Linux
Analysis Report
conf.png
Overview
General Information
Sample name: | conf.png |
Analysis ID: | 1645160 |
MD5: | 65234357f9c2f318acac81d881bb27f2 |
SHA1: | f9094f8226f694dce08d02b96101dfed94097e74 |
SHA256: | cef751cdfbabbdde4670d99eece963b1730da16da4f60f985c41c93d2d0ea7eb |
Infos: |
Detection
Score: | 84 |
Range: | 0 - 100 |
Signatures
Classification
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1645160 |
Start date and time: | 2025-03-21 14:38:38 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 41s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Sample name: | conf.png |
Detection: | MAL |
Classification: | mal84.troj.evad.linPNG@0/5@0/0 |
Command: | /tmp/conf.png |
PID: | 6211 |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | |
Standard Error: |
- system is lnxubuntu20
- conf.png New Fork (PID: 6213, Parent: 6211)
- conf.png New Fork (PID: 6215, Parent: 6213)
- sh New Fork (PID: 6217, Parent: 6215)
- conf.png New Fork (PID: 6218, Parent: 6213)
- sh New Fork (PID: 6220, Parent: 6218)
- conf.png New Fork (PID: 6221, Parent: 6213)
- sh New Fork (PID: 6223, Parent: 6221)
- conf.png New Fork (PID: 6224, Parent: 6213)
- conf.png New Fork (PID: 6231, Parent: 6213)
- conf.png New Fork (PID: 6237, Parent: 6213)
- sh New Fork (PID: 6242, Parent: 6237)
- conf.png New Fork (PID: 6243, Parent: 6213)
- sh New Fork (PID: 6248, Parent: 6243)
- conf.png New Fork (PID: 6249, Parent: 6213)
- conf.png New Fork (PID: 6256, Parent: 6213)
- conf.png New Fork (PID: 6261, Parent: 6213)
- sh New Fork (PID: 6266, Parent: 6261)
- conf.png New Fork (PID: 6267, Parent: 6213)
- sh New Fork (PID: 6272, Parent: 6267)
- conf.png New Fork (PID: 6273, Parent: 6213)
- sh New Fork (PID: 6278, Parent: 6273)
- conf.png New Fork (PID: 6279, Parent: 6213)
- sh New Fork (PID: 6284, Parent: 6279)
- conf.png New Fork (PID: 6285, Parent: 6213)
- sh New Fork (PID: 6291, Parent: 6285)
- conf.png New Fork (PID: 6292, Parent: 6213)
- sh New Fork (PID: 6297, Parent: 6292)
- dash New Fork (PID: 6355, Parent: 4331)
- dash New Fork (PID: 6356, Parent: 4331)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Tsunami | No Attribution |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Linux_Trojan_Tsunami_97288af8 | unknown | unknown |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Tsunami | Yara detected Tsunami | Joe Security | ||
Linux_Trojan_Tsunami_ad60d7e8 | unknown | unknown |
| |
LinuxTsunami | unknown | unknown |
| |
JoeSecurity_Tsunami | Yara detected Tsunami | Joe Security | ||
Linux_Trojan_Tsunami_ad60d7e8 | unknown | unknown |
| |
- AV Detection
- Networking
- System Summary
- Persistence and Installation Behavior
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Stealing of Sensitive Information
- Remote Access Functionality
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | TCP traffic: | ||
Source: | Socket: | Jump to behavior |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
System Summary |
---|
Source: | Matched rule: | ||
Source: | Program segment: |
Source: | Matched rule: | ||
Source: | Classification label: |
Persistence and Installation Behavior |
---|
Source: | Crontab executable: | Jump to behavior | ||
Source: | Crontab executable: | Jump to behavior |
Source: | Touch executable uses timestamp modification options: | Jump to behavior | ||
Source: | Touch executable uses timestamp modification options: | Jump to behavior |
Source: | File: | Jump to behavior | ||
Source: | File: | Jump to behavior |
Source: | File: | Jump to behavior | ||
Source: | File: | Jump to behavior | ||
Source: | Directory: | Jump to behavior |
Source: | Empty hidden file: | Jump to behavior |
Source: | Shell command executed: | Jump to behavior | ||
Source: | Chmod executable: | Jump to behavior |
Source: | Grep executable: | Jump to behavior | ||
Source: | Rm executable: | Jump to behavior | ||
Source: | Touch executable: | Jump to behavior | ||
Source: | Touch executable: | Jump to behavior |
Source: | Reads version info: | Jump to behavior |
Source: | File: | Jump to behavior |
Source: | Submission file: |
Source: | Queries kernel information via 'uname': | Jump to behavior | ||
Source: | Binary or memory string: | ||
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Hide Artifacts | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Scripting | Boot or Logon Initialization Scripts | 2 File and Directory Permissions Modification | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Hidden Files and Directories | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Indicator Removal | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
61% | Virustotal | Browse | ||
54% | ReversingLabs | Linux.Trojan.Tsunami | ||
100% | Avira | LINUX/Tsunami.tfrtv |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
54.171.230.55 | unknown | United States | 16509 | AMAZON-02US | false | |
147.252.1.254 | unknown | Ireland | 1213 | HEANETIE | false | |
216.215.60.21 | unknown | United States | 46392 | GCPOWERNETUS | false | |
34.249.145.219 | unknown | United States | 16509 | AMAZON-02US | false | |
211.103.199.98 | unknown | China | 17964 | DXTNETBeijingDian-Xin-TongNetworkTechnologiesCoLtd | false | |
202.165.193.211 | unknown | Papua New Guinea | 17828 | PNGDATACOLIMITED-AS-PGPNGDATACOLTDPG | false | |
202.28.32.30 | unknown | Thailand | 9562 | MSU-TH-APMahasarakhamUniversityTH | false | |
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false | |
83.143.80.227 | unknown | Norway | 34989 | SERVETHEWORLD-ASNO | false | |
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false | |
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false |
Process: | /usr/bin/cat |
File Type: | |
Category: | dropped |
Size (bytes): | 29 |
Entropy (8bit): | 4.297130563869282 |
Encrypted: | false |
SSDEEP: | 3:IQfXzs/3hIn:IQghIn |
MD5: | C7F84E39ADD6606880B95C83F92202A2 |
SHA1: | C6FF30A7AD6417BBAD81C34CFEB8FF519E87A2E1 |
SHA-256: | 997EACC8E2251E35D421543C355FEC29557484CB8F74D9A626CC61DAC06E4878 |
SHA-512: | 54A9C3BA85201734F700268B280AA22341C7341F2CE961D168E5A5AF0419D59BA04A9278241E31B36E8E4E85BE6685D150F287E26CA743A0B62C2DB6D8CC171E |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | /bin/sh |
File Type: | |
Category: | dropped |
Size (bytes): | 29 |
Entropy (8bit): | 4.297130563869282 |
Encrypted: | false |
SSDEEP: | 3:IQfXzs/3hIn:IQghIn |
MD5: | C7F84E39ADD6606880B95C83F92202A2 |
SHA1: | C6FF30A7AD6417BBAD81C34CFEB8FF519E87A2E1 |
SHA-256: | 997EACC8E2251E35D421543C355FEC29557484CB8F74D9A626CC61DAC06E4878 |
SHA-512: | 54A9C3BA85201734F700268B280AA22341C7341F2CE961D168E5A5AF0419D59BA04A9278241E31B36E8E4E85BE6685D150F287E26CA743A0B62C2DB6D8CC171E |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | /bin/sh |
File Type: | |
Category: | dropped |
Size (bytes): | 43 |
Entropy (8bit): | 4.0101286386653285 |
Encrypted: | false |
SSDEEP: | 3:3P11waKd3h3B2sFz:IBNh3DFz |
MD5: | DE2F5871B285C0B9BF3DB0FF85B95814 |
SHA1: | CCA2DB8A7E6B5737D77F81444636FA863FC9E861 |
SHA-256: | BD6E6129D1E27F1CD2DD311B85BF8687E395467DC86F5A2ADC9378A8AA24CAAC |
SHA-512: | 4865C82527C8B6A9A85F739BD9CC2025DA6366C372A68B87B3762D5BB273E1DF88C31B59E5E47A855779977677C64FDC45219783733745F25293D1FCC314960C |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | /bin/sh |
File Type: | |
Category: | dropped |
Size (bytes): | 19 |
Entropy (8bit): | 3.221097250057958 |
Encrypted: | false |
SSDEEP: | 3:KkN:KW |
MD5: | FE0B86955E4EB444F17F54D086580B1F |
SHA1: | E19182DD3A1465BDA3AA2E1A63067BEC82DD5AD3 |
SHA-256: | BE102039B1DC4747490C6994CA8DC17D12D32219561F8BA23E8C0B865AC223ED |
SHA-512: | 6E03176E423005C87C6C7B2EC4E90C46639D4311839A980317102A10445BC563E1C9E288605D6D5B18FADD32563C4C0AE2284F6016A54C81E5A97FA7C3CD5A26 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | /usr/bin/crontab |
File Type: | |
Category: | dropped |
Size (bytes): | 239 |
Entropy (8bit): | 5.210365098761063 |
Encrypted: | false |
SSDEEP: | 6:SUrpqoqQjEOP1K+1xbJYJOBFQZ0Dk4iGMQ5UYLtCFt39YBNh3DFz:8Qjx8Z/4UeHLU9Yfh9 |
MD5: | B58240B233B5C5D1E9D0C85453B73CAF |
SHA1: | D65311C1F7BC471939FB2A69A14DEC629893F602 |
SHA-256: | 57E529B60FE83551A940AE5A08932E58BE08308E176A5492976D3F89C972C861 |
SHA-512: | 2EA7013BB351B704B43A6D8A7531A442B4CFA52B5AFAE930BA807693F8206E4E50078AC24F4D27BF7930B135F02FE3B0C5DBD641DC03C021E45D13979109345E |
Malicious: | true |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.818871871361637 |
TrID: |
|
File name: | conf.png |
File size: | 924'980 bytes |
MD5: | 65234357f9c2f318acac81d881bb27f2 |
SHA1: | f9094f8226f694dce08d02b96101dfed94097e74 |
SHA256: | cef751cdfbabbdde4670d99eece963b1730da16da4f60f985c41c93d2d0ea7eb |
SHA512: | 538fd9db53f15d0258c00640485297b19a46e9908594236538d1a86a3ca3a3283a08e9ac912f9be7b4de616639a1a6e95d08db396f48b8a170ef43670acdcbd7 |
SSDEEP: | 24576:gbkLpPSpXOL6eKL/z8JOuNvgK3Omu71D7SWR6QGx:1RNC/zCt6F7SBJ |
TLSH: | AD15239C83DE7A810BFB187E74ED34AD69D313105F424CE9EE712A6307E40F607AA985 |
File Content Preview: | .ELF..............(.........4...........4. ...(...................... ... ..........................................6.l.........................x.........ELF......(.v.....4...9.&.... ..~6....?p.......<............p..]..'....}.D........m?....H..D.X.l..]..? |
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | 0 |
Entry Point Address: | |
Flags: | |
ELF Header Size: | 52 |
Program Header Offset: | 52 |
Program Header Size: | 32 |
Number of Program Headers: | 2 |
Section Header Offset: | 0 |
Section Header Size: | 40 |
Number of Section Headers: | 0 |
Header String Table Index: | 0 |
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
LOAD | 0x0 | 0x8000 | 0x8000 | 0xc200f | 0xc200f | 7.8018 | 0x5 | R E | 0x8000 | ||
LOAD | 0x2e10 | 0x1bae10 | 0x1bae10 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x8000 |
- Total Packets: 64
System Behavior
Start time (UTC): | 13:39:18 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | /tmp/conf.png |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | sh -c "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | sh -c "chmod 700 /tmp/conf.png > /dev/null 2>&1 &" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/chmod |
Arguments: | chmod 700 /tmp/conf.png |
File size: | 63864 bytes |
MD5 hash: | 739483b900c045ae1374d6f53a86a279 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | sh -c "touch -acmr /bin/ls /tmp/conf.png" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/touch |
Arguments: | touch -acmr /bin/ls /tmp/conf.png |
File size: | 100728 bytes |
MD5 hash: | 3859c173f5d3b37be3e531b7c84a9c68 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | sh -c "(crontab -l | grep -v \"/tmp/conf.png\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00846930886) > /dev/null 2>&1" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/crontab |
Arguments: | crontab -l |
File size: | 43720 bytes |
MD5 hash: | 66e521d421ac9b407699061bf21806f5 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/grep |
Arguments: | grep -v /tmp/conf.png |
File size: | 199136 bytes |
MD5 hash: | 1e6ebb9dd094f774478f72727bdba0f5 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/grep |
Arguments: | grep -v "no cron" |
File size: | 199136 bytes |
MD5 hash: | 1e6ebb9dd094f774478f72727bdba0f5 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/grep |
Arguments: | grep -v lesshts/run.sh |
File size: | 199136 bytes |
MD5 hash: | 1e6ebb9dd094f774478f72727bdba0f5 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | sh -c "echo \"* * * * * /tmp/conf.png > /dev/null 2>&1 &\" >> /var/run/.x00846930886" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | sh -c "crontab /var/run/.x00846930886" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/crontab |
Arguments: | crontab /var/run/.x00846930886 |
File size: | 43720 bytes |
MD5 hash: | 66e521d421ac9b407699061bf21806f5 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | sh -c "rm -rf /var/run/.x00846930886" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/rm |
Arguments: | rm -rf /var/run/.x00846930886 |
File size: | 72056 bytes |
MD5 hash: | aa2b5496fdbfd88e38791ab81f90b95b |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:19 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | sh -c "cat /etc/inittab | grep -v \"/tmp/conf.png\" > /etc/inittab2" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/cat |
Arguments: | cat /etc/inittab |
File size: | 43416 bytes |
MD5 hash: | 7e9d213e404ad3bb82e4ebb2e1f2c1b3 |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/grep |
Arguments: | grep -v /tmp/conf.png |
File size: | 199136 bytes |
MD5 hash: | 1e6ebb9dd094f774478f72727bdba0f5 |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | sh -c "echo \"0:2345:respawn:/tmp/conf.png\" >> /etc/inittab2" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | sh -c "cat /etc/inittab2 > /etc/inittab" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/cat |
Arguments: | cat /etc/inittab2 |
File size: | 43416 bytes |
MD5 hash: | 7e9d213e404ad3bb82e4ebb2e1f2c1b3 |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | sh -c "rm -rf /etc/inittab2" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/rm |
Arguments: | rm -rf /etc/inittab2 |
File size: | 72056 bytes |
MD5 hash: | aa2b5496fdbfd88e38791ab81f90b95b |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | sh -c "touch -acmr /bin/ls /etc/inittab" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/touch |
Arguments: | touch -acmr /bin/ls /etc/inittab |
File size: | 100728 bytes |
MD5 hash: | 3859c173f5d3b37be3e531b7c84a9c68 |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | sh -c "/bin/uname -n" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/uname |
Arguments: | /bin/uname -n |
File size: | 39288 bytes |
MD5 hash: | 4ac7c634c5bec95753c480e9d421dcc2 |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | sh -c "/bin/uname -n" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/uname |
Arguments: | /bin/uname -n |
File size: | 39288 bytes |
MD5 hash: | 4ac7c634c5bec95753c480e9d421dcc2 |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /tmp/conf.png |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | sh -c "/bin/uname -n" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:39:20 |
Start date (UTC): | 21/03/2025 |
Path: | /bin/uname |
Arguments: | /bin/uname -n |
File size: | 39288 bytes |
MD5 hash: | 4ac7c634c5bec95753c480e9d421dcc2 |
Start time (UTC): | 13:40:44 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:40:44 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/rm |
Arguments: | rm -f /tmp/tmp.U04JniX6To /tmp/tmp.83mzqoU2jO /tmp/tmp.JoCGz7H2nA |
File size: | 72056 bytes |
MD5 hash: | aa2b5496fdbfd88e38791ab81f90b95b |
Start time (UTC): | 13:40:44 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 13:40:44 |
Start date (UTC): | 21/03/2025 |
Path: | /usr/bin/rm |
Arguments: | rm -f /tmp/tmp.U04JniX6To /tmp/tmp.83mzqoU2jO /tmp/tmp.JoCGz7H2nA |
File size: | 72056 bytes |
MD5 hash: | aa2b5496fdbfd88e38791ab81f90b95b |