Source: psO5Q4nOUG |
ReversingLabs: Detection: 13% |
Source: unknown |
HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.23:33608 version: TLS 1.2 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 33608 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 34804 |
Source: unknown |
Network traffic detected: HTTP traffic on port 43928 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 36110 |
Source: unknown |
Network traffic detected: HTTP traffic on port 33608 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 36112 |
Source: unknown |
Network traffic detected: HTTP traffic on port 44708 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 44708 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 36106 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 36108 |
Source: unknown |
Network traffic detected: HTTP traffic on port 34804 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 36108 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 36110 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 36112 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 36106 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 42836 -> 443 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.189.91.43 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 109.202.202.202 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.189.91.42 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 54.171.230.55 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: psO5Q4nOUG, updateSystem.68.dr |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu |
Source: psO5Q4nOUG, 5249.1.0000000076e416fc.00000000a43e02a2.rw-.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu1 |
Source: updateSystem.68.dr |
String found in binary or memory: https://gcc.gnu.org/bugs |
Source: motd-news.125.dr |
String found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation |
Source: unknown |
DNS traffic detected: queries for: drive.google.com |
Source: classification engine |
Classification label: mal64.troj.spyw.evad.lin@0/56@10/0 |
Source: /usr/bin/cp (PID: 5263) |
File written to hidden directory: /.Library/SystemServices/updateSystem |
Source: /usr/bin/crontab (PID: 5260) |
File: /var/spool/cron/crontabs/tmp.UWWGtW |
Source: /usr/bin/crontab (PID: 5260) |
File: /var/spool/cron/crontabs/root |
Source: /bin/sh (PID: 5255) |
Crontab executable: /usr/bin/crontab -> crontab -l |
Source: /bin/sh (PID: 5261) |
Crontab executable: /usr/bin/crontab -> crontab -l |
Source: /bin/sh (PID: 5260) |
Crontab executable: /usr/bin/crontab -> crontab - |
Source: /bin/sh (PID: 5272) |
Crontab executable: /usr/bin/crontab -> crontab -l |
Source: /usr/bin/cp (PID: 5263) |
File written: /.Library/SystemServices/updateSystem |
Source: /usr/bin/egrep (PID: 5256) |
Grep executable: /usr/bin/grep -> grep -E -v ^(#|$) |
Source: /bin/sh (PID: 5257) |
Grep executable: /usr/bin/grep -> grep -e "@reboot (/.Library/SystemServices/updateSystem)" |
Source: /usr/bin/egrep (PID: 5273) |
Grep executable: /usr/bin/grep -> grep -E -v ^(#|$) |
Source: /bin/sh (PID: 5274) |
Grep executable: /usr/bin/grep -> grep -e "@reboot (/.Library/SystemServices/updateSystem)" |
Source: /bin/sh (PID: 5279) |
Grep executable: /usr/bin/grep -> grep -v 127.0.0.1 |
Source: /bin/sh (PID: 5280) |
Grep executable: /usr/bin/grep -> grep -E "inet ([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})" |
Source: /usr/sbin/invoke-rc.d (PID: 5225) |
Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-enabled cups.service |
Source: /usr/sbin/invoke-rc.d (PID: 5227) |
Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active cups.service |
Source: /usr/lib/rsyslog/rsyslog-rotate (PID: 5233) |
Systemctl executable: /usr/bin/systemctl -> systemctl kill -s HUP rsyslog.service |
Source: /tmp/psO5Q4nOUG (PID: 5249) |
Directory: /.Library |
Source: /bin/sh (PID: 5251) |
Executable: /usr/bin/id -> id -u |
Source: /bin/sh (PID: 5268) |
Executable: /usr/bin/id -> id -u |
Source: /usr/sbin/logrotate (PID: 5222) |
Shell command executed: sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log " |
Source: /usr/sbin/logrotate (PID: 5231) |
Shell command executed: sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog |
Source: /tmp/psO5Q4nOUG (PID: 5250) |
Shell command executed: sh -c "id -u" |
Source: /tmp/psO5Q4nOUG (PID: 5252) |
Shell command executed: sh -c whoami |
Source: /tmp/psO5Q4nOUG (PID: 5254) |
Shell command executed: sh -c "crontab -l | egrep -v \"^(#|$)\" | grep -e \"@reboot (/.Library/SystemServices/updateSystem)\"" |
Source: /tmp/psO5Q4nOUG (PID: 5258) |
Shell command executed: sh -c "(crontab -l; echo \"@reboot (/.Library/SystemServices/updateSystem)\") | crontab -" |
Source: /tmp/psO5Q4nOUG (PID: 5262) |
Shell command executed: sh -c "cp -rf '/tmp/psO5Q4nOUG' '/.Library/SystemServices/updateSystem'" |
Source: /tmp/psO5Q4nOUG (PID: 5264) |
Shell command executed: sh -c "nohup '/.Library/SystemServices/updateSystem' >/dev/null 2>&1 &" |
Source: /.Library/SystemServices/updateSystem (PID: 5267) |
Shell command executed: sh -c "id -u" |
Source: /.Library/SystemServices/updateSystem (PID: 5269) |
Shell command executed: sh -c whoami |
Source: /.Library/SystemServices/updateSystem (PID: 5271) |
Shell command executed: sh -c "crontab -l | egrep -v \"^(#|$)\" | grep -e \"@reboot (/.Library/SystemServices/updateSystem)\"" |
Source: /.Library/SystemServices/updateSystem (PID: 5277) |
Shell command executed: sh -c "ifconfig | grep -v 127.0.0.1 | grep -E \"inet ([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})\" | awk '{print $2}'" |
Source: /.Library/SystemServices/updateSystem (PID: 5282) |
Shell command executed: sh -c "ip address | awk '/ether/{print $2}'" |
Source: /.Library/SystemServices/updateSystem (PID: 5285) |
Shell command executed: sh -c "uname -mrs" |
Source: /bin/sh (PID: 5265) |
Nohup executable: /usr/bin/nohup -> nohup /.Library/SystemServices/updateSystem |
Source: /usr/bin/dash (PID: 5304) |
Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Q8Xy6IVkIu /tmp/tmp.IvmgDS2E93 /tmp/tmp.bl8wKDFCTb |
Source: /bin/sh (PID: 5281) |
Awk executable: /usr/bin/awk -> awk "{print $2}" |
Source: /bin/sh (PID: 5284) |
Awk executable: /usr/bin/awk -> awk "/ether/{print $2}" |
Source: submitted sample |
Stderr: no crontab for rootno crontab for root: exit code = 0 |
Source: /.Library/SystemServices/updateSystem (PID: 5265) |
Queries kernel information via 'uname': |
Source: /usr/sbin/ifconfig (PID: 5278) |
Queries kernel information via 'uname': |
Source: /usr/bin/uname (PID: 5286) |
Queries kernel information via 'uname': |
Source: /usr/sbin/logrotate (PID: 5172) |
Truncated file: /var/log/cups/access_log.1 |
Source: /usr/sbin/logrotate (PID: 5172) |
Truncated file: /var/log/syslog.1 |
Source: 5220.9.dr |
Binary or memory string: -9915837702310A--gzvmware kernel module |
Source: 5220.9.dr |
Binary or memory string: -1116261022170A--gzQEMU User Emulator |
Source: 5220.9.dr |
Binary or memory string: qemu-or1k |
Source: 5220.9.dr |
Binary or memory string: qemu-riscv64 |
Source: 5220.9.dr |
Binary or memory string: {cqemu |
Source: 5220.9.dr |
Binary or memory string: qemu-arm |
Source: 5220.9.dr |
Binary or memory string: (qemu |
Source: 5220.9.dr |
Binary or memory string: qemu-tilegx |
Source: 5220.9.dr |
Binary or memory string: qemu-hppa |
Source: 5220.9.dr |
Binary or memory string: q{rqemu% |
Source: 5220.9.dr |
Binary or memory string: )qemu |
Source: 5220.9.dr |
Binary or memory string: vmware-toolbox-cmd |
Source: 5220.9.dr |
Binary or memory string: qemu-ppc |
Source: 5220.9.dr |
Binary or memory string: Tqemu9 |
Source: 5220.9.dr |
Binary or memory string: qemu-aarch64_be |
Source: 5220.9.dr |
Binary or memory string: 0qemu9 |
Source: 5220.9.dr |
Binary or memory string: qemu-sparc64 |
Source: 5220.9.dr |
Binary or memory string: qemu-mips64 |
Source: 5220.9.dr |
Binary or memory string: vV:qemu9 |
Source: 5220.9.dr |
Binary or memory string: qemu-ppc64le |