IOC Report

Files

File Path

Type

Category

Malicious

psO5Q4nOUG

ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=dfbc50eadb8baef274f11c0276302be5ad2347eb, not stripped

initial sample

download

/.Library/SystemServices/updateSystem

ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=dfbc50eadb8baef274f11c0276302be5ad2347eb, not stripped

dropped

download

/var/spool/cron/crontabs/tmp.UWWGtW

ASCII text

dropped

download

/var/cache/man/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/cs/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/cs/index.db.rlN8gW

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/da/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/da/index.db.9suQKU

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/de/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/de/index.db.Fo7BhW

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/es/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/es/index.db.XIWXQU

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/fi/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/fi/index.db.07YLZV

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/fr.ISO8859-1/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/fr.ISO8859-1/index.db.9zj0ZV

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/fr.UTF-8/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/fr.UTF-8/index.db.iKqK8V

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/fr/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/fr/index.db.eKn6GU

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/hu/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/hu/index.db.3WXrsU

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/id/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/id/index.db.o5YvpT

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/index.db.ZagOpS

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/it/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/it/index.db.o3NNXV

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/ja/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/ja/index.db.lKZhqV

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/ko/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/ko/index.db.Tf5QMV

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/nl/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/nl/index.db.dHSDcU

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/pl/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/pl/index.db.GiWNoS

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/pt/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/pt/index.db.WxlxPT

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/pt_BR/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/pt_BR/index.db.4aotkW

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/ru/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/ru/index.db.dt3OxU

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/sl/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/sl/index.db.XOKjzW

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/sr/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/sr/index.db.avBoCS

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/sv/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/sv/index.db.krDkoU

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/tr/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/tr/index.db.U6TInU

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/zh_CN/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/zh_CN/index.db.69pmYV

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/zh_TW/5220

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/man/zh_TW/index.db.rZzj2V

GNU dbm 1.x or ndbm database, little endian, 64-bit

dropped

download

/var/cache/motd-news

ASCII text

dropped

download

/var/lib/logrotate/status.tmp

ASCII text

dropped

download

/var/log/cups/access_log.1.gz

gzip compressed data, last modified: Tue Jan 11 23:54:16 2022, from Unix

dropped

download

/var/log/syslog.1.gz

gzip compressed data, last modified: Tue Jan 11 23:54:16 2022, from Unix

dropped

download

There are 47 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

/usr/lib/systemd/systemd

n/a

/usr/sbin/logrotate

/usr/sbin/logrotate /etc/logrotate.conf

/usr/sbin/logrotate

n/a

/bin/gzip

/bin/gzip

/usr/sbin/logrotate

n/a

/bin/sh

sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log "

/bin/sh

n/a

/usr/sbin/invoke-rc.d

invoke-rc.d --quiet cups restart

/usr/sbin/invoke-rc.d

n/a

/sbin/runlevel

/sbin/runlevel

/usr/sbin/invoke-rc.d

n/a

/usr/bin/systemctl

systemctl --quiet is-enabled cups.service

/usr/sbin/invoke-rc.d

n/a

/usr/bin/ls

ls /etc/rc[S2345].d/S[0-9][0-9]cups

/usr/sbin/invoke-rc.d

n/a

/usr/bin/systemctl

systemctl --quiet is-active cups.service

/usr/sbin/logrotate

n/a

/bin/gzip

/bin/gzip

/usr/sbin/logrotate

n/a

/bin/sh

sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog

/bin/sh

n/a

/usr/lib/rsyslog/rsyslog-rotate

/usr/lib/rsyslog/rsyslog-rotate

/usr/lib/rsyslog/rsyslog-rotate

n/a

/usr/bin/systemctl

systemctl kill -s HUP rsyslog.service

/usr/lib/systemd/systemd

n/a

/usr/bin/install

/usr/bin/install -d -o man -g man -m 0755 /var/cache/man

/usr/lib/systemd/systemd

n/a

/usr/bin/find

/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete

/usr/lib/systemd/systemd

n/a

/usr/bin/mandb

/usr/bin/mandb --quiet

/tmp/psO5Q4nOUG

/tmp/psO5Q4nOUG

/tmp/psO5Q4nOUG

n/a

/bin/sh

sh -c "id -u"

/bin/sh

n/a

/usr/bin/id

id -u

/tmp/psO5Q4nOUG

n/a

/bin/sh

sh -c whoami

/bin/sh

n/a

/usr/bin/whoami

whoami

/tmp/psO5Q4nOUG

n/a

/bin/sh

sh -c "crontab -l | egrep -v \"^(#|$)\" | grep -e \"@reboot (/.Library/SystemServices/updateSystem)\""

/bin/sh

n/a

/usr/bin/crontab

crontab -l

/bin/sh

n/a

/usr/bin/egrep

egrep -v ^(#|$)

/usr/bin/grep

grep -E -v ^(#|$)

/bin/sh

n/a

/usr/bin/grep

grep -e "@reboot (/.Library/SystemServices/updateSystem)"

/tmp/psO5Q4nOUG

n/a

/bin/sh

sh -c "(crontab -l; echo \"@reboot (/.Library/SystemServices/updateSystem)\") | crontab -"

/bin/sh

n/a

/bin/sh

n/a

/usr/bin/crontab

crontab -l

/bin/sh

n/a

/usr/bin/crontab

crontab -

/tmp/psO5Q4nOUG

n/a

/bin/sh

sh -c "cp -rf '/tmp/psO5Q4nOUG' '/.Library/SystemServices/updateSystem'"

/bin/sh

n/a

/usr/bin/cp

cp -rf /tmp/psO5Q4nOUG /.Library/SystemServices/updateSystem

/tmp/psO5Q4nOUG

n/a

/bin/sh

sh -c "nohup '/.Library/SystemServices/updateSystem' >/dev/null 2>&1 &"

/bin/sh

n/a

/usr/bin/nohup

nohup /.Library/SystemServices/updateSystem

/.Library/SystemServices/updateSystem

/.Library/SystemServices/updateSystem

/.Library/SystemServices/updateSystem

n/a

/bin/sh

sh -c "id -u"

/bin/sh

n/a

/usr/bin/id

id -u

/.Library/SystemServices/updateSystem

n/a

/bin/sh

sh -c whoami

/bin/sh

n/a

/usr/bin/whoami

whoami

/.Library/SystemServices/updateSystem

n/a

/bin/sh

sh -c "crontab -l | egrep -v \"^(#|$)\" | grep -e \"@reboot (/.Library/SystemServices/updateSystem)\""

/bin/sh

n/a

/usr/bin/crontab

crontab -l

/bin/sh

n/a

/usr/bin/egrep

egrep -v ^(#|$)

/usr/bin/grep

grep -E -v ^(#|$)

/bin/sh

n/a

/usr/bin/grep

grep -e "@reboot (/.Library/SystemServices/updateSystem)"

/.Library/SystemServices/updateSystem

n/a

/bin/sh

sh -c "ifconfig | grep -v 127.0.0.1 | grep -E \"inet ([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})\" | awk '{print $2}'"

/bin/sh

n/a

/usr/sbin/ifconfig

ifconfig

/bin/sh

n/a

/usr/bin/grep

grep -v 127.0.0.1

/bin/sh

n/a

/usr/bin/grep

grep -E "inet ([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})"

/bin/sh

n/a

/usr/bin/awk

awk "{print $2}"

/.Library/SystemServices/updateSystem

n/a

/bin/sh

sh -c "ip address | awk '/ether/{print $2}'"

/bin/sh

n/a

/usr/sbin/ip

ip address

/bin/sh

n/a

/usr/bin/awk

awk "/ether/{print $2}"

/.Library/SystemServices/updateSystem

n/a

/bin/sh

sh -c "uname -mrs"

/bin/sh

n/a

/usr/bin/uname

uname -mrs

/usr/bin/dash

n/a

/usr/bin/cat

cat /tmp/tmp.Q8Xy6IVkIu

/usr/bin/dash

n/a

/usr/bin/head

head -n 10

/usr/bin/dash

n/a

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

n/a

/usr/bin/cut

cut -c -80

/usr/bin/dash

n/a

/usr/bin/cat

cat /tmp/tmp.Q8Xy6IVkIu

/usr/bin/dash

n/a

/usr/bin/head

head -n 10

/usr/bin/dash

n/a

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

n/a

/usr/bin/cut

cut -c -80

/usr/bin/dash

n/a

/usr/bin/rm

rm -f /tmp/tmp.Q8Xy6IVkIu /tmp/tmp.IvmgDS2E93 /tmp/tmp.bl8wKDFCTb

There are 109 hidden processes, click here to show them.

URLs

Name

IP

Malicious

https://gcc.gnu.org/bugs

unknown

Details

Name:	https://gcc.gnu.org/bugs
TargetID:	68
From Memory:	true
Current Path:	/usr/bin/cp
Source:	updateSystem.68.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://ubuntu.com/blog/microk8s-memory-optimisation

unknown

Details

Name:	https://ubuntu.com/blog/microk8s-memory-optimisation
TargetID:	125
From Memory:	true
Current Path:	/usr/bin/cut
Source:	motd-news.125.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

IP

Malicious

graphic-updater.com

23.254.131.176

drive.google.com

142.250.181.78

Details

Name:	drive.google.com
IP:	142.250.181.78
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

googlehosted.l.googleusercontent.com

142.250.181.65

doc-0k-2o-docs.googleusercontent.com

unknown

IPs

IP

Domain

Country

Malicious

54.171.230.55

unknown

United States

Details

IP:	54.171.230.55
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

23.254.131.176

graphic-updater.com

United States

Details

IP:	23.254.131.176
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	54290
ASN name:	HOSTWINDSUS
Private:	false
Domain:	graphic-updater.com

142.250.181.78

drive.google.com

United States

Details

IP:	142.250.181.78
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	drive.google.com

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

142.250.181.65

googlehosted.l.googleusercontent.com

United States

Details

IP:	142.250.181.65
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	googlehosted.l.googleusercontent.com

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking