analysis: prctl sample

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/README.md

@@ -0,0 +1,64 @@
+# Sample Information
+
+<table>
+  <tr>
+    <td><b>VirusTotal Threat Label</b></td>
+    <td><b><span style="color: red">trojan.perfctl/expl</span></b></td>
+  </tr>
+  <tr>
+    <td><b>md5</b></td>
+    <td>656e22c65bf7c04d87b5afbe52b8d800</td>
+  </tr>
+  <tr>
+    <td><b>sha1</b></td>
+    <td>0fd199053171fec86be186106eac717c4edae2ad</td>
+  </tr>
+  <tr>
+    <td><b>sha256</b></td>
+    <td>22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13</td>
+  </tr>
+  <tr>
+    <td><b>sha512</b></td>
+    <td>697954f75e391a6cc600b7d40509ac1a1515cb0a4234cc3ae4270beaf7bbc3a3da23a9cd4f25e0eb4f5956d24ca3866e2574dc9493644845aac1063e1e4b0183</td>
+  </tr>
+</table>
+
+**VirusTotal**: https://www.virustotal.com/gui/file/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
+
+## Analysis
+
+![analysis](analysis/sample.svg)
+
+## Detection Names
+
+a variant of Linux/Exploit.CVE-2021-4034.S  
+Detected  
+E64/ABRisk.TMMV-18  
+ELF:Agent-DBG [Expl]  
+Elf.Perfctl.49115.GC  
+ELF/TrojanGen.A  
+elf.trojan.perfctl  
+EXP/AVI.CVE.suebo  
+Exp:Linux/CVE.2021.4034  
+Exploit.CVE-2021-4034  
+Exploit.CVE-2021-4034!8.131F2 (CLOUD)  
+Exploit.EXP/AVI.CVE.suebo  
+Exploit/Linux.CVE-2021-4034.b  
+Generic trojan.abb  
+Linux.MulDrop.137  
+Linux.Risktool.Bitcoinminer.Etgl  
+Linux.Troj.Undef.a  
+Mal/Generic-S  
+Malicious_Behavior.SB  
+Malicious (score: 99)  
+not-a-virus:HEUR:RiskTool.Linux.BitCoinMiner.gen  
+PUA.Gen.2  
+RiskTool.Linux.dxq  
+Riskware.Elf64.AVI.kpwgpj  
+Trojan.Linux.Generic.324520  
+Trojan.Linux.Generic.324520 (B)  
+Trojan.Linux.Generic.D4F3A8  
+Trojan.Linux.PERFCTL.A  
+Trojan:Linux/Perfctl!MTB  
+Trojan/Win64.CoinMiner.xmr  
+Unix.Exploit.Generic-10016938-0  

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/analysis.yaml

@@ -0,0 +1,17 @@
+analysis:
+  duration_sec: 60
+  timestamp: '2024-11-06T21:19:19.608959+00:00'
+kunai:
+  args:
+  - run
+  - --include=all
+  - --harden
+  - --max-buffered-events=2048
+  - --send-data-min-len=0
+  version: kunai 0.3.0
+sample:
+  args: []
+system:
+  kernel: 6.1.0-21-cloud-amd64
+  uname: 'Linux kunai-sandbox 6.1.0-21-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1
+    (2024-05-03) x86_64 GNU/Linux'

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/06f6cffd-5c83-503f-21d7-1746a635b6bc/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/usr/bin/perfcc"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "06f6cffd-5c83-503f-21d7-1746a635b6bc",
+      "batch": 1688
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2902,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:41.619130049Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/24ae447c-4854-2fef-9833-2b327af557b2/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/tmp/.xdiag/ver"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "24ae447c-4854-2fef-9833-2b327af557b2",
+      "batch": 699
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2896,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:31.050032528Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/24ae447c-4854-2fef-9833-2b327af557b2/file.bin

@@ -0,0 +1 @@
+az-v4.1-6-gb108b16

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/30b094fa-f0c0-4a68-b0a5-9854274ccead/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/tmp/.xdiag/int/.e.lock"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "30b094fa-f0c0-4a68-b0a5-9854274ccead",
+      "batch": 699
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2896,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:31.050055012Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/30b094fa-f0c0-4a68-b0a5-9854274ccead/file.bin

@@ -0,0 +1 @@
+2893

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/34ab7937-fe05-16ef-5940-0442713e8ce5/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/tmp/.xdiag/p"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "34ab7937-fe05-16ef-5940-0442713e8ce5",
+      "batch": 698
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2896,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:31.049992681Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/34ab7937-fe05-16ef-5940-0442713e8ce5/file.bin

@@ -0,0 +1 @@
+2893

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/3922ac4e-cb7c-8c1a-f5a1-7343a6fa19e8/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/tmp/.xdiag/cp"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "3922ac4e-cb7c-8c1a-f5a1-7343a6fa19e8",
+      "batch": 699
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2896,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:31.050074119Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/3922ac4e-cb7c-8c1a-f5a1-7343a6fa19e8/file.bin

@@ -0,0 +1 @@
+/tmp/.perf.c/oom_reaper

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/4f50eca8-2a34-4f07-6f9e-d3568d86ae76/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/tmp/.xdiag/hroot/hscheck"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "4f50eca8-2a34-4f07-6f9e-d3568d86ae76",
+      "batch": 917
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2896,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:32.485591052Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/4f50eca8-2a34-4f07-6f9e-d3568d86ae76/file.bin

@@ -0,0 +1 @@
+hscheck

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/4f748386-b19a-6425-b537-6de09b457e14/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/tmp/.xdiag/tordata/cached-microdescs.new"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "4f748386-b19a-6425-b537-6de09b457e14",
+      "batch": 1473
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2896,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:39.097536513Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/4fc1fdad-435d-c5cf-f2fd-d952522884b4/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/tmp/.perf.c/perfctl"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "4fc1fdad-435d-c5cf-f2fd-d952522884b4",
+      "batch": 1667
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2911,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:41.387411298Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/6321c6b8-c82c-855d-945f-66377c4318cb/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/tmp/.xdiag/hs.txt"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "6321c6b8-c82c-855d-945f-66377c4318cb",
+      "batch": 2179
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2908,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:47.518310305Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/6321c6b8-c82c-855d-945f-66377c4318cb/file.bin

@@ -0,0 +1 @@
+6ka66xoicqpmvejtmlskmz56ax23hof5zw44dhn7w3pvn433k3lrbwad/LA5kIkQNIp

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/709157d9-6892-69f5-3985-ecbb0fff5d03/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/tmp/.xdiag/uid"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "709157d9-6892-69f5-3985-ecbb0fff5d03",
+      "batch": 699
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2896,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:31.050013277Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/709157d9-6892-69f5-3985-ecbb0fff5d03/file.bin

@@ -0,0 +1 @@
+0

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/71eedc79-8d87-5d4f-d5b2-7e4889fc4fd0/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/usr/bin/.local/bin/top"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "71eedc79-8d87-5d4f-d5b2-7e4889fc4fd0",
+      "batch": 711
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2896,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:31.157006389Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/7200541d-186d-b4bd-e222-ad70f4e25f4f/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/etc/ld.so.preload"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "7200541d-186d-b4bd-e222-ad70f4e25f4f",
+      "batch": 713
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2911,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400040"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:31.289529339Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/7200541d-186d-b4bd-e222-ad70f4e25f4f/file.bin

@@ -0,0 +1 @@
+/lib/libgcwrap.so

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/7907f0c8-12f1-6ee0-a51f-b896e0a85dfe/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd|/usr/sbin/sshd|/usr/sbin/sshd|/usr/sbin/sshd|/usr/bin/sudo",
+    "command_line": "/tmp/sample.bin",
+    "exe": {
+      "path": "/tmp/sample.bin"
+    },
+    "path": "/tmp/.xdiag/elog"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "7907f0c8-12f1-6ee0-a51f-b896e0a85dfe",
+      "batch": 354
+    },
+    "task": {
+      "name": "sample.bin",
+      "pid": 2870,
+      "tgid": 2870,
+      "guuid": "fe8126fb-1200-0000-4c09-d804360b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "parent_task": {
+      "name": "sudo",
+      "pid": 2869,
+      "tgid": 2869,
+      "guuid": "7a5427f8-1200-0000-4c09-d804350b0000",
+      "uid": 1000,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:26.872503898Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/7907f0c8-12f1-6ee0-a51f-b896e0a85dfe/file.bin

@@ -0,0 +1,3 @@
+11-06-2024 21:19:26.7552 0  2869:2870
+11-06-2024 21:19:26.8369 0  1:2880
+11-06-2024 21:19:26.9497 0  1:2893

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/7c80bc8e-ce81-a706-2755-fd5a5a7193a5/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/usr/bin/.local/bin/strace"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "7c80bc8e-ce81-a706-2755-fd5a5a7193a5",
+      "batch": 710
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2896,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:31.158398811Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/7dbdfd39-a84c-7223-b29f-10b97ff48b26/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/root/.config/cron/perfcc"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "7dbdfd39-a84c-7223-b29f-10b97ff48b26",
+      "batch": 701
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2896,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:31.051505190Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/97ee73de-0369-9fa0-9ebd-867e4765a320/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/tmp/.xdiag/exi"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "97ee73de-0369-9fa0-9ebd-867e4765a320",
+      "batch": 1691
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2911,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:41.695714932Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/97ee73de-0369-9fa0-9ebd-867e4765a320/file.bin

@@ -0,0 +1 @@
+92.223.89.148

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/b5bfa68a-2048-f4b0-9aa3-ae4e7b0c4711/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/tmp/.xdiag/cty"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "b5bfa68a-2048-f4b0-9aa3-ae4e7b0c4711",
+      "batch": 2179
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2908,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:47.518264767Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/b5bfa68a-2048-f4b0-9aa3-ae4e7b0c4711/file.bin

@@ -0,0 +1 @@
+direct

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/c9d3beb1-aafb-671e-173a-7a049a5f5f3c/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd|/tmp/.perf.c/oom_reaper",
+    "command_line": "/bin/sh -c echo '/etc/coredumps/%e.%p.%u.%t' > /proc/sys/kernel/core_pattern",
+    "exe": {
+      "path": "/usr/bin/dash"
+    },
+    "path": "/proc/sys/kernel/core_pattern"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "c9d3beb1-aafb-671e-173a-7a049a5f5f3c",
+      "batch": 718
+    },
+    "task": {
+      "name": "sh",
+      "pid": 2985,
+      "tgid": 2985,
+      "guuid": "68be710b-1400-0000-4c09-d804a90b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400000"
+    },
+    "parent_task": {
+      "name": "oom_reaper",
+      "pid": 2911,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "utc_time": "2024-11-06T21:19:31.408976531Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/c9d3beb1-aafb-671e-173a-7a049a5f5f3c/file.bin

@@ -0,0 +1 @@
+/etc/coredumps/%e.%p.%u.%t

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/ca9fc536-376d-8283-412d-ce0eea03cd24/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/tmp/.xdiag/tordata/ts"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "ca9fc536-376d-8283-412d-ce0eea03cd24",
+      "batch": 2178
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2908,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:47.518208553Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/ca9fc536-376d-8283-412d-ce0eea03cd24/file.bin

@@ -0,0 +1 @@
+1730927987

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/cb4ecd54-67cc-c18e-3f9a-f3f506ad021b/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/usr/bin/.local/bin/ldd"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "cb4ecd54-67cc-c18e-3f9a-f3f506ad021b",
+      "batch": 711
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2896,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:31.157558175Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/cdd8a2a6-a0a1-76ab-8743-2174e8cda10d/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/usr/bin/wizlmsh"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "cdd8a2a6-a0a1-76ab-8743-2174e8cda10d",
+      "batch": 701
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2896,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:31.051527529Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/def13e00-6a38-9f86-1b8b-ce17a590de25/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/usr/lib/libgcwrap.so"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "def13e00-6a38-9f86-1b8b-ce17a590de25",
+      "batch": 712
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2911,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400040"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:31.289316718Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/f0e11bb1-2c57-8d00-dc7d-85a85f68d0e6/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd|/tmp/.perf.c/perfctl",
+    "command_line": "perfctl",
+    "exe": {
+      "path": "/tmp/.perf.c/perfctl"
+    },
+    "path": "/tmp/.apid"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "f0e11bb1-2c57-8d00-dc7d-85a85f68d0e6",
+      "batch": 2505
+    },
+    "task": {
+      "name": "perfctl",
+      "pid": 3149,
+      "tgid": 3149,
+      "guuid": "d9fbb7bb-1800-0000-4c09-d8044d0c0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400040"
+    },
+    "parent_task": {
+      "name": "perfctl",
+      "pid": 3148,
+      "tgid": 3148,
+      "guuid": "193b37b9-1800-0000-4c09-d8044c0c0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400000"
+    },
+    "utc_time": "2024-11-06T21:19:51.495643767Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/f0e11bb1-2c57-8d00-dc7d-85a85f68d0e6/file.bin

@@ -0,0 +1 @@
+3149

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/fa24a9f0-080e-ac5c-158f-56e8743b3374/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/etc/profile"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "fa24a9f0-080e-ac5c-158f-56e8743b3374",
+      "batch": 711
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2911,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400040"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:31.161568952Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/fa24a9f0-080e-ac5c-158f-56e8743b3374/file.bin

@@ -0,0 +1,36 @@
+# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
+# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).
+
+if [ "$(id -u)" -eq 0 ]; then
+  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+  PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
+fi
+export PATH
+
+if [ "${PS1-}" ]; then
+  if [ "${BASH-}" ] && [ "$BASH" != "/bin/sh" ]; then
+    # The file bash.bashrc already sets the default PS1.
+    # PS1='\h:\w\$ '
+    if [ -f /etc/bash.bashrc ]; then
+      . /etc/bash.bashrc
+    fi
+  else
+    if [ "$(id -u)" -eq 0 ]; then
+      PS1='# '
+    else
+      PS1='$ '
+    fi
+  fi
+fi
+
+if [ -d /etc/profile.d ]; then
+  for i in /etc/profile.d/*.sh; do
+    if [ -r $i ]; then
+      . $i
+    fi
+  done
+  unset i
+fi
+
+export PATH=/bin/.local/bin:$PATH

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/fa39e586-4d7e-6f37-0361-2bff75563474/event.json

@@ -0,0 +1,49 @@
+{
+  "data": {
+    "ancestors": "/usr/lib/systemd/systemd",
+    "command_line": "oom_reaper -d",
+    "exe": {
+      "path": "/tmp/.perf.c/oom_reaper"
+    },
+    "path": "/tmp/.xdiag/hroot/cp"
+  },
+  "info": {
+    "host": {
+      "uuid": "3eff9364-90b8-5293-9f42-0ea09fbefe18",
+      "name": "kunai-sandbox",
+      "container": null
+    },
+    "event": {
+      "source": "kunai",
+      "id": 87,
+      "name": "write_close",
+      "uuid": "fa39e586-4d7e-6f37-0361-2bff75563474",
+      "batch": 917
+    },
+    "task": {
+      "name": "oom_reaper",
+      "pid": 2896,
+      "tgid": 2893,
+      "guuid": "9fe1c606-1300-0000-4c09-d8044d0b0000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400140"
+    },
+    "parent_task": {
+      "name": "systemd",
+      "pid": 1,
+      "tgid": 1,
+      "guuid": "62601609-0000-0000-4c09-d80401000000",
+      "uid": 0,
+      "gid": 0,
+      "namespaces": {
+        "mnt": 4026531841
+      },
+      "flags": "0x400100"
+    },
+    "utc_time": "2024-11-06T21:19:32.485611769Z"
+  }
+}

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/dropped/fa39e586-4d7e-6f37-0361-2bff75563474/file.bin

@@ -0,0 +1 @@
+/tmp/.perf.c/oom_reaper

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/analysis/kunai.stderr

@@ -0,0 +1,2 @@
+[2024-11-06T21:19:21Z WARN  kunai] syscalls_sys_exit_execve probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=6.1.0
+[2024-11-06T21:19:22Z WARN  kunai] syscalls_sys_exit_execveat probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=6.1.0

linux/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/virustotal.json

@@ -0,0 +1,610 @@
+{
+  "ALYac": {
+    "category": "malicious",
+    "engine_name": "ALYac",
+    "engine_update": "20241031",
+    "engine_version": "2.0.0.10",
+    "method": "blacklist",
+    "result": "Trojan.Linux.Generic.324520"
+  },
+  "APEX": {
+    "category": "type-unsupported",
+    "engine_name": "APEX",
+    "engine_update": "20241031",
+    "engine_version": "6.589",
+    "method": "blacklist",
+    "result": null
+  },
+  "AVG": {
+    "category": "malicious",
+    "engine_name": "AVG",
+    "engine_update": "20241031",
+    "engine_version": "23.9.8494.0",
+    "method": "blacklist",
+    "result": "ELF:Agent-DBG [Expl]"
+  },
+  "Acronis": {
+    "category": "undetected",
+    "engine_name": "Acronis",
+    "engine_update": "20240328",
+    "engine_version": "1.2.0.121",
+    "method": "blacklist",
+    "result": null
+  },
+  "AhnLab-V3": {
+    "category": "undetected",
+    "engine_name": "AhnLab-V3",
+    "engine_update": "20241031",
+    "engine_version": "3.26.1.10507",
+    "method": "blacklist",
+    "result": null
+  },
+  "Alibaba": {
+    "category": "type-unsupported",
+    "engine_name": "Alibaba",
+    "engine_update": "20190527",
+    "engine_version": "0.3.0.5",
+    "method": "blacklist",
+    "result": null
+  },
+  "Antiy-AVL": {
+    "category": "malicious",
+    "engine_name": "Antiy-AVL",
+    "engine_update": "20241031",
+    "engine_version": "3.0",
+    "method": "blacklist",
+    "result": "Trojan/Win64.CoinMiner.xmr"
+  },
+  "Arcabit": {
+    "category": "malicious",
+    "engine_name": "Arcabit",
+    "engine_update": "20241031",
+    "engine_version": "2022.0.0.18",
+    "method": "blacklist",
+    "result": "Trojan.Linux.Generic.D4F3A8"
+  },
+  "Avast": {
+    "category": "malicious",
+    "engine_name": "Avast",
+    "engine_update": "20241031",
+    "engine_version": "23.9.8494.0",
+    "method": "blacklist",
+    "result": "ELF:Agent-DBG [Expl]"
+  },
+  "Avast-Mobile": {
+    "category": "undetected",
+    "engine_name": "Avast-Mobile",
+    "engine_update": "20241031",
+    "engine_version": "241031-00",
+    "method": "blacklist",
+    "result": null
+  },
+  "Avira": {
+    "category": "malicious",
+    "engine_name": "Avira",
+    "engine_update": "20241031",
+    "engine_version": "8.3.3.20",
+    "method": "blacklist",
+    "result": "EXP/AVI.CVE.suebo"
+  },
+  "Baidu": {
+    "category": "undetected",
+    "engine_name": "Baidu",
+    "engine_update": "20190318",
+    "engine_version": "1.0.0.2",
+    "method": "blacklist",
+    "result": null
+  },
+  "BitDefender": {
+    "category": "malicious",
+    "engine_name": "BitDefender",
+    "engine_update": "20241031",
+    "engine_version": "7.2",
+    "method": "blacklist",
+    "result": "Trojan.Linux.Generic.324520"
+  },
+  "BitDefenderFalx": {
+    "category": "type-unsupported",
+    "engine_name": "BitDefenderFalx",
+    "engine_update": "20241018",
+    "engine_version": "2.0.936",
+    "method": "blacklist",
+    "result": null
+  },
+  "Bkav": {
+    "category": "undetected",
+    "engine_name": "Bkav",
+    "engine_update": "20241031",
+    "engine_version": "2.0.0.1",
+    "method": "blacklist",
+    "result": null
+  },
+  "CAT-QuickHeal": {
+    "category": "malicious",
+    "engine_name": "CAT-QuickHeal",
+    "engine_update": "20241030",
+    "engine_version": "22.00",
+    "method": "blacklist",
+    "result": "Elf.Perfctl.49115.GC"
+  },
+  "CMC": {
+    "category": "undetected",
+    "engine_name": "CMC",
+    "engine_update": "20241030",
+    "engine_version": "2.4.2022.1",
+    "method": "blacklist",
+    "result": null
+  },
+  "CTX": {
+    "category": "malicious",
+    "engine_name": "CTX",
+    "engine_update": "20241031",
+    "engine_version": "2024.8.29.1",
+    "method": "blacklist",
+    "result": "elf.trojan.perfctl"
+  },
+  "ClamAV": {
+    "category": "malicious",
+    "engine_name": "ClamAV",
+    "engine_update": "20241031",
+    "engine_version": "1.4.1.0",
+    "method": "blacklist",
+    "result": "Unix.Exploit.Generic-10016938-0"
+  },
+  "CrowdStrike": {
+    "category": "undetected",
+    "engine_name": "CrowdStrike",
+    "engine_update": "20230417",
+    "engine_version": "1.0",
+    "method": "blacklist",
+    "result": null
+  },
+  "Cylance": {
+    "category": "type-unsupported",
+    "engine_name": "Cylance",
+    "engine_update": "20241030",
+    "engine_version": "3.0.0.0",
+    "method": "blacklist",
+    "result": null
+  },
+  "Cynet": {
+    "category": "malicious",
+    "engine_name": "Cynet",
+    "engine_update": "20241031",
+    "engine_version": "4.0.1.1",
+    "method": "blacklist",
+    "result": "Malicious (score: 99)"
+  },
+  "DeepInstinct": {
+    "category": "type-unsupported",
+    "engine_name": "DeepInstinct",
+    "engine_update": "20241029",
+    "engine_version": "5.0.0.8",
+    "method": "blacklist",
+    "result": null
+  },
+  "DrWeb": {
+    "category": "malicious",
+    "engine_name": "DrWeb",
+    "engine_update": "20241031",
+    "engine_version": "7.0.65.5230",
+    "method": "blacklist",
+    "result": "Linux.MulDrop.137"
+  },
+  "ESET-NOD32": {
+    "category": "malicious",
+    "engine_name": "ESET-NOD32",
+    "engine_update": "20241031",
+    "engine_version": "30144",
+    "method": "blacklist",
+    "result": "a variant of Linux/Exploit.CVE-2021-4034.S"
+  },
+  "Elastic": {
+    "category": "failure",
+    "engine_name": "Elastic",
+    "engine_update": "20241030",
+    "engine_version": null,
+    "method": "blacklist",
+    "result": null
+  },
+  "Emsisoft": {
+    "category": "malicious",
+    "engine_name": "Emsisoft",
+    "engine_update": "20241031",
+    "engine_version": "2024.1.0.53752",
+    "method": "blacklist",
+    "result": "Trojan.Linux.Generic.324520 (B)"
+  },
+  "F-Secure": {
+    "category": "malicious",
+    "engine_name": "F-Secure",
+    "engine_update": "20241031",
+    "engine_version": "18.10.1547.307",
+    "method": "blacklist",
+    "result": "Exploit.EXP/AVI.CVE.suebo"
+  },
+  "FireEye": {
+    "category": "malicious",
+    "engine_name": "FireEye",
+    "engine_update": "20241031",
+    "engine_version": "35.47.0.0",
+    "method": "blacklist",
+    "result": "Trojan.Linux.Generic.324520"
+  },
+  "Fortinet": {
+    "category": "malicious",
+    "engine_name": "Fortinet",
+    "engine_update": "20241031",
+    "engine_version": "None",
+    "method": "blacklist",
+    "result": "Malicious_Behavior.SB"
+  },
+  "GData": {
+    "category": "malicious",
+    "engine_name": "GData",
+    "engine_update": "20241031",
+    "engine_version": "A:25.39167B:27.38011",
+    "method": "blacklist",
+    "result": "Trojan.Linux.Generic.324520"
+  },
+  "Google": {
+    "category": "malicious",
+    "engine_name": "Google",
+    "engine_update": "20241031",
+    "engine_version": "1730374239",
+    "method": "blacklist",
+    "result": "Detected"
+  },
+  "Gridinsoft": {
+    "category": "undetected",
+    "engine_name": "Gridinsoft",
+    "engine_update": "20241031",
+    "engine_version": "1.0.195.174",
+    "method": "blacklist",
+    "result": null
+  },
+  "Ikarus": {
+    "category": "malicious",
+    "engine_name": "Ikarus",
+    "engine_update": "20241031",
+    "engine_version": "6.3.23.0",
+    "method": "blacklist",
+    "result": "Exploit.CVE-2021-4034"
+  },
+  "Jiangmin": {
+    "category": "malicious",
+    "engine_name": "Jiangmin",
+    "engine_update": "20241030",
+    "engine_version": "16.0.100",
+    "method": "blacklist",
+    "result": "RiskTool.Linux.dxq"
+  },
+  "K7AntiVirus": {
+    "category": "undetected",
+    "engine_name": "K7AntiVirus",
+    "engine_update": "20241031",
+    "engine_version": "12.196.53733",
+    "method": "blacklist",
+    "result": null
+  },
+  "K7GW": {
+    "category": "undetected",
+    "engine_name": "K7GW",
+    "engine_update": "20241031",
+    "engine_version": "12.196.53735",
+    "method": "blacklist",
+    "result": null
+  },
+  "Kaspersky": {
+    "category": "malicious",
+    "engine_name": "Kaspersky",
+    "engine_update": "20241031",
+    "engine_version": "22.0.1.28",
+    "method": "blacklist",
+    "result": "not-a-virus:HEUR:RiskTool.Linux.BitCoinMiner.gen"
+  },
+  "Kingsoft": {
+    "category": "malicious",
+    "engine_name": "Kingsoft",
+    "engine_update": "20241023",
+    "engine_version": "None",
+    "method": "blacklist",
+    "result": "Linux.Troj.Undef.a"
+  },
+  "Lionic": {
+    "category": "timeout",
+    "engine_name": "Lionic",
+    "engine_update": "20241031",
+    "engine_version": "8.16",
+    "method": "blacklist",
+    "result": null
+  },
+  "Malwarebytes": {
+    "category": "undetected",
+    "engine_name": "Malwarebytes",
+    "engine_update": "20241031",
+    "engine_version": "4.5.5.54",
+    "method": "blacklist",
+    "result": null
+  },
+  "MaxSecure": {
+    "category": "undetected",
+    "engine_name": "MaxSecure",
+    "engine_update": "20241029",
+    "engine_version": "1.0.0.1",
+    "method": "blacklist",
+    "result": null
+  },
+  "McAfee": {
+    "category": "undetected",
+    "engine_name": "McAfee",
+    "engine_update": "20241031",
+    "engine_version": "6.0.6.653",
+    "method": "blacklist",
+    "result": null
+  },
+  "McAfeeD": {
+    "category": "type-unsupported",
+    "engine_name": "McAfeeD",
+    "engine_update": "20241031",
+    "engine_version": "1.2.0.7977",
+    "method": "blacklist",
+    "result": null
+  },
+  "MicroWorld-eScan": {
+    "category": "malicious",
+    "engine_name": "MicroWorld-eScan",
+    "engine_update": "20241031",
+    "engine_version": "14.0.409.0",
+    "method": "blacklist",
+    "result": "Trojan.Linux.Generic.324520"
+  },
+  "Microsoft": {
+    "category": "malicious",
+    "engine_name": "Microsoft",
+    "engine_update": "20241031",
+    "engine_version": "1.1.24090.11",
+    "method": "blacklist",
+    "result": "Trojan:Linux/Perfctl!MTB"
+  },
+  "NANO-Antivirus": {
+    "category": "malicious",
+    "engine_name": "NANO-Antivirus",
+    "engine_update": "20241031",
+    "engine_version": "1.0.146.25796",
+    "method": "blacklist",
+    "result": "Riskware.Elf64.AVI.kpwgpj"
+  },
+  "Paloalto": {
+    "category": "type-unsupported",
+    "engine_name": "Paloalto",
+    "engine_update": "20241031",
+    "engine_version": "0.9.0.1003",
+    "method": "blacklist",
+    "result": null
+  },
+  "Panda": {
+    "category": "malicious",
+    "engine_name": "Panda",
+    "engine_update": "20241030",
+    "engine_version": "4.6.4.2",
+    "method": "blacklist",
+    "result": "ELF/TrojanGen.A"
+  },
+  "Rising": {
+    "category": "malicious",
+    "engine_name": "Rising",
+    "engine_update": "20241031",
+    "engine_version": "25.0.0.28",
+    "method": "blacklist",
+    "result": "Exploit.CVE-2021-4034!8.131F2 (CLOUD)"
+  },
+  "SUPERAntiSpyware": {
+    "category": "undetected",
+    "engine_name": "SUPERAntiSpyware",
+    "engine_update": "20241030",
+    "engine_version": "5.6.0.1032",
+    "method": "blacklist",
+    "result": null
+  },
+  "SentinelOne": {
+    "category": "undetected",
+    "engine_name": "SentinelOne",
+    "engine_update": "20240417",
+    "engine_version": "24.2.1.1",
+    "method": "blacklist",
+    "result": null
+  },
+  "Skyhigh": {
+    "category": "malicious",
+    "engine_name": "Skyhigh",
+    "engine_update": "20241030",
+    "engine_version": "v2021.2.0+4045",
+    "method": "blacklist",
+    "result": "Generic trojan.abb"
+  },
+  "Sophos": {
+    "category": "malicious",
+    "engine_name": "Sophos",
+    "engine_update": "20241031",
+    "engine_version": "2.5.5.0",
+    "method": "blacklist",
+    "result": "Mal/Generic-S"
+  },
+  "Symantec": {
+    "category": "malicious",
+    "engine_name": "Symantec",
+    "engine_update": "20241031",
+    "engine_version": "1.22.0.0",
+    "method": "blacklist",
+    "result": "PUA.Gen.2"
+  },
+  "SymantecMobileInsight": {
+    "category": "type-unsupported",
+    "engine_name": "SymantecMobileInsight",
+    "engine_update": "20241017",
+    "engine_version": "2.0",
+    "method": "blacklist",
+    "result": null
+  },
+  "TACHYON": {
+    "category": "undetected",
+    "engine_name": "TACHYON",
+    "engine_update": "20241031",
+    "engine_version": "2024-10-31.02",
+    "method": "blacklist",
+    "result": null
+  },
+  "Tencent": {
+    "category": "malicious",
+    "engine_name": "Tencent",
+    "engine_update": "20241031",
+    "engine_version": "1.0.0.1",
+    "method": "blacklist",
+    "result": "Linux.Risktool.Bitcoinminer.Etgl"
+  },
+  "Trapmine": {
+    "category": "type-unsupported",
+    "engine_name": "Trapmine",
+    "engine_update": "20241004",
+    "engine_version": "4.0.16.240",
+    "method": "blacklist",
+    "result": null
+  },
+  "TrendMicro": {
+    "category": "malicious",
+    "engine_name": "TrendMicro",
+    "engine_update": "20241031",
+    "engine_version": "11.0.0.1006",
+    "method": "blacklist",
+    "result": "Trojan.Linux.PERFCTL.A"
+  },
+  "TrendMicro-HouseCall": {
+    "category": "malicious",
+    "engine_name": "TrendMicro-HouseCall",
+    "engine_update": "20241031",
+    "engine_version": "10.0.0.1040",
+    "method": "blacklist",
+    "result": "Trojan.Linux.PERFCTL.A"
+  },
+  "Trustlook": {
+    "category": "type-unsupported",
+    "engine_name": "Trustlook",
+    "engine_update": "20241031",
+    "engine_version": "1.0",
+    "method": "blacklist",
+    "result": null
+  },
+  "VBA32": {
+    "category": "undetected",
+    "engine_name": "VBA32",
+    "engine_update": "20241031",
+    "engine_version": "5.0.0",
+    "method": "blacklist",
+    "result": null
+  },
+  "VIPRE": {
+    "category": "malicious",
+    "engine_name": "VIPRE",
+    "engine_update": "20241031",
+    "engine_version": "6.0.0.35",
+    "method": "blacklist",
+    "result": "Trojan.Linux.Generic.324520"
+  },
+  "Varist": {
+    "category": "malicious",
+    "engine_name": "Varist",
+    "engine_update": "20241031",
+    "engine_version": "6.6.1.3",
+    "method": "blacklist",
+    "result": "E64/ABRisk.TMMV-18"
+  },
+  "ViRobot": {
+    "category": "undetected",
+    "engine_name": "ViRobot",
+    "engine_update": "20241031",
+    "engine_version": "2014.3.20.0",
+    "method": "blacklist",
+    "result": null
+  },
+  "VirIT": {
+    "category": "undetected",
+    "engine_name": "VirIT",
+    "engine_update": "20241031",
+    "engine_version": "9.5.821",
+    "method": "blacklist",
+    "result": null
+  },
+  "Webroot": {
+    "category": "type-unsupported",
+    "engine_name": "Webroot",
+    "engine_update": "20240910",
+    "engine_version": "1.9.0.8",
+    "method": "blacklist",
+    "result": null
+  },
+  "Xcitium": {
+    "category": "undetected",
+    "engine_name": "Xcitium",
+    "engine_update": "20241031",
+    "engine_version": "37176",
+    "method": "blacklist",
+    "result": null
+  },
+  "Yandex": {
+    "category": "undetected",
+    "engine_name": "Yandex",
+    "engine_update": "20241031",
+    "engine_version": "5.5.2.24",
+    "method": "blacklist",
+    "result": null
+  },
+  "Zillya": {
+    "category": "undetected",
+    "engine_name": "Zillya",
+    "engine_update": "20241030",
+    "engine_version": "2.0.0.5227",
+    "method": "blacklist",
+    "result": null
+  },
+  "ZoneAlarm": {
+    "category": "malicious",
+    "engine_name": "ZoneAlarm",
+    "engine_update": "20241008",
+    "engine_version": "1.0",
+    "method": "blacklist",
+    "result": "not-a-virus:HEUR:RiskTool.Linux.BitCoinMiner.gen"
+  },
+  "Zoner": {
+    "category": "undetected",
+    "engine_name": "Zoner",
+    "engine_update": "20241031",
+    "engine_version": "2.2.2.0",
+    "method": "blacklist",
+    "result": null
+  },
+  "alibabacloud": {
+    "category": "malicious",
+    "engine_name": "alibabacloud",
+    "engine_update": "20241030",
+    "engine_version": "2.2.0",
+    "method": "blacklist",
+    "result": "Exp:Linux/CVE.2021.4034"
+  },
+  "huorong": {
+    "category": "malicious",
+    "engine_name": "huorong",
+    "engine_update": "20241030",
+    "engine_version": "f357a89:f357a89:dcec8e0:dcec8e0",
+    "method": "blacklist",
+    "result": "Exploit/Linux.CVE-2021-4034.b"
+  },
+  "tehtris": {
+    "category": "undetected",
+    "engine_name": "tehtris",
+    "engine_update": "20241031",
+    "engine_version": null,
+    "method": "blacklist",
+    "result": null
+  }
+}