
Analysis Report cron

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:194469
Start date:08.12.2019
Start time:23:57:38
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 10s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:cron
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection:MAL
Classification:mal76.troj.mine.lin@0/0@4/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 91.189.92.38, 91.189.92.19, 91.189.92.41, 91.189.92.20
  • Excluded domains from analysis (whitelisted): api.snapcraft.io

Detection

Strategy: Threshold
Score: 76 (range 0 - 100)
Whitelisted: false
Threat: Xmrig
Detection: malicious

Classification

Mitre Att&ck Matrix

Techniques followed by a count in parentheses were matched by signatures in this analysis; the remaining entries are the matrix's unmatched placeholder cells (the Windows-only techniques among them show this).

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services
Execution: Command-Line Interface (1); Service Execution; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception
Defense Evasion: File System Logical Offsets; Binary Padding; Rootkit
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: Security Software Discovery (1); File and Directory Discovery (1); System Information Discovery (3)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (1); Custom Cryptographic Protocol
Impact: Data Destruction; Data Encrypted for Impact; Disk Structure Wipe
Post-Adversary Device Access / Without Adversary Device Access: no entries

Signature Overview



AV Detection:

Antivirus detection for sample
Source: cron; Avira: detection malicious, Label: LINUX/BitCoinMiner.wkfyp
Multi AV Scanner detection for submitted file
Source: cron; Virustotal: Detection: 40%
Source: cron; Metadefender: Detection: 15%

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner
Source: Yara match; File source: cron, type: SAMPLE
Detected Stratum mining protocol (the hex payload below is the JSON-RPC "login" frame shown decoded under HTTP Packets)
Source: global trafficTCP traffic: 192.168.2.20:45164 -> 45.9.148.125:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 35 42 4c 41 76 4c 4e 61 79 65 66 71 4e 61 64 33 74 47 70 48 4b 50 7a 76 69 51 55 59 48 46 31 6d 43 61 70 4d 68 67 52 75 69 69 41 4a 50 59 58 34 4b 79 52 43 56 67 39 76 65 54 6d 63 6b 50 4e 37 62 44 65 62 78 35 31 4c 43 75 44 51 59 79 68 46 67 56 62 55 4d 68 63 34 71 59 31 34 43 51 22 2c 22 70 61 73 73 22 3a 22 78 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 35 2e 30 2e 32 2d 64 65 76 20 28 4c 69 6e 75 78 20 78 38 36 5f 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 33 2e 31 20 67 63 63 2f 38 2e 33 2e 30 22 2c 22 61 6c 67 6f 22 3a 5b 22 63 6e 2f 31 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f
Found strings related to Crypto-Mining
Source: cron; String found in binary or memory: stratum+ssl://
Source: cron; String found in binary or memory: cryptonight/0
Source: cron; String found in binary or memory: -o, --url=URL URL of mining server
Source: cron; String found in binary or memory: stratum+tcp://
Source: cron; String found in binary or memory: XMRig
Source: cron; String found in binary or memory: Usage: xmrig [OPTIONS]
Reads CPU information from /proc indicative of miner or evasive malware
Source: /tmp/cron (PID: 20759); Reads CPU info from proc file: /proc/cpuinfo
Reads CPU information from /sys indicative of miner or evasive malware
Source: /tmp/cron (PID: 20759); Reads CPU info from /sys. The files read are the CPU topology and cache hierarchy, which is what XMRig's hwloc-based thread sizing walks (the binary carries hwloc assertion strings, see System Summary); a sandbox with a single virtual core looks unattractive to a miner, which is why the signature is also filed under evasion:
  /sys/devices/system/cpu/online
  /sys/devices/system/cpu/possible
  /sys/devices/system/cpu/cpu0/topology/{thread_siblings,core_id,core_siblings,physical_package_id}
  /sys/devices/system/cpu/cpu0/cache/index0/{shared_cpu_map,level,type,size,coherency_line_size,number_of_sets,physical_line_partition}
  /sys/devices/system/cpu/cpu0/cache/index1/{shared_cpu_map,level,type}
  /sys/devices/system/cpu/cpu0/cache/index2/{shared_cpu_map,level,type,size,coherency_line_size,number_of_sets,physical_line_partition}
  /sys/devices/system/cpu/cpu0/cache/index3/{shared_cpu_map,level,type,size,coherency_line_size,number_of_sets,physical_line_partition}

Networking:

Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: debian-package.center
Urls found in memory or binary data
Source: cron; String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: cron; String found in binary or memory: https://xmrig.com/docs/algorithms

System Summary:

Sample contains strings that are potentially command strings
(These matches are not attacker commands: they are assertion expressions, function names and error strings from the libuv and hwloc libraries linked into the binary, as the src/unix/stream.c, src/unix/tcp.c and hwloc_get_obj_by_depth fragments below show.)
Source: Initial sample; Potential command found: w ATI
Source: Initial sample; Potential command found: cmp r,i
Source: Initial sample; Potential command found: file already exists
Source: Initial sample; Potential command found: file too large
Source: Initial sample; Potential command found: host is unreachable
Source: Initial sample; Potential command found: file table overflow
Source: Initial sample; Potential command found: host is down
Source: Initial sample; Potential command found: service not available for socket type
Source: Initial sample; Potential command found: w == &loop->async_io_watcher
Source: Initial sample; Potential command found: start + CMSG_LEN(count * sizeof(*pi)) == end
Source: Initial sample; Potential command found: timeout >= -1
Source: Initial sample; Potential command found: timeout != -1
Source: Initial sample; Potential command found: timeout > 0
Source: Initial sample; Potential command found: size > 0
Source: Initial sample; Potential command found: w != NULL
Source: Initial samplePotential command found: start + CMSG_LEN(count * sizeof(*pi)) == endreq->handle->write_queue_size >= sizeuv__has_active_reqs(stream->loop)stream->type == UV_TCP || stream->type == UV_NAMED_PIPE || stream->type == UV_TTY!(stream->flags & UV_HANDLE_CLOSING)stream->type == UV_TCP || stream->type == UV_NAMED_PIPE!uv__io_active(&stream->io_watcher, POLLIN | POLLOUT)stream->flags & UV_HANDLE_CLOSEDstream->type == UV_TCP || stream->type == UV_TTY || stream->type == UV_NAMED_PIPE(stream->type == UV_TCP || stream->type == UV_NAMED_PIPE || stream->type == UV_TTY) && "uv_write (unix) does not yet support other types of streams"!(stream->flags & UV_HANDLE_BLOCKING_WRITES)!uv__io_active(&handle->io_watcher, POLLIN | POLLOUT)uv__stream_closeuv_read_startuv_try_writeuv_write2uv_shutdownuv_acceptuv__server_iouv__stream_destroyuv__stream_openuv__drainuv__write_req_sizeuv__write_callbacksuv__write_req_updateuv__writeuv__stream_recv_cmsguv__readuv__stream_connectuv__stream_iosrc/unix/tcp.chandle->type == UV_TCPUV_TCP_SINGLE_ACCEPTuv__tcp_connectsrc/un
Source: Initial sample; Potential command found: last == hwloc_get_obj_by_depth(topology, depth, width-1)
Source: Initial sample; Potential command found: last != -1
Sample has stripped symbol table
Source: ELF static info; symbol of initial sample: .symtab present: no
Classification label
Source: classification engine; Classification label: mal76.troj.mine.lin@0/0@4/0

Persistence and Installation Behavior:

Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /tmp/cron (PID: 20759); File: /proc/20759/mounts
Reads system information from the proc file system
Source: /tmp/cron (PID: 20759); Reads from proc file: /proc/cpuinfo
Source: /tmp/cron (PID: 20759); Reads from proc file: /proc/meminfo

Malware Analysis System Evasion:

Reads CPU information from /proc indicative of miner or evasive malware
Source: /tmp/cron (PID: 20759); Reads CPU info from proc file: /proc/cpuinfo (the same event listed under Bitcoin Miner)
Reads CPU information from /sys indicative of miner or evasive malware
Source: /tmp/cron (PID: 20759); the same reads of /sys/devices/system/cpu/{online,possible} and /sys/devices/system/cpu/cpu0/{topology,cache/index0..3}/* listed under Bitcoin Miner
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/cron (PID: 20759); Queries kernel information via 'uname'

Malware Configuration

No configs have been found


Runtime Messages

Command:/tmp/cron
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:[2019-12-09 00:58:23.620] unable to open '/tmp/config.json'.
Standard Error:

The miner looked for a config.json next to its own binary and found none, was started without arguments (see Startup), and still resolved debian-package.center and logged in to the pool within two seconds of starting (Network Behavior). Pool address, wallet and agent string therefore come from defaults compiled into the binary; "No configs have been found" under Malware Configuration means the sandbox's config extractor did not recover them, not that the sample carries no configuration.

Behavior Graph

(Graph image not reproduced. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Number of created Files, Is malicious, Internet.)

Yara Overview

Initial Sample

Source: cron | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security

    PCAP (Network Traffic)

    No yara matches

    Dropped Files

    No yara matches

    Sigma Overview

    No Sigma rule has matched

    Joe Sandbox View / Context

    IPs

Match: 45.9.148.125 | Associated sample: cQLmNrun | Detection: malicious

      Domains

      No context

      ASN

Match: ASN "unknown". Because the pool IP has no resolvable ASN name, this context list is every other submission whose contacted IP also fell into an unknown ASN; apart from the second "cron" entry it says nothing about shared infrastructure. All listed submissions were detected malicious.
  http://cdnus.filesupdatehead.com/ofr/Famofama/01_07_19/Famofama_pages.zip: 199.115.112.67
  http://27.69.242.187: 159.148.172.231
  http://www2.formatta.com/download/fillersetup.exe: 40.84.144.206
  vij.exe: 139.28.39.70
  SAMPLE.exe: 127.0.0.1
  cron: 45.9.148.129 (another submission under the same file name; 45.9.148.129 is the second A record returned for debian-package.center in this analysis, see DNS Answers)
  ze99HWZnJK.exe: 52.97.183.194
  https://kbelectricals.co.in/varujy3/ox07-svj-94: 103.28.36.212
  http://solarsistem.net/doc/8me4x/*: 162.241.24.173
  http://lakewin.org/wp-admin/j19x/*: 162.241.24.26
  http://vanguardesigns.com/akbadminton/0412/*: 162.241.24.179
  http://nowotnik.com/nqrgo8/cy3a6/': 50.87.253.50
  http://ngiveu.com/hcy5u/icv4/*: 49.235.41.178
  Sidify Music Converter.exe: 104.26.5.204
  MdecService.apk: 216.58.201.106
  SAMPLE.exe: 127.0.0.1
  http://bit.ly/2DomIvZ: 104.17.236.50
  782357810619658324.doc: 50.87.253.53
  http://etsmaleye.com/setup/protected-zone/test-warehouse/v7pgehn-vy8ssvw0390/: 66.147.244.50
  https://iranglass.co/5rxyfoqpzc3/zcCvaR/: 93.115.151.36

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source: cron | Detection: 41% | Scanner: Virustotal
Source: cron | Detection: 18% | Scanner: Metadefender
Source: cron | Detection: 100% | Scanner: Avira | Label: LINUX/BitCoinMiner.wkfyp

      Dropped Files

      No Antivirus matches

      Domains

Source: debian-package.center | Detection: 0% | Scanner: Virustotal

      URLs

Source: https://xmrig.com/docs/algorithms | Detection: 0% | Scanner: Avira URL Cloud | Label: safe

      Startup

      • system is lnxubuntu1
      • cron (PID: 20759, Parent: 20706, MD5: 0bdbb47336d7a9332886a80267e892e1) Arguments: /tmp/cron
        • cron New Fork (PID: 20760, Parent: 20759)
      • cleanup
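
The Startup section shows the whole trick the sample relies on for blending in: a binary named cron, executed from /tmp, that forks once. A host-side check for exactly that pattern, added here as an example (it is not part of the report or of any Joe Sandbox tooling): compare each process's comm name with the path its /proc/<pid>/exe link points to, flag daemon names whose executable is not where the distribution installs it, anything running from a scratch directory, and executables unlinked after start. The EXPECTED_EXE table and the SAMPLE_PROCS list are constructed for the example; PIDs 20759 and 20760 mirror the report, the other rows are invented.

```python
import os
import sys
from typing import Dict, Iterable, List

# Where the daemons an intruder likes to impersonate really live on a
# Debian/Ubuntu host. Constructed allow-list for this example; extend it for
# your own distribution and for the daemons you care about.
EXPECTED_EXE = {
    "cron": {"/usr/sbin/cron"},
    "crond": {"/usr/sbin/crond"},
    "sshd": {"/usr/sbin/sshd"},
    "systemd": {"/lib/systemd/systemd", "/usr/lib/systemd/systemd"},
}
# World-writable locations a system daemon has no business running from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Suffix the kernel appends to the exe link once the file has been unlinked.
DELETED = " (deleted)"


def masquerade_findings(proc: Dict[str, str]) -> List[str]:
    """Reasons one process record (pid, comm, exe) looks like a masquerading binary.
    comm is the kernel's 15-character task name, exe the target of /proc/<pid>/exe."""
    comm, exe = proc["comm"], proc["exe"]
    on_disk = exe[:-len(DELETED)] if exe.endswith(DELETED) else exe
    reasons = []
    if on_disk.startswith(SCRATCH_DIRS):
        reasons.append(f"runs from scratch directory: {on_disk}")
    expected = EXPECTED_EXE.get(comm)
    if expected and on_disk not in expected:
        reasons.append(f"named {comm!r} but executable is {on_disk}, expected {sorted(expected)}")
    if exe.endswith(DELETED):
        reasons.append("executable was unlinked after start")
    return reasons


def scan(procs: Iterable[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map PID -> findings for every process that triggered at least one check."""
    hits: Dict[int, List[str]] = {}
    for proc in procs:
        findings = masquerade_findings(proc)
        if findings:
            hits[int(proc["pid"])] = findings
    return hits


def collect_from_proc() -> List[Dict[str, str]]:
    """Live collector: comm and the exe symlink of every PID under /proc.
    Run as root; otherwise exe links of other users' processes are unreadable
    and those processes are silently skipped."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:  # kernel thread, process already exited, or EACCES
            continue
        procs.append({"pid": name, "comm": comm, "exe": exe})
    return procs


# Constructed process table for the example. PIDs 20759 and 20760 are the
# sample and its fork as the report's Startup section shows them; the other
# rows stand in for a normal host, plus one unlinked impostor of sshd.
SAMPLE_PROCS = [
    {"pid": "1", "comm": "systemd", "exe": "/lib/systemd/systemd"},
    {"pid": "812", "comm": "cron", "exe": "/usr/sbin/cron"},
    {"pid": "20759", "comm": "cron", "exe": "/tmp/cron"},
    {"pid": "20760", "comm": "cron", "exe": "/tmp/cron"},
    {"pid": "21003", "comm": "sshd", "exe": "/dev/shm/sshd" + DELETED},
]

if __name__ == "__main__":
    table = collect_from_proc() if "--live" in sys.argv else SAMPLE_PROCS
    for pid, findings in sorted(scan(table).items()):
        print(pid, "; ".join(findings))
```

Run with `--live` on a Linux host to scan /proc instead of the constructed table. The name check only covers daemons in EXPECTED_EXE, so the scratch-directory and unlinked-executable checks are what catch a miner that picks a name the table does not know.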

      Created / dropped Files

      No created / dropped files found

      Domains and IPs

      Contacted Domains

Name: debian-package.center | IP: 45.9.148.129 | Active: true | Malicious: false | Antivirus Detection: none | Reputation: unknown
(The A query for this name returned two addresses, 45.9.148.129 and 45.9.148.125; the Stratum session went to 45.9.148.125, which is marked malicious under Contacted IPs. "Malicious: false" here is the domain reputation lookup, not a verdict on what the sample did with it.)

      URLs from Memory and Binaries

Name: https://gcc.gnu.org/bugs/): | Source: cron | Malicious: false | Reputation: high
Name: https://xmrig.com/docs/algorithms | Source: cron | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

        Contacted IPs


        Public

IP: 45.9.148.125 | Country: Netherlands | ASN: 49447 | ASN Name: unknown | Malicious: true

        Static File Info

        General

File type:ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
("Shared object" is the ET_DYN file type. The file has an entry point, no PT_INTERP segment and no DT_NEEDED tag (see Static ELF Info), so it is a position-independent executable with libuv and hwloc linked in statically, i.e. a static PIE; "dynamically linked" reflects the PT_DYNAMIC segment, not a shared-library dependency.)
        Entropy (8bit):6.340019841487885
        TrID:
        • ELF Executable and Linkable format (Linux) (4029/14) 49.77%
        • ELF Executable and Linkable format (generic) (4004/1) 49.46%
        • Lumena CEL bitmap (63/63) 0.78%
        File name:cron
        File size:2269000
        MD5:0bdbb47336d7a9332886a80267e892e1
        SHA1:19414ad5800a2a5eec01da79d5de54bfd2a46c0d
        SHA256:70e8ab8b9aeb9ad887a8281876d1ca3845f66308d992fbb0619737be21d93cdf
        SHA512:efafefb0f88856cfd124510ad4c907b9f5c31414d2e02e378023792e2aaac17bb4efc037d98fccb461645c61d37b0a358e37c0d2ead8ef663e10c56d25ec4b65
        SSDEEP:49152:hMW2UNoG3YwFW/////////0HL6bqgkfL+y9pObHfYagWyedY/MVS0p0spVyYwAFB:SU1YwFW/////////Fb/YXWddY/MVS0iX
        File Content Preview:.ELF..............>.............@.........".........@.8...@......................................g.......g.......................p.......p.......p..............................................................X_......X_........................!......."....

        Static ELF Info

        ELF header

        Class:ELF64
        Data:2's complement, little endian
        Version:1 (current)
        Machine:Advanced Micro Devices X86-64
        Version Number:0x1
        Type:DYN (Shared object file)
        OS/ABI:UNIX - System V
        ABI Version:0
        Entry Point Address:0x19fbd
        Flags:0x0
        ELF Header Size:64
        Program Header Offset:64
        Program Header Size:56
        Number of Program Headers:9
        Section Header Offset:2267400
        Section Header Size:64
        Number of Section Headers:25
        Header String Table Index:24

        Sections

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
(null) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.gnu.hash | GNU_HASH | 0x238 | 0x238 | 0x1c | 0x0 | 0x2 | A | 2 | 0 | 8
.dynsym | DYNSYM | 0x258 | 0x258 | 0x18 | 0x18 | 0x2 | A | 3 | 1 | 8
.dynstr | STRTAB | 0x270 | 0x270 | 0x1 | 0x0 | 0x2 | A | 0 | 0 | 1
.rela.dyn | RELA | 0x278 | 0x278 | 0x16488 | 0x18 | 0x2 | A | 2 | 0 | 8
.init | PROGBITS | 0x17000 | 0x17000 | 0xd | 0x0 | 0x6 | AX | 0 | 0 | 1
.plt | PROGBITS | 0x17010 | 0x17010 | 0x80 | 0x10 | 0x6 | AX | 0 | 0 | 16
.text | PROGBITS | 0x170c0 | 0x170c0 | 0x1a17ec | 0x0 | 0x6 | AX | 0 | 0 | 64
.fini | PROGBITS | 0x1b88ac | 0x1b88ac | 0x8 | 0x0 | 0x6 | AX | 0 | 0 | 1
.rodata | PROGBITS | 0x1b9000 | 0x1b9000 | 0x1b9d0 | 0x0 | 0x2 | A | 0 | 0 | 32
.eh_frame_hdr | PROGBITS | 0x1d49d0 | 0x1d49d0 | 0xb60c | 0x0 | 0x2 | A | 0 | 0 | 4
.eh_frame | PROGBITS | 0x1dffe0 | 0x1dffe0 | 0x3a1c0 | 0x0 | 0x2 | A | 0 | 0 | 8
.gcc_except_table | PROGBITS | 0x21a1a0 | 0x21a1a0 | 0x4db8 | 0x0 | 0x2 | A | 0 | 0 | 4
.tbss | NOBITS | 0x2207f8 | 0x21f7f8 | 0x10 | 0x0 | 0x403 | WAT | 0 | 0 | 8
.init_array | INIT_ARRAY | 0x2207f8 | 0x21f7f8 | 0xf0 | 0x8 | 0x3 | WA | 0 | 0 | 8
.fini_array | FINI_ARRAY | 0x2208e8 | 0x21f8e8 | 0x18 | 0x8 | 0x3 | WA | 0 | 0 | 8
.ctors | PROGBITS | 0x220900 | 0x21f900 | 0x10 | 0x0 | 0x3 | WA | 0 | 0 | 8
.dtors | PROGBITS | 0x220910 | 0x21f910 | 0x10 | 0x0 | 0x3 | WA | 0 | 0 | 8
.data.rel.ro | PROGBITS | 0x220920 | 0x21f920 | 0x9310 | 0x0 | 0x3 | WA | 0 | 0 | 32
.dynamic | DYNAMIC | 0x229c30 | 0x228c30 | 0x190 | 0x10 | 0x3 | WA | 3 | 0 | 8
.got | PROGBITS | 0x229dc0 | 0x228dc0 | 0x230 | 0x8 | 0x3 | WA | 0 | 0 | 8
.data | PROGBITS | 0x22a000 | 0x229000 | 0x818 | 0x0 | 0x3 | WA | 0 | 0 | 32
.bss | NOBITS | 0x22a840 | 0x229818 | 0xc908 | 0x0 | 0x3 | WA | 0 | 0 | 64
.comment | PROGBITS | 0x0 | 0x229818 | 0x1a | 0x1 | 0x30 | MS | 0 | 0 | 1
.shstrtab | STRTAB | 0x0 | 0x229832 | 0xd3 | 0x0 | 0x0 | | 0 | 0 | 1

        Program Segments

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Flags | Flags Description | Align | Section Mappings
LOAD | 0x0 | 0x0 | 0x0 | 0x16700 | 0x16700 | 0x4 | R | 0x1000 | .gnu.hash .dynsym .dynstr .rela.dyn
LOAD | 0x17000 | 0x17000 | 0x17000 | 0x1a18b4 | 0x1a18b4 | 0x5 | R E | 0x1000 | .init .plt .text .fini
LOAD | 0x1b9000 | 0x1b9000 | 0x1b9000 | 0x65f58 | 0x65f58 | 0x4 | R | 0x1000 | .rodata .eh_frame_hdr .eh_frame .gcc_except_table
LOAD | 0x21f7f8 | 0x2207f8 | 0x2207f8 | 0xa020 | 0x16950 | 0x6 | RW | 0x1000 | .init_array .fini_array .ctors .dtors .data.rel.ro .dynamic .got .data .bss
DYNAMIC | 0x228c30 | 0x229c30 | 0x229c30 | 0x190 | 0x190 | 0x6 | RW | 0x8 | .dynamic
TLS | 0x21f7f8 | 0x2207f8 | 0x2207f8 | 0x0 | 0x10 | 0x4 | R | 0x8 | (none)
GNU_EH_FRAME | 0x1d49d0 | 0x1d49d0 | 0x1d49d0 | 0xb60c | 0xb60c | 0x4 | R | 0x4 | .eh_frame_hdr
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0x6 | RW | 0x10 | (none)
GNU_RELRO | 0x21f7f8 | 0x2207f8 | 0x2207f8 | 0x9808 | 0x9808 | 0x4 | R | 0x1 | .init_array .fini_array .ctors .dtors .data.rel.ro .dynamic .got
There is no PT_INTERP segment (no Prog Interpreter column value on any row). GNU_STACK is RW, so the stack is non-executable, and GNU_RELRO together with DT_BIND_NOW (Dynamic Tags) gives full RELRO: the binary was built with the usual hardening flags, which matters for anyone planning to patch or hook it in memory, not for detection.

        Dynamic Tags

Type | Meta | Value | Tag
DT_SYMBOLIC | value | 0x0 | 0x10
DT_INIT | value | 0x17000 | 0xc
DT_FINI | value | 0x1b88ac | 0xd
DT_INIT_ARRAY | value | 0x2207f8 | 0x19
DT_INIT_ARRAYSZ | bytes | 240 | 0x1b
DT_FINI_ARRAY | value | 0x2208e8 | 0x1a
DT_FINI_ARRAYSZ | bytes | 24 | 0x1c
DT_GNU_HASH | value | 0x238 | 0x6ffffef5
DT_STRTAB | value | 0x270 | 0x5
DT_SYMTAB | value | 0x258 | 0x6
DT_STRSZ | bytes | 1 | 0xa
DT_SYMENT | bytes | 24 | 0xb
DT_DEBUG | value | 0x0 | 0x15
DT_PLTGOT | value | 0x229dc0 | 0x3
DT_RELA | value | 0x278 | 0x7
DT_RELASZ | bytes | 91272 | 0x8
DT_RELAENT | bytes | 24 | 0x9
DT_BIND_NOW | value | 0x0 | 0x18
DT_FLAGS_1 | value | 0x8000001 | 0x6ffffffb
DT_RELACOUNT | value | 3803 | 0x6ffffff9
DT_NULL | value | 0x0 | 0x0
Reading the tags: there is no DT_NEEDED, DT_STRSZ is a single byte and one DT_SYMENT of 24 bytes matches the 0x18-byte .dynsym, so nothing is imported or exported. DT_FLAGS_1 0x8000001 is DF_1_PIE | DF_1_NOW. DT_RELASZ 91272 / DT_RELAENT 24 = 3803 = DT_RELACOUNT, so every relocation is a relative one and the loader does nothing but rebase the image, the relocation profile of a static PIE.

        Symbols

Name | Section Name | Value | Size | Symbol Type | Symbol Bind | Symbol Visibility | Ndx
(empty) | .dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
Only the mandatory null entry of .dynsym is present; the binary has no imported or exported symbols, and .symtab is absent (stripped).
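
The header, segment and dynamic-tag tables above answer the questions a first look at a stripped ELF should answer: is it a PIE or a library, does it depend on shared objects, is the stack executable. The parser below is an added example, not part of the report or of any Joe Sandbox tooling; it reads an ELF64 image from memory with only the standard library and reduces it to those answers. build_constructed_image() assembles a minimal image that carries the report's header values (ET_DYN, entry 0x19fbd, 9 program headers declared, DT_FLAGS_1 0x8000001, DT_BIND_NOW, RW GNU_STACK) but contains no code and is not the sample's bytes; it exists so the example runs offline. The constants are the standard ones from elf.h.

```python
import struct
from typing import Dict, List, Tuple

# Constants from the ELF specification (elf.h); only what the triage needs.
ET_DYN = 3
PT_DYNAMIC, PT_INTERP, PT_GNU_STACK = 2, 3, 0x6474E551
PF_X = 0x1
DT_NULL, DT_NEEDED, DT_BIND_NOW, DT_FLAGS_1 = 0, 1, 24, 0x6FFFFFFB
DF_1_NOW, DF_1_PIE = 0x1, 0x8000000

EHDR_FMT = "<HHIQQQIHHHHHH"   # Elf64_Ehdr fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # Elf64_Phdr, 56 bytes
DYN_FMT = "<qQ"               # Elf64_Dyn, 16 bytes


def parse_phdrs(data: bytes) -> Tuple[Dict[str, int], List[Tuple[int, int, int, int]]]:
    """Header fields plus (p_type, p_flags, p_offset, p_filesz) for each segment."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    f = struct.unpack_from(EHDR_FMT, data, 16)
    hdr = {"e_type": f[0], "e_machine": f[1], "e_entry": f[3],
           "e_phoff": f[4], "e_phentsize": f[8], "e_phnum": f[9]}
    phdrs = []
    for i in range(hdr["e_phnum"]):
        p = struct.unpack_from(PHDR_FMT, data, hdr["e_phoff"] + i * hdr["e_phentsize"])
        phdrs.append((p[0], p[1], p[2], p[5]))
    return hdr, phdrs


def triage(data: bytes) -> Dict[str, object]:
    """Answer the first-look questions for a stripped ELF held in memory."""
    hdr, phdrs = parse_phdrs(data)
    tags: Dict[int, int] = {}
    needed: List[int] = []          # DT_NEEDED string offsets (none for a static PIE)
    for p_type, _flags, off, size in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for pos in range(off, off + size, 16):
            tag, val = struct.unpack_from(DYN_FMT, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                needed.append(val)
            else:
                tags[tag] = val
    flags1 = tags.get(DT_FLAGS_1, 0)
    stack_flags = [fl for t, fl, _o, _s in phdrs if t == PT_GNU_STACK]
    has_interp = any(t == PT_INTERP for t, _f, _o, _s in phdrs)
    return {
        "is_dyn": hdr["e_type"] == ET_DYN,
        "entry": hdr["e_entry"],
        "pie": bool(flags1 & DF_1_PIE),
        "bind_now": DT_BIND_NOW in tags or bool(flags1 & DF_1_NOW),
        "nx_stack": bool(stack_flags) and not (stack_flags[0] & PF_X),
        "needed": needed,
        "has_interp": has_interp,
        # ET_DYN with neither an interpreter nor DT_NEEDED: a static PIE, not a library
        "static_pie": hdr["e_type"] == ET_DYN and not has_interp and not needed,
    }


def build_constructed_image() -> bytes:
    """Minimal image carrying the report's header values and dynamic flags.
    Constructed for the example: no code, not the sample's bytes."""
    phnum, phoff = 2, 64
    dyn_off = phoff + phnum * 56
    dyn = b"".join(struct.pack(DYN_FMT, t, v) for t, v in
                   [(DT_BIND_NOW, 0), (DT_FLAGS_1, DF_1_PIE | DF_1_NOW), (DT_NULL, 0)])
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LSB, version 1, SYSV
    ehdr = e_ident + struct.pack(EHDR_FMT, ET_DYN, 0x3E, 1, 0x19FBD, phoff, 2267400,
                                 0, 64, 56, phnum, 64, 25, 24)
    phdrs = struct.pack(PHDR_FMT, PT_GNU_STACK, 0x6, 0, 0, 0, 0, 0, 0x10)      # RW stack
    phdrs += struct.pack(PHDR_FMT, PT_DYNAMIC, 0x6, dyn_off, 0x229C30, 0x229C30,
                         len(dyn), len(dyn), 8)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    for key, value in triage(build_constructed_image()).items():
        print(f"{key:>11}: {hex(value) if key == 'entry' else value}")
```

To run it on a real file, pass `open(path, "rb").read()` to `triage()`. The `static_pie` verdict is the one worth automating: `file` reports such binaries as "shared object, dynamically linked", and a miner packaged that way runs on any x86-64 Linux host regardless of what libraries are installed.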

        Network Behavior

        Network Port Distribution

        TCP Packets

All TCP packets belong to one session, 192.168.2.20:45164 <-> 45.9.148.125:80.

Timestamp | Source | Destination
Dec 8, 2019 23:58:24.874710083 CET | 192.168.2.20:45164 | 45.9.148.125:80
Dec 8, 2019 23:58:24.899811029 CET | 45.9.148.125:80 | 192.168.2.20:45164
Dec 8, 2019 23:58:24.900065899 CET | 192.168.2.20:45164 | 45.9.148.125:80
Dec 8, 2019 23:58:24.900342941 CET | 192.168.2.20:45164 | 45.9.148.125:80
Dec 8, 2019 23:58:24.925559044 CET | 45.9.148.125:80 | 192.168.2.20:45164
Dec 8, 2019 23:58:24.933262110 CET | 45.9.148.125:80 | 192.168.2.20:45164
Dec 8, 2019 23:58:24.933418989 CET | 192.168.2.20:45164 | 45.9.148.125:80
Dec 8, 2019 23:59:08.507926941 CET | 45.9.148.125:80 | 192.168.2.20:45164
Dec 8, 2019 23:59:08.508090019 CET | 192.168.2.20:45164 | 45.9.148.125:80
Dec 9, 2019 00:00:08.586517096 CET | 192.168.2.20:45164 | 45.9.148.125:80
Dec 9, 2019 00:00:08.611617088 CET | 45.9.148.125:80 | 192.168.2.20:45164
Dec 9, 2019 00:00:08.629437923 CET | 45.9.148.125:80 | 192.168.2.20:45164
Dec 9, 2019 00:00:08.629642010 CET | 192.168.2.20:45164 | 45.9.148.125:80
Dec 9, 2019 00:01:09.151357889 CET | 192.168.2.20:45164 | 45.9.148.125:80
Dec 9, 2019 00:01:09.189357042 CET | 45.9.148.125:80 | 192.168.2.20:45164
Dec 9, 2019 00:01:09.189492941 CET | 192.168.2.20:45164 | 45.9.148.125:80
Dec 9, 2019 00:02:09.291719913 CET | 192.168.2.20:45164 | 45.9.148.125:80
Dec 9, 2019 00:02:09.316966057 CET | 45.9.148.125:80 | 192.168.2.20:45164
Dec 9, 2019 00:02:10.189001083 CET | 192.168.2.20:45164 | 45.9.148.125:80
Dec 9, 2019 00:02:10.214319944 CET | 45.9.148.125:80 | 192.168.2.20:45164
Dec 9, 2019 00:02:10.214582920 CET | 192.168.2.20:45164 | 45.9.148.125:80
Dec 9, 2019 00:02:26.066289902 CET | 45.9.148.125:80 | 192.168.2.20:45164
Dec 9, 2019 00:02:26.066412926 CET | 192.168.2.20:45164 | 45.9.148.125:80

        UDP Packets

Timestamp | Source | Destination
Dec 8, 2019 23:58:24.830738068 CET | 192.168.2.20:50550 | 8.8.8.8:53
Dec 8, 2019 23:58:24.830944061 CET | 192.168.2.20:50550 | 8.8.4.4:53
Dec 8, 2019 23:58:24.831003904 CET | 192.168.2.20:50550 | 8.8.8.8:53
Dec 8, 2019 23:58:24.831051111 CET | 192.168.2.20:50550 | 8.8.4.4:53
Dec 8, 2019 23:58:24.856201887 CET | 8.8.8.8:53 | 192.168.2.20:50550
Dec 8, 2019 23:58:24.856265068 CET | 8.8.4.4:53 | 192.168.2.20:50550
Dec 8, 2019 23:58:24.856291056 CET | 8.8.8.8:53 | 192.168.2.20:50550
Dec 8, 2019 23:58:24.856354952 CET | 8.8.4.4:53 | 192.168.2.20:50550
Dec 8, 2019 23:58:34.875283003 CET | 192.168.2.20:36983 | 8.8.8.8:53
Dec 8, 2019 23:58:34.875513077 CET | 192.168.2.20:46687 | 8.8.8.8:53
Dec 8, 2019 23:58:34.900954008 CET | 8.8.8.8:53 | 192.168.2.20:46687
Dec 8, 2019 23:58:34.908958912 CET | 8.8.8.8:53 | 192.168.2.20:36983

        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dec 8, 2019 23:58:24.830738068 CET | 192.168.2.20 | 8.8.8.8 | 0xc549 | Standard query (0) | debian-package.center | A (IP address) | IN (0x0001)
Dec 8, 2019 23:58:24.830944061 CET | 192.168.2.20 | 8.8.4.4 | 0xc549 | Standard query (0) | debian-package.center | A (IP address) | IN (0x0001)
Dec 8, 2019 23:58:24.831003904 CET | 192.168.2.20 | 8.8.8.8 | 0xc628 | Standard query (0) | debian-package.center | 28 (AAAA) | IN (0x0001)
Dec 8, 2019 23:58:24.831051111 CET | 192.168.2.20 | 8.8.4.4 | 0xc628 | Standard query (0) | debian-package.center | 28 (AAAA) | IN (0x0001)

        DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dec 8, 2019 23:58:24.856201887 CET | 8.8.8.8 | 192.168.2.20 | 0xc549 | No error (0) | debian-package.center | | 45.9.148.129 | A (IP address) | IN (0x0001)
Dec 8, 2019 23:58:24.856201887 CET | 8.8.8.8 | 192.168.2.20 | 0xc549 | No error (0) | debian-package.center | | 45.9.148.125 | A (IP address) | IN (0x0001)
Dec 8, 2019 23:58:24.856265068 CET | 8.8.4.4 | 192.168.2.20 | 0xc549 | No error (0) | debian-package.center | | 45.9.148.129 | A (IP address) | IN (0x0001)
Dec 8, 2019 23:58:24.856265068 CET | 8.8.4.4 | 192.168.2.20 | 0xc549 | No error (0) | debian-package.center | | 45.9.148.125 | A (IP address) | IN (0x0001)
Both resolvers returned the same two A records; no AAAA answer records (transaction 0xc628) are listed.

HTTP Packets

The sandbox files this session under HTTP because it uses destination port 80; the payload is newline-delimited Stratum JSON-RPC (login, job pushes from the pool, keepalived from the client roughly once a minute at 00:01:09 and 00:02:10), not HTTP. A port-80 flow whose first client bytes are a JSON object rather than a request line is the network-side tell.

Session ID: 0 | Source: 192.168.2.20:45164 | Destination: 45.9.148.125:80

Timestamp | kBytes transferred | Direction
Dec 8, 2019 23:58:24.900342941 CET | 1 | OUT
  Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 35 42 4c 41 76 4c 4e 61 79 65 66 71 4e 61 64 33 74 47 70 48 4b
  Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"45BLAvLNayefqNad3tGpHKPzviQUYHF1mCapMhgRuiiAJPYX4KyRCVg9veTmckPN7bDebx51LCuDQYyhFgVbUMhc4qY14CQ","pass":"x","agent":"XMRig/5.0.2-dev (Linux x86_64) libuv/1.33.1 gcc/8.3.0","algo":["cn
Dec 8, 2019 23:58:24.933262110 CET | 2 | IN
  Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 69 64 22 3a 31 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 22 66 65 37 38 30 63 63 61 2d 39 38 39 35 2d 34 64 63 35 2d 38 64 36 34 2d 62 31 31 33 31
  Data Ascii: {"jsonrpc":"2.0","id":1,"error":null,"result":{"id":"fe780cca-9895-4dc5-8d64-b1131115a0b3","job":{"blob":"0c0caaffb5ef0566eefbf340cdc720a762d0aa64b6c7f969231b53cca5d175579c1a0226b8bd18000000fa3b9115711f3d141a10c26f10caf31ca5b871cc4294ff2addfcb
Dec 8, 2019 23:59:08.507926941 CET | 539 | IN
  Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 30 63 30 63 61 61 66 66 62 35 65 66 30 35 36 36 65 65 66 62 66 33 34 30 63 64 63 37 32 30 61 37
  Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"0c0caaffb5ef0566eefbf340cdc720a762d0aa64b6c7f969231b53cca5d175579c1a0226b8bd18000000faaade9304dcbe425d8b69f3415130c130debc1d164bcfa731daca76c4167211cb05","job_id":"PdCHKUVXUWaFYJWvG1ybwy++83Fu"
Dec 9, 2019 00:00:08.629437923 CET | 540 | IN
  Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 30 63 30 63 61 61 66 66 62 35 65 66 30 35 36 36 65 65 66 62 66 33 34 30 63 64 63 37 32 30 61 37
  Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"0c0caaffb5ef0566eefbf340cdc720a762d0aa64b6c7f969231b53cca5d175579c1a0226b8bd18000000fa966ad434df732c51569a4a61907c55f49f062b18c03f835a0641634b1c5d964505","job_id":"UJVP0C3cX24SnB7XvSjh6qoidfRP"
Dec 9, 2019 00:01:09.151357889 CET | 541 | OUT
  Data Raw: 7b 22 69 64 22 3a 32 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6b 65 65 70 61 6c 69 76 65 64 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 66 65 37 38 30 63 63 61 2d 39 38 39 35 2d 34 64 63 35 2d 38
  Data Ascii: {"id":2,"jsonrpc":"2.0","method":"keepalived","params":{"id":"fe780cca-9895-4dc5-8d64-b1131115a0b3"}}
Dec 9, 2019 00:01:09.189357042 CET | 541 | IN
  Data Raw: 7b 22 69 64 22 3a 32 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4b 45 45 50 41 4c 49 56 45 44 22 7d 7d 0a
  Data Ascii: {"id":2,"jsonrpc":"2.0","error":null,"result":{"status":"KEEPALIVED"}}
Dec 9, 2019 00:02:10.189001083 CET | 541 | OUT
  Data Raw: 7b 22 69 64 22 3a 33 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6b 65 65 70 61 6c 69 76 65 64 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 66 65 37 38 30 63 63 61 2d 39 38 39 35 2d 34 64 63 35 2d 38
  Data Ascii: {"id":3,"jsonrpc":"2.0","method":"keepalived","params":{"id":"fe780cca-9895-4dc5-8d64-b1131115a0b3"}}
Dec 9, 2019 00:02:10.214319944 CET | 541 | IN
  Data Raw: 7b 22 69 64 22 3a 33 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4b 45 45 50 41 4c 49 56 45 44 22 7d 7d 0a
  Data Ascii: {"id":3,"jsonrpc":"2.0","error":null,"result":{"status":"KEEPALIVED"}}
Dec 9, 2019 00:02:26.066289902 CET | 542 | IN
  Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 30 63 30 63 38 31 38 32 62 36 65 66 30 35 30 37 37 39 65 38 34 64 37 36 33 36 36 62 66 62 64 31
  Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"0c0c8182b6ef050779e84d76366bfbd1493d2c0b1c12572b7c643e698fff568ed727daed2d03e7000000fa03799a3a5c8df74f27305c2a3494f3f5739ee094a4cb3bbee3a1a60df24984c318","job_id":"Tg2DDm74ZjpmL/ZoJ2+DD51tDw0t"
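
The "Detected Stratum mining protocol" signature under Bitcoin Miner and the session above are the same data at two levels: raw hex on the wire, JSON-RPC once decoded. The code below is an added example, not part of the report or of XMRig, that does the decoding and extraction an analyst wants from such a capture: turn the report's "Data Raw" hex into bytes, classify each frame (login, job, keepalived, result), pull the wallet, agent string, algorithm list and session id out of the exchange, and offer a single-payload check that can be pointed at the first client bytes of any TCP flow. The CONSTRUCTED_FRAMES are modelled on the truncated captures above and are not the captured bytes: blobs are shortened, the algo list is cut to five entries, and the job id "job-0" in the login reply is invented; WALLET, SESSION and the other job id are taken from the report.

```python
import json
from typing import Dict, List, Optional, Tuple

# Methods of the XMRig/Stratum JSON-RPC dialect. Each frame is one JSON
# object terminated by "\n"; requests carry "method", replies carry "result".
STRATUM_METHODS = {"login", "job", "submit", "keepalived", "getjob"}


def decode_data_raw(data_raw: str) -> bytes:
    """Turn the report's space-separated 'Data Raw' hex into the wire bytes."""
    return bytes.fromhex(data_raw.replace(" ", ""))


def parse_frame(payload: bytes) -> Optional[dict]:
    """Parse one newline-terminated JSON-RPC frame; None if it is not a JSON object."""
    try:
        msg = json.loads(payload.decode("utf-8").strip())
    except (UnicodeDecodeError, ValueError):
        return None
    return msg if isinstance(msg, dict) else None


def classify(msg: dict) -> str:
    """'login', 'job', 'keepalived', ... for requests; 'result' for replies."""
    method = msg.get("method")
    if method in STRATUM_METHODS:
        return method
    if msg.get("jsonrpc") == "2.0" and "result" in msg:
        return "result"
    return "other"


def is_stratum_login(payload: bytes) -> bool:
    """Detection check for the first client-to-server payload of a TCP flow."""
    msg = parse_frame(payload)
    if not msg or classify(msg) != "login":
        return False
    params = msg.get("params", {})
    return isinstance(params.get("login"), str) and "agent" in params


def summarize_session(frames: List[Tuple[str, str]]) -> Dict[str, object]:
    """Walk (direction, data_raw) pairs and extract the miner's configuration."""
    summary: Dict[str, object] = {"sequence": [], "job_ids": []}
    for direction, data_raw in frames:
        msg = parse_frame(decode_data_raw(data_raw))
        if msg is None:
            continue
        kind = classify(msg)
        summary["sequence"].append((direction, kind))
        if kind == "login":
            p = msg["params"]
            summary["wallet"] = p.get("login")      # pool account, usually a wallet address
            summary["agent"] = p.get("agent")       # miner build string
            summary["algos"] = p.get("algo", [])
        elif kind == "result" and isinstance(msg.get("result"), dict):
            res = msg["result"]
            if "id" in res:
                summary["session_id"] = res["id"]   # echoed back in every keepalived
            if "job" in res:
                summary["job_ids"].append(res["job"].get("job_id"))
        elif kind == "job":
            summary["job_ids"].append(msg["params"].get("job_id"))
    return summary


def _raw(obj: dict) -> str:
    """Encode a constructed frame the way the report prints 'Data Raw'."""
    wire = (json.dumps(obj, separators=(",", ":")) + "\n").encode()
    return " ".join(f"{b:02x}" for b in wire)


WALLET = ("45BLAvLNayefqNad3tGpHKPzviQUYHF1mCapMhgRuiiAJPYX4KyRCVg9veTmckPN7bDebx51"
          "LCuDQYyhFgVbUMhc4qY14CQ")
SESSION = "fe780cca-9895-4dc5-8d64-b1131115a0b3"

# Constructed frames modelled on the report's truncated captures (not the
# captured bytes): blobs shortened, algo list cut down, "job-0" invented.
CONSTRUCTED_FRAMES = [
    ("OUT", _raw({"id": 1, "jsonrpc": "2.0", "method": "login", "params": {
        "login": WALLET, "pass": "x",
        "agent": "XMRig/5.0.2-dev (Linux x86_64) libuv/1.33.1 gcc/8.3.0",
        "algo": ["cn/1", "cn/2", "cn/r", "cn/fast", "cn/half"]}})),
    ("IN", _raw({"jsonrpc": "2.0", "id": 1, "error": None, "result": {
        "id": SESSION, "job": {"blob": "0c0caaff", "job_id": "job-0"}, "status": "OK"}})),
    ("IN", _raw({"jsonrpc": "2.0", "method": "job", "params": {
        "blob": "0c0caaff", "job_id": "PdCHKUVXUWaFYJWvG1ybwy++83Fu"}})),
    ("OUT", _raw({"id": 2, "jsonrpc": "2.0", "method": "keepalived", "params": {"id": SESSION}})),
    ("IN", _raw({"jsonrpc": "2.0", "id": 2, "error": None, "result": {"status": "KEEPALIVED"}})),
]

if __name__ == "__main__":
    for key, value in summarize_session(CONSTRUCTED_FRAMES).items():
        print(f"{key}: {value}")
```

The wallet string is the most durable indicator the session yields: pools and IPs rotate, the payout address rarely does. Feeding `is_stratum_login()` the first client payload of every port-80 or port-443-cleartext flow separates this traffic from real HTTP without any knowledge of the pool.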


        System Behavior

        General

        Start time:23:58:23
        Start date:08/12/2019
        Path:/tmp/cron
        Arguments:/tmp/cron
        File size:2269000 bytes
        MD5 hash:0bdbb47336d7a9332886a80267e892e1

        General

        Start time:23:58:23
        Start date:08/12/2019
        Path:/tmp/cron
        Arguments:n/a
        File size:2269000 bytes
        MD5 hash:0bdbb47336d7a9332886a80267e892e1