Analysis

  • max time kernel
    0s
  • max time network
    120s
  • platform
    linux_mipsel
  • resource
    debian9-mipsel-en-20211208
  • submitted
    15-04-2022 01:07

General

  • Target

    728afe738dc2f1a8ae88633d62b43cde27835296400a60c8ba2b409440ccd848

  • Size

    126KB

  • MD5

    524f9d251746b069977fd621b2c5fd8f

  • SHA1

    6932744f2893c0b1748a3dacc480f669d971af17

  • SHA256

    728afe738dc2f1a8ae88633d62b43cde27835296400a60c8ba2b409440ccd848

  • SHA512

    71ae3066f2fb5bef87a2d0544abe8a5eeecdea6f15a7e39a0324bfbf4e0ff286206b63d89a32115af201272625f1748190cd376a5b5d345e41272d47458e4ea6

Score
9/10

Malware Config

Signatures

  • Writes file to system bin folder 1 TTPs 5 IoCs
  • Writes DNS configuration 1 TTPs 1 IoCs

    Writes data to DNS resolver config file.

  • Modifies init.d 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Modifies rc script 1 TTPs 1 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

  • Write file to user bin folder 1 TTPs 6 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 45 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 11 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • ./728afe738dc2f1a8ae88633d62b43cde27835296400a60c8ba2b409440ccd848
    ./728afe738dc2f1a8ae88633d62b43cde27835296400a60c8ba2b409440ccd848
    1⤵
    • Writes file to system bin folder
    • Modifies init.d
    • Modifies rc script
    • Write file to user bin folder
    • Reads runtime system information
    • Writes file to tmp directory
    PID:327
  • /bin/sh
    sh -c "rm -rf /var/run/wgsh > /dev/null 2>&1 &"
    1⤵
    PID:328
      • /bin/rm
        rm -rf /var/run/wgsh
        2⤵
        PID:329
  • /bin/sh
    sh -c "rm -rf /var/run/bbsh > /dev/null 2>&1 &"
    1⤵
    PID:330
      • /bin/rm
        rm -rf /var/run/bbsh
        2⤵
        PID:331
  • /bin/sh
    sh -c "rm -rf /var/run/tty1 > /dev/null 2>&1 &"
    1⤵
    PID:332
      • /bin/rm
        rm -rf /var/run/tty1
        2⤵
        PID:333
  • /bin/sh
    sh -c "rm -rf /var/run/tty2 > /dev/null 2>&1 &"
    1⤵
    PID:335
      • /bin/rm
        rm -rf /var/run/tty2
        2⤵
        PID:336
  • /bin/sh
    sh -c "rm -rf /var/run/tty3 > /dev/null 2>&1 &"
    1⤵
    PID:337
      • /bin/rm
        rm -rf /var/run/tty3
        2⤵
        PID:341
  • /bin/sh
    sh -c "rm -rf /var/run/tty4 > /dev/null 2>&1 &"
    1⤵
    PID:342
      • /bin/rm
        rm -rf /var/run/tty4
        2⤵
        PID:343
  • /bin/sh
    sh -c "rm -rf /var/run/tty5 > /dev/null 2>&1 &"
    1⤵
    PID:344
      • /bin/rm
        rm -rf /var/run/tty5
        2⤵
        PID:345
  • /bin/sh
    sh -c "rm -rf /var/run/tty6 > /dev/null 2>&1 &"
    1⤵
    PID:346
      • /bin/rm
        rm -rf /var/run/tty6
        2⤵
        PID:347
  • /bin/sh
    sh -c "rm -rf /tmp/tty1 > /dev/null 2>&1 &"
    1⤵
    PID:348
      • /bin/rm
        rm -rf /tmp/tty1
        2⤵
        • Writes file to tmp directory
        PID:349
  • /bin/sh
    sh -c "rm -rf /tmp/tty2 > /dev/null 2>&1 &"
    1⤵
    PID:350
      • /bin/rm
        rm -rf /tmp/tty2
        2⤵
        • Writes file to tmp directory
        PID:351
  • /bin/sh
    sh -c "rm -rf /tmp/tty3 > /dev/null 2>&1 &"
    1⤵
    PID:352
      • /bin/rm
        rm -rf /tmp/tty3
        2⤵
        • Writes file to tmp directory
        PID:353
  • /bin/sh
    sh -c "rm -rf /tmp/tty4 > /dev/null 2>&1 &"
    1⤵
    PID:354
      • /bin/rm
        rm -rf /tmp/tty4
        2⤵
        • Writes file to tmp directory
        PID:355
  • /bin/sh
    sh -c "rm -rf /tmp/tty5 > /dev/null 2>&1 &"
    1⤵
    PID:356
      • /bin/rm
        rm -rf /tmp/tty5
        2⤵
        • Writes file to tmp directory
        PID:357
  • /bin/sh
    sh -c "rm -rf /tmp/tty6 > /dev/null 2>&1 &"
    1⤵
    PID:358
      • /bin/rm
        rm -rf /tmp/tty6
        2⤵
        • Writes file to tmp directory
        PID:359
  • /bin/sh
    sh -c "rm -rf /var/run/pty > /dev/null 2>&1 &"
    1⤵
    PID:360
      • /bin/rm
        rm -rf /var/run/pty
        2⤵
        PID:361
  • /bin/sh
    sh -c "killall -9 arm > /dev/null 2>&1 &"
    1⤵
    PID:362
  • /bin/sh
    sh -c "killall -9 mips > /dev/null 2>&1 &"
    1⤵
    PID:364
  • /bin/sh
    sh -c "killall -9 mipsel > /dev/null 2>&1 &"
    1⤵
    PID:366
  • /bin/sh
    sh -c "killall -9 powerpc > /dev/null 2>&1 &"
    1⤵
    PID:368
  • /bin/sh
    sh -c "killall -9 ppc > /dev/null 2>&1 &"
    1⤵
    PID:370
  • /bin/sh
    sh -c "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"
    1⤵
    PID:372
  • /bin/sh
    sh -c "killall -9 daemon.i686.mod > /dev/null 2>&1 &"
    1⤵
    PID:374
  • /bin/sh
    sh -c "killall -9 daemon.mips.mod > /dev/null 2>&1 &"
    1⤵
    PID:376
  • /bin/sh
    sh -c "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"
    1⤵
    PID:378
  • /bin/sh
    sh -c "kill -9 `cat /tmp/.xs/*.pid` > /dev/null 2>&1 &"
    1⤵
    PID:380
  • /bin/sh
    sh -c "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"
    1⤵
    PID:382
      • /bin/rm
        rm -rf "/tmp/.xs/*"
        2⤵
        • Writes file to tmp directory
        PID:384
  • /bin/cat
    cat "/tmp/.xs/*.pid"
    1⤵
    • Writes file to tmp directory
    PID:383
  • /bin/sh
    sh -c "sleep 432000 && reboot &"
    1⤵
    PID:385
  • /bin/sh
    sh -c "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"
    1⤵
    PID:387
  • /bin/sleep
    sleep 432000
    1⤵
    PID:388
  • /bin/sh
    sh -c "chmod 700 /tmp/728afe738dc2f1a8ae88633d62b43cde27835296400a60c8ba2b409440ccd848 > /dev/null 2>&1 &"
    1⤵
    PID:390
      • /bin/chmod
        chmod 700 /tmp/728afe738dc2f1a8ae88633d62b43cde27835296400a60c8ba2b409440ccd848
        2⤵
        PID:391
  • /bin/sh
    sh -c "touch -acmr /bin/ls /tmp/728afe738dc2f1a8ae88633d62b43cde27835296400a60c8ba2b409440ccd848"
    1⤵
    PID:392
      • /usr/bin/touch
        touch -acmr /bin/ls /tmp/728afe738dc2f1a8ae88633d62b43cde27835296400a60c8ba2b409440ccd848
        2⤵
        PID:393
  • /bin/sh
    sh -c "(crontab -l | grep -v \"/tmp/728afe738dc2f1a8ae88633d62b43cde27835296400a60c8ba2b409440ccd848\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1"
    1⤵
    PID:394
  • /bin/grep
    grep -v "no cron"
    1⤵
    PID:398
  • /bin/grep
    grep -v /tmp/728afe738dc2f1a8ae88633d62b43cde27835296400a60c8ba2b409440ccd848
    1⤵
    PID:397
  • /usr/bin/crontab
    crontab -l
    1⤵
    • Reads runtime system information
    PID:396
  • /bin/grep
    grep -v lesshts/run.sh
    1⤵
    PID:399
  • /bin/sh
    sh -c "echo \"* * * * * /tmp/728afe738dc2f1a8ae88633d62b43cde27835296400a60c8ba2b409440ccd848 > /dev/null 2>&1 &\" >> /var/run/.x001804289383"
    1⤵
    PID:400
  • /bin/sh
    sh -c "crontab /var/run/.x001804289383"
    1⤵
    PID:401
      • /usr/bin/crontab
        crontab /var/run/.x001804289383
        2⤵
        PID:402
  • /bin/sh
    sh -c "rm -rf /var/run/.x001804289383"
    1⤵
    PID:403
      • /bin/rm
        rm -rf /var/run/.x001804289383
        2⤵
        PID:404
  • /bin/sh
    sh -c "/bin/uname -n"
    1⤵
    PID:405
      • /bin/uname
        /bin/uname -n
        2⤵
        PID:406
  • /bin/sh
    sh -c "/bin/uname -n"
    1⤵
    PID:407
      • /bin/uname
        /bin/uname -n
        2⤵
        PID:408
  • /bin/sh
    sh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"
    1⤵
    PID:412
  • /bin/sh
    sh -c "service httpd stop > /dev/null 2>&1 &"
    1⤵
    PID:414
      • /usr/sbin/service
        service httpd stop
        2⤵
        • Write file to user bin folder
        PID:416
          • /usr/bin/basename
            basename /usr/sbin/service
            3⤵
            PID:420
          • /usr/bin/basename
            basename /usr/sbin/service
            3⤵
            PID:423
          • /bin/systemctl
            systemctl --quiet is-active multi-user.target
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:428
          • /bin/systemctl
            systemctl -p Triggers show dbus.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:454
          • /bin/systemctl
            systemctl -p Triggers show ssh.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:461
          • /bin/systemctl
            systemctl -p Triggers show syslog.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:464
          • /bin/systemctl
            systemctl -p Triggers show systemd-fsckd.socket
            3⤵
            • Enumerates kernel/hardware configuration
            PID:467
          • /bin/systemctl
            systemctl -p Triggers show systemd-initctl.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:470
          • /bin/systemctl
            systemctl -p Triggers show systemd-journald-audit.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:473
          • /bin/systemctl
            systemctl -p Triggers show systemd-journald-dev-log.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:476
          • /bin/systemctl
            systemctl -p Triggers show systemd-journald.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:479
          • /bin/systemctl
            systemctl -p Triggers show systemd-networkd.socket
            3⤵
            • Enumerates kernel/hardware configuration
            PID:482
          • /bin/systemctl
            systemctl -p Triggers show systemd-rfkill.socket
            3⤵
            • Enumerates kernel/hardware configuration
            PID:485
          • /bin/systemctl
            systemctl -p Triggers show systemd-udevd-control.socket
                                                                                                                              3⤵
                                                                                                                              • Enumerates kernel/hardware configuration
                                                                                                                              • Reads runtime system information
                                                                                                                              PID:490
                                                                                                                            • /bin/systemctl
                                                                                                                              systemctl -p Triggers show systemd-udevd-kernel.socket
                                                                                                                              3⤵
                                                                                                                              • Enumerates kernel/hardware configuration
                                                                                                                              • Reads runtime system information
                                                                                                                              PID:493
                                                                                                                          • /usr/local/sbin/systemctl
                                                                                                                            systemctl stop httpd.service
                                                                                                                            2⤵
                                                                                                                              PID:416
                                                                                                                            • /usr/local/bin/systemctl
                                                                                                                              systemctl stop httpd.service
                                                                                                                              2⤵
                                                                                                                                PID:416
                                                                                                                              • /usr/sbin/systemctl
                                                                                                                                systemctl stop httpd.service
                                                                                                                                2⤵
                                                                                                                                  PID:416
                                                                                                                                • /usr/bin/systemctl
                                                                                                                                  systemctl stop httpd.service
                                                                                                                                  2⤵
                                                                                                                                    PID:416
                                                                                                                                  • /sbin/systemctl
                                                                                                                                    systemctl stop httpd.service
                                                                                                                                    2⤵
                                                                                                                                      PID:416
                                                                                                                                    • /bin/systemctl
                                                                                                                                      systemctl stop httpd.service
                                                                                                                                      2⤵
                                                                                                                                      • Enumerates kernel/hardware configuration
                                                                                                                                      • Reads runtime system information
                                                                                                                                      PID:416
                                                                                                                                  • /bin/cat
                                                                                                                                    cat /var/run/httpd.pid
                                                                                                                                    1⤵
                                                                                                                                      PID:415
                                                                                                                                    • /bin/sh
                                                                                                                                      sh -c "killall -9 mini_httpd > /dev/null 2>&1 &"
                                                                                                                                      1⤵
                                                                                                                                        PID:417
                                                                                                                                      • /bin/sh
                                                                                                                                        sh -c "killall -9 minihttpd > /dev/null 2>&1 &"
                                                                                                                                        1⤵
                                                                                                                                          PID:419
                                                                                                                                        • /bin/sh
                                                                                                                                          sh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"
                                                                                                                                          1⤵
                                                                                                                                            PID:422
                                                                                                                                          • /bin/sh
                                                                                                                                            sh -c "nvram set httpd_enable=0 > /dev/null 2>&1"
                                                                                                                                            1⤵
                                                                                                                                              PID:425
                                                                                                                                            • /bin/cat
                                                                                                                                              cat /var/run/thttpd.pid
                                                                                                                                              1⤵
                                                                                                                                                PID:426
                                                                                                                                              • /bin/sh
                                                                                                                                                sh -c "nvram set http_enable=0 > /dev/null 2>&1"
                                                                                                                                                1⤵
                                                                                                                                                  PID:427
                                                                                                                                                • /bin/sh
                                                                                                                                                  sh -c "killall -9 httpd > /dev/null 2>&1 &"
                                                                                                                                                  1⤵
                                                                                                                                                    PID:429
                                                                                                                                                  • /bin/sh
                                                                                                                                                    sh -c "service telnetd stop > /dev/null 2>&1 &"
                                                                                                                                                    1⤵
                                                                                                                                                      PID:431
                                                                                                                                                      • /usr/sbin/service
                                                                                                                                                        service telnetd stop
                                                                                                                                                        2⤵
                                                                                                                                                        • Write file to user bin folder
                                                                                                                                                        PID:432
                                                                                                                                                        • /usr/bin/basename
                                                                                                                                                          basename /usr/sbin/service
                                                                                                                                                          3⤵
                                                                                                                                                            PID:439
                                                                                                                                                          • /usr/bin/basename
                                                                                                                                                            basename /usr/sbin/service
                                                                                                                                                            3⤵
                                                                                                                                                              PID:443
                                                                                                                                                            • /bin/systemctl
                                                                                                                                                              systemctl --quiet is-active multi-user.target
                                                                                                                                                              3⤵
                                                                                                                                                              • Enumerates kernel/hardware configuration
                                                                                                                                                              • Reads runtime system information
                                                                                                                                                              PID:449
                                                                                                                                                            • /bin/systemctl
                                                                                                                                                              systemctl -p Triggers show dbus.socket
                                                                                                                                                              3⤵
                                                                                                                                                              • Enumerates kernel/hardware configuration
                                                                                                                                                              PID:462
                                                                                                                                                            • /bin/systemctl
                                                                                                                                                              systemctl -p Triggers show ssh.socket
                                                                                                                                                              3⤵
                                                                                                                                                              • Enumerates kernel/hardware configuration
                                                                                                                                                              • Reads runtime system information
                                                                                                                                                              PID:465
                                                                                                                                                            • /bin/systemctl
                                                                                                                                                              systemctl -p Triggers show syslog.socket
                                                                                                                                                              3⤵
                                                                                                                                                              • Enumerates kernel/hardware configuration
                                                                                                                                                              • Reads runtime system information
                                                                                                                                                              PID:468
                                                                                                                                                            • /bin/systemctl
                                                                                                                                                              systemctl -p Triggers show systemd-fsckd.socket
                                                                                                                                                              3⤵
                                                                                                                                                              • Enumerates kernel/hardware configuration
                                                                                                                                                              • Reads runtime system information
                                                                                                                                                              PID:471
                                                                                                                                                            • /bin/systemctl
                                                                                                                                                              systemctl -p Triggers show systemd-initctl.socket
                                                                                                                                                              3⤵
                                                                                                                                                              • Enumerates kernel/hardware configuration
                                                                                                                                                              • Reads runtime system information
                                                                                                                                                              PID:474
                                                                                                                                                            • /bin/systemctl
                                                                                                                                                              systemctl -p Triggers show systemd-journald-audit.socket
                                                                                                                                                              3⤵
                                                                                                                                                              • Enumerates kernel/hardware configuration
                                                                                                                                                              PID:477
                                                                                                                                                            • /bin/systemctl
                                                                                                                                                              systemctl -p Triggers show systemd-journald-dev-log.socket
                                                                                                                                                              3⤵
                                                                                                                                                              • Enumerates kernel/hardware configuration
                                                                                                                                                              • Reads runtime system information
                                                                                                                                                              PID:480
                                                                                                                                                            • /bin/systemctl
                                                                                                                                                              systemctl -p Triggers show systemd-journald.socket
                                                                                                                                                              3⤵
                                                                                                                                                              • Enumerates kernel/hardware configuration
                                                                                                                                                              • Reads runtime system information
                                                                                                                                                              PID:483
                                                                                                                                                            • /bin/systemctl
                                                                                                                                                              systemctl -p Triggers show systemd-networkd.socket
                                                                                                                                                              3⤵
                                                                                                                                                              • Enumerates kernel/hardware configuration
                                                                                                                                                              • Reads runtime system information
                                                                                                                                                              PID:486
                                                                                                                                                            • /bin/systemctl
                                                                                                                                                              systemctl -p Triggers show systemd-rfkill.socket
                                                                                                                                                              3⤵
                                                                                                                                                              • Enumerates kernel/hardware configuration
                                                                                                                                                              • Reads runtime system information
                                                                                                                                                              PID:488
                                                                                                                                                            • /bin/systemctl
                                                                                                                                                              systemctl -p Triggers show systemd-udevd-control.socket
                                                                                                                                                              3⤵
                                                                                                                                                              • Enumerates kernel/hardware configuration
                                                                                                                                                              • Reads runtime system information
                                                                                                                                                              PID:491
                                                                                                                                                            • /bin/systemctl
                                                                                                                                                              systemctl -p Triggers show systemd-udevd-kernel.socket
                                                                                                                                                              3⤵
                                                                                                                                                              • Enumerates kernel/hardware configuration
                                                                                                                                                              • Reads runtime system information
                                                                                                                                                              PID:495
                                                                                                                                                          • /usr/local/sbin/systemctl
                                                                                                                                                            systemctl stop telnetd.service
                                                                                                                                                            2⤵
                                                                                                                                                              PID:432
      • /usr/local/bin/systemctl
        systemctl stop telnetd.service
        2⤵
        PID:432
      • /usr/sbin/systemctl
        systemctl stop telnetd.service
        2⤵
        PID:432
      • /usr/bin/systemctl
        systemctl stop telnetd.service
        2⤵
        PID:432
      • /sbin/systemctl
        systemctl stop telnetd.service
        2⤵
        PID:432
      • /bin/systemctl
        systemctl stop telnetd.service
        2⤵
        • Enumerates kernel/hardware configuration
        PID:432
  • /bin/sh
    sh -c "service sshd stop > /dev/null 2>&1 &"
    1⤵
    PID:433
      • /usr/sbin/service
        service sshd stop
        2⤵
        • Write file to user bin folder
        PID:437
          • /usr/bin/basename
            basename /usr/sbin/service
            3⤵
            PID:442
          • /usr/bin/basename
            basename /usr/sbin/service
            3⤵
            PID:446
          • /bin/systemctl
            systemctl --quiet is-active multi-user.target
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:450
          • /bin/systemctl
            systemctl -p Triggers show dbus.socket
            3⤵
            • Enumerates kernel/hardware configuration
            PID:463
          • /bin/systemctl
            systemctl -p Triggers show ssh.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:466
          • /bin/systemctl
            systemctl -p Triggers show syslog.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:469
          • /bin/systemctl
            systemctl -p Triggers show systemd-fsckd.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:472
          • /bin/systemctl
            systemctl -p Triggers show systemd-initctl.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:475
          • /bin/systemctl
            systemctl -p Triggers show systemd-journald-audit.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:478
          • /bin/systemctl
            systemctl -p Triggers show systemd-journald-dev-log.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:481
          • /bin/systemctl
            systemctl -p Triggers show systemd-journald.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:484
          • /bin/systemctl
            systemctl -p Triggers show systemd-networkd.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:487
          • /bin/systemctl
            systemctl -p Triggers show systemd-rfkill.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:489
          • /bin/systemctl
            systemctl -p Triggers show systemd-udevd-control.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:492
          • /bin/systemctl
            systemctl -p Triggers show systemd-udevd-kernel.socket
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:494
      • /usr/local/sbin/systemctl
        systemctl stop sshd.service
        2⤵
        PID:437
      • /usr/local/bin/systemctl
        systemctl stop sshd.service
        2⤵
        PID:437
      • /usr/sbin/systemctl
        systemctl stop sshd.service
        2⤵
        PID:437
      • /usr/bin/systemctl
        systemctl stop sshd.service
        2⤵
        PID:437
      • /sbin/systemctl
        systemctl stop sshd.service
        2⤵
        PID:437
      • /bin/systemctl
        systemctl stop sshd.service
        2⤵
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:437
  • /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    1⤵
    • Enumerates kernel/hardware configuration
    PID:435
  • /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    1⤵
    PID:436
  • /bin/sh
    sh -c "killall -9 telnetd > /dev/null 2>&1 &"
    1⤵
    PID:438
  • /bin/sh
    sh -c "killall -9 utelnetd > /dev/null 2>&1 &"
    1⤵
    PID:441
  • /bin/sh
    sh -c "killall -9 dropbear > /dev/null 2>&1 &"
    1⤵
    PID:445
  • /bin/sh
    sh -c "killall -9 sshd > /dev/null 2>&1 &"
    1⤵
    PID:448
  • /bin/sh
    sh -c "killall -9 lighttpd > /dev/null 2>&1 &"
    1⤵
    PID:452
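The entries above record the sample locking administrators (and rival bots) out of the device: it stops telnetd and sshd through systemctl and the service wrapper, then sends SIGKILL to telnetd, utelnetd, dropbear, sshd and lighttpd. Two details matter when triaging such a tree. The six systemctl entries that share PID 432 (and the six sharing PID 437) are not six processes: they are the shell's PATH search issuing one execve() per directory until /bin/systemctl succeeds, and must be collapsed so the behaviour is not overcounted. The basename, is-active, list-unit-files and "-p Triggers show" calls under PID 437 are consistent with the Debian service wrapper checking whether a socket unit would re-activate sshd after the stop. The following added example, written by the editor and not part of the sandbox or the sample, shows detection logic over a constructed set of (pid, path, cmdline) events copied from this tree: it unwraps the sh -c layer, classifies stop and kill commands, collapses PATH retries per PID, and reports which remote-administration daemons were targeted. The daemon list and the scoring are the editor's assumptions, not the sandbox's own signature engine.

```python
"""Flag sandbox process events that disable remote-administration daemons.

Added example by the editor, not part of the sandbox or the sample: the
event records below are constructed from the command lines visible in this
report, and the parsing and scoring logic is an assumption about how to
triage such a tree, not the sandbox's own signature engine.
"""
import os
import re
import shlex
from collections import defaultdict

# Daemons an IoT bot typically kills to lock out administrators and rival bots
# (assumed list, seeded from the commands in this report).
REMOTE_ADMIN_DAEMONS = {"telnetd", "utelnetd", "dropbear", "sshd", "lighttpd"}

# Tokens that end the command word list: redirections, background '&', pipes.
_SHELL_OPERATOR = re.compile(r"^(\d*[<>]|&|\|)")

# Constructed sample: (pid, executable, command line) copied from the tree above.
# PIDs 432 and 437 repeat because the shell's PATH search issues one execve()
# per directory until /bin/systemctl succeeds.
SAMPLE_EVENTS = [
    (432, "/usr/local/sbin/systemctl", "systemctl stop telnetd.service"),
    (432, "/usr/local/bin/systemctl", "systemctl stop telnetd.service"),
    (432, "/bin/systemctl", "systemctl stop telnetd.service"),
    (433, "/bin/sh", 'sh -c "service sshd stop > /dev/null 2>&1 &"'),
    (437, "/usr/sbin/service", "service sshd stop"),
    (450, "/bin/systemctl", "systemctl --quiet is-active multi-user.target"),
    (466, "/bin/systemctl", "systemctl -p Triggers show ssh.socket"),
    (437, "/bin/systemctl", "systemctl stop sshd.service"),
    (438, "/bin/sh", 'sh -c "killall -9 telnetd > /dev/null 2>&1 &"'),
    (441, "/bin/sh", 'sh -c "killall -9 utelnetd > /dev/null 2>&1 &"'),
    (445, "/bin/sh", 'sh -c "killall -9 dropbear > /dev/null 2>&1 &"'),
    (448, "/bin/sh", 'sh -c "killall -9 sshd > /dev/null 2>&1 &"'),
    (452, "/bin/sh", 'sh -c "killall -9 lighttpd > /dev/null 2>&1 &"'),
    (456, "/bin/systemctl", 'systemctl list-unit-files --full "--type=socket"'),
]


def unwrap_shell(cmdline):
    """Return the argv of the real command: peel one 'sh -c "..."' layer and
    drop redirections and the trailing '&'."""
    argv = shlex.split(cmdline)
    if len(argv) >= 3 and os.path.basename(argv[0]) in ("sh", "bash", "ash") and argv[1] == "-c":
        argv = shlex.split(argv[2])
    words = []
    for tok in argv:
        if _SHELL_OPERATOR.match(tok):
            break
        words.append(tok)
    return words


def classify(argv):
    """Map an argv to a list of (action, daemon) hits; [] if it is not a stop/kill."""
    if not argv:
        return []
    prog, args = os.path.basename(argv[0]), argv[1:]
    if prog == "systemctl" and "stop" in args:
        units = args[args.index("stop") + 1:]
        return [("stop_service", u[:-8] if u.endswith(".service") else u) for u in units]
    if prog == "service" and len(args) >= 2 and args[1] == "stop":
        return [("stop_service", args[0])]
    if prog in ("killall", "pkill"):
        return [("kill", a) for a in args if not a.startswith("-")]
    return []


def analyze(events):
    """Collapse PATH-search retries per PID and summarise what was disabled."""
    seen = set()
    actions = defaultdict(set)  # daemon -> {"stop_service", "kill"}
    raw_hits = 0
    for pid, _path, cmdline in events:
        for action, daemon in classify(unwrap_shell(cmdline)):
            raw_hits += 1
            key = (pid, action, daemon)
            if key in seen:  # same PID re-exec'ing the same command: PATH retry
                continue
            seen.add(key)
            actions[daemon].add(action)
    targets = set(actions)
    admin_hits = targets & REMOTE_ADMIN_DAEMONS
    return {
        "actions": dict(actions),
        "targets": targets,
        "remote_admin_hits": admin_hits,
        "raw_hits": raw_hits,
        "unique_events": len(seen),
        "verdict": "disables remote administration" if admin_hits else "no remote-admin tampering",
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed events the eleven raw stop/kill hits collapse to eight unique (pid, action, daemon) events, and every targeted daemon is on the remote-administration list. Feeding real sandbox or auditd execve records through the same functions only requires producing (pid, path, cmdline) tuples.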
  • /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    1⤵
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:456
  • /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    1⤵
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:458
  • /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    1⤵
                                                                                                                                                                                                  PID:459
                                                                                                                                                                                                • /bin/sed
                                                                                                                                                                                                  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                    PID:460

Network

MITRE ATT&CK Enterprise v6


Downloads