52bf41af1675913ec0b7b5c0e69f5afcf57343322691f8f8bb0da025337d5746

Analysis

max time kernel
26s
max time network
16s
platform
debian-9_armhf
resource
debian9-armhf-20231222-en
resource tags

arch:armhfimage:debian9-armhf-20231222-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
08/01/2024, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a66d7799c5454f6a5a7d9f0b7e4d198
Size

62KB
MD5

4a66d7799c5454f6a5a7d9f0b7e4d198
SHA1

5ca124d0ef4f9a57437608d6f6a62997730f929a
SHA256

52bf41af1675913ec0b7b5c0e69f5afcf57343322691f8f8bb0da025337d5746
SHA512

8a4ab0ceca70a99ad8160ab07f416674cbb738b6ff0ddf922bde66f935673b69a933b77bb14288925b15f32285973e509b674252885792a77e5685cd0987f408
SSDEEP

1536:lF2cc2/OdOQvL06oCKBoWdAkKFOmm5air0TIg:lF2ccx5odoW2v47ccyIg

Score

7^/10

evasion

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
683	iptables

Attempts to change immutable files 49 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
852	xargs
875	xargs
977	xargs
982	xargs
992	xargs
1017	xargs
680	chattr
699	chattr
704	grep
681	chattr
935	xargs
952	xargs
987	xargs
822	xargs
906	xargs
916	xargs
782	xargs
957	xargs
858	xargs
1012	xargs
736	systemctl
810	xargs
834	xargs
891	xargs
1027	xargs
945	xargs
1002	xargs
706	grep
925	xargs
972	xargs
1007	xargs
846	xargs
962	xargs
1032	xargs
804	xargs
967	xargs
797	xargs
866	xargs
898	xargs
997	xargs
698	chattr
765	exim4
775	xargs
790	xargs
828	xargs
840	xargs
816	xargs
882	xargs
1022	xargs

Disables AppArmor 9 IoCs

Disables AppArmor security module.

pid	Process
763	systemctl
711	systemctl
711	systemctl
756	systemctl
760	systemctl
711	systemctl
711	systemctl
711	systemctl
711	systemctl

Disables SELinux 1 IoCs

Disables SELinux security module.

pid	Process
709	setenforce

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 32 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill

Enumerates kernel/hardware configuration 1 TTPs 18 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1/status	ps
File opened for reading	/proc/295/status	ps
File opened for reading	/proc/324/cmdline	ps
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/604/stat	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/313/cmdline	ps
File opened for reading	/proc/138/stat	ps
File opened for reading	/proc/98/status	ps
File opened for reading	/proc/uptime	ps
File opened for reading	/proc/9/cmdline	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/138/status	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/76/cmdline	ps
File opened for reading	/proc/108/stat	ps
File opened for reading	/proc/28/cmdline	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/934/cmdline	ps
File opened for reading	/proc/140/status	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/43/status	ps
File opened for reading	/proc/582/cmdline	ps
File opened for reading	/proc/17/stat	ps
File opened for reading	/proc/948/status	ps
File opened for reading	/proc/1013/stat	ps
File opened for reading	/proc/313/status	ps
File opened for reading	/proc/960/stat	ps
File opened for reading	/proc/stat	ps
File opened for reading	/proc/8/cmdline	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/15/stat	ps
File opened for reading	/proc/315/cmdline	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/16/status	ps
File opened for reading	/proc/42/stat	ps
File opened for reading	/proc/42/cmdline	ps
File opened for reading	/proc/276/stat	ps
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/588/cmdline	ps
File opened for reading	/proc/140/status	ps
File opened for reading	/proc/19/cmdline	ps
File opened for reading	/proc/604/status	ps
File opened for reading	/proc/985/stat	ps
File opened for reading	/proc/276/stat	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/tty/drivers	ps
File opened for reading	/proc/1/status	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/27/stat	ps
File opened for reading	/proc/646/stat	ps
File opened for reading	/proc/106/status	ps
File opened for reading	/proc/134/status	ps
File opened for reading	/proc/filesystems	ps
File opened for reading	/proc/26/cmdline	ps
File opened for reading	/proc/649/stat	ps
File opened for reading	/proc/667/stat	ps
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/sys/kernel/pid_max	ps
File opened for reading	/proc/9/status	ps
File opened for reading	/proc/289/stat	ps
File opened for reading	/proc/604/stat	ps

/tmp/4a66d7799c5454f6a5a7d9f0b7e4d198
/tmp/4a66d7799c5454f6a5a7d9f0b7e4d198
1⤵
PID:667
- /usr/bin/id
  id
  2⤵
  PID:669
- /bin/mkdir
  mkdir /var/tmp/.system -p
  2⤵
  PID:677
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:678
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:680
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:681
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:683
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  PID:687
- - /sbin/sysctl
    sysctl "kernel.nmi_watchdog=0"
    3⤵
    - Reads CPU attributes
    PID:696
- /sbin/sysctl
  sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Reads CPU attributes
  PID:697
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:698
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:699
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:700
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:701
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:702
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:703
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:704
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:705
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:706
- /usr/sbin/setenforce
  setenforce 0
  2⤵
  - Disables SELinux
  PID:709
- /usr/sbin/service
  service apparmor stop
  2⤵
  PID:711
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:713
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:714
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Enumerates kernel/hardware configuration
    PID:715
- - /bin/systemctl
    systemctl -p Triggers show dbus.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:725
- - /bin/systemctl
    systemctl -p Triggers show ssh.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:728
- - /bin/systemctl
    systemctl -p Triggers show syslog.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:731
- - /bin/systemctl
    systemctl -p Triggers show systemd-fsckd.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:733
- - /bin/systemctl
    systemctl -p Triggers show systemd-initctl.socket
    3⤵
    - Attempts to change immutable files
    - Enumerates kernel/hardware configuration
    PID:736
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-audit.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:738
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-dev-log.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:741
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:743
- - /bin/systemctl
    systemctl -p Triggers show systemd-networkd.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:745
- - /bin/systemctl
    systemctl -p Triggers show systemd-rfkill.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:748
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-control.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:750
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-kernel.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:752
- /usr/local/sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:711
- /usr/local/bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:711
- /usr/sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:711
- /usr/bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:711
- /sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:711
- /bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:711
- /bin/systemctl
  systemctl disable apparmor
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:756
- /bin/systemctl
  systemctl stop aliyun
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:760
- /bin/systemctl
  systemctl disable aliyun.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:763
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:771
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:772
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:774
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:775
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:778
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:779
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:781
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:782
- /bin/grep
  grep :443
  2⤵
  PID:786
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:787
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:788
- /bin/grep
  grep -v -
  2⤵
  PID:789
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:790
- /bin/grep
  grep :23
  2⤵
  PID:793
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:794
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:795
- /bin/grep
  grep -v -
  2⤵
  PID:796
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:797
- /bin/grep
  grep :443
  2⤵
  PID:799
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:800
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:801
- /bin/grep
  grep -v -
  2⤵
  PID:802
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:804
- /bin/grep
  grep :143
  2⤵
  PID:806
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:807
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:808
- /bin/grep
  grep -v -
  2⤵
  PID:809
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:810
- /bin/grep
  grep :2222
  2⤵
  PID:812
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:813
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:814
- /bin/grep
  grep -v -
  2⤵
  PID:815
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:816
- /bin/grep
  grep :3333
  2⤵
  PID:818
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:819
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:820
- /bin/grep
  grep -v -
  2⤵
  PID:821
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:822
- /bin/grep
  grep :3389
  2⤵
  PID:824
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:825
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:826
- /bin/grep
  grep -v -
  2⤵
  PID:827
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:828
- /bin/grep
  grep :5555
  2⤵
  PID:830
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:831
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:832
- /bin/grep
  grep -v -
  2⤵
  PID:833
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:834
- /bin/grep
  grep :6666
  2⤵
  PID:836
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:837
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:838
- /bin/grep
  grep -v -
  2⤵
  PID:839
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:840
- /bin/grep
  grep :6665
  2⤵
  PID:842
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:843
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:844
- /bin/grep
  grep -v -
  2⤵
  PID:845
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:846
- /bin/grep
  grep :6667
  2⤵
  PID:848
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:849
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:850
- /bin/grep
  grep -v -
  2⤵
  PID:851
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:852
- /bin/grep
  grep :7777
  2⤵
  PID:854
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:855
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:856
- /bin/grep
  grep -v -
  2⤵
  PID:857
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:858
- /bin/grep
  grep :8444
  2⤵
  PID:860
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:861
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:863
- /bin/grep
  grep -v -
  2⤵
  PID:864
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:866
- /bin/grep
  grep :3347
  2⤵
  PID:868
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:870
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:871
- /bin/grep
  grep -v -
  2⤵
  PID:874
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:875
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:878
- /bin/grep
  grep -v grep
  2⤵
  PID:879
- /bin/grep
  grep :3333
  2⤵
  PID:880
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:881
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:882
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:885
- /bin/grep
  grep -v grep
  2⤵
  PID:887
- /bin/grep
  grep :5555
  2⤵
  PID:888
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:889
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:891
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:894
- /bin/grep
  grep -v grep
  2⤵
  PID:895
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:896
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:897
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:898
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:901
- /bin/grep
  grep -v grep
  2⤵
  PID:902
- /bin/grep
  grep log_
  2⤵
  PID:903
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:904
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:906
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:910
- /bin/grep
  grep -v grep
  2⤵
  PID:911
- /bin/grep
  grep systemten
  2⤵
  PID:913
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:914
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:916
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:920
- /bin/grep
  grep -v grep
  2⤵
  PID:921
- /bin/grep
  grep netns
  2⤵
  PID:922
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:924
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:925
- - /usr/local/sbin/kill
    kill -9 14
    3⤵
    PID:929
- - /usr/local/bin/kill
    kill -9 14
    3⤵
    PID:929
- - /usr/sbin/kill
    kill -9 14
    3⤵
    PID:929
- - /usr/bin/kill
    kill -9 14
    3⤵
    PID:929
- - /sbin/kill
    kill -9 14
    3⤵
    PID:929
- - /bin/kill
    kill -9 14
    3⤵
    - Reads CPU attributes
    PID:929
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:930
- /bin/grep
  grep -v grep
  2⤵
  PID:931
- /bin/grep
  grep voltuned
  2⤵
  PID:933
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:934
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:935
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:939
- /bin/grep
  grep -v grep
  2⤵
  PID:940
- /bin/grep
  grep darwin
  2⤵
  PID:942
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:943
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:945
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:948
- /bin/grep
  grep -v grep
  2⤵
  PID:949
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:950
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:951
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:952
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:953
- /bin/grep
  grep -v grep
  2⤵
  PID:954
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:955
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:956
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:957
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:958
- /bin/grep
  grep -v grep
  2⤵
  PID:959
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:960
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:961
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:962
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:963
- /bin/grep
  grep -v grep
  2⤵
  PID:964
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:965
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:966
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:967
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:968
- /bin/grep
  grep -v grep
  2⤵
  PID:969
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:970
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:971
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:972
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:973
- /bin/grep
  grep -v grep
  2⤵
  PID:974
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:975
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:976
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:977
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:978
- /bin/grep
  grep -v grep
  2⤵
  PID:979
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:980
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:981
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:982
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:983
- /bin/grep
  grep -v grep
  2⤵
  PID:984
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:985
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:986
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:987
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:988
- /bin/grep
  grep -v grep
  2⤵
  PID:989
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:990
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:991
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:992
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:993
- /bin/grep
  grep -v grep
  2⤵
  PID:994
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:995
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:996
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:997
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:998
- /bin/grep
  grep -v grep
  2⤵
  PID:999
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:1000
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1001
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1002
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1003
- /bin/grep
  grep -v grep
  2⤵
  PID:1004
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:1005
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1006
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1007
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1008
- /bin/grep
  grep -v grep
  2⤵
  PID:1009
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:1010
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1011
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1012
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1013
- /bin/grep
  grep -v grep
  2⤵
  PID:1014
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:1015
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1016
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1017
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1018
- /bin/grep
  grep -v grep
  2⤵
  PID:1019
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:1020
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1021
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1022
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1023
- /bin/grep
  grep -v grep
  2⤵
  PID:1024
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:1025
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1026
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1027
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1028
- /bin/grep
  grep -v grep
  2⤵
  PID:1029
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1030
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1031
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1032

/usr/sbin/sendmail
sendmail -t
1⤵
PID:690
- /usr/sbin/exim4
  /usr/sbin/exim4 -Mc 1rMg1B-0000B8-HR
  2⤵
  - Reads CPU attributes
  PID:764

/usr/sbin/sendmail
sendmail -t
1⤵
PID:694
- /usr/sbin/exim4
  /usr/sbin/exim4 -Mc 1rMg1B-0000BC-I4
  2⤵
  - Attempts to change immutable files
  - Reads CPU attributes
  PID:765

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Enumerates kernel/hardware configuration
PID:719

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/mail/user

Filesize
839B

MD5
615c74e5b3ce7d78692458342b740954

SHA1
da0e67aa2adda46db083af20bdf4a5e951ecd2df

SHA256
6934e463e620833c1c23b03f2c0f4fc8d53aafe6ddf6a76dddbc5c57d4da7b84

SHA512
8e6087ba51f69a52633c0495ce93f47f65ad9575207cc17b77c3b1c9637d8d934c57bb0a0ba8a6ff1ada26d445e835096646f0f32a8243fc75e2013dd84ad392

Download Submit
/var/mail/user

Filesize
1KB

MD5
967707c8a0d3f34061772805d93b915a

SHA1
4ef8aa6980b05994e4cbbf7635a529151ab87204

SHA256
21bf83caf54df8e4b919e4c6a4203ad0bd431f723eff0a875df54fd85b2d60b1

SHA512
d6cf2c2a1d88b82ae7c97ed75875e4e4e0bdebccd85a43f9678f8f25731795dd07692e2f72a2151dce8427280ec64a04b41e99903e2ed58c1adbaff88e5c4b4f

Download Submit
/var/spool/exim4/input/1rMg1B-0000B8-HR-D

Filesize
126B

MD5
c05d8be80071a0a121c43e3446ea04f1

SHA1
69e2a00b8bcb06ac7ae317ee7ba1c6164f85e97b

SHA256
ccbc80870b5c81bd84dfe930d16213dcc69b2af0154780d23f239e184ec5f39b

SHA512
0a2f804dc86f5ec296bf4d0a5442deacd1db5ebc68d2940b73bd1b8aa7c7a05d19b5afa9edb689c7d873a070a9fb8ff64a44f7002c9c738673058667defffcc3

Download Submit
/var/spool/exim4/input/1rMg1B-0000BC-I4-D

Filesize
145B

MD5
6836b5e110626152e989cb25b3d66489

SHA1
21cf9eccf65910e4ff685b56aa32beeccfd14bd9

SHA256
0e9c5d07cfce07a5b60d75772c6a8c5d5469f284cc640da8453954c8b47ff7eb

SHA512
d4147802d4138d6b594f12acff59bb35b05ac9eadfed18816e7ee68a42a1e5cedc1b8602db2bc25c2b95944dc68915204ceff630ee479add4187a6b0567e0fd3

Download Submit
/var/spool/exim4/input/1rMg1B-0000BC-I4-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/hdr.690

Filesize
912B

MD5
135f9a346aba5dab7ccd6a86c707d793

SHA1
7714132acd7bba264009323c0fbc8f97a89186ed

SHA256
3d0657d5d91417e95dd11b56ecaa8ce96952b109eaba3f3f3c66724aa83a8c95

SHA512
b91549d31eb572d26fae7a5c381611208b2e4bae22633c01f8f028130e89435a81a64c99e408134f05d6c3f89a758018698f867e7ea94045dc92991e1180d75d

Download Submit
/var/spool/exim4/msglog/1rMg1B-0000B8-HR

Filesize
288B

MD5
5c61bf25256e07c6d1fcb9d33a065611

SHA1
8178c36ab7655553cd8610feb3cf738018357ddb

SHA256
19a2e8cb0921d409785aeb47bba570ab908d49b0c5614af6c864fe1713deaf28

SHA512
a46f88fa8a597e5b2d4091727946d2e91ff5de4eb716a1d20cc894da96608099783313b31ab6a42522148874f03be860bad9a2e2147998be8af45a3aba26a4c7

Download Submit
/var/spool/exim4/msglog/1rMg1B-0000B8-HR

Filesize
89B

MD5
b167bcf0cc77e17a84f519902fe60bbe

SHA1
fb01a2dff54ab9064bad617eea33b58406e3780c

SHA256
86a60e979a78fa77ad0c6177c2f76528337d0b75976346660deee3fcbc75c540

SHA512
cee973b90d67e735b310cd199efadc09d871bbb7c8a2a1d3a2d174720bb05696e604cabb60fa2d097f5a03e245c3b9f298a839a8be23fa1b86c3f88c56f6e401

Download Submit
/var/spool/exim4/msglog/1rMg1B-0000BC-I4

Filesize
288B

MD5
09f2919c1b6336b2b630a9982101256d

SHA1
2678e5563d3a02040c6211c3132298bc5167ef6b

SHA256
3b5b02616b2561eb818a963532965bbc1cb6ee5ed4a0000a9d7801cf71203f7e

SHA512
20bd05a9f2923c6f0b65a84317ee6d7a930b460de4b7b225ba68e6528f6b94179476b0bb65422f02c28210d9d689d7bcca4c9f5ca6a203f4e51d22fa321d6c6b

Download Submit
/var/spool/exim4/msglog/1rMg1B-0000BC-I4

Filesize
89B

MD5
dd590ece4afed1f6816d64d11c32ea27

SHA1
f676fa31bc31819fb767d3bb91e2e2a79f2721d1

SHA256
b384b627ed6c572e60d5b254548fd5226a8d2c9b008f1544d14d84f06a8574e7

SHA512
c29c9e3992b6a4fc2012928714bdb77f734b36d33cfc33075c0227311ca2ecffa461e74953c37626e295461f907c3f70a9c2dbd86d78aacd1cf855e0c20f91ce

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads