8Qj.R.&.mv.QO...k.'._2..Tz...g.<....u..YN...\|...e..?0....diNZ]..D/&.0.-d.9..p..&..p.q..9....I!......6......W7......K.V/.T.d.G..f..."xRG....iT..._Z.8.'M0Oz.....l.H.h.V.....B....p.\|/.*):........?wG.0..U.\?z.E@.....K.}jbH.......^...mM.'.$P....y....!.k..O){.....W.%./o..x...A.z$.....p..=.a]....<.L.h..BoL.I.....np..s.....Q#.j.L..r.......I.j....1.sL1\.k$I...(.=...2".-....._.=..^.G..D8' f...`a.SX...J...#...:..`C.j....<......_...bC.C..R.H..v..h.#..X.. .9..UV....1....6.........<......oQ..[..#(h?..&....y.(.gmI..(....(P..r.!.9.JXK0.g..a....e..JyD..j ...Iw...~.R.i\|BA8..7....w....6. .J.?..`.m.?.?.8........P.... ...)Y.'.5i.1....c..`...Yq.k-.._.NqO.!...[.V."K.m.P.......MM...+....G....`.. .2;....B..

/usr/bin/ps

Download File

Process:	/usr/bin/cp
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), for GNU/Linux 2.2.5, statically linked, no section header
Category:	dropped
Size (bytes):	339160
Entropy (8bit):	7.998973706382248
Encrypted:	true
SSDEEP:	6144:BCrHpDm5hTFhrjI0TYUdCwnpmLl/JF1RQDq7oSqhiQAH9LU:uJDEZXI8dCwnC1RQDyoSqhiQAH9U
MD5:	8A51A05DF6F69F2A6FC4C4E376B65F70
SHA1:	1B68E2894D97363DCD9F2D7E42724DFC58E0A260
SHA-256:	7F048A07A9C6166054AE0A1FE9AF0C38769FF6FC5189ADA4E4144C71E5D24994
SHA-512:	505595AEEAE9018DC0D31E158899D620EF4FE1D9D8E510EE10A82AEC889202E4994A3E387F628033A90AA53D633C1E7C7865A98CFDFB147ECC950B3C1376A37D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Preview:	.ELF........................4...........4. ..........................................................I...I.......................... ... ...........Q.td........................................GNU...................McUUU!.........Q..cr......h..........?.E.h;...#..\|`...8Qj.R.&.mv.QO...k.'._2..Tz...g.<....u..YN...\|...e..?0....diNZ]..D/&.0.-d.9..p..&..p.q..9....I!......6......W7......K.V/.T.d.G..f..."xRG....iT..._Z.8.'M0Oz.....l.H.h.V.....B....p.\|/.*):........?wG.0..U.\?z.E@.....K.}jbH.......^...mM.'.$P....y....!.k..O){.....W.%./o..x...A.z$.....p..=.a]....<.L.h..BoL.I.....np..s.....Q#.j.L..r.......I.j....1.sL1\.k$I...(.=...2".-....._.=..^.G..D8' f...`a.SX...J...#...:..`C.j....<......_...bC.C..R.H..v..h.#..X.. .9..UV....1....6.........<......oQ..[..#(h?..&....y.(.gmI..(....(P..r.!.9.JXK0.g..a....e..JyD..j ...Iw...~.R.i\|BA8..7....w....6. .J.?..`.m.?.?.8........P.... ...)Y.'.5i.1....c..`...Yq.k-.._.NqO.!...[.V."K.m.P.......MM...+....G....`.. .2;....B..

/usr/bin/pythno

Download File

Process:	/usr/bin/cp
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), for GNU/Linux 2.2.5, statically linked, no section header
Category:	dropped
Size (bytes):	339160
Entropy (8bit):	7.998973706382248
Encrypted:	true
SSDEEP:	6144:BCrHpDm5hTFhrjI0TYUdCwnpmLl/JF1RQDq7oSqhiQAH9LU:uJDEZXI8dCwnC1RQDyoSqhiQAH9U
MD5:	8A51A05DF6F69F2A6FC4C4E376B65F70
SHA1:	1B68E2894D97363DCD9F2D7E42724DFC58E0A260
SHA-256:	7F048A07A9C6166054AE0A1FE9AF0C38769FF6FC5189ADA4E4144C71E5D24994
SHA-512:	505595AEEAE9018DC0D31E158899D620EF4FE1D9D8E510EE10A82AEC889202E4994A3E387F628033A90AA53D633C1E7C7865A98CFDFB147ECC950B3C1376A37D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Preview:	.ELF........................4...........4. ..........................................................I...I.......................... ... ...........Q.td........................................GNU...................McUUU!.........Q..cr......h..........?.E.h;...#..\|`...8Qj.R.&.mv.QO...k.'._2..Tz...g.<....u..YN...\|...e..?0....diNZ]..D/&.0.-d.9..p..&..p.q..9....I!......6......W7......K.V/.T.d.G..f..."xRG....iT..._Z.8.'M0Oz.....l.H.h.V.....B....p.\|/.*):........?wG.0..U.\?z.E@.....K.}jbH.......^...mM.'.$P....y....!.k..O){.....W.%./o..x...A.z$.....p..=.a]....<.L.h..BoL.I.....np..s.....Q#.j.L..r.......I.j....1.sL1\.k$I...(.=...2".-....._.=..^.G..D8' f...`a.SX...J...#...:..`C.j....<......_...bC.C..R.H..v..h.#..X.. .9..UV....1....6.........<......oQ..[..#(h?..&....y.(.gmI..(....(P..r.!.9.JXK0.g..a....e..JyD..j ...Iw...~.R.i\|BA8..7....w....6. .J.?..`.m.?.?.8........P.... ...)Y.'.5i.1....c..`...Yq.k-.._.NqO.!...[.V."K.m.P.......MM...+....G....`.. .2;....B..

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), for GNU/Linux 2.2.5, statically linked, no section header
Entropy (8bit):	7.998973706382248
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	10000.elf
File size:	339'160 bytes
MD5:	8a51a05df6f69f2a6fc4c4e376b65f70
SHA1:	1b68e2894d97363dcd9f2d7e42724dfc58e0a260
SHA256:	7f048a07a9c6166054ae0a1fe9af0c38769ff6fc5189ada4e4144c71e5d24994
SHA512:	505595aeeae9018dc0d31e158899d620ef4fe1d9d8e510ee10a82aec889202e4994a3e387f628033a90aa53d633c1e7c7865a98cfdfb147ecc950b3c1376a37d
SSDEEP:	6144:BCrHpDm5hTFhrjI0TYUdCwnpmLl/JF1RQDq7oSqhiQAH9LU:uJDEZXI8dCwnC1RQDyoSqhiQAH9U
TLSH:	BF742351E6C8A83E914CD0767EEC17CB75724B9C19E10BB13D6EBD82488B21CAD647BC
File Content Preview:	.ELF........................4...........4. ..........................................................I...I.......................... ... ...........Q.td........................................GNU...................McUUU!.........Q..cr......h..........?.E.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x816d6f8
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	4
Section Header Offset:	0
Section Header Size:	0
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8048000	0x8048000	0x1000	0xe1e8c	7.8635	0x6	RW	0x1000
LOAD	0x0	0x812a000	0x812a000	0x449db	0x449db	7.9987	0x5	R E	0x1000
NOTE	0xb4	0x80480b4	0x80480b4	0x20	0x20	1.6862	0x4	R	0x4
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2024 10:05:53.994297028 CET	43928	443	192.168.2.23	91.189.91.42
Nov 2, 2024 10:05:59.369589090 CET	42836	443	192.168.2.23	91.189.91.43
Nov 2, 2024 10:05:59.867424965 CET	55554	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:05:59.872258902 CET	10000	55554	213.139.233.9	192.168.2.23
Nov 2, 2024 10:05:59.872312069 CET	55554	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:05:59.876846075 CET	55554	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:05:59.881648064 CET	10000	55554	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:00.905359030 CET	42516	80	192.168.2.23	109.202.202.202
Nov 2, 2024 10:06:08.381370068 CET	10000	55554	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:08.381678104 CET	55554	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:08.381809950 CET	55556	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:08.386810064 CET	10000	55556	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:08.386900902 CET	55556	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:08.391875982 CET	10000	55556	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:14.727482080 CET	43928	443	192.168.2.23	91.189.91.42
Nov 2, 2024 10:06:16.880026102 CET	10000	55556	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:16.880222082 CET	55558	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:16.880275011 CET	55556	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:16.893208981 CET	10000	55558	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:16.893285990 CET	55558	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:16.904552937 CET	10000	55558	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:24.966085911 CET	42836	443	192.168.2.23	91.189.91.43
Nov 2, 2024 10:06:25.429239035 CET	10000	55558	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:25.429409027 CET	55558	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:25.429471970 CET	55560	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:25.434370995 CET	10000	55560	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:25.434449911 CET	55560	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:25.439260006 CET	10000	55560	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:31.109281063 CET	42516	80	192.168.2.23	109.202.202.202
Nov 2, 2024 10:06:34.325103998 CET	10000	55560	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:34.325120926 CET	10000	55560	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:34.325376987 CET	55560	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:34.325468063 CET	55560	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:34.325592041 CET	55562	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:34.330440044 CET	10000	55562	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:34.330508947 CET	55562	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:34.331491947 CET	55562	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:34.336294889 CET	10000	55562	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:42.821985006 CET	10000	55562	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:42.822104931 CET	55562	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:42.822170973 CET	55564	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:42.828444958 CET	10000	55564	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:42.828495026 CET	55564	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:42.834741116 CET	10000	55564	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:51.331789970 CET	10000	55564	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:51.332075119 CET	55564	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:51.332112074 CET	55566	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:51.336956024 CET	10000	55566	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:51.337049961 CET	55566	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:51.341979027 CET	10000	55566	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:55.681932926 CET	43928	443	192.168.2.23	91.189.91.42
Nov 2, 2024 10:06:59.843103886 CET	10000	55566	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:59.843394041 CET	55568	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:59.843400002 CET	55566	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:59.848359108 CET	10000	55568	213.139.233.9	192.168.2.23
Nov 2, 2024 10:06:59.848444939 CET	55568	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:06:59.853216887 CET	10000	55568	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:08.346024990 CET	10000	55568	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:08.346227884 CET	55568	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:08.346369028 CET	55570	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:08.351166964 CET	10000	55570	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:08.351272106 CET	55570	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:08.356043100 CET	10000	55570	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:16.159132004 CET	42836	443	192.168.2.23	91.189.91.43
Nov 2, 2024 10:07:16.855671883 CET	10000	55570	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:16.855820894 CET	55570	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:16.856030941 CET	55572	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:16.860759974 CET	10000	55572	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:16.860843897 CET	55572	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:16.866476059 CET	10000	55572	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:25.366832018 CET	10000	55572	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:25.367131948 CET	55572	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:25.367268085 CET	55574	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:25.372884989 CET	10000	55574	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:25.372948885 CET	55574	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:25.378422976 CET	10000	55574	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:33.856333971 CET	10000	55574	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:33.856616974 CET	55574	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:33.856950998 CET	55576	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:33.861764908 CET	10000	55576	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:33.861855984 CET	55576	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:33.867156982 CET	10000	55576	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:42.350996971 CET	10000	55576	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:42.351100922 CET	55576	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:42.351135015 CET	55578	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:42.356046915 CET	10000	55578	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:42.356132984 CET	55578	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:42.361140013 CET	10000	55578	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:50.869021893 CET	10000	55578	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:50.869251966 CET	55578	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:50.869292974 CET	55580	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:50.874095917 CET	10000	55580	213.139.233.9	192.168.2.23
Nov 2, 2024 10:07:50.874162912 CET	55580	10000	192.168.2.23	213.139.233.9
Nov 2, 2024 10:07:50.878933907 CET	10000	55580	213.139.233.9	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2024 10:05:59.846163988 CET	56041	53	192.168.2.23	1.1.1.1
Nov 2, 2024 10:05:59.867170095 CET	53	56041	1.1.1.1	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 2, 2024 10:05:59.846163988 CET	192.168.2.23	1.1.1.1	0xfbfb	Standard query (0)	vip-1.0889.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 2, 2024 10:05:59.867170095 CET	1.1.1.1	192.168.2.23	0xfbfb	No error (0)	vip-1.0889.org		213.139.233.9	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: 10000.elf PID: 6223, Parent PID: 6144

General

Start time (UTC):	09:05:50
Start date (UTC):	02/11/2024
Path:	/tmp/10000.elf
Arguments:	/tmp/10000.elf
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: 10000.elf PID: 6224, Parent PID: 6223

General

Start time (UTC):	09:05:50
Start date (UTC):	02/11/2024
Path:	/tmp/10000.elf
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: 10000.elf PID: 6227, Parent PID: 6224

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/tmp/10000.elf
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6227, Parent PID: 6224

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6228, Parent PID: 6227

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6228, Parent PID: 6227

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: 10000.elf PID: 6229, Parent PID: 6224

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/tmp/10000.elf
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6229, Parent PID: 6224

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6230, Parent PID: 6229

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6230, Parent PID: 6229

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: 10000.elf PID: 6231, Parent PID: 6224

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/tmp/10000.elf
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6231, Parent PID: 6224

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6232, Parent PID: 6231

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6232, Parent PID: 6231

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: 10000.elf PID: 6233, Parent PID: 6224

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/tmp/10000.elf
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6233, Parent PID: 6224

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6234, Parent PID: 6233

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6234, Parent PID: 6233

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: 10000.elf PID: 6235, Parent PID: 6224

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/tmp/10000.elf
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6235, Parent PID: 6224

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6236, Parent PID: 6235

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6236, Parent PID: 6235

General

Start time (UTC):	09:05:53
Start date (UTC):	02/11/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: 10000.elf PID: 6237, Parent PID: 6224

General

Start time (UTC):	09:05:55
Start date (UTC):	02/11/2024
Path:	/tmp/10000.elf
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6237, Parent PID: 6224

General

Start time (UTC):	09:05:55
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /usr/bin/bsd-port"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6238, Parent PID: 6237

General

Start time (UTC):	09:05:55
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: mkdir PID: 6238, Parent PID: 6237

General

Start time (UTC):	09:05:55
Start date (UTC):	02/11/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /usr/bin/bsd-port
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Chronological Activities

Analysis Process: 10000.elf PID: 6239, Parent PID: 6224

General

Start time (UTC):	09:05:55
Start date (UTC):	02/11/2024
Path:	/tmp/10000.elf
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6239, Parent PID: 6224

General

Start time (UTC):	09:05:55
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "cp -f /tmp/10000.elf /usr/bin/bsd-port/knerl"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6240, Parent PID: 6239

General

Start time (UTC):	09:05:55
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 6240, Parent PID: 6239

General

Start time (UTC):	09:05:55
Start date (UTC):	02/11/2024
Path:	/usr/bin/cp
Arguments:	cp -f /tmp/10000.elf /usr/bin/bsd-port/knerl
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: 10000.elf PID: 6241, Parent PID: 6224

General

Start time (UTC):	09:05:56
Start date (UTC):	02/11/2024
Path:	/tmp/10000.elf
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: 10000.elf PID: 6242, Parent PID: 6241

General

Start time (UTC):	09:05:56
Start date (UTC):	02/11/2024
Path:	/tmp/10000.elf
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6242, Parent PID: 6241

General

Start time (UTC):	09:05:56
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c /usr/bin/bsd-port/knerl
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6243, Parent PID: 6242

General

Start time (UTC):	09:05:56
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: knerl PID: 6243, Parent PID: 6242

General

Start time (UTC):	09:05:56
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	/usr/bin/bsd-port/knerl
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: knerl PID: 6244, Parent PID: 6243

General

Start time (UTC):	09:05:56
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: knerl PID: 6249, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6249, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6250, Parent PID: 6249

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6250, Parent PID: 6249

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: knerl PID: 6251, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6251, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6252, Parent PID: 6251

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6252, Parent PID: 6251

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: knerl PID: 6253, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6253, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6256, Parent PID: 6253

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6256, Parent PID: 6253

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: knerl PID: 6258, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6258, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6259, Parent PID: 6258

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6259, Parent PID: 6258

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: knerl PID: 6260, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6260, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6262, Parent PID: 6260

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6262, Parent PID: 6260

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: knerl PID: 6264, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6264, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /usr/bin/dpkgd"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6266, Parent PID: 6264

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: mkdir PID: 6266, Parent PID: 6264

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /usr/bin/dpkgd
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Chronological Activities

Analysis Process: knerl PID: 6268, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6268, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "cp -f /bin/netstat /usr/bin/dpkgd/netstat"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6276, Parent PID: 6268

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 6276, Parent PID: 6268

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/cp
Arguments:	cp -f /bin/netstat /usr/bin/dpkgd/netstat
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: knerl PID: 6277, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6277, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /bin"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6278, Parent PID: 6277

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: mkdir PID: 6278, Parent PID: 6277

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /bin
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Chronological Activities

Analysis Process: knerl PID: 6279, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6279, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "cp -f /usr/bin/bsd-port/knerl /bin/netstat"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6280, Parent PID: 6279

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 6280, Parent PID: 6279

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/cp
Arguments:	cp -f /usr/bin/bsd-port/knerl /bin/netstat
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: knerl PID: 6281, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6281, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "chmod 0755 /bin/netstat"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6282, Parent PID: 6281

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 6282, Parent PID: 6281

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/chmod
Arguments:	chmod 0755 /bin/netstat
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: knerl PID: 6283, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6283, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6284, Parent PID: 6283

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 6284, Parent PID: 6283

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/cp
Arguments:	cp -f /bin/lsof /usr/bin/dpkgd/lsof
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: knerl PID: 6285, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6285, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /bin"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6286, Parent PID: 6285

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: mkdir PID: 6286, Parent PID: 6285

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /bin
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Chronological Activities

Analysis Process: knerl PID: 6287, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6287, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "cp -f /usr/bin/bsd-port/knerl /bin/lsof"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6288, Parent PID: 6287

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 6288, Parent PID: 6287

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/cp
Arguments:	cp -f /usr/bin/bsd-port/knerl /bin/lsof
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: knerl PID: 6289, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6289, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "chmod 0755 /bin/lsof"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6290, Parent PID: 6289

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 6290, Parent PID: 6289

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/chmod
Arguments:	chmod 0755 /bin/lsof
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: knerl PID: 6291, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6291, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6292, Parent PID: 6291

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 6292, Parent PID: 6291

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/cp
Arguments:	cp -f /bin/ps /usr/bin/dpkgd/ps
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: knerl PID: 6295, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6295, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /bin"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6296, Parent PID: 6295

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: mkdir PID: 6296, Parent PID: 6295

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /bin
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Chronological Activities

Analysis Process: knerl PID: 6297, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6297, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "cp -f /usr/bin/bsd-port/knerl /bin/ps"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6298, Parent PID: 6297

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 6298, Parent PID: 6297

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/cp
Arguments:	cp -f /usr/bin/bsd-port/knerl /bin/ps
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: knerl PID: 6299, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6299, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "chmod 0755 /bin/ps"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6300, Parent PID: 6299

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 6300, Parent PID: 6299

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/chmod
Arguments:	chmod 0755 /bin/ps
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: knerl PID: 6301, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6301, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /usr/bin"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6302, Parent PID: 6301

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: mkdir PID: 6302, Parent PID: 6301

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /usr/bin
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Chronological Activities

Analysis Process: knerl PID: 6303, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6303, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/netstat"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6304, Parent PID: 6303

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 6304, Parent PID: 6303

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/cp
Arguments:	cp -f /usr/bin/bsd-port/knerl /usr/bin/netstat
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: knerl PID: 6305, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6305, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "chmod 0755 /usr/bin/netstat"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6306, Parent PID: 6305

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 6306, Parent PID: 6305

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/chmod
Arguments:	chmod 0755 /usr/bin/netstat
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: knerl PID: 6307, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6307, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /usr/bin"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6308, Parent PID: 6307

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: mkdir PID: 6308, Parent PID: 6307

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /usr/bin
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Chronological Activities

Analysis Process: knerl PID: 6309, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6309, Parent PID: 6244

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6310, Parent PID: 6309

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 6310, Parent PID: 6309

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/usr/bin/cp
Arguments:	cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: knerl PID: 6311, Parent PID: 6244

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6311, Parent PID: 6244

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "chmod 0755 /usr/bin/lsof"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6312, Parent PID: 6311

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 6312, Parent PID: 6311

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/usr/bin/chmod
Arguments:	chmod 0755 /usr/bin/lsof
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: knerl PID: 6313, Parent PID: 6244

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6313, Parent PID: 6244

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /usr/bin"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6314, Parent PID: 6313

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: mkdir PID: 6314, Parent PID: 6313

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /usr/bin
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Chronological Activities

Analysis Process: knerl PID: 6315, Parent PID: 6244

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6315, Parent PID: 6244

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/ps"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6316, Parent PID: 6315

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 6316, Parent PID: 6315

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/usr/bin/cp
Arguments:	cp -f /usr/bin/bsd-port/knerl /usr/bin/ps
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: knerl PID: 6317, Parent PID: 6244

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6317, Parent PID: 6244

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "chmod 0755 /usr/bin/ps"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6318, Parent PID: 6317

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 6318, Parent PID: 6317

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/usr/bin/chmod
Arguments:	chmod 0755 /usr/bin/ps
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: knerl PID: 6319, Parent PID: 6244

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/usr/bin/bsd-port/knerl
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6319, Parent PID: 6244

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "insmod /usr/lib/xpacket.ko"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6320, Parent PID: 6319

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: insmod PID: 6320, Parent PID: 6319

General

Start time (UTC):	09:05:59
Start date (UTC):	02/11/2024
Path:	/usr/sbin/insmod
Arguments:	insmod /usr/lib/xpacket.ko
File size:	174424 bytes
MD5 hash:	0b44462b1a40df8039d6d61cfff7ea84

Chronological Activities

Analysis Process: 10000.elf PID: 6245, Parent PID: 6224

General

Start time (UTC):	09:05:56
Start date (UTC):	02/11/2024
Path:	/tmp/10000.elf
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6245, Parent PID: 6224

General

Start time (UTC):	09:05:56
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /usr/bin"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6246, Parent PID: 6245

General

Start time (UTC):	09:05:56
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: mkdir PID: 6246, Parent PID: 6245

General

Start time (UTC):	09:05:57
Start date (UTC):	02/11/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /usr/bin
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Chronological Activities

Analysis Process: 10000.elf PID: 6247, Parent PID: 6224

General

Start time (UTC):	09:05:57
Start date (UTC):	02/11/2024
Path:	/tmp/10000.elf
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6247, Parent PID: 6224

General

Start time (UTC):	09:05:57
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "cp -f /tmp/10000.elf /usr/bin/pythno"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6248, Parent PID: 6247

General

Start time (UTC):	09:05:57
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 6248, Parent PID: 6247

General

Start time (UTC):	09:05:57
Start date (UTC):	02/11/2024
Path:	/usr/bin/cp
Arguments:	cp -f /tmp/10000.elf /usr/bin/pythno
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: 10000.elf PID: 6254, Parent PID: 6224

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/tmp/10000.elf
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: 10000.elf PID: 6255, Parent PID: 6254

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/tmp/10000.elf
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6255, Parent PID: 6254

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c /usr/bin/pythno
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6257, Parent PID: 6255

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pythno PID: 6257, Parent PID: 6255

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/pythno
Arguments:	/usr/bin/pythno
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: pythno PID: 6261, Parent PID: 6257

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/bin/pythno
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: 10000.elf PID: 6263, Parent PID: 6224

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/tmp/10000.elf
Arguments:	-
File size:	339160 bytes
MD5 hash:	8a51a05df6f69f2a6fc4c4e376b65f70

Chronological Activities

Analysis Process: sh PID: 6263, Parent PID: 6224

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	sh -c "insmod /usr/lib/xpacket.ko"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6265, Parent PID: 6263

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: insmod PID: 6265, Parent PID: 6263

General

Start time (UTC):	09:05:58
Start date (UTC):	02/11/2024
Path:	/usr/sbin/insmod
Arguments:	insmod /usr/lib/xpacket.ko
File size:	174424 bytes
MD5 hash:	0b44462b1a40df8039d6d61cfff7ea84

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report 10000.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Spreading

Networking

DDoS

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/init.d/VsystemsshMdt

/etc/init.d/selinux

/tmp/idus.log

/tmp/notify.file

/tmp/vga.conf

/usr/bin/bsd-port/conf.n

/usr/bin/bsd-port/knerl

/usr/bin/bsd-port/knerl.conf

/usr/bin/dpkgd/lsof

/usr/bin/dpkgd/netstat

/usr/bin/dpkgd/ps

/usr/bin/lsof

/usr/bin/netstat

/usr/bin/ps

/usr/bin/pythno

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: 10000.elf PID: 6223, Parent PID: 6144

General

Chronological Activities

Linux Analysis Report
10000.elf