Linux Analysis Report
c1.php

Overview

General Information

Sample name: c1.php
Analysis ID: 1559579
MD5: 6a68768c7f6cfdece23f0a0a7e52459f
SHA1: 06fb75d44661e5594f2232a3d9df2193624a5ecc
SHA256: e15cb76a4b1c24809328b1405766b00ac3e3b629fc3c8974efd61a677fbb821c
Detection

Score: 3
Range: 0 - 100
Whitelisted: false

Signatures

Compiles software using common tools
Creates hidden files and/or directories
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Executes the "python" command used to interpret Python scripts
Executes the "wget" command typically used for HTTP/S downloading
Reads the 'hosts' file potentially containing internal network hosts
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Source: /bin/dash (PID: 4755) Wget executable: /usr/bin/wget -> wget --version
Source: /usr/bin/php (PID: 4677) Reads hosts file: /etc/hosts
Source: global traffic DNS traffic detected: DNS query:
Source: classification engine Classification label: clean3.linPHP@0/0@1/0
Source: /bin/dash (PID: 4685) Systemctl executable: /usr/bin/gcc -> gcc --version
Source: /usr/bin/curl (PID: 4743) Directory: /home/james/.curlrc
Source: /bin/dash (PID: 4743) Curl executable: /usr/bin/curl -> curl --version
Source: /bin/dash (PID: 4712) Python executable: /usr/bin/python -> python --version
Source: submitted sample Stderr:
    PHP Notice: Undefined variable: z in /tmp/c1.php on line 2
    Python 2.7.12
    sh: 1: mysql: not found
    sh: 1: ftp: not found
    unknown option -- -
    usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-L address] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command]
    sh: 1: mail: not found
    cron: invalid option -- '-'
    usage: cron
    sh: 1: sendmail: not found
    : exit code = 0
Source: /usr/bin/php (PID: 4677) Queries kernel information via 'uname':
No contacted IP infos