Linux Analysis Report
c1.php

Overview

General Information

Sample name:c1.php
Analysis ID:1559579
MD5:6a68768c7f6cfdece23f0a0a7e52459f
SHA1:06fb75d44661e5594f2232a3d9df2193624a5ecc
SHA256:e15cb76a4b1c24809328b1405766b00ac3e3b629fc3c8974efd61a677fbb821c

Detection

Score:3
Range:0 - 100
Whitelisted:false

Signatures

Compiles software using common tools
Creates hidden files and/or directories
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Executes the "python" command used to interpret Python scripts
Executes the "wget" command typically used for HTTP/S downloading
Reads the 'hosts' file potentially containing internal network hosts
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1559579
Start date and time:2024-11-20 17:24:13 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 43s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 88.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:default
Sample name:c1.php
Detection:CLEAN
Classification:clean3.linPHP@0/0@1/0
  • VT rate limit hit for: c1.php
Command:php "/tmp/c1.php"
PID:4677
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
<!DOCTYPE html>
<html>
<head>
<title>404</title>
<link rel="stylesheet" href="https://rawcdn.githack.com/Jenderal92/Blog-Gan/63073e604b81df6337c1917990a7330d46b22ae9/ganteng.css">
</head>
<body>
<div class="container">
<h1>[ Avaa Bypassed ]</h1>

<div class="menu-icon" onclick="toggleSidebar()"></div>
<hr>
<div class="button-container">
<form method="post" style="display: inline-block;">
<input type="submit" name="Summon" value="Adminer" class="summon-button">
</form>
<button type="button" onclick="window.location.href='?gas'" class="summon-button">Mail Test</button>
<button type="button" onclick="window.location.href='?do=bc'" class="summon-button">BC</button>
<button type="button" onclick="window.location.href='?dir=/tmp&goo=config'" class="summon-button">Config</button>
</div>
<hr>
<select onchange="location.href = this.value;">
<option value="" selected disabled>Create File Or Folder</option>
<option value="?dir=/tmp&create=file">Create File</option>
<option value="?dir=/tmp&create=folder">Create Folder</option>
</select>
<select onchange="location.href = this.value;">
<option value="" selected disabled>Zipping</option>
<option value="?dir=/tmp&hahay=unzip" >Un ZIP</option>
<option value="?dir=/tmp&hahay=extract_zip" >Extract ZIP</option>
</select>



<hr>


<div class="upload-cmd-container">
<div class="upload-form">
<h2>Upload:</h2>
<form method="post" enctype="multipart/form-data">
<input type="file" name="file">
<button class="button" type="submit" name="upload">Upload</button>
</form>
</div>

<div class="cmd-form">
<h2>Command:</h2>
<form method="post">
root@: ~ $<input type='text' size='30' height='10' name='cmd'>
<input type="submit" class="empty-button">

</form>
</div>
</div>




<hr>
</div>

<center><h2>Filemanager</h2> <div class="breadcrumb">
DIR : <a href="?dir=/">/</a>
<a href="?dir=%2Ftmp">tmp</a>/
</div>
<table>
<tr>
<th>Name</th>
<th>Type</th>
<th>Size</th>
<th>Permission</th>
<th>Actions</th>
</tr>
<tr>
<td>
<svg style="width: 20px; height: 20px; margin-right: 5px;" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="10"></circle>
<line x1="12" y1="16" x2="12" y2="12"></line>
<line x1="12" y1="8" x2="12" y2="8"></line>
</svg>
<a href="?dir=%2Ftmp%2F.ICE-unix">.ICE-unix</a></td>

<td>
Folder</td>
<td></td>
<td>
<span style="color: green">1777</span>
</td>
<td>

<div class="dropdown">
<select onchange="location.href = this.value;">
<option value="" selected disabled>Action : </option>
<option value="?dir=%2Ftmp&rename=.ICE-unix">Rename</option>
<option value="?dir=%2Ftmp&chmod=.ICE-unix">Chmod</option>
<option value="?dir=%2Ftmp&delete=.ICE-unix">Delete</option>
</select>
</div>
</td>
</tr>
<tr>
<td>
<svg style="width: 20px; height: 20px; margin-right: 5px;" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="10"></circle>
<line x1="12" y1="16" x2="12" y2="12"></line>
<line x1="12" y1="8" x2="12" y2="8"></line>
</svg>
<a href="?dir=%2Ftmp%2F.Test-unix">.Test-unix</a></td>

<td>
Folder</td>
<td></td>
<td>
<span style="color: green">1777</span>
</td>
<td>

<div class="dropdown">
<select onchange="location.href = this.value;">
<option value="" selected disabled>Action : </option>
<option value="?dir=%2Ftmp&rename=.Test-unix">Rename</option>
<option value="?dir=%2Ftmp&chmod=.Test-unix">Chmod</option>
<option value="?dir=%2Ftmp&delete=.Test-unix">Delete</option>
</select>
</div>
</td>
</tr>
<tr>
<td>
<svg style="width: 20px; height: 20px; margin-right: 5px;" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="10"></circle>
<line x1="12" y1="16" x2="12" y2="12"></line>
<line x1="12" y1="8" x2="12" y2="8"></line>
</svg>
<a href="?dir=%2Ftmp%2F.X11-unix">.X11-unix</a></td>

<td>
Folder</td>
<td></td>
<td>
<span style="color: green">1777</span>
</td>
<td>

<div class="dropdown">
<select onchange="location.href = this.value;">
<option value="" selected disabled>Action : </option>
<option value="?dir=%2Ftmp&rename=.X11-unix">Rename</option>
<option value="?dir=%2Ftmp&chmod=.X11-unix">Chmod</option>
<option value="?dir=%2Ftmp&delete=.X11-unix">Delete</option>
</select>
</div>
</td>
</tr>
<tr>
<td>
<svg style="width: 20px; height: 20px; margin-right: 5px;" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="10"></circle>
<line x1="12" y1="16" x2="12" y2="12"></line>
<line x1="12" y1="8" x2="12" y2="8"></line>
</svg>
<a href="?dir=%2Ftmp%2F.XIM-unix">.XIM-unix</a></td>

<td>
Folder</td>
<td></td>
<td>
<span style="color: green">1777</span>
</td>
<td>

<div class="dropdown">
<select onchange="location.href = this.value;">
<option value="" selected disabled>Action : </option>
<option value="?dir=%2Ftmp&rename=.XIM-unix">Rename</option>
<option value="?dir=%2Ftmp&chmod=.XIM-unix">Chmod</option>
<option value="?dir=%2Ftmp&delete=.XIM-unix">Delete</option>
</select>
</div>
</td>
</tr>
<tr>
<td>
<svg style="width: 20px; height: 20px; margin-right: 5px;" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="10"></circle>
<line x1="12" y1="16" x2="12" y2="12"></line>
<line x1="12" y1="8" x2="12" y2="8"></line>
</svg>
<a href="?dir=%2Ftmp%2F.font-unix">.font-unix</a></td>

<td>
Folder</td>
<td></td>
<td>
<span style="color: green">1777</span>
</td>
<td>

<div class="dropdown">
<select onchange="location.href = this.value;">
<option value="" selected disabled>Action : </option>
<option value="?dir=%2Ftmp&rename=.font-unix">Rename</option>
<option value="?dir=%2Ftmp&chmod=.font-unix">Chmod</option>
<option value="?dir=%2Ftmp&delete=.font-unix">Delete</option>
</select>
</div>
</td>
</tr>
<tr>
<td>
<svg style="width: 20px; height: 20px; margin-right: 5px;" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="10"></circle>
<line x1="12" y1="16" x2="12" y2="12"></line>
<line x1="12" y1="8" x2="12" y2="8"></line>
</svg>
<a href="?dir=%2Ftmp%2Fhsperfdata_root">hsperfdata_root</a></td>

<td>
Folder</td>
<td></td>
<td>
<span style="color: green">0755</span>
</td>
<td>

<div class="dropdown">
<select onchange="location.href = this.value;">
<option value="" selected disabled>Action : </option>
<option value="?dir=%2Ftmp&rename=hsperfdata_root">Rename</option>
<option value="?dir=%2Ftmp&chmod=hsperfdata_root">Chmod</option>
<option value="?dir=%2Ftmp&delete=hsperfdata_root">Delete</option>
</select>
</div>
</td>
</tr>
<tr>
<td>
<svg style="width: 20px; height: 20px; margin-right: 5px;" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="10"></circle>
<line x1="12" y1="16" x2="12" y2="12"></line>
<line x1="12" y1="8" x2="12" y2="8"></line>
</svg>
<a href="?dir=%2Ftmp%2Fsystemd-private-630b3cc4c898474bae1eba000e7d4bb0-rtkit-daemon.service-gXJBUo">systemd-private-630b3cc4c898474bae1eba000e7d4bb0-rtkit-daemon.service-gXJBUo</a></td>

<td>
Folder</td>
<td></td>
<td>
<span style="color: green">0700</span>
</td>
<td>

<div class="dropdown">
<select onchange="location.href = this.value;">
<option value="" selected disabled>Action : </option>
<option value="?dir=%2Ftmp&rename=systemd-private-630b3cc4c898474bae1eba000e7d4bb0-rtkit-daemon.service-gXJBUo">Rename</option>
<option value="?dir=%2Ftmp&chmod=systemd-private-630b3cc4c898474bae1eba000e7d4bb0-rtkit-daemon.service-gXJBUo">Chmod</option>
<option value="?dir=%2Ftmp&delete=systemd-private-630b3cc4c898474bae1eba000e7d4bb0-rtkit-daemon.service-gXJBUo">Delete</option>
</select>
</div>
</td>
</tr>
<tr>
<td>
<svg style="width: 20px; height: 20px; margin-right: 5px;" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="10"></circle>
<line x1="12" y1="16" x2="12" y2="12"></line>
<line x1="12" y1="8" x2="12" y2="8"></line>
</svg>
<a href="?dir=%2Ftmp%2Fsystemd-private-630b3cc4c898474bae1eba000e7d4bb0-systemd-timedated.service-aU6XnT">systemd-private-630b3cc4c898474bae1eba000e7d4bb0-systemd-timedated.service-aU6XnT</a></td>

<td>
Folder</td>
<td></td>
<td>
<span style="color: green">0700</span>
</td>
<td>

<div class="dropdown">
<select onchange="location.href = this.value;">
<option value="" selected disabled>Action : </option>
<option value="?dir=%2Ftmp&rename=systemd-private-630b3cc4c898474bae1eba000e7d4bb0-systemd-timedated.service-aU6XnT">Rename</option>
<option value="?dir=%2Ftmp&chmod=systemd-private-630b3cc4c898474bae1eba000e7d4bb0-systemd-timedated.service-aU6XnT">Chmod</option>
<option value="?dir=%2Ftmp&delete=systemd-private-630b3cc4c898474bae1eba000e7d4bb0-systemd-timedated.service-aU6XnT">Delete</option>
</select>
</div>
</td>
</tr>
<tr>
<td>
<svg style="width: 20px; height: 20px; margin-right: 5px;" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="10"></circle>
<line x1="12" y1="16" x2="12" y2="12"></line>
<line x1="12" y1="8" x2="12" y2="8"></line>
</svg>
<a href="?dir=%2Ftmp%2Fvmware-root">vmware-root</a></td>

<td>
Folder</td>
<td></td>
<td>
<span style="color: green">0700</span>
</td>
<td>

<div class="dropdown">
<select onchange="location.href = this.value;">
<option value="" selected disabled>Action : </option>
<option value="?dir=%2Ftmp&rename=vmware-root">Rename</option>
<option value="?dir=%2Ftmp&chmod=vmware-root">Chmod</option>
<option value="?dir=%2Ftmp&delete=vmware-root">Delete</option>
</select>
</div>
</td>
</tr>
<tr>
<td>
<svg style="width: 20px; height: 20px; margin-right: 5px;" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="10"></circle>
<line x1="12" y1="16" x2="12" y2="12"></line>
<line x1="12" y1="8" x2="12" y2="8"></line>
</svg>
<a href="?dir=%2Ftmp&amp;read=%2Ftmp%2F.X0-lock">.X0-lock</a></td>

<td>
File</td>
<td>11 B</td>
<td>
<span style="color: green">0444</span>
</td>
<td>

<div class="dropdown">
<select onchange="location.href = this.value;">
<option value="" selected disabled>Action : </option>
<option value="?dir=%2Ftmp&edit=%2Ftmp%2F.X0-lock">Edit</option>
<option value="?dir=%2Ftmp&rename=.X0-lock">Rename</option>
<option value="?dir=%2Ftmp&chmod=.X0-lock">Chmod</option>
<option value="?dir=%2Ftmp&delete=.X0-lock">Delete</option>
</select>
</div>
</td>
</tr>
<tr>
<td>
<svg style="width: 20px; height: 20px; margin-right: 5px;" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="10"></circle>
<line x1="12" y1="16" x2="12" y2="12"></line>
<line x1="12" y1="8" x2="12" y2="8"></line>
</svg>
<a href="?dir=%2Ftmp&amp;read=%2Ftmp%2F.xfsm-ICE-TWMPB2">.xfsm-ICE-TWMPB2</a></td>

<td>
File</td>
<td>406 B</td>
<td>
<span style="color: green">0600</span>
</td>
<td>

<div class="dropdown">
<select onchange="location.href = this.value;">
<option value="" selected disabled>Action : </option>
<option value="?dir=%2Ftmp&edit=%2Ftmp%2F.xfsm-ICE-TWMPB2">Edit</option>
<option value="?dir=%2Ftmp&rename=.xfsm-ICE-TWMPB2">Rename</option>
<option value="?dir=%2Ftmp&chmod=.xfsm-ICE-TWMPB2">Chmod</option>
<option value="?dir=%2Ftmp&delete=.xfsm-ICE-TWMPB2">Delete</option>
</select>
</div>
</td>
</tr>
<tr>
<td>
<svg style="width: 20px; height: 20px; margin-right: 5px;" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="10"></circle>
<line x1="12" y1="16" x2="12" y2="12"></line>
<line x1="12" y1="8" x2="12" y2="8"></line>
</svg>
<a href="?dir=%2Ftmp&amp;read=%2Ftmp%2Fc1.php">c1.php</a></td>

<td>
File</td>
<td>177.21 KB</td>
<td>
<span style="color: green">0777</span>
</td>
<td>

<div class="dropdown">
<select onchange="location.href = this.value;">
<option value="" selected disabled>Action : </option>
<option value="?dir=%2Ftmp&edit=%2Ftmp%2Fc1.php">Edit</option>
<option value="?dir=%2Ftmp&rename=c1.php">Rename</option>
<option value="?dir=%2Ftmp&chmod=c1.php">Chmod</option>
<option value="?dir=%2Ftmp&delete=c1.php">Delete</option>
</select>
</div>
</td>
</tr>
<tr>
<td>
<svg style="width: 20px; height: 20px; margin-right: 5px;" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="10"></circle>
<line x1="12" y1="16" x2="12" y2="12"></line>
<line x1="12" y1="8" x2="12" y2="8"></line>
</svg>
<a href="?dir=%2Ftmp&amp;read=%2Ftmp%2Fconfig-err-Tiv1RD">config-err-Tiv1RD</a></td>

<td>
File</td>
<td>0 B</td>
<td>
<span style="color: green">0600</span>
</td>
<td>

<div class="dropdown">
<select onchange="location.href = this.value;">
<option value="" selected disabled>Action : </option>
<option value="?dir=%2Ftmp&edit=%2Ftmp%2Fconfig-err-Tiv1RD">Edit</option>
<option value="?dir=%2Ftmp&rename=config-err-Tiv1RD">Rename</option>
<option value="?dir=%2Ftmp&chmod=config-err-Tiv1RD">Chmod</option>
<option value="?dir=%2Ftmp&delete=config-err-Tiv1RD">Delete</option>
</select>
</div>
</td>
</tr>
<tr>
<td>
<svg style="width: 20px; height: 20px; margin-right: 5px;" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="10"></circle>
<line x1="12" y1="16" x2="12" y2="12"></line>
<line x1="12" y1="8" x2="12" y2="8"></line>
</svg>
<a href="?dir=%2Ftmp&amp;read=%2Ftmp%2Fdmesgtail.log">dmesgtail.log</a></td>

<td>
File</td>
<td>283 B</td>
<td>
<span style="color: green">0777</span>
</td>
<td>

<div class="dropdown">
<select onchange="location.href = this.value;">
<option value="" selected disabled>Action : </option>
<option value="?dir=%2Ftmp&edit=%2Ftmp%2Fdmesgtail.log">Edit</option>
<option value="?dir=%2Ftmp&rename=dmesgtail.log">Rename</option>
<option value="?dir=%2Ftmp&chmod=dmesgtail.log">Chmod</option>
<option value="?dir=%2Ftmp&delete=dmesgtail.log">Delete</option>
</select>
</div>
</td>
</tr>
</table>
</center> </div>

<div class="sidebar" id="sidebar">
<div class="sidebar-content">
<div class="sidebar-close">
<button onclick="toggleSidebar()">Close</button>
</div>
<div class="info-container">
<h2>Server Info</h2>

<ul class="info-list">
<li>Hostname: ubuntu</li>
<li>PHP Version: 7.0.33-0ubuntu0.16.04.4</li>
<li>Server Software: </li>
<li>HDD Total Space: 8.78 GB</li>
<li>HDD Free Space: 3.4 GB</li>
<li>Total Domains in Server: 0</li>
<li>System: Linux ubuntu 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64</li>
</ul>
</div>


<div class="info-container">
<h2>System Info</h2>
<ul class="info-list">

<label for="feature-select">Select Feature:</label>
<select id="feature-select">
<option value="Safe Mode">Safe Mode: Disabled</option>
<option value="Disable Functions">Disable Functions: </option>
<option value="GCC">GCC: On</option>
<option value="Perl">Perl: On</option>
<option value="Python Version">Python Version: Off</option>
<option value="PKEXEC Version">PKEXEC Version: On (pkexec version 0.105
)</option>
<option value="Curl">Curl: On</option>
<option value="Wget">Wget: On</option>
<option value="Mysql">Mysql: Off</option>
<option value="Ftp">Ftp: Off</option>
<option value="Ssh">Ssh: Off</option>
<option value="Mail">Mail: Off</option>
<option value="cron">cron: Off</option>
<option value="SendMail">SendMail: Off</option>
</select>
</ul>
</div>

<div class="info-container">
<h2>User Info</h2>
<ul class="info-list">
<li>Username: root</li>
<li>User ID: 0</li>
<li>Group ID: 0</li>
</ul>
</div>
</div>
</div>
<script>
function toggleOptionsMenu() {
var optionsMenu = document.getElementById('optionsMenu');
optionsMenu.classList.toggle('show');
}

function toggleSidebar() {
var sidebar = document.getElementById('sidebar');
sidebar.classList.toggle('open');
}
</script>
</div>
<div class="footer">
<p>&copy; 2024 <a href="https://www.blog-gan.org/">Coded By</a> Avaa Code.</p>
</div>
</body>
</html>
Standard Error:PHP Notice: Undefined variable: z in /tmp/c1.php on line 2
Python 2.7.12
sh: 1: mysql: not found
sh: 1: ftp: not found
unknown option -- -
usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-E log_file] [-e escape_char]
[-F configfile] [-I pkcs11] [-i identity_file] [-L address]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-Q query_option] [-R address] [-S ctl_path] [-W host:port]
[-w local_tun[:remote_tun]] [user@]hostname [command]
sh: 1: mail: not found
cron: invalid option -- '-'
usage: cron
sh: 1: sendmail: not found
  • system is lnxubuntu1
  • php (PID: 4677, Parent: 4583, MD5: dfdca72c2ef9d3295a7b0703027330c1) Arguments: /usr/bin/php /tmp/c1.php
    • php New Fork (PID: 4684, Parent: 4677)
    • dash (PID: 4684, Parent: 4677, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "gcc --version"
      • dash New Fork (PID: 4685, Parent: 4684)
      • gcc (PID: 4685, Parent: 4684, MD5: e6f247b5be7f94b21850d0838afbb7bc) Arguments: gcc --version
    • php New Fork (PID: 4693, Parent: 4677)
    • dash (PID: 4693, Parent: 4677, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "perl --version"
      • dash New Fork (PID: 4698, Parent: 4693)
      • perl (PID: 4698, Parent: 4693, MD5: 3bff1a7d2eef76ecdd800360d896366b) Arguments: perl --version
    • php New Fork (PID: 4710, Parent: 4677)
    • dash (PID: 4710, Parent: 4677, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "python --version"
      • dash New Fork (PID: 4712, Parent: 4710)
      • python (PID: 4712, Parent: 4710, MD5: fdfa6acc26b1a187ba86772f74812876) Arguments: python --version
    • php New Fork (PID: 4720, Parent: 4677)
    • dash (PID: 4720, Parent: 4677, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "pkexec --version"
      • dash New Fork (PID: 4726, Parent: 4720)
      • pkexec (PID: 4726, Parent: 4720, MD5: 08328503c3dafada668903d0a094f11f) Arguments: pkexec --version
    • php New Fork (PID: 4740, Parent: 4677)
    • dash (PID: 4740, Parent: 4677, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "curl --version"
      • dash New Fork (PID: 4743, Parent: 4740)
      • curl (PID: 4743, Parent: 4740, MD5: 3ed0bf9e05e319049a9a40e645ef4b73) Arguments: curl --version
    • php New Fork (PID: 4754, Parent: 4677)
    • dash (PID: 4754, Parent: 4677, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "wget --version"
      • dash New Fork (PID: 4755, Parent: 4754)
      • wget (PID: 4755, Parent: 4754, MD5: acaead6d3c5bcc35a12ab496fa834365) Arguments: wget --version
    • php New Fork (PID: 4762, Parent: 4677)
    • dash (PID: 4762, Parent: 4677, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "mysql --version"
    • php New Fork (PID: 4769, Parent: 4677)
    • dash (PID: 4769, Parent: 4677, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "ftp --version"
    • php New Fork (PID: 4778, Parent: 4677)
    • dash (PID: 4778, Parent: 4677, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "ssh --version"
      • dash New Fork (PID: 4781, Parent: 4778)
      • ssh (PID: 4781, Parent: 4778, MD5: 1364a38b48fc80f887f7071720836346) Arguments: ssh --version
    • php New Fork (PID: 4796, Parent: 4677)
    • dash (PID: 4796, Parent: 4677, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "mail --version"
    • php New Fork (PID: 4797, Parent: 4677)
    • dash (PID: 4797, Parent: 4677, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "cron --version"
      • dash New Fork (PID: 4798, Parent: 4797)
      • cron (PID: 4798, Parent: 4797, MD5: 162d6f607a789827ab83f6393c566acf) Arguments: cron --version
    • php New Fork (PID: 4799, Parent: 4677)
    • dash (PID: 4799, Parent: 4677, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "sendmail --version"
  • cleanup
No yara matches
No Suricata rule has matched

Source: /bin/dash (PID: 4755); Wget executable: /usr/bin/wget -> wget --version
Source: /usr/bin/php (PID: 4677); Reads hosts file: /etc/hosts
Source: global traffic; DNS traffic detected: DNS query:
Source: classification engine; Classification label: clean3.linPHP@0/0@1/0
Source: /bin/dash (PID: 4685); Systemctl executable: /usr/bin/gcc -> gcc --version
Source: /usr/bin/curl (PID: 4743); Directory: /home/james/.curlrc
Source: /bin/dash (PID: 4743); Curl executable: /usr/bin/curl -> curl --version
Source: /bin/dash (PID: 4712); Python executable: /usr/bin/python -> python --version
Source: submitted sample; Stderr: as listed under Standard Error above; exit code = 0
Source: /usr/bin/php (PID: 4677); Queries kernel information via 'uname'
MITRE ATT&CK Matrix (tactic: techniques as listed in the report; the number in parentheses is the count the report shows beside a technique)

Reconnaissance: Gather Victim Identity Information; Credentials
Resource Development: Scripting (1); Domains
Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Scripting (1); Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Hidden Files and Directories (1); Rootkit
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: Security Software Discovery (1); File and Directory Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Command and Control: Non-Application Layer Protocol (1); Application Layer Protocol (11)
Exfiltration: Exfiltration Over Alternative Protocol (1); Exfiltration Over Bluetooth
Impact: Abuse Accessibility Features; Network Denial of Service
No configs have been found
Behavior Graph (ID: 1559579; Sample: c1.php; Startdate: 20/11/2024; Architecture: LINUX; Score: 3)

  • php (started by the sample) -> dash (three instances) and 9 other processes; one DNS/IP node
  • dash -> gcc, perl, python, pkexec, curl, wget and 2 other processes
Source: c1.php; Detection: 0%; Scanner: ReversingLabs; Label: ; Link:
No Antivirus matches
No contacted domains info
No contacted IP infos
No context
No created / dropped files found
File type:PHP script, ASCII text
Entropy (8bit):4.4859831414848275
TrID:
    File name:c1.php
    File size:181'468 bytes
    MD5:6a68768c7f6cfdece23f0a0a7e52459f
    SHA1:06fb75d44661e5594f2232a3d9df2193624a5ecc
    SHA256:e15cb76a4b1c24809328b1405766b00ac3e3b629fc3c8974efd61a677fbb821c
    SHA512:9777c7ce9d6b259a701eb89ccaae7e0c0d87b7eee642099719c6bbccad1ae493b3c48344eb1172cf32cfdc015764bf777309a35bd3035cbef8164d89cb99c05d
    SSDEEP:1536:1PP/WT49Y9WqJ8ll6TJufgrFu0F30QA7VeZGBAZY10J:1H6vKb6EgZE30ZGOYKJ
    TLSH:01041DF719052F5F42601F21FCDD240ECAF52866EAAD1B95D42B3DEC23EA90CDA61817
    File Content Preview:<?php.$z .= "DQpA";.$z .= "aW5p";.$z .= "X3Nl";.$z .= "dCgn";.$z .= "ZXJy";.$z .= "b3Jf";.$z .= "bG9n";.$z .= "Jywg";.$z .= "TlVM";.$z .= "TCk7";.$z .= "DQpA";.$z .= "aW5p";.$z .= "X3Nl";.$z .= "dCgn";.$z .= "bG9n";.$z .= "X2Vy";.$z .= "cm9y";.$z .= "cycs
    Timestamp: Nov 20, 2024 17:24:48.674849033 CET; Source Port: 48361; Dest Port: 53; Source IP: 192.168.2.20; Dest IP: 8.8.8.8
    Timestamp: Nov 20, 2024 17:24:48.808690071 CET; Source Port: 53; Dest Port: 48361; Source IP: 8.8.8.8; Dest IP: 192.168.2.20

    Timestamp: Nov 20, 2024 17:24:48.674849033 CET; Source IP: 192.168.2.20; Dest IP: 8.8.8.8; Trans ID: 0xd69; OP Code: Standard query (0); Name: ; Type: 256; Class: 256; DNS over HTTPS: false

    System Behavior

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/usr/bin/php
    Arguments:/usr/bin/php /tmp/c1.php
    File size:21 bytes
    MD5 hash:dfdca72c2ef9d3295a7b0703027330c1

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/usr/bin/php
    Arguments:-
    File size:21 bytes
    MD5 hash:dfdca72c2ef9d3295a7b0703027330c1

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:sh -c "gcc --version"
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:-
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/usr/bin/gcc
    Arguments:gcc --version
    File size:5 bytes
    MD5 hash:e6f247b5be7f94b21850d0838afbb7bc

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/usr/bin/php
    Arguments:-
    File size:21 bytes
    MD5 hash:dfdca72c2ef9d3295a7b0703027330c1

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:sh -c "perl --version"
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:-
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/usr/bin/perl
    Arguments:perl --version
    File size:1911288 bytes
    MD5 hash:3bff1a7d2eef76ecdd800360d896366b

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/usr/bin/php
    Arguments:-
    File size:21 bytes
    MD5 hash:dfdca72c2ef9d3295a7b0703027330c1

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:sh -c "python --version"
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:-
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/usr/bin/python
    Arguments:python --version
    File size:9 bytes
    MD5 hash:fdfa6acc26b1a187ba86772f74812876

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/usr/bin/php
    Arguments:-
    File size:21 bytes
    MD5 hash:dfdca72c2ef9d3295a7b0703027330c1

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:sh -c "pkexec --version"
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:-
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/usr/bin/pkexec
    Arguments:pkexec --version
    File size:23376 bytes
    MD5 hash:08328503c3dafada668903d0a094f11f

    Start time (UTC):16:24:47
    Start date (UTC):20/11/2024
    Path:/usr/bin/php
    Arguments:-
    File size:21 bytes
    MD5 hash:dfdca72c2ef9d3295a7b0703027330c1

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:sh -c "curl --version"
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:-
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/usr/bin/curl
    Arguments:curl --version
    File size:190408 bytes
    MD5 hash:3ed0bf9e05e319049a9a40e645ef4b73

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/usr/bin/php
    Arguments:-
    File size:21 bytes
    MD5 hash:dfdca72c2ef9d3295a7b0703027330c1

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:sh -c "wget --version"
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:-
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/usr/bin/wget
    Arguments:wget --version
    File size:474656 bytes
    MD5 hash:acaead6d3c5bcc35a12ab496fa834365

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/usr/bin/php
    Arguments:-
    File size:21 bytes
    MD5 hash:dfdca72c2ef9d3295a7b0703027330c1

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:sh -c "mysql --version"
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/usr/bin/php
    Arguments:-
    File size:21 bytes
    MD5 hash:dfdca72c2ef9d3295a7b0703027330c1

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:sh -c "ftp --version"
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/usr/bin/php
    Arguments:-
    File size:21 bytes
    MD5 hash:dfdca72c2ef9d3295a7b0703027330c1

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:sh -c "ssh --version"
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:-
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/usr/bin/ssh
    Arguments:ssh --version
    File size:707248 bytes
    MD5 hash:1364a38b48fc80f887f7071720836346

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/usr/bin/php
    Arguments:-
    File size:21 bytes
    MD5 hash:dfdca72c2ef9d3295a7b0703027330c1

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:sh -c "mail --version"
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/usr/bin/php
    Arguments:-
    File size:21 bytes
    MD5 hash:dfdca72c2ef9d3295a7b0703027330c1

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:sh -c "cron --version"
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:-
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/usr/sbin/cron
    Arguments:cron --version
    File size:4472 bytes
    MD5 hash:162d6f607a789827ab83f6393c566acf

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/usr/bin/php
    Arguments:-
    File size:21 bytes
    MD5 hash:dfdca72c2ef9d3295a7b0703027330c1

    Start time (UTC):16:24:48
    Start date (UTC):20/11/2024
    Path:/bin/dash
    Arguments:sh -c "sendmail --version"
    File size:154072 bytes
    MD5 hash:e02ea3c3450d44126c46d658fa9e654c