ID: 446038
Sample Name: recovered_bin2
Cookbook: defaultlinuxfilecookbook.jbs
Time: 18:09:20
Date: 08/07/2021
Version: 32.0.0 Black Diamond


Copyright Joe Security LLC 2021

Linux Analysis Report recovered_bin2

Overview

General Information

Sample Name: recovered_bin2
Analysis ID: 446038
MD5: 99cc0f1d0310922…
SHA1: 7d7cd6c71449bd…
SHA256: 03e3859f2109215…
Score: 92
Range: 0 - 100
Whitelisted: false

Detection: malicious

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected Stratum mining protocol
Drops files in suspicious directories
Executes the "crontab" command typically for achieving persistence
Manipulation of devices in /dev
Sample deletes itself
Sample is packed with UPX
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Writes identical ELF files to multiple locations
Detected TCP or UDP traffic on non…
Enumerates processes within the "p…
Executes commands using a shell
Executes the "grep" command used…
Reads CPU information from /proc in…
Reads CPU information from /sys in…
Reads system information from the…
Removes system protection from files
Sample contains only a LOAD segm…
Sample listens on a socket
Sample tries to set the executable fl…
Uses the "uname" system call to qu…
Writes ELF files to disk

Classification (radar chart labels): Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot; scale: malicious, suspicious, clean

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 446038
Start date: 08.07.2021
Start time: 18:09:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 11s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: recovered_bin2
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode: default
Detection: MAL
Classification: mal92.troj.evad.mine.lin@0/5@0/0

Process Tree

system is lnxubuntu1
recovered_bin2 (PID: 4571, Parent: 4500, MD5: 99cc0f1d0310922619c5bf55967969fa) Arguments: /tmp/recovered_bin2
  recovered_bin2 New Fork (PID: 4590, Parent: 4571)
  sh (PID: 4590, Parent: 4571, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "netstat -anp | grep '51255' | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v \"-\" | xargs -I % -9 %"
    sh New Fork (PID: 4591, Parent: 4590)
    netstat (PID: 4591, Parent: 4590, MD5: 78d9a4b9c73de4d9fb0257c5588d67b1) Arguments: netstat -anp
    sh New Fork (PID: 4592, Parent: 4590)
    grep (PID: 4592, Parent: 4590, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep 51255
    sh New Fork (PID: 4593, Parent: 4590)
    awk (PID: 4593, Parent: 4590, MD5: 1bb5d753c2edd5bae269563a5ec6d0fe) Arguments: awk "{print $7}"
    sh New Fork (PID: 4594, Parent: 4590)
    awk (PID: 4594, Parent: 4590, MD5: 1bb5d753c2edd5bae269563a5ec6d0fe) Arguments: awk -F[/] "{print $1}"
    sh New Fork (PID: 4595, Parent: 4590)
    grep (PID: 4595, Parent: 4590, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v -
    sh New Fork (PID: 4596, Parent: 4590)
    xargs (PID: 4596, Parent: 4590, MD5: d189c4a6ecfb0ca3f5c869690733dd0c) Arguments: xargs -I % kill -9 %
  recovered_bin2 New Fork (PID: 4655, Parent: 4571)
  sh (PID: 4655, Parent: 4571, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "netstat -anp | grep '51951' | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v \"-\" | xargs -I % kill -9 %"
    sh New Fork (PID: 4656, Parent: 4655)
    netstat (PID: 4656, Parent: 4655, MD5: 78d9a4b9c73de4d9fb0257c5588d67b1) Arguments: netstat -anp
    sh New Fork (PID: 4657, Parent: 4655)
    grep (PID: 4657, Parent: 4655, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep 51951
    sh New Fork (PID: 4658, Parent: 4655)
    awk (PID: 4658, Parent: 4655, MD5: 1bb5d753c2edd5bae269563a5ec6d0fe) Arguments: awk "{print $7}"
    sh New Fork (PID: 4659, Parent: 4655)
    awk (PID: 4659, Parent: 4655, MD5: 1bb5d753c2edd5bae269563a5ec6d0fe) Arguments: awk -F[/] "{print $1}"
    sh New Fork (PID: 4660, Parent: 4655)
    grep (PID: 4660, Parent: 4655, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v -
    sh New Fork (PID: 4661, Parent: 4655)
    xargs (PID: 4661, Parent: 4655, MD5: d189c4a6ecfb0ca3f5c869690733dd0c) Arguments: xargs -I % kill -9 %
  recovered_bin2 New Fork (PID: 4718, Parent: 4571)
  kthreaddk (PID: 4718, Parent: 4571, MD5: unknown) Arguments: kthreaddk
    kthreaddk New Fork (PID: 4721, Parent: 4718)
      kthreaddk New Fork (PID: 4739, Parent: 4721)
      sh (PID: 4739, Parent: 4721, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "/sbin/modprobe msr > /dev/null 2>&1"
        sh New Fork (PID: 4740, Parent: 4739)
        modprobe (PID: 4740, Parent: 4739, MD5: 3d0e6fb594a9ad9c854ace3e507f86c5) Arguments: /sbin/modprobe msr
  recovered_bin2 New Fork (PID: 4733, Parent: 4571)
  sh (PID: 4733, Parent: 4571, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "chattr -R -ia /var/spool/\nchattr -ia /etc/crontab\nchattr -R -ia /var/spool/cron/crontabs\nchattr -R -ia /etc/cron.d"
    sh New Fork (PID: 4734, Parent: 4733)
    chattr (PID: 4734, Parent: 4733, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -R -ia /var/spool/cron
    sh New Fork (PID: 4743, Parent: 4733)
    chattr (PID: 4743, Parent: 4733, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -ia /etc/crontab
    sh New Fork (PID: 4752, Parent: 4733)
    chattr (PID: 4752, Parent: 4733, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -R -ia /var/spool/cron/crontabs
    sh New Fork (PID: 4756, Parent: 4733)
    chattr (PID: 4756, Parent: 4733, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -R -ia /etc/cron.d
  recovered_bin2 New Fork (PID: 4763, Parent: 4571)
  sh (PID: 4763, Parent: 4571, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c " '* * * * * /etc/apm/event.d/ejdkfu' | /usr/bin/crontab -"
    sh New Fork (PID: 4766, Parent: 4763)
    sh New Fork (PID: 4767, Parent: 4763)
    crontab (PID: 4767, Parent: 4763, MD5: ff68fd30f0037fd7e9c1fdf5a035f739) Arguments: /usr/bin/crontab -
cleanup

Yara Overview

No yara matches

Jbx Signature Overview

• AV Detection
• Bitcoin Miner
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Lowering of HIPS / PFW / Security Settings


AV Detection:

Multi AV Scanner detection for submitted file

Bitcoin Miner:

Detected Stratum mining protocol

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Data Obfuscation:

Manipulation of devices in /dev

Sample is packed with UPX

Persistence and Installation Behavior:

Executes the "crontab" command typically for achieving persistence

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sample tries to persist itself using cron

Writes identical ELF files to multiple locations

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories

Sample deletes itself

Mitre Att&ck Matrix

Techniques per tactic column (a trailing number is the count of matched signatures for that technique):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter 1; Scheduled Task/Job 1; Scripting 1; At (Linux) 1; Cron
Persistence: Scheduled Task/Job 1; At (Linux) 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Scheduled Task/Job 1; At (Linux) 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Masquerading 1; File and Directory Permissions Modification 2; Scripting 1; Obfuscated Files or Information 1; File Deletion 1
Credential Access: OS Credential Dumping 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery 1 1; File and Directory Discovery 1; System Information Discovery 3; System Network Configuration Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Non-Standard Port 1; Ingress Tool Transfer 1; Non-Application Layer Protocol 1; Application Layer Protocol 1; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Impact: Modify System Partition; Device Lockout; Delete Device Data

Malware Configuration

No configs have been found

Behavior Graph

Behavior Graph ID: 446038
Sample: recovered_bin2
Startdate: 08/07/2021
Process Architecture: LINUX
Score: 92

The graph (image not reproduced) shows recovered_bin2, flagged "Is malicious", contacting 155.183.159.148 (United States, ZAMRENZM), 102.87.132.233 (Uganda, ZAINUGASUG) and 98 other IPs or domains; dropping the identical ELF files /ejdkfu, /boot/ejdkfu and /bin/ejdkfu; starting sh, kthreaddk, netstat, grep, awk, crontab, modprobe and further child processes; and, via crontab, dropping /var/spool/cron/crontabs/tmp.fY5a0S (ASCII).

Signatures attached to graph nodes: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file; Detected Stratum mining protocol; Sample is packed with UPX; Writes identical ELF files to multiple locations; Drops files in suspicious directories; Manipulation of devices in /dev; Sample deletes itself; Sample reads /proc/mounts (often used for finding a writable filesystem); Executes the "crontab" command typically for achieving persistence; Sample tries to persist itself using cron.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
recovered_bin2 | 21% | Virustotal |
recovered_bin2 | 11% | Metadefender |
recovered_bin2 | 9% | ReversingLabs | Linux.Coinminer.BitCoinMiner

Dropped Files

Source | Detection | Scanner | Label
/bin/ejdkfu | 21% | Virustotal |
/bin/ejdkfu | 11% | Metadefender |
/bin/ejdkfu | 9% | ReversingLabs | Linux.Coinminer.BitCoinMiner
/boot/ejdkfu | 21% | Virustotal |
/boot/ejdkfu | 11% | Metadefender |
/boot/ejdkfu | 9% | ReversingLabs | Linux.Coinminer.BitCoinMiner
/ejdkfu | 21% | Virustotal |
/ejdkfu | 11% | Metadefender |
/ejdkfu | 9% | ReversingLabs | Linux.Coinminer.BitCoinMiner

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
194.145.227.21/ | 17% | Virustotal |
194.145.227.21/ | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
194.145.227.21/ | true | 17%, Virustotal; Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Contacted IPs

Public


Runtime Messages

Command: /tmp/recovered_bin2
Exit Code:
Exit Code Info:
Killed: True
Standard Output:
Standard Error: ...

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN


JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/bin/ejdkfu

Process: /tmp/recovered_bin2
File Type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Category: dropped
Size (bytes): 3502980
Entropy (8bit): 7.999936944093804
Encrypted: true
SSDEEP: 98304:WG2Dtk1IqfhUbeT46xdYJfXPrWpwFY7RMh5:p+4ybxkYJfPaHRMh5
MD5: 99CC0F1D0310922619C5BF55967969FA
SHA1: 7D7CD6C71449BD50F2CE1EA26F6BA9BD8979BEBA
SHA-256: 03E3859F2109215E347B93C4DF95BB1A2D402280A5EC870C4C74422DB83D7FFB
SHA-512: 97CA3E3BDADA4CA556C1788BB1B8BAFDDEB4E09DA70ED13F07FA8B30FAD9AF70E549D0769CF52E4439D340F7D1D538155F37023E8FDC3AC99FD676BE18CD9128
Malicious: true
Antivirus: Virustotal, Detection: 21%; Metadefender, Detection: 11%; ReversingLabs, Detection: 9%
Reputation: low

/boot/ejdkfu

Process: /tmp/recovered_bin2
File Type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Category: dropped
Size (bytes): 3502980
Entropy (8bit): 7.999936944093804
Encrypted: true
SSDEEP: 98304:WG2Dtk1IqfhUbeT46xdYJfXPrWpwFY7RMh5:p+4ybxkYJfPaHRMh5
MD5: 99CC0F1D0310922619C5BF55967969FA
SHA1: 7D7CD6C71449BD50F2CE1EA26F6BA9BD8979BEBA
SHA-256: 03E3859F2109215E347B93C4DF95BB1A2D402280A5EC870C4C74422DB83D7FFB
SHA-512: 97CA3E3BDADA4CA556C1788BB1B8BAFDDEB4E09DA70ED13F07FA8B30FAD9AF70E549D0769CF52E4439D340F7D1D538155F37023E8FDC3AC99FD676BE18CD9128
Malicious: true
Antivirus: Virustotal, Detection: 21%; Metadefender, Detection: 11%; ReversingLabs, Detection: 9%
Reputation: low

/ejdkfu

Process: /tmp/recovered_bin2
File Type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Category: dropped
Size (bytes): 3502980
Entropy (8bit): 7.999936944093804
Encrypted: true
SSDEEP: 98304:WG2Dtk1IqfhUbeT46xdYJfXPrWpwFY7RMh5:p+4ybxkYJfPaHRMh5
MD5: 99CC0F1D0310922619C5BF55967969FA
SHA1: 7D7CD6C71449BD50F2CE1EA26F6BA9BD8979BEBA
SHA-256: 03E3859F2109215E347B93C4DF95BB1A2D402280A5EC870C4C74422DB83D7FFB
SHA-512: 97CA3E3BDADA4CA556C1788BB1B8BAFDDEB4E09DA70ED13F07FA8B30FAD9AF70E549D0769CF52E4439D340F7D1D538155F37023E8FDC3AC99FD676BE18CD9128
Malicious: true
Antivirus: Virustotal, Detection: 21%; Metadefender, Detection: 11%; ReversingLabs, Detection: 9%
Reputation: low

/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages

Process: kthreaddk
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 6
Entropy (8bit): 1.9182958340544893
Encrypted: false
SSDEEP: 3:OdUM:OJ
MD5: 1054DD099E3998ACB4C217F5AE41D8C8
SHA1: 9F649342B81C46321145FB8F13EDD0F61487F1B4
SHA-256: 498A8E5240652961A0C8BCE6BBAB33A705253FF3B4E81403E5CFE3B779263A5A
SHA-512: 03070B43582647A6344B3FFB462DFB4F77814D6ABB77E162A42486B07A13CF0AEBAEB1F2E25003C104808AB9D7ECF6E70EC686C9078F7183BA3E2823216EF4B7
Malicious: false
Reputation: moderate, very likely benign file
Preview: 128129

/var/spool/cron/crontabs/tmp.fY5a0S

Process: /usr/bin/crontab
File Type: ASCII text
Category: dropped
Size (bytes): 209
Entropy (8bit): 5.117235894444285
Encrypted: false
SSDEEP: 6:SUrpqoqQjEOP1KmREJOBFQLxFHOfmGMQ5UYLtCFt39Y1wTg:8QjHig8lFHsAeHLU9YOk
MD5: 3658D0CC9AFAFF67EAA87D454167D9DE
SHA1: ACBEAA520F138B72C2C342BDD8549D7A4E40F399
SHA-256: 9D87FE0FB0684135D5E16F2F8F72F56073125AF7D530019EB2368B45E75E6783
SHA-512: 93035B6B74AEFB7D27633A386E769A070D1699C3AC19B1E307666DD417F80878F961E2DDF9CE06F8F97213D01140DB9C3DB486CD7004C06F525144AC2E831AA0
Malicious: true
Reputation: low
Preview (line breaks restored):
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (- installed on Thu Jul 8 20:10:01 2021)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
* * * * * /etc/apm/event.d/ejdkfu

Static File Info

General
File type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 7.999936944093804
TrID: ELF Executable and Linkable format (Linux) (4029/14) 50.16%; ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name: recovered_bin2
File size: 3502980
MD5: 99cc0f1d0310922619c5bf55967969fa
SHA1: 7d7cd6c71449bd50f2ce1ea26f6ba9bd8979beba
SHA256: 03e3859f2109215e347b93c4df95bb1a2d402280a5ec870c4c74422db83d7ffb
SHA512: 97ca3e3bdada4ca556c1788bb1b8bafddeb4e09da70ed13f07fa8b30fad9af70e549d0769cf52e4439d340f7d1d538155f37023e8fdc3ac99fd676be18cd9128
SSDEEP: 98304:WG2Dtk1IqfhUbeT46xdYJfXPrWpwFY7RMh5:p+4ybxkYJfPaHRMh5
File Content Preview: .ELF...... >...... `u.....@...... @.8...@...... @...... @...... s5...... s5...... u...... u...... X...... Q.td...... l.UPX!......

Static ELF Info

ELF header
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
Machine: Advanced Micro Devices X86-64
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x756088
Flags: 0x0
ELF Header Size: 64
Program Header Offset: 64
Program Header Size: 56
Number of Program Headers: 3
Section Header Offset: 0
Section Header Size: 64
Number of Section Headers: 0
Header String Table Index: 0

Program Segments

Type       Offset  Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align   Prog Interpreter  Section Mappings
LOAD       0x0     0x400000         0x400000          0x35731c   0x35731c     3.9988   0x5    R E                0x1000
LOAD       0x0     0x758000         0x758000          0x0        0x819b58     0.0000   0x6    RW                 0x1000
GNU_STACK  0x0     0x0              0x0               0x0        0x0          0.0000   0x6    RW                 0x8

Network Behavior

TCP Packets

HTTP Request Dependency Graph

194.145.227.21

System Behavior

Analysis Process: recovered_bin2 PID: 4571 Parent PID: 4500

General

Start time: 18:09:58 Start date: 08/07/2021 Path: /tmp/recovered_bin2 Arguments: /tmp/recovered_bin2 File size: 3502980 bytes MD5 hash: 99cc0f1d0310922619c5bf55967969fa

File Activities

File Deleted

File Read

File Written

Directory Enumerated

Directory Created

Permission Modified

Analysis Process: recovered_bin2 PID: 4590 Parent PID: 4571

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /tmp/recovered_bin2 Arguments: n/a File size: 3502980 bytes MD5 hash: 99cc0f1d0310922619c5bf55967969fa

Analysis Process: sh PID: 4590 Parent PID: 4571

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/sh Arguments: /bin/sh -c "netstat -anp | grep '51255' | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v \"-\" | xargs -I % kill -9 %" File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

File Activities

File Read

Analysis Process: sh PID: 4591 Parent PID: 4590

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: netstat PID: 4591 Parent PID: 4590

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/netstat Arguments: netstat -anp File size: 119624 bytes MD5 hash: 78d9a4b9c73de4d9fb0257c5588d67b1

File Activities

File Read

Directory Enumerated

Analysis Process: sh PID: 4592 Parent PID: 4590

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: grep PID: 4592 Parent PID: 4590

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/grep Arguments: grep 51255 File size: 211224 bytes MD5 hash: fc9b0a0ff848b35b3716768695bf2427

File Activities

File Read

Analysis Process: sh PID: 4593 Parent PID: 4590

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: awk PID: 4593 Parent PID: 4590

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /usr/bin/awk Arguments: awk "{print $7}" File size: 21 bytes MD5 hash: 1bb5d753c2edd5bae269563a5ec6d0fe

File Activities

File Read

Analysis Process: sh PID: 4594 Parent PID: 4590

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: awk PID: 4594 Parent PID: 4590

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /usr/bin/awk Arguments: awk -F[/] "{print $1}" File size: 21 bytes MD5 hash: 1bb5d753c2edd5bae269563a5ec6d0fe

File Activities

File Read

Analysis Process: sh PID: 4595 Parent PID: 4590

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: grep PID: 4595 Parent PID: 4590

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/grep Arguments: grep -v - File size: 211224 bytes MD5 hash: fc9b0a0ff848b35b3716768695bf2427

File Activities

File Read

Analysis Process: sh PID: 4596 Parent PID: 4590

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: xargs PID: 4596 Parent PID: 4590

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /usr/bin/xargs Arguments: xargs -I % kill -9 % File size: 67800 bytes MD5 hash: d189c4a6ecfb0ca3f5c869690733dd0c

File Activities

File Read

Directory Enumerated

Analysis Process: recovered_bin2 PID: 4655 Parent PID: 4571

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /tmp/recovered_bin2 Arguments: n/a File size: 3502980 bytes MD5 hash: 99cc0f1d0310922619c5bf55967969fa

Analysis Process: sh PID: 4655 Parent PID: 4571

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/sh Arguments: /bin/sh -c "netstat -anp | grep '51951' | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v \"-\" | xargs -I % kill -9 %" File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

File Activities

File Read

Analysis Process: sh PID: 4656 Parent PID: 4655

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: netstat PID: 4656 Parent PID: 4655

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/netstat Arguments: netstat -anp File size: 119624 bytes MD5 hash: 78d9a4b9c73de4d9fb0257c5588d67b1

File Activities

File Read

Directory Enumerated

Analysis Process: sh PID: 4657 Parent PID: 4655

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: grep PID: 4657 Parent PID: 4655

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/grep Arguments: grep 51951 File size: 211224 bytes MD5 hash: fc9b0a0ff848b35b3716768695bf2427

File Activities

File Read

Analysis Process: sh PID: 4658 Parent PID: 4655

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: awk PID: 4658 Parent PID: 4655

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /usr/bin/awk Arguments: awk "{print $7}" File size: 21 bytes MD5 hash: 1bb5d753c2edd5bae269563a5ec6d0fe

File Activities

File Read

Analysis Process: sh PID: 4659 Parent PID: 4655

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: awk PID: 4659 Parent PID: 4655

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /usr/bin/awk Arguments: awk -F[/] "{print $1}" File size: 21 bytes MD5 hash: 1bb5d753c2edd5bae269563a5ec6d0fe

File Activities

File Read

Analysis Process: sh PID: 4660 Parent PID: 4655

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: grep PID: 4660 Parent PID: 4655

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/grep Arguments: grep -v - File size: 211224 bytes MD5 hash: fc9b0a0ff848b35b3716768695bf2427

File Activities

File Read

Analysis Process: sh PID: 4661 Parent PID: 4655

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: xargs PID: 4661 Parent PID: 4655

General

Start time: 18:09:59 Start date: 08/07/2021 Path: /usr/bin/xargs Arguments: xargs -I % kill -9 % File size: 67800 bytes MD5 hash: d189c4a6ecfb0ca3f5c869690733dd0c

File Activities

File Read

Directory Enumerated

Analysis Process: recovered_bin2 PID: 4718 Parent PID: 4571

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /tmp/recovered_bin2 Arguments: n/a File size: 3502980 bytes MD5 hash: 99cc0f1d0310922619c5bf55967969fa

Analysis Process: kthreaddk PID: 4718 Parent PID: 4571

General

Start time: 18:10:01 Start date: 08/07/2021 Path: kthreaddk Arguments: kthreaddk File size: 0 bytes MD5 hash: unknown

File Activities

File Read

Directory Enumerated

Analysis Process: kthreaddk PID: 4721 Parent PID: 4718

General

Start time: 18:10:01 Start date: 08/07/2021 Path: kthreaddk Arguments: n/a File size: 0 bytes MD5 hash: unknown

File Activities

File Read

File Written

Directory Enumerated

Analysis Process: kthreaddk PID: 4739 Parent PID: 4721

General

Start time: 18:10:01 Start date: 08/07/2021 Path: kthreaddk Arguments: n/a File size: 0 bytes MD5 hash: unknown

Analysis Process: sh PID: 4739 Parent PID: 4721

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /bin/sh Arguments: sh -c "/sbin/modprobe msr > /dev/null 2>&1" File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

File Activities

File Read

Analysis Process: sh PID: 4740 Parent PID: 4739

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: modprobe PID: 4740 Parent PID: 4739

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /sbin/modprobe Arguments: /sbin/modprobe msr File size: 9 bytes MD5 hash: 3d0e6fb594a9ad9c854ace3e507f86c5

File Activities

File Read

Directory Enumerated

Analysis Process: recovered_bin2 PID: 4733 Parent PID: 4571

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /tmp/recovered_bin2 Arguments: n/a File size: 3502980 bytes MD5 hash: 99cc0f1d0310922619c5bf55967969fa

Analysis Process: sh PID: 4733 Parent PID: 4571

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /bin/sh Arguments: /bin/sh -c "chattr -R -ia /var/spool/cron\nchattr -ia /etc/crontab\nchattr -R -ia /var/spool/cron/crontabs\nchattr -R -ia /etc/cron.d" File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

File Activities

File Read

Analysis Process: sh PID: 4734 Parent PID: 4733

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: chattr PID: 4734 Parent PID: 4733

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /usr/bin/chattr Arguments: chattr -R -ia /var/spool/cron File size: 10592 bytes MD5 hash: 8aa970e89963faf71434e3a37222cc49

File Activities

File Read

Directory Enumerated

Analysis Process: sh PID: 4743 Parent PID: 4733

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: chattr PID: 4743 Parent PID: 4733

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /usr/bin/chattr Arguments: chattr -ia /etc/crontab File size: 10592 bytes MD5 hash: 8aa970e89963faf71434e3a37222cc49

File Activities

File Read

Analysis Process: sh PID: 4752 Parent PID: 4733

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: chattr PID: 4752 Parent PID: 4733

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /usr/bin/chattr Arguments: chattr -R -ia /var/spool/cron/crontabs File size: 10592 bytes MD5 hash: 8aa970e89963faf71434e3a37222cc49

File Activities

File Read

Directory Enumerated

Analysis Process: sh PID: 4756 Parent PID: 4733

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: chattr PID: 4756 Parent PID: 4733

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /usr/bin/chattr Arguments: chattr -R -ia /etc/cron.d File size: 10592 bytes MD5 hash: 8aa970e89963faf71434e3a37222cc49

File Activities

File Read

Directory Enumerated

Analysis Process: recovered_bin2 PID: 4763 Parent PID: 4571

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /tmp/recovered_bin2 Arguments: n/a File size: 3502980 bytes MD5 hash: 99cc0f1d0310922619c5bf55967969fa

Analysis Process: sh PID: 4763 Parent PID: 4571

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /bin/sh Arguments: /bin/sh -c "echo '* * * * * /etc/apm/event.d/ejdkfu' | /usr/bin/crontab -" File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

File Activities

File Read

Analysis Process: sh PID: 4766 Parent PID: 4763

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: sh PID: 4767 Parent PID: 4763

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: crontab PID: 4767 Parent PID: 4763

General

Start time: 18:10:01 Start date: 08/07/2021 Path: /usr/bin/crontab Arguments: /usr/bin/crontab - File size: 36080 bytes MD5 hash: ff68fd30f0037fd7e9c1fdf5a035f739

File Activities

File Read

File Written

File Moved

Permission Modified
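The process tree above records three behaviours worth turning into host checks. Each child PID appears twice, first as the forked copy of recovered_bin2 and then under the name it exec'd or renamed to. The sample runs `/bin/sh -c "netstat -anp | grep '<port>' | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v \"-\" | xargs -I % kill -9 %"` for ports 51255 and 51951, killing whatever owns those ports, the usual way a coin miner evicts a competitor; it forks a child that shows up as kthreaddk with no on-disk file resolved (File size 0, MD5 unknown), a name chosen to blend in with kernel threads, which then writes nr_hugepages and loads the msr module, both CPU-miner tuning steps; and after `chattr -R -ia` on /var/spool/cron, /etc/crontab, /var/spool/cron/crontabs and /etc/cron.d it installs the per-minute crontab `* * * * * /etc/apm/event.d/ejdkfu`. The script below is an added example and not code from the report: three triage functions over constructed inputs (a netstat -anp listing, a user crontab, and /proc-style process records; none of them are data captured by the analysis, though the crontab header lines copy the dropped file's preview). It also shows why the sample's pipeline is not port-precise: `grep '51255'` matches that substring anywhere on the line, so a connection whose foreign port, or a unix-socket inode number, happens to contain 51255 gets killed as well.

```python
import re

# ---- constructed sample inputs (not data from the analysis report) ----------------
NETSTAT_ANP = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:51255           0.0.0.0:*               LISTEN      1337/kthreaddk
tcp        0      0 10.0.0.5:43210          194.145.227.21:443      ESTABLISHED 1337/kthreaddk
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 10.0.0.5:40000          203.0.113.9:51255       ESTABLISHED 2001/curl
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  3      [ ]         STREAM     CONNECTED     51255    2100/dbus-daemon
"""

USER_CRONTAB = """\
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (- installed on Thu Jul  8 20:10:01 2021)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /etc/apm/event.d/ejdkfu
"""

PROCS = [  # constructed /proc snapshot: pid, ppid, comm, readlink(/proc/<pid>/exe), cmdline
    {"pid": 2,    "ppid": 0,    "comm": "kthreadd",       "exe": None, "cmdline": ""},
    {"pid": 17,   "ppid": 2,    "comm": "kworker/0:1",    "exe": None, "cmdline": ""},
    {"pid": 4571, "ppid": 4500, "comm": "recovered_bin2", "exe": "/tmp/recovered_bin2",
     "cmdline": "/tmp/recovered_bin2"},
    {"pid": 4718, "ppid": 4571, "comm": "kthreaddk",      "exe": "/tmp/recovered_bin2",
     "cmdline": "kthreaddk"},
]


def pipeline_kill_targets(netstat_output: str, port: str) -> list:
    """What the sample's pipeline selects: substring grep over every line, column 7,
    the text before the first '/', and anything containing '-' dropped."""
    targets = []
    for line in netstat_output.splitlines():
        if port not in line:
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        pid = fields[6].split("/")[0]
        if "-" not in pid:
            targets.append(pid)
    return targets


def listeners_on_port(netstat_output: str, port: int) -> list:
    """Triage version: only TCP/UDP sockets whose *local* port matches."""
    pids = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        if fields[3].rsplit(":", 1)[-1] != str(port):
            continue
        prog = fields[-1]                      # "PID/Program name", or "-" if not visible
        if "/" in prog:
            pids.add(int(prog.split("/")[0]))
    return sorted(pids)


def cron_entries(crontab_text: str) -> list:
    """(schedule, command) pairs from a *user* crontab (no user column, unlike
    /etc/crontab and /etc/cron.d/*). Comments, blank and @reboot-style lines are skipped."""
    entries = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split(None, 5)
        if len(parts) == 6:
            entries.append((" ".join(parts[:5]), parts[5]))
    return entries


# /etc/apm/event.d/ is the directory this sample uses; /tmp/ and /dev/shm/ are assumptions.
ODD_DIRS = ("/etc/apm/event.d/", "/tmp/", "/dev/shm/")


def suspicious_cron_entries(crontab_text: str) -> list:
    """Entries that run every minute or launch a program from one of ODD_DIRS."""
    return [(sched, cmd) for sched, cmd in cron_entries(crontab_text)
            if sched == "* * * * *" or cmd.split()[0].startswith(ODD_DIRS)]


KERNEL_THREAD_NAMES = re.compile(r"^(kthreadd|kworker|ksoftirqd|kswapd|migration|rcu_|kcompactd)")


def kernel_thread_lookalikes(procs: list) -> list:
    """PIDs whose name imitates a kernel thread but that have a userland origin. Real
    kernel threads are children of kthreadd (pid 2), have no /proc/<pid>/exe target and
    an empty cmdline; a renamed userland process keeps its exe link."""
    found = []
    for p in procs:
        looks_like_kthread = KERNEL_THREAD_NAMES.match(p["comm"]) is not None
        is_kthread = p["pid"] == 2 or (p["ppid"] == 2 and p["exe"] is None and p["cmdline"] == "")
        if looks_like_kthread and not is_kthread:
            found.append(p["pid"])
    return found


if __name__ == "__main__":
    print("pipeline would kill:", pipeline_kill_targets(NETSTAT_ANP, "51255"))
    print("actually on :51255 :", listeners_on_port(NETSTAT_ANP, 51255))
    print("suspicious cron    :", suspicious_cron_entries(USER_CRONTAB))
    print("fake kthreads      :", kernel_thread_lookalikes(PROCS))
```

On a live host feed these functions `netstat -anp` (or `ss -tunap`, whose columns differ) output, `crontab -l -u <user>` for every user, and a walk of /proc. After cleanup also run `lsattr -d /etc/crontab /var/spool/cron/crontabs /etc/cron.d`: the sample strips the immutable and append-only attributes before writing its crontab, so any +i you relied on is gone and must be re-applied, and an audit rule on execve of chattr catches the next attempt.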

Copyright Joe Security LLC 2021
