diff --git a/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd b/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd
similarity index 100%
rename from linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd
rename to linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd
diff --git a/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/analysis.yaml b/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/analysis.yaml
new file mode 100644
index 0000000..49beda6
--- /dev/null
+++ b/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/analysis.yaml
@@ -0,0 +1,14 @@
+analysis:
+ duration_sec: 60
+ timestamp: '2024-06-19T14:34:43.803337+00:00'
+kunai:
+ args:
+ - --include=all
+ - --send-data-min-len=0
+ version: kunai 0.2.3
+sample:
+ args: []
+system:
+ kernel: 5.10.0-30-cloud-amd64
+ uname: 'Linux kunai-sandbox 5.10.0-30-cloud-amd64 #1 SMP Debian 5.10.218-1 (2024-06-01)
+ x86_64 GNU/Linux'
diff --git a/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/dump.pcap b/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/dump.pcap
new file mode 100644
index 0000000..bbd0a47
Binary files /dev/null and b/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/dump.pcap differ
diff --git a/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/kunai.jsonl.gz b/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/kunai.jsonl.gz
new file mode 100644
index 0000000..b1e3bdc
Binary files /dev/null and b/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/kunai.jsonl.gz differ
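Review bot: The guest clock visible in the capture does not agree with this run's `timestamp: '2024-06-19T14:34:43.803337+00:00'`: the kunai.stderr hunk that follows is stamped `2024-06-17T10:05:51Z`, two days earlier, and the kunai.stderr hunks of every other sample on this page carry that same 10:05:51Z stamp even though their analysis.yaml timestamps range from 14:27 to 14:37 on 06-19, which suggests the sandbox is restored from a snapshot whose clock is never resynchronised. Anyone correlating kunai.jsonl.gz event times with dump.pcap or with the host-side timestamp will be off by that skew, and the skew is not recorded anywhere in this file. Consider syncing the guest clock before launching the sample, or recording the guest time at capture start next to the host timestamp, e.g. a `guest_clock:` entry under `system:` (field name illustrative). The same applies to the analysis.yaml hunks of the other samples in this commit.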
diff --git a/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/kunai.stderr b/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/kunai.stderr
new file mode 100644
index 0000000..d61efcd
--- /dev/null
+++ b/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/kunai.stderr
@@ -0,0 +1,2 @@
+[2024-06-17T10:05:51Z WARN kunai] syscalls_sys_exit_execve probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0
+[2024-06-17T10:05:52Z WARN kunai] syscalls_sys_exit_execveat probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0
diff --git a/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/sample.stderr b/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/sample.stderr
new file mode 100644
index 0000000..e69de29
diff --git a/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/sample.stdout b/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/sample.stdout
new file mode 100644
index 0000000..71d455e
Binary files /dev/null and b/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/sample.stdout differ
diff --git a/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/sample.svg b/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/sample.svg
new file mode 100644
index 0000000..dbc0b5b
--- /dev/null
+++ b/linux/15e67237cfda7a9b6cd6d27af76b315c79ad65daeec127f84128904b8c7757dd/analysis/sample.svg
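Review bot: The two probes reported here as incompatible, `syscalls_sys_exit_execve` and `syscalls_sys_exit_execveat` (`max=5.9.0 current=5.10.0`), were not attached for this run, and the identical pair of warnings appears in the kunai.stderr hunk of every other sample on this page, so whatever those exit probes contribute to execve/execveat events is absent from all of the kunai.jsonl.gz captures in this commit. Nothing in analysis.yaml flags the degraded probe set; a consumer who reads only `version: kunai 0.2.3` and `kernel: 5.10.0-30-cloud-amd64` has no way to tell that the sandbox kernel is newer than what the probe supports. Either pin a sandbox kernel the full probe set attaches on, or record the attach failures in analysis.yaml so the gap is machine-readable rather than buried in a log file.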
@@ -0,0 +1,195 @@ + + + + + + +%3 + + + +guuid=32bea02a-0b00-0000-482e-ff2759040000 pid=1113 + +/usr/bin/sudo + + + +guuid=dfa9562b-0b00-0000-482e-ff275a040000 pid=1114 + +/tmp/sample.bin + +net + + + +guuid=32bea02a-0b00-0000-482e-ff2759040000 pid=1113->guuid=dfa9562b-0b00-0000-482e-ff275a040000 pid=1114 + + +execve + + + +8.8.8.8 + +8.8.8.8 + + + +guuid=dfa9562b-0b00-0000-482e-ff275a040000 pid=1114->8.8.8.8 + + +con + + + +guuid=43756c2b-0b00-0000-482e-ff275b040000 pid=1115 + +/tmp/sample.bin + + + +guuid=dfa9562b-0b00-0000-482e-ff275a040000 pid=1114->guuid=43756c2b-0b00-0000-482e-ff275b040000 pid=1115 + + +clone + + + +guuid=365a6d2b-0b00-0000-482e-ff275c040000 pid=1116 + +/tmp/sample.bin + + + +guuid=dfa9562b-0b00-0000-482e-ff275a040000 pid=1114->guuid=365a6d2b-0b00-0000-482e-ff275c040000 pid=1116 + + +clone + + + +guuid=c6da6e2b-0b00-0000-482e-ff275d040000 pid=1117 + +/tmp/sample.bin + +net + +zombie + + + +guuid=dfa9562b-0b00-0000-482e-ff275a040000 pid=1114->guuid=c6da6e2b-0b00-0000-482e-ff275d040000 pid=1117 + + +clone + + + +66.23.233.179 + +66.23.233.179 + + + +guuid=c6da6e2b-0b00-0000-482e-ff275d040000 pid=1117->66.23.233.179 + + +con + + + +guuid=ef4bc12b-0b00-0000-482e-ff275e040000 pid=1118 + +/tmp/sample.bin + + + +guuid=c6da6e2b-0b00-0000-482e-ff275d040000 pid=1117->guuid=ef4bc12b-0b00-0000-482e-ff275e040000 pid=1118 + + +clone + + + +guuid=6cc4cd2b-0b00-0000-482e-ff275f040000 pid=1119 + +/tmp/sample.bin + + + +guuid=c6da6e2b-0b00-0000-482e-ff275d040000 pid=1117->guuid=6cc4cd2b-0b00-0000-482e-ff275f040000 pid=1119 + + +clone + + + +guuid=0ea3ce2b-0b00-0000-482e-ff2760040000 pid=1120 + +/tmp/sample.bin + +net + +net-scan + +send-data + + + +guuid=c6da6e2b-0b00-0000-482e-ff275d040000 pid=1117->guuid=0ea3ce2b-0b00-0000-482e-ff2760040000 pid=1120 + + +clone + + + +guuid=0ea3ce2b-0b00-0000-482e-ff2760040000 pid=1120->8.8.8.8 + + +con + + + +66.242.136.229 + +66.242.136.229 + + + +guuid=0ea3ce2b-0b00-0000-482e-ff2760040000 pid=1120->66.242.136.229 + + 
+send: 40B + + + +197.158.12.78 + +197.158.12.78 + + + +guuid=0ea3ce2b-0b00-0000-482e-ff2760040000 pid=1120->197.158.12.78 + + +send: 40B + + + +guuid=0ea3ce2b-0b00-0000-482e-ff2760040000 pid=1120|send-data + +send-data to 9280 IP addresses +review logs to see them all + + + +guuid=0ea3ce2b-0b00-0000-482e-ff2760040000 pid=1120->guuid=0ea3ce2b-0b00-0000-482e-ff2760040000 pid=1120|send-data + + +send + + + diff --git a/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c b/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c new file mode 100644 index 0000000..6ccbb56 Binary files /dev/null and b/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c differ diff --git a/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/analysis.yaml b/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/analysis.yaml new file mode 100644 index 0000000..23427df --- /dev/null +++ b/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/analysis.yaml @@ -0,0 +1,14 @@ +analysis: + duration_sec: 60 + timestamp: '2024-06-19T14:35:54.333976+00:00' +kunai: + args: + - --include=all + - --send-data-min-len=0 + version: kunai 0.2.3 +sample: + args: [] +system: + kernel: 5.10.0-30-cloud-amd64 + uname: 'Linux kunai-sandbox 5.10.0-30-cloud-amd64 #1 SMP Debian 5.10.218-1 (2024-06-01) + x86_64 GNU/Linux' diff --git a/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/dump.pcap b/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/dump.pcap new file mode 100644 index 0000000..651ac15 Binary files /dev/null and b/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/dump.pcap differ 
diff --git a/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/kunai.jsonl.gz b/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/kunai.jsonl.gz
new file mode 100644
index 0000000..dd8f874
Binary files /dev/null and b/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/kunai.jsonl.gz differ
diff --git a/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/kunai.stderr b/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/kunai.stderr
new file mode 100644
index 0000000..92d6925
--- /dev/null
+++ b/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/kunai.stderr
@@ -0,0 +1,2 @@
+[2024-06-17T10:05:51Z WARN kunai] syscalls_sys_exit_execve probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0
+[2024-06-17T10:05:51Z WARN kunai] syscalls_sys_exit_execveat probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0
diff --git a/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/sample.stderr b/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/sample.stderr
new file mode 100644
index 0000000..e69de29
diff --git a/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/sample.stdout b/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/sample.stdout
new file mode 100644
index 0000000..e69de29
diff --git a/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/sample.svg b/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/sample.svg
new file mode 100644
index 0000000..583424e
--- /dev/null
+++ b/linux/17d8569d683f39d71f051cc0d2d33a662e549635cd74460c72ba1e49224bc35c/analysis/sample.svg
@@ -0,0 +1,531 @@ + + + + + + +%3 + + + +guuid=1b8c051f-0b00-0000-2b3c-d78659040000 pid=1113 + +/usr/bin/sudo + + + +guuid=c84cc31f-0b00-0000-2b3c-d7865a040000 pid=1114 + +/tmp/sample.bin + + + +guuid=1b8c051f-0b00-0000-2b3c-d78659040000 pid=1113->guuid=c84cc31f-0b00-0000-2b3c-d7865a040000 pid=1114 + + +execve + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115 + +/tmp/sample.bin + +write-config + +write-file + +zombie + + + +guuid=c84cc31f-0b00-0000-2b3c-d7865a040000 pid=1114->guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115 + + +clone + + + +guuid=87e09cd9-0b00-0000-2b3c-d7865d040000 pid=1117 + +/usr/bin/dash + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=87e09cd9-0b00-0000-2b3c-d7865d040000 pid=1117 + + +execve + + + +guuid=d438d0d9-0b00-0000-2b3c-d7865f040000 pid=1119 + +/usr/bin/dash + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=d438d0d9-0b00-0000-2b3c-d7865f040000 pid=1119 + + +execve + + + +guuid=4b9423da-0b00-0000-2b3c-d78661040000 pid=1121 + +/usr/bin/dash + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=4b9423da-0b00-0000-2b3c-d78661040000 pid=1121 + + +execve + + + +guuid=1e3463da-0b00-0000-2b3c-d78663040000 pid=1123 + +/usr/bin/dash + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=1e3463da-0b00-0000-2b3c-d78663040000 pid=1123 + + +execve + + + +guuid=296496da-0b00-0000-2b3c-d78665040000 pid=1125 + +/usr/bin/dash + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=296496da-0b00-0000-2b3c-d78665040000 pid=1125 + + +execve + + + +guuid=70b90e52-0c00-0000-2b3c-d78667040000 pid=1127 + +/usr/bin/dash + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=70b90e52-0c00-0000-2b3c-d78667040000 pid=1127 + + +execve + + + +guuid=01208c52-0c00-0000-2b3c-d78669040000 pid=1129 + +/usr/bin/dash + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=01208c52-0c00-0000-2b3c-d78669040000 pid=1129 + + +execve + + + 
+guuid=4838b08e-0c00-0000-2b3c-d7866b040000 pid=1131 + +/tmp/sample.bin + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=4838b08e-0c00-0000-2b3c-d7866b040000 pid=1131 + + +clone + + + +guuid=52f85d8f-0c00-0000-2b3c-d7866e040000 pid=1134 + +/usr/bin/dash + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=52f85d8f-0c00-0000-2b3c-d7866e040000 pid=1134 + + +execve + + + +guuid=eb8f0390-0c00-0000-2b3c-d78670040000 pid=1136 + +/usr/bin/dash + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=eb8f0390-0c00-0000-2b3c-d78670040000 pid=1136 + + +execve + + + +guuid=31bb38cc-0c00-0000-2b3c-d78672040000 pid=1138 + +/tmp/sample.bin + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=31bb38cc-0c00-0000-2b3c-d78672040000 pid=1138 + + +clone + + + +guuid=c9df14cd-0c00-0000-2b3c-d78676040000 pid=1142 + +/usr/bin/dash + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=c9df14cd-0c00-0000-2b3c-d78676040000 pid=1142 + + +execve + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1144 + +/tmp/sample.bin + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1144 + + +clone + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1145 + +/tmp/sample.bin + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1145 + + +clone + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1146 + +/tmp/sample.bin + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1146 + + +clone + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1147 + +/tmp/sample.bin + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1147 + + +clone + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1148 + +/tmp/sample.bin + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1148 + + 
+clone + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1149 + +/tmp/sample.bin + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1149 + + +clone + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1150 + +/tmp/sample.bin + +send-data + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1115->guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1150 + + +clone + + + +guuid=6dddb3d9-0b00-0000-2b3c-d7865e040000 pid=1118 + +/usr/bin/ln + + + +guuid=87e09cd9-0b00-0000-2b3c-d7865d040000 pid=1117->guuid=6dddb3d9-0b00-0000-2b3c-d7865e040000 pid=1118 + + +execve + + + +guuid=17c205da-0b00-0000-2b3c-d78660040000 pid=1120 + +/usr/bin/ln + + + +guuid=d438d0d9-0b00-0000-2b3c-d7865f040000 pid=1119->guuid=17c205da-0b00-0000-2b3c-d78660040000 pid=1120 + + +execve + + + +guuid=1c573bda-0b00-0000-2b3c-d78662040000 pid=1122 + +/usr/bin/ln + + + +guuid=4b9423da-0b00-0000-2b3c-d78661040000 pid=1121->guuid=1c573bda-0b00-0000-2b3c-d78662040000 pid=1122 + + +execve + + + +guuid=29a876da-0b00-0000-2b3c-d78664040000 pid=1124 + +/usr/bin/ln + + + +guuid=1e3463da-0b00-0000-2b3c-d78663040000 pid=1123->guuid=29a876da-0b00-0000-2b3c-d78664040000 pid=1124 + + +execve + + + +guuid=66aeacda-0b00-0000-2b3c-d78666040000 pid=1126 + +/usr/bin/ln + + + +guuid=296496da-0b00-0000-2b3c-d78665040000 pid=1125->guuid=66aeacda-0b00-0000-2b3c-d78666040000 pid=1126 + + +execve + + + +guuid=44c93052-0c00-0000-2b3c-d78668040000 pid=1128 + +/usr/bin/mkdir + + + +guuid=70b90e52-0c00-0000-2b3c-d78667040000 pid=1127->guuid=44c93052-0c00-0000-2b3c-d78668040000 pid=1128 + + +execve + + + +guuid=9842b152-0c00-0000-2b3c-d7866a040000 pid=1130 + +/usr/bin/cp + +write-file + + + +guuid=01208c52-0c00-0000-2b3c-d78669040000 pid=1129->guuid=9842b152-0c00-0000-2b3c-d7866a040000 pid=1130 + + +execve + + + +guuid=e280bd8e-0c00-0000-2b3c-d7866c040000 pid=1132 + +/usr/bin/dash + + + +guuid=4838b08e-0c00-0000-2b3c-d7866b040000 
pid=1131->guuid=e280bd8e-0c00-0000-2b3c-d7866c040000 pid=1132 + + +execve + + + +guuid=1be4308f-0c00-0000-2b3c-d7866d040000 pid=1133 + +/usr/bin/dash + + + +guuid=e280bd8e-0c00-0000-2b3c-d7866c040000 pid=1132->guuid=1be4308f-0c00-0000-2b3c-d7866d040000 pid=1133 + + +clone + + + +guuid=ce4f9f8f-0c00-0000-2b3c-d7866f040000 pid=1135 + +/usr/bin/mkdir + + + +guuid=52f85d8f-0c00-0000-2b3c-d7866e040000 pid=1134->guuid=ce4f9f8f-0c00-0000-2b3c-d7866f040000 pid=1135 + + +execve + + + +guuid=2bdb2c90-0c00-0000-2b3c-d78671040000 pid=1137 + +/usr/bin/cp + +write-file + + + +guuid=eb8f0390-0c00-0000-2b3c-d78670040000 pid=1136->guuid=2bdb2c90-0c00-0000-2b3c-d78671040000 pid=1137 + + +execve + + + +guuid=71ab3bcc-0c00-0000-2b3c-d78673040000 pid=1139 + +/usr/bin/dash + + + +guuid=31bb38cc-0c00-0000-2b3c-d78672040000 pid=1138->guuid=71ab3bcc-0c00-0000-2b3c-d78673040000 pid=1139 + + +execve + + + +guuid=e97f4fcc-0c00-0000-2b3c-d78674040000 pid=1140 + +/usr/bin/oracle + + + +guuid=71ab3bcc-0c00-0000-2b3c-d78673040000 pid=1139->guuid=e97f4fcc-0c00-0000-2b3c-d78674040000 pid=1140 + + +execve + + + +guuid=00ebffcc-0c00-0000-2b3c-d78675040000 pid=1141 + +/usr/bin/oracle + +delete-file + +write-file + +zombie + + + +guuid=e97f4fcc-0c00-0000-2b3c-d78674040000 pid=1140->guuid=00ebffcc-0c00-0000-2b3c-d78675040000 pid=1141 + + +clone + + + +guuid=00ebffcc-0c00-0000-2b3c-d78675040000 pid=1151 + +/usr/bin/oracle + + + +guuid=00ebffcc-0c00-0000-2b3c-d78675040000 pid=1141->guuid=00ebffcc-0c00-0000-2b3c-d78675040000 pid=1151 + + +clone + + + +guuid=185226cd-0c00-0000-2b3c-d78677040000 pid=1143 + +/usr/bin/kmod + + + +guuid=c9df14cd-0c00-0000-2b3c-d78676040000 pid=1142->guuid=185226cd-0c00-0000-2b3c-d78677040000 pid=1143 + + +execve + + + +10.0.2.3 + +10.0.2.3 + + + +guuid=0a03d020-0b00-0000-2b3c-d7865b040000 pid=1150->10.0.2.3 + + +send: 1734B + + + 
diff --git a/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe b/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe
new file mode 100644
index 0000000..4ee09bf
Binary files /dev/null and b/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe differ
diff --git a/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/analysis.yaml b/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/analysis.yaml
new file mode 100644
index 0000000..fba92e9
--- /dev/null
+++ b/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/analysis.yaml
@@ -0,0 +1,14 @@
+analysis:
+ duration_sec: 60
+ timestamp: '2024-06-19T14:37:03.126703+00:00'
+kunai:
+ args:
+ - --include=all
+ - --send-data-min-len=0
+ version: kunai 0.2.3
+sample:
+ args: []
+system:
+ kernel: 5.10.0-30-cloud-amd64
+ uname: 'Linux kunai-sandbox 5.10.0-30-cloud-amd64 #1 SMP Debian 5.10.218-1 (2024-06-01)
+ x86_64 GNU/Linux'
diff --git a/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/dump.pcap b/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/dump.pcap
new file mode 100644
index 0000000..168b903
Binary files /dev/null and b/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/dump.pcap differ
diff --git a/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/kunai.jsonl.gz b/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/kunai.jsonl.gz
new file mode 100644
index 0000000..341f32d
Binary files /dev/null and b/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/kunai.jsonl.gz differ
diff --git a/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/kunai.stderr b/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/kunai.stderr
new file mode 100644
index 0000000..1ecd289
--- /dev/null
+++ b/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/kunai.stderr
@@ -0,0 +1,24 @@
+[2024-06-17T10:05:51Z WARN kunai] syscalls_sys_exit_execve probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0
+[2024-06-17T10:05:51Z WARN kunai] syscalls_sys_exit_execveat probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0
+[2024-06-17T10:05:56Z ERROR kunai] some events have been lost in the way from kernel read=707 lost=421: consider filtering out some events or increase the number of buffered events in configuration
+[2024-06-17T10:05:56Z ERROR kunai] stats execve: 11
+[2024-06-17T10:05:56Z ERROR kunai] stats execve_script: 0
+[2024-06-17T10:05:56Z ERROR kunai] stats task_sched: 27
+[2024-06-17T10:05:56Z ERROR kunai] stats exit: 0
+[2024-06-17T10:05:56Z ERROR kunai] stats exit_group: 7
+[2024-06-17T10:05:56Z ERROR kunai] stats clone: 15
+[2024-06-17T10:05:56Z ERROR kunai] stats prctl: 5
+[2024-06-17T10:05:56Z ERROR kunai] stats init_module: 0
+[2024-06-17T10:05:56Z ERROR kunai] stats bpf_prog_load: 0
+[2024-06-17T10:05:56Z ERROR kunai] stats bpf_socket_filter: 0
+[2024-06-17T10:05:56Z ERROR kunai] stats mprotect_exec: 0
+[2024-06-17T10:05:56Z ERROR kunai] stats mmap_exec: 81
+[2024-06-17T10:05:56Z ERROR kunai] stats connect: 8
+[2024-06-17T10:05:56Z ERROR kunai] stats dns_query: 1
+[2024-06-17T10:05:56Z ERROR kunai] stats send_data: 5714
+[2024-06-17T10:05:56Z ERROR kunai] stats read: 121
+[2024-06-17T10:05:56Z ERROR kunai] stats read_config: 52
+[2024-06-17T10:05:56Z ERROR kunai] stats write: 21
+[2024-06-17T10:05:56Z ERROR kunai] stats write_config: 0
+[2024-06-17T10:05:56Z ERROR kunai] stats file_rename: 6
+[2024-06-17T10:05:56Z ERROR kunai] stats file_unlink: 0
diff --git a/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/sample.stderr b/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/sample.stderr
new file mode 100644
index 0000000..e69de29
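Review bot: This capture is lossy and nothing else in the commit says so: the third line records `some events have been lost in the way from kernel read=707 lost=421`, and the stats that follow show `send_data: 5714` dominating the event mix, which is consistent with the buffer overflowing once `--send-data-min-len=0` made every send an event. The kunai.jsonl.gz and sample.svg for this sample therefore under-count what the process did, so the graph's "send-data to 307377 IP addresses" figure should be read as a floor rather than a total, and any detection logic derived from this run will be trained on a partial trace. The message itself suggests the remedy, raising the buffered-event count for send-data-heavy samples or filtering, and a re-run with that setting would give a complete capture. Independently of that, consider recording the lost-event count in analysis.yaml so incompleteness is visible without parsing kunai.stderr; none of the other kunai.stderr hunks on this page report a loss.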
diff --git a/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/sample.stdout b/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/sample.stdout
new file mode 100644
index 0000000..d90d1dc
Binary files /dev/null and b/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/sample.stdout differ
diff --git a/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/sample.svg b/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/sample.svg
new file mode 100644
index 0000000..839c9be
--- /dev/null
+++ b/linux/233e29773d33eec0dcb43eb133d4595735e98d83cbf59d2533f1a88e286dcabe/analysis/sample.svg
@@ -0,0 +1,193 @@ + + + + + + +%3 + + + +guuid=de5aab22-0b00-0000-2742-7dc259040000 pid=1113 + +/usr/bin/sudo + + + +guuid=ce196323-0b00-0000-2742-7dc25a040000 pid=1114 + +/tmp/sample.bin + +net + + + +guuid=de5aab22-0b00-0000-2742-7dc259040000 pid=1113->guuid=ce196323-0b00-0000-2742-7dc25a040000 pid=1114 + + +execve + + + +8.8.8.8 + +8.8.8.8 + + + +guuid=ce196323-0b00-0000-2742-7dc25a040000 pid=1114->8.8.8.8 + + +con + + + +guuid=52b87523-0b00-0000-2742-7dc25b040000 pid=1115 + +/tmp/sample.bin + + + +guuid=ce196323-0b00-0000-2742-7dc25a040000 pid=1114->guuid=52b87523-0b00-0000-2742-7dc25b040000 pid=1115 + + +clone + + + +guuid=1a137723-0b00-0000-2742-7dc25c040000 pid=1116 + +/tmp/sample.bin + + + +guuid=ce196323-0b00-0000-2742-7dc25a040000 pid=1114->guuid=1a137723-0b00-0000-2742-7dc25c040000 pid=1116 + + +clone + + + +guuid=66368023-0b00-0000-2742-7dc25d040000 pid=1117 + +/tmp/sample.bin + +dns + +net + +send-data + +zombie + + + +guuid=ce196323-0b00-0000-2742-7dc25a040000 pid=1114->guuid=66368023-0b00-0000-2742-7dc25d040000 pid=1117 + + +clone + + + +guuid=66368023-0b00-0000-2742-7dc25d040000 pid=1117->8.8.8.8 + + +send: 264B + + + +pty.su + +pty.su + + + +guuid=66368023-0b00-0000-2742-7dc25d040000 pid=1117->pty.su + + +con + + + +guuid=e72c8d23-0b00-0000-2742-7dc25e040000 pid=1118 + +/tmp/sample.bin + +net + +net-scan + +send-data + + + +guuid=66368023-0b00-0000-2742-7dc25d040000 pid=1117->guuid=e72c8d23-0b00-0000-2742-7dc25e040000 pid=1118 + + +clone + + + +guuid=e72c8d23-0b00-0000-2742-7dc25e040000 pid=1118->8.8.8.8 + + +con + + + +197.15.8.245 + +197.15.8.245 + + + +guuid=e72c8d23-0b00-0000-2742-7dc25e040000 pid=1118->197.15.8.245 + + +send: 40B + + + +94.121.73.170 + +94.121.73.170 + + + +guuid=e72c8d23-0b00-0000-2742-7dc25e040000 pid=1118->94.121.73.170 + + +send: 40B + + + +guuid=e72c8d23-0b00-0000-2742-7dc25e040000 pid=1118|send-data + +send-data to 307377 IP addresses +review logs to see them all + + + +guuid=e72c8d23-0b00-0000-2742-7dc25e040000 
pid=1118->guuid=e72c8d23-0b00-0000-2742-7dc25e040000 pid=1118|send-data + + +send + + + +guuid=78439723-0b00-0000-2742-7dc25f040000 pid=1119 + +/tmp/sample.bin + + + +guuid=e72c8d23-0b00-0000-2742-7dc25e040000 pid=1118->guuid=78439723-0b00-0000-2742-7dc25f040000 pid=1119 + + +clone + + + diff --git a/linux/43e4589a894146664907f21c8817d16b02d353d0d9af02bd8db67c21891b8c08 b/linux/43e4589a894146664907f21c8817d16b02d353d0d9af02bd8db67c21891b8c08/43e4589a894146664907f21c8817d16b02d353d0d9af02bd8db67c21891b8c08 similarity index 100% rename from linux/43e4589a894146664907f21c8817d16b02d353d0d9af02bd8db67c21891b8c08 rename to linux/43e4589a894146664907f21c8817d16b02d353d0d9af02bd8db67c21891b8c08/43e4589a894146664907f21c8817d16b02d353d0d9af02bd8db67c21891b8c08 diff --git a/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775 b/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775 similarity index 100% rename from linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775 rename to linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775 diff --git a/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/analysis.yaml b/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/analysis.yaml new file mode 100644 index 0000000..8298e43 --- /dev/null +++ b/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/analysis.yaml @@ -0,0 +1,14 @@ +analysis: + duration_sec: 60 + timestamp: '2024-06-19T14:27:43.043251+00:00' +kunai: + args: + - --include=all + - --send-data-min-len=0 + version: kunai 0.2.3 +sample: + args: [] +system: + kernel: 5.10.0-30-cloud-amd64 + uname: 'Linux kunai-sandbox 5.10.0-30-cloud-amd64 #1 SMP Debian 5.10.218-1 (2024-06-01) + x86_64 GNU/Linux' 
diff --git a/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/dump.pcap b/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/dump.pcap
new file mode 100644
index 0000000..f8f6fd7
Binary files /dev/null and b/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/dump.pcap differ
diff --git a/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/kunai.jsonl.gz b/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/kunai.jsonl.gz
new file mode 100644
index 0000000..841071f
Binary files /dev/null and b/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/kunai.jsonl.gz differ
diff --git a/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/kunai.stderr b/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/kunai.stderr
new file mode 100644
index 0000000..92d6925
--- /dev/null
+++ b/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/kunai.stderr
@@ -0,0 +1,2 @@
+[2024-06-17T10:05:51Z WARN kunai] syscalls_sys_exit_execve probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0
+[2024-06-17T10:05:51Z WARN kunai] syscalls_sys_exit_execveat probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0
diff --git a/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/sample.stderr b/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/sample.stderr
new file mode 100644
index 0000000..e69de29
diff --git a/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/sample.stdout b/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/sample.stdout
new file mode 100644
index 0000000..e008a44
--- /dev/null
+++ b/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/sample.stdout
@@ -0,0 +1 @@
+Infected
diff --git a/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/sample.svg b/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/sample.svg
new file mode 100644
index 0000000..9179a39
--- /dev/null
+++ b/linux/44c21f98d1fe78e1466ddc9dfd1113e1e416934b6a0eb2b1da0bcf27535f7775/analysis/sample.svg
@@ -0,0 +1,215 @@ + + + + + + +%3 + + + +guuid=01272926-0b00-0000-79d1-e3c959040000 pid=1113 + +/usr/bin/sudo + + + +guuid=bbcd9627-0b00-0000-79d1-e3c95a040000 pid=1114 + +/tmp/sample.bin + +net + + + +guuid=01272926-0b00-0000-79d1-e3c959040000 pid=1113->guuid=bbcd9627-0b00-0000-79d1-e3c95a040000 pid=1114 + + +execve + + + +8.8.8.8 + +8.8.8.8 + + + +guuid=bbcd9627-0b00-0000-79d1-e3c95a040000 pid=1114->8.8.8.8 + + +con + + + +guuid=f725dd27-0b00-0000-79d1-e3c95b040000 pid=1115 + +/tmp/sample.bin + +net + +net-scan + +send-data + +zombie + + + +guuid=bbcd9627-0b00-0000-79d1-e3c95a040000 pid=1114->guuid=f725dd27-0b00-0000-79d1-e3c95b040000 pid=1115 + + +clone + + + +guuid=bb4e4328-0b00-0000-79d1-e3c95c040000 pid=1116 + +/tmp/sample.bin + + + +guuid=bbcd9627-0b00-0000-79d1-e3c95a040000 pid=1114->guuid=bb4e4328-0b00-0000-79d1-e3c95c040000 pid=1116 + + +clone + + + +guuid=f725dd27-0b00-0000-79d1-e3c95b040000 pid=1115->8.8.8.8 + + +con + + + +guuid=f725dd27-0b00-0000-79d1-e3c95b040000 pid=1115|send-data + +send-data to 40919 IP addresses +review logs to see them all + + + +guuid=f725dd27-0b00-0000-79d1-e3c95b040000 pid=1115->guuid=f725dd27-0b00-0000-79d1-e3c95b040000 pid=1115|send-data + + +send + + + +guuid=399b5128-0b00-0000-79d1-e3c95d040000 pid=1117 + +/tmp/sample.bin + + + +guuid=bb4e4328-0b00-0000-79d1-e3c95c040000 pid=1116->guuid=399b5128-0b00-0000-79d1-e3c95d040000 pid=1117 + + +clone + + + +guuid=aeec5228-0b00-0000-79d1-e3c95e040000 pid=1118 + +/tmp/sample.bin + + + +guuid=bb4e4328-0b00-0000-79d1-e3c95c040000 pid=1116->guuid=aeec5228-0b00-0000-79d1-e3c95e040000 pid=1118 + + +clone + + + +guuid=d1b1c2e1-0b00-0000-79d1-e3c961040000 pid=1121 + +/tmp/sample.bin + + + +guuid=399b5128-0b00-0000-79d1-e3c95d040000 pid=1117->guuid=d1b1c2e1-0b00-0000-79d1-e3c961040000 pid=1121 + + +clone + + + +guuid=3c3fbd28-0b00-0000-79d1-e3c95f040000 pid=1119 + +/tmp/sample.bin + +net + +zombie + + + +guuid=aeec5228-0b00-0000-79d1-e3c95e040000 
pid=1118->guuid=3c3fbd28-0b00-0000-79d1-e3c95f040000 pid=1119 + + +clone + + + +85.239.34.203 + +85.239.34.203 + + + +guuid=3c3fbd28-0b00-0000-79d1-e3c95f040000 pid=1119->85.239.34.203 + + +con + + + +255.255.255.255 + +255.255.255.255 + + + +guuid=3c3fbd28-0b00-0000-79d1-e3c95f040000 pid=1119->255.255.255.255 + + +con + + + +guuid=36d3c4e1-0b00-0000-79d1-e3c962040000 pid=1122 + +/tmp/sample.bin + +net + +zombie + + + +guuid=d1b1c2e1-0b00-0000-79d1-e3c961040000 pid=1121->guuid=36d3c4e1-0b00-0000-79d1-e3c962040000 pid=1122 + + +clone + + + +guuid=36d3c4e1-0b00-0000-79d1-e3c962040000 pid=1122->85.239.34.203 + + +con + + + +guuid=36d3c4e1-0b00-0000-79d1-e3c962040000 pid=1122->255.255.255.255 + + +con + + + diff --git a/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04 b/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04 new file mode 100644 index 0000000..9e8d0d7 Binary files /dev/null and b/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04 differ diff --git a/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/analysis.yaml b/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/analysis.yaml new file mode 100644 index 0000000..1cfd426 --- /dev/null +++ b/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/analysis.yaml @@ -0,0 +1,14 @@ +analysis: + duration_sec: 60 + timestamp: '2024-06-19T14:31:17.011929+00:00' +kunai: + args: + - --include=all + - --send-data-min-len=0 + version: kunai 0.2.3 +sample: + args: [] +system: + kernel: 5.10.0-30-cloud-amd64 + uname: 'Linux kunai-sandbox 5.10.0-30-cloud-amd64 #1 SMP Debian 5.10.218-1 (2024-06-01) + x86_64 GNU/Linux' 
diff --git a/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/dump.pcap b/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/dump.pcap
new file mode 100644
index 0000000..2200dd9
Binary files /dev/null and b/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/dump.pcap differ
diff --git a/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/kunai.jsonl.gz b/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/kunai.jsonl.gz
new file mode 100644
index 0000000..ae6de42
Binary files /dev/null and b/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/kunai.jsonl.gz differ
diff --git a/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/kunai.stderr b/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/kunai.stderr
new file mode 100644
index 0000000..d61efcd
--- /dev/null
+++ b/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/kunai.stderr
@@ -0,0 +1,2 @@
+[2024-06-17T10:05:51Z WARN kunai] syscalls_sys_exit_execve probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0
+[2024-06-17T10:05:52Z WARN kunai] syscalls_sys_exit_execveat probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0
diff --git a/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/sample.stderr b/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/sample.stderr
new file mode 100644
index 0000000..148f1ac
--- /dev/null
+++ b/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/sample.stderr
@@ -0,0 +1 @@
+!!! Must run as non-root.
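Review bot: The sample's only output is `!!! Must run as non-root.`, i.e. it bailed out immediately because the sandbox apparently launched it with root privileges (the sample.svg hunk in the next line shows /usr/bin/sudo execve'ing /tmp/sample.bin and nothing further), so the near-empty trace for this sample reflects a refused run rather than benign behaviour. The sample.stdout hunk in the next line identifies the binary as the Ksplice diagnostic tool for CVE-2010-3081, which further suggests this entry is a checker rather than a payload and deserves a label. I'd record the sample's exit status and a refused/ran-as-root marker in analysis.yaml (for example under `sample:`, next to `args: []`), and consider re-running samples that exit on uid 0 as an unprivileged user; otherwise downstream users will treat the empty behaviour as a ground-truth negative.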
diff --git a/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/sample.stdout b/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/sample.stdout
new file mode 100644
index 0000000..3d5fd72
--- /dev/null
+++ b/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/sample.stdout
@@ -0,0 +1,3 @@
+Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
+(see http://www.ksplice.com/uptrack/cve-2010-3081)
+
diff --git a/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/sample.svg b/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/sample.svg
new file mode 100644
index 0000000..09fd9ae
--- /dev/null
+++ b/linux/6420f5d7d48b75d687b8356e93c82721bb536c633d773f8985f74c8977425f04/analysis/sample.svg
@@ -0,0 +1,32 @@
+ + + + + + +%3 + + + +guuid=31486530-0b00-0000-d458-7b1f58040000 pid=1112 + +/usr/bin/sudo + + + +guuid=41fb7f31-0b00-0000-d458-7b1f59040000 pid=1113 + +/tmp/sample.bin + + + +guuid=31486530-0b00-0000-d458-7b1f58040000 pid=1112->guuid=41fb7f31-0b00-0000-d458-7b1f59040000 pid=1113 + + +execve + + +
diff --git a/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6 b/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6
new file mode 100644
index 0000000..23231d0
Binary files /dev/null and b/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6 differ
diff --git a/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/analysis.yaml b/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/analysis.yaml
new file mode 100644
index 0000000..fb1b341
--- /dev/null
+++ b/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/analysis.yaml
@@ -0,0 +1,14 @@
+analysis:
+ duration_sec: 60
+ timestamp: '2024-06-19T14:28:59.105345+00:00'
+kunai:
+ args:
+ - --include=all
+ - --send-data-min-len=0
+ version: kunai 0.2.3
+sample:
+ args: []
+system:
+ kernel: 5.10.0-30-cloud-amd64
+ uname: 'Linux kunai-sandbox 5.10.0-30-cloud-amd64 #1 SMP Debian 5.10.218-1 (2024-06-01)
+ x86_64 GNU/Linux'
diff --git a/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/dump.pcap b/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/dump.pcap
new file mode 100644
index 0000000..760f7ea
Binary files /dev/null and b/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/dump.pcap differ
diff --git a/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/kunai.jsonl.gz b/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/kunai.jsonl.gz
new file mode 100644
index 0000000..172c71d
Binary files /dev/null and b/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/kunai.jsonl.gz differ
diff --git a/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/kunai.stderr b/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/kunai.stderr
new file mode 100644
index 0000000..d61efcd
--- /dev/null
+++ b/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/kunai.stderr
@@ -0,0 +1,2 @@
+[2024-06-17T10:05:51Z WARN kunai] syscalls_sys_exit_execve probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0
+[2024-06-17T10:05:52Z WARN kunai] syscalls_sys_exit_execveat probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0
diff --git a/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/sample.stderr b/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/sample.stderr
new file mode 100644
index 0000000..e69de29
diff --git a/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/sample.stdout b/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/sample.stdout
new file mode 100644
index 0000000..e69de29
diff --git a/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/sample.svg b/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/sample.svg
new file mode 100644
index 0000000..e2afdca
--- /dev/null
+++ b/linux/6ebf51d169240f1c233aaf49da07005eca3529ae4c9b19b9de78f906ad7527a6/analysis/sample.svg
@@ -0,0 +1,1208 @@ + + + + + + +%3 + + + +guuid=65f09b2b-0b00-0000-e1c3-c49859040000 pid=1113 + +/usr/bin/sudo + + + +guuid=cb1b6f2c-0b00-0000-e1c3-c4985a040000 pid=1114 + +/tmp/sample.bin + + + +guuid=65f09b2b-0b00-0000-e1c3-c49859040000 pid=1113->guuid=cb1b6f2c-0b00-0000-e1c3-c4985a040000 pid=1114 + + +execve + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115 + +/tmp/sample.bin + +write-config + +write-file + +zombie + + + +guuid=cb1b6f2c-0b00-0000-e1c3-c4985a040000 pid=1114->guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115 + + +clone + + + +guuid=af6afce5-0b00-0000-e1c3-c4985d040000 pid=1117 + +/usr/bin/dash + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=af6afce5-0b00-0000-e1c3-c4985d040000 pid=1117 + + +execve + + + +guuid=57c218e7-0b00-0000-e1c3-c4985f040000 pid=1119 + +/usr/bin/dash + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=57c218e7-0b00-0000-e1c3-c4985f040000 pid=1119 + + +execve + + + +guuid=f4b90ce8-0b00-0000-e1c3-c49861040000 pid=1121 + +/usr/bin/dash + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=f4b90ce8-0b00-0000-e1c3-c49861040000 pid=1121 + + +execve + + + +guuid=076263e8-0b00-0000-e1c3-c49863040000 pid=1123 + +/usr/bin/dash + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=076263e8-0b00-0000-e1c3-c49863040000 pid=1123 + + +execve + + + +guuid=0df1a2e8-0b00-0000-e1c3-c49865040000 pid=1125 + +/usr/bin/dash + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=0df1a2e8-0b00-0000-e1c3-c49865040000 pid=1125 + + +execve + + + +guuid=0a624160-0c00-0000-e1c3-c49867040000 pid=1127 + +/usr/bin/dash + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=0a624160-0c00-0000-e1c3-c49867040000 pid=1127 + + +execve + + + +guuid=ff48ba60-0c00-0000-e1c3-c49869040000 pid=1129 + +/usr/bin/dash + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=ff48ba60-0c00-0000-e1c3-c49869040000 pid=1129 + + +execve + + + 
+guuid=242bc99c-0c00-0000-e1c3-c4986b040000 pid=1131 + +/tmp/sample.bin + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=242bc99c-0c00-0000-e1c3-c4986b040000 pid=1131 + + +clone + + + +guuid=9785e19d-0c00-0000-e1c3-c4986f040000 pid=1135 + +/usr/bin/dash + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=9785e19d-0c00-0000-e1c3-c4986f040000 pid=1135 + + +execve + + + +guuid=64f7639e-0c00-0000-e1c3-c49871040000 pid=1137 + +/usr/bin/dash + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=64f7639e-0c00-0000-e1c3-c49871040000 pid=1137 + + +execve + + + +guuid=69f678da-0c00-0000-e1c3-c49873040000 pid=1139 + +/tmp/sample.bin + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=69f678da-0c00-0000-e1c3-c49873040000 pid=1139 + + +clone + + + +guuid=878132db-0c00-0000-e1c3-c49877040000 pid=1143 + +/usr/bin/dash + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=878132db-0c00-0000-e1c3-c49877040000 pid=1143 + + +execve + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1145 + +/tmp/sample.bin + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1145 + + +clone + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1146 + +/tmp/sample.bin + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1146 + + +clone + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1147 + +/tmp/sample.bin + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1147 + + +clone + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1148 + +/tmp/sample.bin + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1148 + + +clone + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1149 + +/tmp/sample.bin + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1149 + + 
+clone + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1150 + +/tmp/sample.bin + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1150 + + +clone + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1151 + +/tmp/sample.bin + +send-data + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1115->guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1151 + + +clone + + + +guuid=e4434ce6-0b00-0000-e1c3-c4985e040000 pid=1118 + +/usr/bin/ln + + + +guuid=af6afce5-0b00-0000-e1c3-c4985d040000 pid=1117->guuid=e4434ce6-0b00-0000-e1c3-c4985e040000 pid=1118 + + +execve + + + +guuid=0e4ecde7-0b00-0000-e1c3-c49860040000 pid=1120 + +/usr/bin/ln + + + +guuid=57c218e7-0b00-0000-e1c3-c4985f040000 pid=1119->guuid=0e4ecde7-0b00-0000-e1c3-c49860040000 pid=1120 + + +execve + + + +guuid=e0d62de8-0b00-0000-e1c3-c49862040000 pid=1122 + +/usr/bin/ln + + + +guuid=f4b90ce8-0b00-0000-e1c3-c49861040000 pid=1121->guuid=e0d62de8-0b00-0000-e1c3-c49862040000 pid=1122 + + +execve + + + +guuid=3bdb7ce8-0b00-0000-e1c3-c49864040000 pid=1124 + +/usr/bin/ln + + + +guuid=076263e8-0b00-0000-e1c3-c49863040000 pid=1123->guuid=3bdb7ce8-0b00-0000-e1c3-c49864040000 pid=1124 + + +execve + + + +guuid=fa66bbe8-0b00-0000-e1c3-c49866040000 pid=1126 + +/usr/bin/ln + + + +guuid=0df1a2e8-0b00-0000-e1c3-c49865040000 pid=1125->guuid=fa66bbe8-0b00-0000-e1c3-c49866040000 pid=1126 + + +execve + + + +guuid=8b547e60-0c00-0000-e1c3-c49868040000 pid=1128 + +/usr/bin/mkdir + + + +guuid=0a624160-0c00-0000-e1c3-c49867040000 pid=1127->guuid=8b547e60-0c00-0000-e1c3-c49868040000 pid=1128 + + +execve + + + +guuid=023ed060-0c00-0000-e1c3-c4986a040000 pid=1130 + +/usr/bin/cp + +write-file + + + +guuid=ff48ba60-0c00-0000-e1c3-c49869040000 pid=1129->guuid=023ed060-0c00-0000-e1c3-c4986a040000 pid=1130 + + +execve + + + +guuid=7c49d29c-0c00-0000-e1c3-c4986c040000 pid=1132 + +/usr/bin/dash + + + +guuid=242bc99c-0c00-0000-e1c3-c4986b040000 
pid=1131->guuid=7c49d29c-0c00-0000-e1c3-c4986c040000 pid=1132 + + +execve + + + +guuid=85d9229d-0c00-0000-e1c3-c4986d040000 pid=1133 + +/usr/bin/bsd-port/knerl + + + +guuid=7c49d29c-0c00-0000-e1c3-c4986c040000 pid=1132->guuid=85d9229d-0c00-0000-e1c3-c4986d040000 pid=1133 + + +execve + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134 + +/usr/bin/bsd-port/knerl + +write-config + +write-file + +zombie + + + +guuid=85d9229d-0c00-0000-e1c3-c4986d040000 pid=1133->guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134 + + +clone + + + +guuid=91e9d4dd-0c00-0000-e1c3-c49880040000 pid=1152 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=91e9d4dd-0c00-0000-e1c3-c49880040000 pid=1152 + + +execve + + + +guuid=7e8b27de-0c00-0000-e1c3-c49882040000 pid=1154 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=7e8b27de-0c00-0000-e1c3-c49882040000 pid=1154 + + +execve + + + +guuid=1dfc48de-0c00-0000-e1c3-c49884040000 pid=1156 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=1dfc48de-0c00-0000-e1c3-c49884040000 pid=1156 + + +execve + + + +guuid=b7f165de-0c00-0000-e1c3-c49886040000 pid=1158 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=b7f165de-0c00-0000-e1c3-c49886040000 pid=1158 + + +execve + + + +guuid=db1887de-0c00-0000-e1c3-c49888040000 pid=1160 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=db1887de-0c00-0000-e1c3-c49888040000 pid=1160 + + +execve + + + +guuid=2a1bb2de-0c00-0000-e1c3-c4988a040000 pid=1162 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=2a1bb2de-0c00-0000-e1c3-c4988a040000 pid=1162 + + +execve + + + +guuid=d014e9de-0c00-0000-e1c3-c4988c040000 pid=1164 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=d014e9de-0c00-0000-e1c3-c4988c040000 pid=1164 + + +execve + + + +guuid=6abb5ddf-0c00-0000-e1c3-c4988e040000 pid=1166 + 
+/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=6abb5ddf-0c00-0000-e1c3-c4988e040000 pid=1166 + + +execve + + + +guuid=49489ddf-0c00-0000-e1c3-c49890040000 pid=1168 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=49489ddf-0c00-0000-e1c3-c49890040000 pid=1168 + + +execve + + + +guuid=75f2e2df-0c00-0000-e1c3-c49892040000 pid=1170 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=75f2e2df-0c00-0000-e1c3-c49892040000 pid=1170 + + +execve + + + +guuid=55b10ae0-0c00-0000-e1c3-c49894040000 pid=1172 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=55b10ae0-0c00-0000-e1c3-c49894040000 pid=1172 + + +execve + + + +guuid=5aabcee0-0c00-0000-e1c3-c49896040000 pid=1174 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=5aabcee0-0c00-0000-e1c3-c49896040000 pid=1174 + + +execve + + + +guuid=8ea5f6e0-0c00-0000-e1c3-c49898040000 pid=1176 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=8ea5f6e0-0c00-0000-e1c3-c49898040000 pid=1176 + + +execve + + + +guuid=564b3ae1-0c00-0000-e1c3-c4989a040000 pid=1178 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=564b3ae1-0c00-0000-e1c3-c4989a040000 pid=1178 + + +execve + + + +guuid=487061e1-0c00-0000-e1c3-c4989c040000 pid=1180 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=487061e1-0c00-0000-e1c3-c4989c040000 pid=1180 + + +execve + + + +guuid=971693e1-0c00-0000-e1c3-c4989e040000 pid=1182 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=971693e1-0c00-0000-e1c3-c4989e040000 pid=1182 + + +execve + + + +guuid=5c6ee4e1-0c00-0000-e1c3-c498a0040000 pid=1184 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=5c6ee4e1-0c00-0000-e1c3-c498a0040000 pid=1184 + + +execve + + + +guuid=321002e2-0c00-0000-e1c3-c498a2040000 pid=1186 + 
+/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=321002e2-0c00-0000-e1c3-c498a2040000 pid=1186 + + +execve + + + +guuid=663830e2-0c00-0000-e1c3-c498a4040000 pid=1188 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=663830e2-0c00-0000-e1c3-c498a4040000 pid=1188 + + +execve + + + +guuid=d2d373e2-0c00-0000-e1c3-c498a6040000 pid=1190 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=d2d373e2-0c00-0000-e1c3-c498a6040000 pid=1190 + + +execve + + + +guuid=0ee898e2-0c00-0000-e1c3-c498a8040000 pid=1192 + +/usr/bin/dash + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=0ee898e2-0c00-0000-e1c3-c498a8040000 pid=1192 + + +execve + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1194 + +/usr/bin/bsd-port/knerl + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1194 + + +clone + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1195 + +/usr/bin/bsd-port/knerl + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1195 + + +clone + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1196 + +/usr/bin/bsd-port/knerl + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1196 + + +clone + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1197 + +/usr/bin/bsd-port/knerl + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1197 + + +clone + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1198 + +/usr/bin/bsd-port/knerl + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1198 + + +clone + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1199 + +/usr/bin/bsd-port/knerl + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1199 + + +clone + + + 
+guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1200 + +/usr/bin/bsd-port/knerl + +send-data + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1134->guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1200 + + +clone + + + +guuid=99abf29d-0c00-0000-e1c3-c49870040000 pid=1136 + +/usr/bin/mkdir + + + +guuid=9785e19d-0c00-0000-e1c3-c4986f040000 pid=1135->guuid=99abf29d-0c00-0000-e1c3-c49870040000 pid=1136 + + +execve + + + +guuid=3d27a49e-0c00-0000-e1c3-c49872040000 pid=1138 + +/usr/bin/cp + +write-file + + + +guuid=64f7639e-0c00-0000-e1c3-c49871040000 pid=1137->guuid=3d27a49e-0c00-0000-e1c3-c49872040000 pid=1138 + + +execve + + + +guuid=849c82da-0c00-0000-e1c3-c49874040000 pid=1140 + +/usr/bin/dash + + + +guuid=69f678da-0c00-0000-e1c3-c49873040000 pid=1139->guuid=849c82da-0c00-0000-e1c3-c49874040000 pid=1140 + + +execve + + + +guuid=3ce9d8da-0c00-0000-e1c3-c49875040000 pid=1141 + +/usr/bin/pythno + + + +guuid=849c82da-0c00-0000-e1c3-c49874040000 pid=1140->guuid=3ce9d8da-0c00-0000-e1c3-c49875040000 pid=1141 + + +execve + + + +guuid=956300db-0c00-0000-e1c3-c49876040000 pid=1142 + +/usr/bin/pythno + +delete-file + +write-file + +zombie + + + +guuid=3ce9d8da-0c00-0000-e1c3-c49875040000 pid=1141->guuid=956300db-0c00-0000-e1c3-c49876040000 pid=1142 + + +clone + + + +guuid=956300db-0c00-0000-e1c3-c49876040000 pid=1201 + +/usr/bin/pythno + + + +guuid=956300db-0c00-0000-e1c3-c49876040000 pid=1142->guuid=956300db-0c00-0000-e1c3-c49876040000 pid=1201 + + +clone + + + +guuid=449388db-0c00-0000-e1c3-c49878040000 pid=1144 + +/usr/bin/kmod + + + +guuid=878132db-0c00-0000-e1c3-c49877040000 pid=1143->guuid=449388db-0c00-0000-e1c3-c49878040000 pid=1144 + + +execve + + + +10.0.2.3 + +10.0.2.3 + + + +guuid=93eb7f2c-0b00-0000-e1c3-c4985b040000 pid=1151->10.0.2.3 + + +send: 1479B + + + +guuid=90c812de-0c00-0000-e1c3-c49881040000 pid=1153 + +/usr/bin/ln + + + +guuid=91e9d4dd-0c00-0000-e1c3-c49880040000 pid=1152->guuid=90c812de-0c00-0000-e1c3-c49881040000 pid=1153 + + +execve + + + 
+guuid=c80135de-0c00-0000-e1c3-c49883040000 pid=1155 + +/usr/bin/ln + + + +guuid=7e8b27de-0c00-0000-e1c3-c49882040000 pid=1154->guuid=c80135de-0c00-0000-e1c3-c49883040000 pid=1155 + + +execve + + + +guuid=700c55de-0c00-0000-e1c3-c49885040000 pid=1157 + +/usr/bin/ln + + + +guuid=1dfc48de-0c00-0000-e1c3-c49884040000 pid=1156->guuid=700c55de-0c00-0000-e1c3-c49885040000 pid=1157 + + +execve + + + +guuid=99ea71de-0c00-0000-e1c3-c49887040000 pid=1159 + +/usr/bin/ln + + + +guuid=b7f165de-0c00-0000-e1c3-c49886040000 pid=1158->guuid=99ea71de-0c00-0000-e1c3-c49887040000 pid=1159 + + +execve + + + +guuid=ec349ade-0c00-0000-e1c3-c49889040000 pid=1161 + +/usr/bin/ln + + + +guuid=db1887de-0c00-0000-e1c3-c49888040000 pid=1160->guuid=ec349ade-0c00-0000-e1c3-c49889040000 pid=1161 + + +execve + + + +guuid=d0ebc0de-0c00-0000-e1c3-c4988b040000 pid=1163 + +/usr/bin/mkdir + + + +guuid=2a1bb2de-0c00-0000-e1c3-c4988a040000 pid=1162->guuid=d0ebc0de-0c00-0000-e1c3-c4988b040000 pid=1163 + + +execve + + + +guuid=664cf9de-0c00-0000-e1c3-c4988d040000 pid=1165 + +/usr/bin/cp + +write-file + + + +guuid=d014e9de-0c00-0000-e1c3-c4988c040000 pid=1164->guuid=664cf9de-0c00-0000-e1c3-c4988d040000 pid=1165 + + +execve + + + +guuid=565883df-0c00-0000-e1c3-c4988f040000 pid=1167 + +/usr/bin/mkdir + + + +guuid=6abb5ddf-0c00-0000-e1c3-c4988e040000 pid=1166->guuid=565883df-0c00-0000-e1c3-c4988f040000 pid=1167 + + +execve + + + +guuid=7c58a8df-0c00-0000-e1c3-c49891040000 pid=1169 + +/usr/bin/cp + +write-file + + + +guuid=49489ddf-0c00-0000-e1c3-c49890040000 pid=1168->guuid=7c58a8df-0c00-0000-e1c3-c49891040000 pid=1169 + + +execve + + + +guuid=dee7f1df-0c00-0000-e1c3-c49893040000 pid=1171 + +/usr/bin/chmod + + + +guuid=75f2e2df-0c00-0000-e1c3-c49892040000 pid=1170->guuid=dee7f1df-0c00-0000-e1c3-c49893040000 pid=1171 + + +execve + + + +guuid=7d1b1be0-0c00-0000-e1c3-c49895040000 pid=1173 + +/usr/bin/cp + +write-file + + + +guuid=55b10ae0-0c00-0000-e1c3-c49894040000 
pid=1172->guuid=7d1b1be0-0c00-0000-e1c3-c49895040000 pid=1173 + + +execve + + + +guuid=507ddde0-0c00-0000-e1c3-c49897040000 pid=1175 + +/usr/bin/mkdir + + + +guuid=5aabcee0-0c00-0000-e1c3-c49896040000 pid=1174->guuid=507ddde0-0c00-0000-e1c3-c49897040000 pid=1175 + + +execve + + + +guuid=6dcf01e1-0c00-0000-e1c3-c49899040000 pid=1177 + +/usr/bin/cp + +write-file + + + +guuid=8ea5f6e0-0c00-0000-e1c3-c49898040000 pid=1176->guuid=6dcf01e1-0c00-0000-e1c3-c49899040000 pid=1177 + + +execve + + + +guuid=08ef48e1-0c00-0000-e1c3-c4989b040000 pid=1179 + +/usr/bin/chmod + + + +guuid=564b3ae1-0c00-0000-e1c3-c4989a040000 pid=1178->guuid=08ef48e1-0c00-0000-e1c3-c4989b040000 pid=1179 + + +execve + + + +guuid=ed8f72e1-0c00-0000-e1c3-c4989d040000 pid=1181 + +/usr/bin/mkdir + + + +guuid=487061e1-0c00-0000-e1c3-c4989c040000 pid=1180->guuid=ed8f72e1-0c00-0000-e1c3-c4989d040000 pid=1181 + + +execve + + + +guuid=786ba2e1-0c00-0000-e1c3-c4989f040000 pid=1183 + +/usr/bin/cp + +write-file + + + +guuid=971693e1-0c00-0000-e1c3-c4989e040000 pid=1182->guuid=786ba2e1-0c00-0000-e1c3-c4989f040000 pid=1183 + + +execve + + + +guuid=cdd7f1e1-0c00-0000-e1c3-c498a1040000 pid=1185 + +/usr/bin/chmod + + + +guuid=5c6ee4e1-0c00-0000-e1c3-c498a0040000 pid=1184->guuid=cdd7f1e1-0c00-0000-e1c3-c498a1040000 pid=1185 + + +execve + + + +guuid=22f40ee2-0c00-0000-e1c3-c498a3040000 pid=1187 + +/usr/bin/mkdir + + + +guuid=321002e2-0c00-0000-e1c3-c498a2040000 pid=1186->guuid=22f40ee2-0c00-0000-e1c3-c498a3040000 pid=1187 + + +execve + + + +guuid=571e3ce2-0c00-0000-e1c3-c498a5040000 pid=1189 + +/usr/bin/cp + +write-file + + + +guuid=663830e2-0c00-0000-e1c3-c498a4040000 pid=1188->guuid=571e3ce2-0c00-0000-e1c3-c498a5040000 pid=1189 + + +execve + + + +guuid=4d1781e2-0c00-0000-e1c3-c498a7040000 pid=1191 + +/usr/bin/chmod + + + +guuid=d2d373e2-0c00-0000-e1c3-c498a6040000 pid=1190->guuid=4d1781e2-0c00-0000-e1c3-c498a7040000 pid=1191 + + +execve + + + +guuid=e508a4e2-0c00-0000-e1c3-c498a9040000 pid=1193 + +/usr/bin/kmod + + + 
+guuid=0ee898e2-0c00-0000-e1c3-c498a8040000 pid=1192->guuid=e508a4e2-0c00-0000-e1c3-c498a9040000 pid=1193 + + +execve + + + +guuid=83843b9d-0c00-0000-e1c3-c4986e040000 pid=1200->10.0.2.3 + + +send: 360B + + + diff --git a/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b b/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b new file mode 100644 index 0000000..97410ba Binary files /dev/null and b/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b differ diff --git a/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/analysis.yaml b/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/analysis.yaml new file mode 100644 index 0000000..bdec372 --- /dev/null +++ b/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/analysis.yaml @@ -0,0 +1,14 @@ +analysis: + duration_sec: 60 + timestamp: '2024-06-19T14:30:08.021887+00:00' +kunai: + args: + - --include=all + - --send-data-min-len=0 + version: kunai 0.2.3 +sample: + args: [] +system: + kernel: 5.10.0-30-cloud-amd64 + uname: 'Linux kunai-sandbox 5.10.0-30-cloud-amd64 #1 SMP Debian 5.10.218-1 (2024-06-01) + x86_64 GNU/Linux' diff --git a/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/dump.pcap b/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/dump.pcap new file mode 100644 index 0000000..dd2df41 Binary files /dev/null and b/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/dump.pcap differ 
diff --git a/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/kunai.jsonl.gz b/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/kunai.jsonl.gz
new file mode 100644
index 0000000..e4deea5
Binary files /dev/null and b/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/kunai.jsonl.gz differ
diff --git a/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/kunai.stderr b/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/kunai.stderr
new file mode 100644
index 0000000..d61efcd
--- /dev/null
+++ b/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/kunai.stderr
@@ -0,0 +1,2 @@
+[2024-06-17T10:05:51Z WARN kunai] syscalls_sys_exit_execve probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0
+[2024-06-17T10:05:52Z WARN kunai] syscalls_sys_exit_execveat probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0
diff --git a/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/sample.stderr b/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/sample.stderr
new file mode 100644
index 0000000..e69de29
diff --git a/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/sample.stdout b/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/sample.stdout
new file mode 100644
index 0000000..e69de29
diff --git a/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/sample.svg b/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/sample.svg
new file mode 100644
index 0000000..be67272
--- /dev/null
+++ b/linux/ad69790f301c6b7cebaa84a7fecd6431e87b09526d81a3c618bdf985e08edf3b/analysis/sample.svg
@@ -0,0 +1,92 @@ + + + + + + +%3 + + + +guuid=56bd9127-0b00-0000-7c0a-19cb58040000 pid=1112 + +/usr/bin/sudo + + + +guuid=fed9b428-0b00-0000-7c0a-19cb59040000 pid=1113 + +/tmp/sample.bin + +net + + + +guuid=56bd9127-0b00-0000-7c0a-19cb58040000 pid=1112->guuid=fed9b428-0b00-0000-7c0a-19cb59040000 pid=1113 + + +execve + + + +8.8.8.8 + +8.8.8.8 + + + +guuid=fed9b428-0b00-0000-7c0a-19cb59040000 pid=1113->8.8.8.8 + + +con + + + +guuid=7b1ec728-0b00-0000-7c0a-19cb5a040000 pid=1114 + +/tmp/sample.bin + + + +guuid=fed9b428-0b00-0000-7c0a-19cb59040000 pid=1113->guuid=7b1ec728-0b00-0000-7c0a-19cb5a040000 pid=1114 + + +clone + + + +guuid=c24ac928-0b00-0000-7c0a-19cb5b040000 pid=1115 + +/tmp/sample.bin + +net + +send-data + +zombie + + + +guuid=7b1ec728-0b00-0000-7c0a-19cb5a040000 pid=1114->guuid=c24ac928-0b00-0000-7c0a-19cb5b040000 pid=1115 + + +clone + + + +45.95.169.138 + +45.95.169.138 + + + +guuid=c24ac928-0b00-0000-7c0a-19cb5b040000 pid=1115->45.95.169.138 + + +send: 96B + + + diff --git a/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/analysis.yaml b/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/analysis.yaml new file mode 100644 index 0000000..28fab7f --- /dev/null +++ b/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/analysis.yaml @@ -0,0 +1,14 @@ +analysis: + duration_sec: 60 + timestamp: '2024-06-19T14:32:25.847547+00:00' +kunai: + args: + - --include=all + - --send-data-min-len=0 + version: kunai 0.2.3 +sample: + args: [] +system: + kernel: 5.10.0-30-cloud-amd64 + uname: 'Linux kunai-sandbox 5.10.0-30-cloud-amd64 #1 SMP Debian 5.10.218-1 (2024-06-01) + x86_64 GNU/Linux' 
diff --git a/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/dump.pcap b/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/dump.pcap new file mode 100644 index 0000000..ba70cb6 Binary files /dev/null and b/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/dump.pcap differ diff --git a/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/kunai.jsonl.gz b/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/kunai.jsonl.gz new file mode 100644 index 0000000..f2962fd Binary files /dev/null and b/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/kunai.jsonl.gz differ diff --git a/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/kunai.stderr b/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/kunai.stderr new file mode 100644 index 0000000..d61efcd --- /dev/null +++ b/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/kunai.stderr @@ -0,0 +1,2 @@ +[2024-06-17T10:05:51Z WARN kunai] syscalls_sys_exit_execve probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0 +[2024-06-17T10:05:52Z WARN kunai] syscalls_sys_exit_execveat probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0 diff --git a/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/sample.stderr b/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/sample.stderr new file mode 100644 index 0000000..f9ee614 --- /dev/null +++ b/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/sample.stderr @@ -0,0 +1,4 @@ +attached +New password: Password change has been aborted. +passwd: Authentication token manipulation error +passwd: password unchanged 
diff --git a/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/sample.stdout b/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/sample.stdout new file mode 100644 index 0000000..e69de29 diff --git a/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/sample.svg b/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/sample.svg new file mode 100644 index 0000000..38c08dd --- /dev/null +++ b/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/analysis/sample.svg @@ -0,0 +1,77 @@ + + + + + + +%3 + + + +guuid=b11c622b-0b00-0000-bc0f-2f2859040000 pid=1113 + +/usr/bin/sudo + + + +guuid=57ed1f2c-0b00-0000-bc0f-2f285a040000 pid=1114 + +/usr/bin/newgrp + + + +guuid=b11c622b-0b00-0000-bc0f-2f2859040000 pid=1113->guuid=57ed1f2c-0b00-0000-bc0f-2f285a040000 pid=1114 + + +execve + + + +guuid=b8c1c52c-0b00-0000-bc0f-2f285c040000 pid=1116 + +/tmp/sample.bin + + + +guuid=57ed1f2c-0b00-0000-bc0f-2f285a040000 pid=1114->guuid=b8c1c52c-0b00-0000-bc0f-2f285c040000 pid=1116 + + +clone + + + +guuid=cae6f62e-0b00-0000-bc0f-2f285d040000 pid=1117 + +/usr/bin/bash + + + +guuid=57ed1f2c-0b00-0000-bc0f-2f285a040000 pid=1114->guuid=cae6f62e-0b00-0000-bc0f-2f285d040000 pid=1117 + + +execve + + + +guuid=a493e31f-0000-0000-bc0f-2f2801000000 pid=1 + +/usr/lib/systemd/systemd + + + +guuid=2f5bc22c-0b00-0000-bc0f-2f285b040000 pid=1115 + +/usr/bin/passwd + + + +guuid=a493e31f-0000-0000-bc0f-2f2801000000 pid=1->guuid=2f5bc22c-0b00-0000-bc0f-2f285b040000 pid=1115 + + +execve + + + 
diff --git a/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5 b/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5 new file mode 100644 index 0000000..251de3c Binary files /dev/null and b/linux/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5/b87ad7dba1d367c437db51045e57835f77e8d9735d5c917c6d16984fbde8a3c5 differ diff --git a/linux/bc70f90946d19b022fae8740cd3d5b349da29d1b3353cc01c3192ba0ba48ae79 b/linux/bc70f90946d19b022fae8740cd3d5b349da29d1b3353cc01c3192ba0ba48ae79/bc70f90946d19b022fae8740cd3d5b349da29d1b3353cc01c3192ba0ba48ae79 similarity index 100% rename from linux/bc70f90946d19b022fae8740cd3d5b349da29d1b3353cc01c3192ba0ba48ae79 rename to linux/bc70f90946d19b022fae8740cd3d5b349da29d1b3353cc01c3192ba0ba48ae79/bc70f90946d19b022fae8740cd3d5b349da29d1b3353cc01c3192ba0ba48ae79 diff --git a/linux/d14544d70f8193d9369020701d02a028408646cfd432e344da98c93ceaaa5e87 b/linux/d14544d70f8193d9369020701d02a028408646cfd432e344da98c93ceaaa5e87/d14544d70f8193d9369020701d02a028408646cfd432e344da98c93ceaaa5e87 similarity index 100% rename from linux/d14544d70f8193d9369020701d02a028408646cfd432e344da98c93ceaaa5e87 rename to linux/d14544d70f8193d9369020701d02a028408646cfd432e344da98c93ceaaa5e87/d14544d70f8193d9369020701d02a028408646cfd432e344da98c93ceaaa5e87 diff --git a/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/analysis.yaml b/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/analysis.yaml new file mode 100644 index 0000000..38afa46 --- /dev/null +++ b/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/analysis.yaml 
@@ -0,0 +1,14 @@ +analysis: + duration_sec: 60 + timestamp: '2024-06-19T14:33:34.822490+00:00' +kunai: + args: + - --include=all + - --send-data-min-len=0 + version: kunai 0.2.3 +sample: + args: [] +system: + kernel: 5.10.0-30-cloud-amd64 + uname: 'Linux kunai-sandbox 5.10.0-30-cloud-amd64 #1 SMP Debian 5.10.218-1 (2024-06-01) + x86_64 GNU/Linux' diff --git a/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/dump.pcap b/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/dump.pcap new file mode 100644 index 0000000..6bdafe6 Binary files /dev/null and b/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/dump.pcap differ diff --git a/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/kunai.jsonl.gz b/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/kunai.jsonl.gz new file mode 100644 index 0000000..3572acc Binary files /dev/null and b/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/kunai.jsonl.gz differ diff --git a/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/kunai.stderr b/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/kunai.stderr new file mode 100644 index 0000000..d61efcd --- /dev/null +++ b/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/kunai.stderr @@ -0,0 +1,2 @@ +[2024-06-17T10:05:51Z WARN kunai] syscalls_sys_exit_execve probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0 +[2024-06-17T10:05:52Z WARN kunai] syscalls_sys_exit_execveat probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0 
diff --git a/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/sample.stderr b/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/sample.stderr new file mode 100644 index 0000000..e69de29 diff --git a/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/sample.stdout b/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/sample.stdout new file mode 100644 index 0000000..e69de29 diff --git a/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/sample.svg b/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/sample.svg new file mode 100644 index 0000000..e75cca4 --- /dev/null +++ b/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/analysis/sample.svg 
@@ -0,0 +1,1225 @@ + + + + + + +%3 + + + +guuid=629f3032-0b00-0000-0d92-ffce59040000 pid=1113 + +/usr/bin/sudo + + + +guuid=0e3d5433-0b00-0000-0d92-ffce5a040000 pid=1114 + +/tmp/sample.bin + + + +guuid=629f3032-0b00-0000-0d92-ffce59040000 pid=1113->guuid=0e3d5433-0b00-0000-0d92-ffce5a040000 pid=1114 + + +execve + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115 + +/tmp/sample.bin + +write-config + +write-file + +zombie + + + +guuid=0e3d5433-0b00-0000-0d92-ffce5a040000 pid=1114->guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115 + + +clone + + + +guuid=6bd2dced-0b00-0000-0d92-ffce5d040000 pid=1117 + +/usr/bin/dash + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=6bd2dced-0b00-0000-0d92-ffce5d040000 pid=1117 + + +execve + + + +guuid=59c31dee-0b00-0000-0d92-ffce5f040000 pid=1119 + +/usr/bin/dash + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=59c31dee-0b00-0000-0d92-ffce5f040000 pid=1119 + + +execve + + + +guuid=ac3e67ee-0b00-0000-0d92-ffce61040000 pid=1121 + +/usr/bin/dash + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=ac3e67ee-0b00-0000-0d92-ffce61040000 pid=1121 + + +execve + + + +guuid=1e57c6ee-0b00-0000-0d92-ffce63040000 pid=1123 + +/usr/bin/dash + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=1e57c6ee-0b00-0000-0d92-ffce63040000 pid=1123 + + +execve + + + +guuid=01f425ef-0b00-0000-0d92-ffce65040000 pid=1125 + +/usr/bin/dash + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=01f425ef-0b00-0000-0d92-ffce65040000 pid=1125 + + +execve + + + +guuid=5036d666-0c00-0000-0d92-ffce67040000 pid=1127 + +/usr/bin/dash + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=5036d666-0c00-0000-0d92-ffce67040000 pid=1127 + + +execve + + + +guuid=e3214667-0c00-0000-0d92-ffce69040000 pid=1129 + +/usr/bin/dash + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=e3214667-0c00-0000-0d92-ffce69040000 pid=1129 + + +execve + + + 
+guuid=587b43a3-0c00-0000-0d92-ffce6b040000 pid=1131 + +/tmp/sample.bin + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=587b43a3-0c00-0000-0d92-ffce6b040000 pid=1131 + + +clone + + + +guuid=d558ada3-0c00-0000-0d92-ffce6f040000 pid=1135 + +/usr/bin/dash + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=d558ada3-0c00-0000-0d92-ffce6f040000 pid=1135 + + +execve + + + +guuid=133be6a3-0c00-0000-0d92-ffce71040000 pid=1137 + +/usr/bin/dash + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=133be6a3-0c00-0000-0d92-ffce71040000 pid=1137 + + +execve + + + +guuid=c30bdbdf-0c00-0000-0d92-ffce73040000 pid=1139 + +/tmp/sample.bin + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=c30bdbdf-0c00-0000-0d92-ffce73040000 pid=1139 + + +clone + + + +guuid=738c3ce0-0c00-0000-0d92-ffce77040000 pid=1143 + +/usr/bin/dash + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=738c3ce0-0c00-0000-0d92-ffce77040000 pid=1143 + + +execve + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1145 + +/tmp/sample.bin + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1145 + + +clone + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1146 + +/tmp/sample.bin + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1146 + + +clone + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1147 + +/tmp/sample.bin + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1147 + + +clone + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1148 + +/tmp/sample.bin + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1148 + + +clone + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1149 + +/tmp/sample.bin + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1149 + + 
+clone + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1150 + +/tmp/sample.bin + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1150 + + +clone + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1151 + +/tmp/sample.bin + +send-data + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1115->guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1151 + + +clone + + + +guuid=dfa1f7ed-0b00-0000-0d92-ffce5e040000 pid=1118 + +/usr/bin/ln + + + +guuid=6bd2dced-0b00-0000-0d92-ffce5d040000 pid=1117->guuid=dfa1f7ed-0b00-0000-0d92-ffce5e040000 pid=1118 + + +execve + + + +guuid=08b739ee-0b00-0000-0d92-ffce60040000 pid=1120 + +/usr/bin/ln + + + +guuid=59c31dee-0b00-0000-0d92-ffce5f040000 pid=1119->guuid=08b739ee-0b00-0000-0d92-ffce60040000 pid=1120 + + +execve + + + +guuid=6fdc8eee-0b00-0000-0d92-ffce62040000 pid=1122 + +/usr/bin/ln + + + +guuid=ac3e67ee-0b00-0000-0d92-ffce61040000 pid=1121->guuid=6fdc8eee-0b00-0000-0d92-ffce62040000 pid=1122 + + +execve + + + +guuid=4d59eeee-0b00-0000-0d92-ffce64040000 pid=1124 + +/usr/bin/ln + + + +guuid=1e57c6ee-0b00-0000-0d92-ffce63040000 pid=1123->guuid=4d59eeee-0b00-0000-0d92-ffce64040000 pid=1124 + + +execve + + + +guuid=1f5453ef-0b00-0000-0d92-ffce66040000 pid=1126 + +/usr/bin/ln + + + +guuid=01f425ef-0b00-0000-0d92-ffce65040000 pid=1125->guuid=1f5453ef-0b00-0000-0d92-ffce66040000 pid=1126 + + +execve + + + +guuid=6ae71b67-0c00-0000-0d92-ffce68040000 pid=1128 + +/usr/bin/mkdir + + + +guuid=5036d666-0c00-0000-0d92-ffce67040000 pid=1127->guuid=6ae71b67-0c00-0000-0d92-ffce68040000 pid=1128 + + +execve + + + +guuid=b9c65967-0c00-0000-0d92-ffce6a040000 pid=1130 + +/usr/bin/cp + +write-file + + + +guuid=e3214667-0c00-0000-0d92-ffce69040000 pid=1129->guuid=b9c65967-0c00-0000-0d92-ffce6a040000 pid=1130 + + +execve + + + +guuid=bf0c4ea3-0c00-0000-0d92-ffce6c040000 pid=1132 + +/usr/bin/dash + + + +guuid=587b43a3-0c00-0000-0d92-ffce6b040000 
pid=1131->guuid=bf0c4ea3-0c00-0000-0d92-ffce6c040000 pid=1132 + + +execve + + + +guuid=172f9aa3-0c00-0000-0d92-ffce6d040000 pid=1133 + +/usr/bin/bsd-port/agent + + + +guuid=bf0c4ea3-0c00-0000-0d92-ffce6c040000 pid=1132->guuid=172f9aa3-0c00-0000-0d92-ffce6d040000 pid=1133 + + +execve + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134 + +/usr/bin/bsd-port/agent + +write-config + +write-file + +zombie + + + +guuid=172f9aa3-0c00-0000-0d92-ffce6d040000 pid=1133->guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134 + + +clone + + + +guuid=0b736ce4-0c00-0000-0d92-ffce80040000 pid=1152 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=0b736ce4-0c00-0000-0d92-ffce80040000 pid=1152 + + +execve + + + +guuid=a1238ae4-0c00-0000-0d92-ffce82040000 pid=1154 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=a1238ae4-0c00-0000-0d92-ffce82040000 pid=1154 + + +execve + + + +guuid=04d6a6e4-0c00-0000-0d92-ffce84040000 pid=1156 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=04d6a6e4-0c00-0000-0d92-ffce84040000 pid=1156 + + +execve + + + +guuid=3eaec1e4-0c00-0000-0d92-ffce86040000 pid=1158 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=3eaec1e4-0c00-0000-0d92-ffce86040000 pid=1158 + + +execve + + + +guuid=f5dadde4-0c00-0000-0d92-ffce88040000 pid=1160 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=f5dadde4-0c00-0000-0d92-ffce88040000 pid=1160 + + +execve + + + +guuid=4a64fae4-0c00-0000-0d92-ffce8a040000 pid=1162 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=4a64fae4-0c00-0000-0d92-ffce8a040000 pid=1162 + + +execve + + + +guuid=5ad11ee5-0c00-0000-0d92-ffce8c040000 pid=1164 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=5ad11ee5-0c00-0000-0d92-ffce8c040000 pid=1164 + + +execve + + + +guuid=0a8c6be5-0c00-0000-0d92-ffce8e040000 pid=1166 + 
+/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=0a8c6be5-0c00-0000-0d92-ffce8e040000 pid=1166 + + +execve + + + +guuid=27bf2de6-0c00-0000-0d92-ffce91040000 pid=1169 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=27bf2de6-0c00-0000-0d92-ffce91040000 pid=1169 + + +execve + + + +guuid=3f068de6-0c00-0000-0d92-ffce93040000 pid=1171 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=3f068de6-0c00-0000-0d92-ffce93040000 pid=1171 + + +execve + + + +guuid=7e00bce6-0c00-0000-0d92-ffce95040000 pid=1173 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=7e00bce6-0c00-0000-0d92-ffce95040000 pid=1173 + + +execve + + + +guuid=50f4dee7-0c00-0000-0d92-ffce97040000 pid=1175 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=50f4dee7-0c00-0000-0d92-ffce97040000 pid=1175 + + +execve + + + +guuid=4e9e1fe8-0c00-0000-0d92-ffce99040000 pid=1177 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=4e9e1fe8-0c00-0000-0d92-ffce99040000 pid=1177 + + +execve + + + +guuid=fdfda1e8-0c00-0000-0d92-ffce9b040000 pid=1179 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=fdfda1e8-0c00-0000-0d92-ffce9b040000 pid=1179 + + +execve + + + +guuid=d5f8dce8-0c00-0000-0d92-ffce9d040000 pid=1181 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=d5f8dce8-0c00-0000-0d92-ffce9d040000 pid=1181 + + +execve + + + +guuid=7cc127e9-0c00-0000-0d92-ffce9f040000 pid=1183 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=7cc127e9-0c00-0000-0d92-ffce9f040000 pid=1183 + + +execve + + + +guuid=6dcdd4e9-0c00-0000-0d92-ffcea1040000 pid=1185 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=6dcdd4e9-0c00-0000-0d92-ffcea1040000 pid=1185 + + +execve + + + +guuid=ad4b0aea-0c00-0000-0d92-ffcea3040000 pid=1187 + 
+/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=ad4b0aea-0c00-0000-0d92-ffcea3040000 pid=1187 + + +execve + + + +guuid=26b94aea-0c00-0000-0d92-ffcea5040000 pid=1189 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=26b94aea-0c00-0000-0d92-ffcea5040000 pid=1189 + + +execve + + + +guuid=876ac5ea-0c00-0000-0d92-ffcea7040000 pid=1191 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=876ac5ea-0c00-0000-0d92-ffcea7040000 pid=1191 + + +execve + + + +guuid=54a213eb-0c00-0000-0d92-ffcea9040000 pid=1193 + +/usr/bin/dash + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=54a213eb-0c00-0000-0d92-ffcea9040000 pid=1193 + + +execve + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1195 + +/usr/bin/bsd-port/agent + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1195 + + +clone + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1196 + +/usr/bin/bsd-port/agent + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1196 + + +clone + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1197 + +/usr/bin/bsd-port/agent + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1197 + + +clone + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1198 + +/usr/bin/bsd-port/agent + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1198 + + +clone + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1199 + +/usr/bin/bsd-port/agent + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1199 + + +clone + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1200 + +/usr/bin/bsd-port/agent + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1200 + + +clone + + + 
+guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1201 + +/usr/bin/bsd-port/agent + +net + +send-data + +write-file + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1134->guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1201 + + +clone + + + +guuid=00c8bea3-0c00-0000-0d92-ffce70040000 pid=1136 + +/usr/bin/mkdir + + + +guuid=d558ada3-0c00-0000-0d92-ffce6f040000 pid=1135->guuid=00c8bea3-0c00-0000-0d92-ffce70040000 pid=1136 + + +execve + + + +guuid=c5b7f5a3-0c00-0000-0d92-ffce72040000 pid=1138 + +/usr/bin/cp + +write-file + + + +guuid=133be6a3-0c00-0000-0d92-ffce71040000 pid=1137->guuid=c5b7f5a3-0c00-0000-0d92-ffce72040000 pid=1138 + + +execve + + + +guuid=5320f3df-0c00-0000-0d92-ffce74040000 pid=1140 + +/usr/bin/dash + + + +guuid=c30bdbdf-0c00-0000-0d92-ffce73040000 pid=1139->guuid=5320f3df-0c00-0000-0d92-ffce74040000 pid=1140 + + +execve + + + +guuid=ed071fe0-0c00-0000-0d92-ffce75040000 pid=1141 + +/usr/bin/acpid + + + +guuid=5320f3df-0c00-0000-0d92-ffce74040000 pid=1140->guuid=ed071fe0-0c00-0000-0d92-ffce75040000 pid=1141 + + +execve + + + +guuid=aaa72ce0-0c00-0000-0d92-ffce76040000 pid=1142 + +/usr/bin/acpid + +delete-file + +write-file + +zombie + + + +guuid=ed071fe0-0c00-0000-0d92-ffce75040000 pid=1141->guuid=aaa72ce0-0c00-0000-0d92-ffce76040000 pid=1142 + + +clone + + + +guuid=aaa72ce0-0c00-0000-0d92-ffce76040000 pid=1167 + +/usr/bin/acpid + + + +guuid=aaa72ce0-0c00-0000-0d92-ffce76040000 pid=1142->guuid=aaa72ce0-0c00-0000-0d92-ffce76040000 pid=1167 + + +clone + + + +guuid=7da254e0-0c00-0000-0d92-ffce78040000 pid=1144 + +/usr/bin/kmod + + + +guuid=738c3ce0-0c00-0000-0d92-ffce77040000 pid=1143->guuid=7da254e0-0c00-0000-0d92-ffce78040000 pid=1144 + + +execve + + + +10.0.2.3 + +10.0.2.3 + + + +guuid=f6486533-0b00-0000-0d92-ffce5b040000 pid=1151->10.0.2.3 + + +send: 1700B + + + +guuid=95d579e4-0c00-0000-0d92-ffce81040000 pid=1153 + +/usr/bin/ln + + + +guuid=0b736ce4-0c00-0000-0d92-ffce80040000 pid=1152->guuid=95d579e4-0c00-0000-0d92-ffce81040000 pid=1153 + + 
+execve + + + +guuid=09cf95e4-0c00-0000-0d92-ffce83040000 pid=1155 + +/usr/bin/ln + + + +guuid=a1238ae4-0c00-0000-0d92-ffce82040000 pid=1154->guuid=09cf95e4-0c00-0000-0d92-ffce83040000 pid=1155 + + +execve + + + +guuid=3456b2e4-0c00-0000-0d92-ffce85040000 pid=1157 + +/usr/bin/ln + + + +guuid=04d6a6e4-0c00-0000-0d92-ffce84040000 pid=1156->guuid=3456b2e4-0c00-0000-0d92-ffce85040000 pid=1157 + + +execve + + + +guuid=273bcde4-0c00-0000-0d92-ffce87040000 pid=1159 + +/usr/bin/ln + + + +guuid=3eaec1e4-0c00-0000-0d92-ffce86040000 pid=1158->guuid=273bcde4-0c00-0000-0d92-ffce87040000 pid=1159 + + +execve + + + +guuid=b852eae4-0c00-0000-0d92-ffce89040000 pid=1161 + +/usr/bin/ln + + + +guuid=f5dadde4-0c00-0000-0d92-ffce88040000 pid=1160->guuid=b852eae4-0c00-0000-0d92-ffce89040000 pid=1161 + + +execve + + + +guuid=ac7605e5-0c00-0000-0d92-ffce8b040000 pid=1163 + +/usr/bin/mkdir + + + +guuid=4a64fae4-0c00-0000-0d92-ffce8a040000 pid=1162->guuid=ac7605e5-0c00-0000-0d92-ffce8b040000 pid=1163 + + +execve + + + +guuid=677e2be5-0c00-0000-0d92-ffce8d040000 pid=1165 + +/usr/bin/cp + +write-file + + + +guuid=5ad11ee5-0c00-0000-0d92-ffce8c040000 pid=1164->guuid=677e2be5-0c00-0000-0d92-ffce8d040000 pid=1165 + + +execve + + + +guuid=199bf0e5-0c00-0000-0d92-ffce90040000 pid=1168 + +/usr/bin/mkdir + + + +guuid=0a8c6be5-0c00-0000-0d92-ffce8e040000 pid=1166->guuid=199bf0e5-0c00-0000-0d92-ffce90040000 pid=1168 + + +execve + + + +guuid=ea223be6-0c00-0000-0d92-ffce92040000 pid=1170 + +/usr/bin/cp + +write-file + + + +guuid=27bf2de6-0c00-0000-0d92-ffce91040000 pid=1169->guuid=ea223be6-0c00-0000-0d92-ffce92040000 pid=1170 + + +execve + + + +guuid=67bca0e6-0c00-0000-0d92-ffce94040000 pid=1172 + +/usr/bin/chmod + + + +guuid=3f068de6-0c00-0000-0d92-ffce93040000 pid=1171->guuid=67bca0e6-0c00-0000-0d92-ffce94040000 pid=1172 + + +execve + + + +guuid=435bcee6-0c00-0000-0d92-ffce96040000 pid=1174 + +/usr/bin/cp + +write-file + + + +guuid=7e00bce6-0c00-0000-0d92-ffce95040000 
pid=1173->guuid=435bcee6-0c00-0000-0d92-ffce96040000 pid=1174 + + +execve + + + +guuid=34f4f2e7-0c00-0000-0d92-ffce98040000 pid=1176 + +/usr/bin/mkdir + + + +guuid=50f4dee7-0c00-0000-0d92-ffce97040000 pid=1175->guuid=34f4f2e7-0c00-0000-0d92-ffce98040000 pid=1176 + + +execve + + + +guuid=148233e8-0c00-0000-0d92-ffce9a040000 pid=1178 + +/usr/bin/cp + +write-file + + + +guuid=4e9e1fe8-0c00-0000-0d92-ffce99040000 pid=1177->guuid=148233e8-0c00-0000-0d92-ffce9a040000 pid=1178 + + +execve + + + +guuid=2a6abbe8-0c00-0000-0d92-ffce9c040000 pid=1180 + +/usr/bin/chmod + + + +guuid=fdfda1e8-0c00-0000-0d92-ffce9b040000 pid=1179->guuid=2a6abbe8-0c00-0000-0d92-ffce9c040000 pid=1180 + + +execve + + + +guuid=0193f2e8-0c00-0000-0d92-ffce9e040000 pid=1182 + +/usr/bin/mkdir + + + +guuid=d5f8dce8-0c00-0000-0d92-ffce9d040000 pid=1181->guuid=0193f2e8-0c00-0000-0d92-ffce9e040000 pid=1182 + + +execve + + + +guuid=460548e9-0c00-0000-0d92-ffcea0040000 pid=1184 + +/usr/bin/cp + +write-file + + + +guuid=7cc127e9-0c00-0000-0d92-ffce9f040000 pid=1183->guuid=460548e9-0c00-0000-0d92-ffcea0040000 pid=1184 + + +execve + + + +guuid=d6acebe9-0c00-0000-0d92-ffcea2040000 pid=1186 + +/usr/bin/chmod + + + +guuid=6dcdd4e9-0c00-0000-0d92-ffcea1040000 pid=1185->guuid=d6acebe9-0c00-0000-0d92-ffcea2040000 pid=1186 + + +execve + + + +guuid=14e41dea-0c00-0000-0d92-ffcea4040000 pid=1188 + +/usr/bin/mkdir + + + +guuid=ad4b0aea-0c00-0000-0d92-ffcea3040000 pid=1187->guuid=14e41dea-0c00-0000-0d92-ffcea4040000 pid=1188 + + +execve + + + +guuid=fbd15fea-0c00-0000-0d92-ffcea6040000 pid=1190 + +/usr/bin/cp + +write-file + + + +guuid=26b94aea-0c00-0000-0d92-ffcea5040000 pid=1189->guuid=fbd15fea-0c00-0000-0d92-ffcea6040000 pid=1190 + + +execve + + + +guuid=2f53edea-0c00-0000-0d92-ffcea8040000 pid=1192 + +/usr/bin/chmod + + + +guuid=876ac5ea-0c00-0000-0d92-ffcea7040000 pid=1191->guuid=2f53edea-0c00-0000-0d92-ffcea8040000 pid=1192 + + +execve + + + +guuid=f5c128eb-0c00-0000-0d92-ffceaa040000 pid=1194 + +/usr/bin/kmod + + + 
+guuid=54a213eb-0c00-0000-0d92-ffcea9040000 pid=1193->guuid=f5c128eb-0c00-0000-0d92-ffceaa040000 pid=1194 + + +execve + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1201->10.0.2.3 + + +send: 30B + + + +139.196.58.17 + +139.196.58.17 + + + +guuid=56f0a4a3-0c00-0000-0d92-ffce6e040000 pid=1201->139.196.58.17 + + +send: 360B + + + diff --git a/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f b/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f new file mode 100644 index 0000000..d71972c Binary files /dev/null and b/linux/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f/e27571a89dfbb256bdf2aa7ff0a062bd10bd712c46d7ddc045a8ac85c4903c2f differ diff --git a/linux/e89b79c039776ff64e4979a80fa95c020161a98f8cb434fbfd09f409ba73bd9e b/linux/e89b79c039776ff64e4979a80fa95c020161a98f8cb434fbfd09f409ba73bd9e/e89b79c039776ff64e4979a80fa95c020161a98f8cb434fbfd09f409ba73bd9e similarity index 100% rename from linux/e89b79c039776ff64e4979a80fa95c020161a98f8cb434fbfd09f409ba73bd9e rename to linux/e89b79c039776ff64e4979a80fa95c020161a98f8cb434fbfd09f409ba73bd9e/e89b79c039776ff64e4979a80fa95c020161a98f8cb434fbfd09f409ba73bd9e