1c586ad31dcba128cced4797f23fd8d3f1bb04c44abbfdba3cb3844fc87c21db

Resubmissions

08/01/2024, 09:20

240108-lawn3afhd3 7

Analysis

max time kernel
820s
max time network
821s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231221-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231221-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
08/01/2024, 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c586ad31dcba128cced4797f23fd8d3f1bb04c44abbfdba3cb3844fc87c21db.elf
Size

5.0MB
MD5

14be5f004bc5e7a33c3057df92ad9a16
SHA1

3f1ef27c55ca816b285fb1be4ef6db3af94a1f32
SHA256

1c586ad31dcba128cced4797f23fd8d3f1bb04c44abbfdba3cb3844fc87c21db
SHA512

5b5a34bc067296caa6d71df57085867a47d9b3b7f0d2fd78ddbb62bd87ae4a5974f1423d1b05b924a824124513dd767422333d5774b3ee1825f7366ffdd62ee1
SSDEEP

49152:E33d0lGt6UHcFL7Rn2o03wiEhiDmzzd/9sARlBs/00Cpfx9a9uNYp9hW16klbU6V:E33GlbU8FwmzzRDZ9mjqRV

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 40 IoCs

ioc	pid	Process
/etc/32678	1541	32678
/etc/id.services.conf	1616	id.services.conf
/etc/32678	1623	32678
/etc/id.services.conf	1624	id.services.conf
/etc/id.services.conf	1657	id.services.conf
/etc/32678	1664	32678
/etc/id.services.conf	1665	id.services.conf
/etc/id.services.conf	1699	id.services.conf
/etc/32678	1706	32678
/etc/id.services.conf	1707	id.services.conf
/etc/id.services.conf	1742	id.services.conf
/etc/32678	1749	32678
/etc/id.services.conf	1750	id.services.conf
/etc/id.services.conf	1784	id.services.conf
/etc/32678	1791	32678
/etc/id.services.conf	1792	id.services.conf
/etc/id.services.conf	1826	id.services.conf
/etc/32678	1833	32678
/etc/id.services.conf	1834	id.services.conf
/etc/id.services.conf	1867	id.services.conf
/etc/32678	1874	32678
/etc/id.services.conf	1875	id.services.conf
/etc/id.services.conf	1980	id.services.conf
/etc/32678	1987	32678
/etc/id.services.conf	1988	id.services.conf
/etc/id.services.conf	2017	id.services.conf
/etc/32678	2024	32678
/etc/id.services.conf	2025	id.services.conf
/etc/id.services.conf	2054	id.services.conf
/etc/32678	2061	32678
/etc/id.services.conf	2062	id.services.conf
/etc/id.services.conf	2091	id.services.conf
/etc/32678	2098	32678
/etc/id.services.conf	2099	id.services.conf
/etc/id.services.conf	2128	id.services.conf
/etc/32678	2135	32678
/etc/id.services.conf	2136	id.services.conf
/etc/id.services.conf	2167	id.services.conf
/etc/32678	2174	32678
/etc/id.services.conf	2175	id.services.conf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/crontab	bash

Creates/modifies environment variables 1 TTPs 2 IoCs

Creating/modifying environment variables is a common persistence mechanism.

persistence

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/etc/profile.d/bash_config.sh
File opened for modification	/etc/profile.d/bash_config

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 1 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/linux_kill
File opened for modification	/etc/init.d/ssh

Reads CPU attributes 1 TTPs 13 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Modifies Bash startup script 1 TTPs 2 IoCs

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/profile.d/bash_config.sh
File opened for modification	/etc/profile.d/bash_config

Enumerates kernel/hardware configuration 1 TTPs 28 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	1c586ad31dcba128cced4797f23fd8d3f1bb04c44abbfdba3cb3844fc87c21db.elf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	1c586ad31dcba128cced4797f23fd8d3f1bb04c44abbfdba3cb3844fc87c21db.elf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/98/status	pkill
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1162/status	pkill
File opened for reading	/proc/901/stat	Process not Found
File opened for reading	/proc/1233/status	pkill
File opened for reading	/proc/30/status	pkill
File opened for reading	/proc/1174/cmdline	pkill
File opened for reading	/proc/16/status	pkill
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1153/status	pkill
File opened for reading	/proc/4/status	pkill
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1065/cmdline	pkill
File opened for reading	/proc/24/status	pkill
File opened for reading	/proc/30/cmdline	pkill
File opened for reading	/proc/316/status	pkill
File opened for reading	/proc/161/status	pkill
File opened for reading	/proc/1087/status	pkill
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/873/cmdline	pkill
File opened for reading	/proc/89/status	pkill
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/8/cmdline	pkill
File opened for reading	/proc/16/cmdline	pkill
File opened for reading	/proc/488/cmdline	pkill
File opened for reading	/proc/2167/status	pkill
File opened for reading	/proc/723/stat	Process not Found
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/12/cmdline	pkill
File opened for reading	/proc/1185/cmdline	pkill
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/636/cmdline	pkill
File opened for reading	/proc/1083/cmdline	pkill
File opened for reading	/proc/1139/cmdline	pkill
File opened for reading	/proc/1542/status	pkill
File opened for reading	/proc/115/cmdline	pkill
File opened for reading	/proc/504/cmdline	pkill
File opened for reading	/proc/315/cmdline	pkill
File opened for reading	/proc/2135/status	pkill
File opened for reading	/proc/26/cmdline	pkill
File opened for reading	/proc/1287/cmdline	pkill
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/615/status	pkill
File opened for reading	/proc/179/status	pkill
File opened for reading	/proc/2043/stat	Process not Found
File opened for reading	/proc/17/cmdline	pkill
File opened for reading	/proc/1073/status	pkill
File opened for reading	/proc/1139/status	pkill
File opened for reading	/proc/1148/status	pkill
File opened for reading	/proc/26/status	pkill
File opened for reading	/proc/167/status	pkill
File opened for reading	/proc/989/cmdline	pkill
File opened for reading	/proc/1191/cmdline	pkill
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/592/cmdline	pkill
File opened for reading	/proc/636/status	pkill
File opened for reading	/proc/1188/cmdline	pkill
File opened for reading	/proc/2153/stat	Process not Found
File opened for reading	/proc/4/status	pkill
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/175/status	pkill
File opened for reading	/proc/1532/cmdline	pkill

/tmp/1c586ad31dcba128cced4797f23fd8d3f1bb04c44abbfdba3cb3844fc87c21db.elf
/tmp/1c586ad31dcba128cced4797f23fd8d3f1bb04c44abbfdba3cb3844fc87c21db.elf
1⤵
- Enumerates kernel/hardware configuration
PID:1535
- /bin/sh
  2⤵
  PID:1539
- /usr/sbin/service
  2⤵
  PID:1540
- - /usr/bin/basename
    3⤵
    PID:1543
- - /usr/bin/basename
    3⤵
    PID:1550
- - /bin/systemctl
    3⤵
    PID:1552
- /tmp/1c586ad31dcba128cced4797f23fd8d3f1bb04c44abbfdba3cb3844fc87c21db.elf
  2⤵
  - Enumerates kernel/hardware configuration
  PID:1542

/etc/32678
1⤵
- Executes dropped EXE
PID:1541
- /bin/sleep
  2⤵
  PID:1544
- /etc/id.services.conf
  /etc/id.services.conf
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:1616
- - /usr/bin/pkill
    pkill -9 32678
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1620
- - /bin/sh
    sh -c "/etc/32678&"
    3⤵
    PID:1621
- - /usr/sbin/service
    service crond start
    3⤵
    PID:1622
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1625
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1627
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      PID:1630
  - - /bin/systemctl
      systemctl -p Triggers show acpid.socket
      4⤵
      PID:1635
  - - /bin/systemctl
      systemctl -p Triggers show apport-forward.socket
      4⤵
      PID:1636
  - - /bin/systemctl
      systemctl -p Triggers show avahi-daemon.socket
      4⤵
      PID:1637
  - - /bin/systemctl
      systemctl -p Triggers show cups.socket
      4⤵
      PID:1638
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      Reads runtime system information
      PID:1639
  - - /bin/systemctl
      systemctl -p Triggers show saned.socket
      4⤵
      PID:1640
  - - /bin/systemctl
      systemctl -p Triggers show snapd.socket
      4⤵
      PID:1641
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      PID:1642
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      PID:1643
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      PID:1644
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      PID:1645
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      PID:1646
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      PID:1647
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      PID:1648
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      PID:1649
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      PID:1650
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      PID:1651
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      PID:1652
  - - /bin/systemctl
      systemctl -p Triggers show uuidd.socket
      4⤵
      PID:1653
- - /etc/id.services.conf
    /etc/id.services.conf " "
    3⤵
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    PID:1624

/usr/sbin/update-rc.d
1⤵
PID:1551
- /usr/local/sbin/systemctl
  systemctl daemon-reload
  2⤵
  PID:1554
- /usr/local/bin/systemctl
  systemctl daemon-reload
  2⤵
  PID:1554
- /usr/sbin/systemctl
  systemctl daemon-reload
  2⤵
  PID:1554
- /usr/bin/systemctl
  systemctl daemon-reload
  2⤵
  PID:1554
- /sbin/systemctl
  systemctl daemon-reload
  2⤵
  PID:1554
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  PID:1554

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
PID:1556

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:1557

/bin/bash
1⤵
- Creates/modifies Cron job
PID:1581

/usr/local/sbin/systemctl
1⤵
PID:1540

/usr/local/bin/systemctl
1⤵
PID:1540

/usr/sbin/systemctl
1⤵
PID:1540

/usr/bin/systemctl
1⤵
PID:1540

/sbin/systemctl
1⤵
PID:1540

/bin/systemctl
1⤵
PID:1540

/etc/32678
/etc/32678
1⤵
- Executes dropped EXE
PID:1623
- /bin/sleep
  sleep 60
  2⤵
  PID:1626
- /etc/id.services.conf
  /etc/id.services.conf
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:1657
- - /usr/bin/pkill
    pkill -9 32678
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1661
- - /bin/sh
    sh -c "/etc/32678&"
    3⤵
    PID:1662
- - /usr/sbin/service
    service crond start
    3⤵
    PID:1663
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1666
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1668
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      PID:1669
  - - /bin/systemctl
      systemctl -p Triggers show acpid.socket
      4⤵
      PID:1676
  - - /bin/systemctl
      systemctl -p Triggers show apport-forward.socket
      4⤵
      PID:1677
  - - /bin/systemctl
      systemctl -p Triggers show avahi-daemon.socket
      4⤵
      PID:1678
  - - /bin/systemctl
      systemctl -p Triggers show cups.socket
      4⤵
      PID:1679
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      PID:1680
  - - /bin/systemctl
      systemctl -p Triggers show saned.socket
      4⤵
      PID:1681
  - - /bin/systemctl
      systemctl -p Triggers show snapd.socket
      4⤵
      PID:1682
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      PID:1683
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      PID:1684
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      PID:1685
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      PID:1686
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      PID:1687
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      PID:1688
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      PID:1689
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      PID:1690
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      PID:1691
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      PID:1692
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      PID:1693
  - - /bin/systemctl
      systemctl -p Triggers show uuidd.socket
      4⤵
      PID:1694
- - /etc/id.services.conf
    /etc/id.services.conf " "
    3⤵
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    PID:1665

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:1634

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
PID:1633

/usr/local/sbin/systemctl
systemctl start crond.service
1⤵
PID:1622

/usr/local/bin/systemctl
systemctl start crond.service
1⤵
PID:1622

/usr/sbin/systemctl
systemctl start crond.service
1⤵
PID:1622

/usr/bin/systemctl
systemctl start crond.service
1⤵
PID:1622

/sbin/systemctl
systemctl start crond.service
1⤵
PID:1622

/bin/systemctl
systemctl start crond.service
1⤵
PID:1622

/etc/32678
/etc/32678
1⤵
- Executes dropped EXE
PID:1664
- /bin/sleep
  sleep 60
  2⤵
  PID:1667
- /etc/id.services.conf
  /etc/id.services.conf
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:1699
- - /usr/bin/pkill
    pkill -9 32678
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1703
- - /bin/sh
    sh -c "/etc/32678&"
    3⤵
    PID:1704
- - /usr/sbin/service
    service crond start
    3⤵
    PID:1705
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1708
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1710
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      PID:1713
  - - /bin/systemctl
      systemctl -p Triggers show acpid.socket
      4⤵
      PID:1718
  - - /bin/systemctl
      systemctl -p Triggers show apport-forward.socket
      4⤵
      PID:1719
  - - /bin/systemctl
      systemctl -p Triggers show avahi-daemon.socket
      4⤵
      PID:1720
  - - /bin/systemctl
      systemctl -p Triggers show cups.socket
      4⤵
      Reads runtime system information
      PID:1721
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      PID:1722
  - - /bin/systemctl
      systemctl -p Triggers show saned.socket
      4⤵
      PID:1723
  - - /bin/systemctl
      systemctl -p Triggers show snapd.socket
      4⤵
      PID:1724
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      PID:1725
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      PID:1726
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      PID:1727
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      PID:1728
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      PID:1729
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      Reads runtime system information
      PID:1730
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      PID:1731
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      PID:1732
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      PID:1733
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      Reads runtime system information
      PID:1734
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      PID:1735
  - - /bin/systemctl
      systemctl -p Triggers show uuidd.socket
      4⤵
      PID:1736
- - /etc/id.services.conf
    /etc/id.services.conf " "
    3⤵
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    PID:1707

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:1675

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
PID:1674

/usr/local/sbin/systemctl
systemctl start crond.service
1⤵
PID:1663

/usr/local/bin/systemctl
systemctl start crond.service
1⤵
PID:1663

/usr/sbin/systemctl
systemctl start crond.service
1⤵
PID:1663

/usr/bin/systemctl
systemctl start crond.service
1⤵
PID:1663

/sbin/systemctl
systemctl start crond.service
1⤵
PID:1663

/bin/systemctl
systemctl start crond.service
1⤵
PID:1663

/etc/32678
/etc/32678
1⤵
- Executes dropped EXE
PID:1706
- /bin/sleep
  sleep 60
  2⤵
  PID:1709
- /etc/id.services.conf
  /etc/id.services.conf
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:1742
- - /usr/bin/pkill
    pkill -9 32678
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1746
- - /bin/sh
    sh -c "/etc/32678&"
    3⤵
    PID:1747
- - /usr/sbin/service
    service crond start
    3⤵
    PID:1748
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1751
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1753
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      PID:1756
  - - /bin/systemctl
      systemctl -p Triggers show acpid.socket
      4⤵
      Reads runtime system information
      PID:1761
  - - /bin/systemctl
      systemctl -p Triggers show apport-forward.socket
      4⤵
      PID:1762
  - - /bin/systemctl
      systemctl -p Triggers show avahi-daemon.socket
      4⤵
      PID:1763
  - - /bin/systemctl
      systemctl -p Triggers show cups.socket
      4⤵
      PID:1764
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      PID:1765
  - - /bin/systemctl
      systemctl -p Triggers show saned.socket
      4⤵
      PID:1766
  - - /bin/systemctl
      systemctl -p Triggers show snapd.socket
      4⤵
      PID:1767
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      PID:1768
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      PID:1769
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      PID:1770
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      PID:1771
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      PID:1772
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      Reads runtime system information
      PID:1773
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      PID:1774
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      PID:1775
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      PID:1776
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      PID:1777
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      PID:1778
  - - /bin/systemctl
      systemctl -p Triggers show uuidd.socket
      4⤵
      PID:1779
- - /etc/id.services.conf
    /etc/id.services.conf " "
    3⤵
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    PID:1750

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:1717

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
PID:1716

/usr/local/sbin/systemctl
systemctl start crond.service
1⤵
PID:1705

/usr/local/bin/systemctl
systemctl start crond.service
1⤵
PID:1705

/usr/sbin/systemctl
systemctl start crond.service
1⤵
PID:1705

/usr/bin/systemctl
systemctl start crond.service
1⤵
PID:1705

/sbin/systemctl
systemctl start crond.service
1⤵
PID:1705

/bin/systemctl
systemctl start crond.service
1⤵
PID:1705

/etc/32678
/etc/32678
1⤵
- Executes dropped EXE
PID:1749
- /bin/sleep
  sleep 60
  2⤵
  PID:1752
- /etc/id.services.conf
  /etc/id.services.conf
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:1784
- - /usr/bin/pkill
    pkill -9 32678
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1788
- - /bin/sh
    sh -c "/etc/32678&"
    3⤵
    PID:1789
- - /usr/sbin/service
    service crond start
    3⤵
    PID:1790
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1793
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1795
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      PID:1798
  - - /bin/systemctl
      systemctl -p Triggers show acpid.socket
      4⤵
      PID:1803
  - - /bin/systemctl
      systemctl -p Triggers show apport-forward.socket
      4⤵
      PID:1804
  - - /bin/systemctl
      systemctl -p Triggers show avahi-daemon.socket
      4⤵
      PID:1805
  - - /bin/systemctl
      systemctl -p Triggers show cups.socket
      4⤵
      PID:1806
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      PID:1807
  - - /bin/systemctl
      systemctl -p Triggers show saned.socket
      4⤵
      PID:1808
  - - /bin/systemctl
      systemctl -p Triggers show snapd.socket
      4⤵
      PID:1809
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      PID:1810
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      PID:1811
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      PID:1812
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      PID:1813
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      PID:1814
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      PID:1815
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      PID:1816
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      PID:1817
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      PID:1818
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      PID:1819
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      PID:1820
  - - /bin/systemctl
      systemctl -p Triggers show uuidd.socket
      4⤵
      PID:1821
- - /etc/id.services.conf
    /etc/id.services.conf " "
    3⤵
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    PID:1792

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:1760

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
PID:1759

/usr/local/sbin/systemctl
systemctl start crond.service
1⤵
PID:1748

/usr/local/bin/systemctl
systemctl start crond.service
1⤵
PID:1748

/usr/sbin/systemctl
systemctl start crond.service
1⤵
PID:1748

/usr/bin/systemctl
systemctl start crond.service
1⤵
PID:1748

/sbin/systemctl
systemctl start crond.service
1⤵
PID:1748

/bin/systemctl
systemctl start crond.service
1⤵
PID:1748

/etc/32678
/etc/32678
1⤵
- Executes dropped EXE
PID:1791
- /bin/sleep
  sleep 60
  2⤵
  PID:1794
- /etc/id.services.conf
  /etc/id.services.conf
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:1826
- - /usr/bin/pkill
    pkill -9 32678
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1830
- - /bin/sh
    sh -c "/etc/32678&"
    3⤵
    PID:1831
- - /usr/sbin/service
    service crond start
    3⤵
    PID:1832
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1835
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1837
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      PID:1841
  - - /bin/systemctl
      systemctl -p Triggers show acpid.socket
      4⤵
      PID:1845
  - - /bin/systemctl
      systemctl -p Triggers show apport-forward.socket
      4⤵
      PID:1846
  - - /bin/systemctl
      systemctl -p Triggers show avahi-daemon.socket
      4⤵
      PID:1847
  - - /bin/systemctl
      systemctl -p Triggers show cups.socket
      4⤵
      PID:1848
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      PID:1849
  - - /bin/systemctl
      systemctl -p Triggers show saned.socket
      4⤵
      PID:1850
  - - /bin/systemctl
      systemctl -p Triggers show snapd.socket
      4⤵
      PID:1851
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      PID:1852
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      PID:1853
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      Reads runtime system information
      PID:1854
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      PID:1855
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      PID:1856
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      PID:1857
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      PID:1858
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      PID:1859
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      PID:1860
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      PID:1861
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      PID:1862
  - - /bin/systemctl
      systemctl -p Triggers show uuidd.socket
      4⤵
      PID:1863
- - /etc/id.services.conf
    /etc/id.services.conf " "
    3⤵
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    PID:1834

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Reads runtime system information
PID:1801

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:1802

/usr/local/sbin/systemctl
systemctl start crond.service
1⤵
PID:1790

/usr/local/bin/systemctl
systemctl start crond.service
1⤵
PID:1790

/usr/sbin/systemctl
systemctl start crond.service
1⤵
PID:1790

/usr/bin/systemctl
systemctl start crond.service
1⤵
PID:1790

/sbin/systemctl
systemctl start crond.service
1⤵
PID:1790

/bin/systemctl
systemctl start crond.service
1⤵
PID:1790

/etc/32678
/etc/32678
1⤵
- Executes dropped EXE
PID:1833
- /bin/sleep
  sleep 60
  2⤵
  PID:1836
- /etc/id.services.conf
  /etc/id.services.conf
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:1867
- - /usr/bin/pkill
    pkill -9 32678
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1871
- - /bin/sh
    sh -c "/etc/32678&"
    3⤵
    PID:1872
- - /usr/sbin/service
    service crond start
    3⤵
    PID:1873
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1876
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1878
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      PID:1881
  - - /bin/systemctl
      systemctl -p Triggers show acpid.socket
      4⤵
      PID:1886
  - - /bin/systemctl
      systemctl -p Triggers show apport-forward.socket
      4⤵
      PID:1887
  - - /bin/systemctl
      systemctl -p Triggers show avahi-daemon.socket
      4⤵
      PID:1888
  - - /bin/systemctl
      systemctl -p Triggers show cups.socket
      4⤵
      Reads runtime system information
      PID:1889
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      PID:1890
  - - /bin/systemctl
      systemctl -p Triggers show saned.socket
      4⤵
      PID:1891
  - - /bin/systemctl
      4⤵
      Reads runtime system information
      PID:1892
  - - /bin/systemctl
      4⤵
      PID:1893
  - - /bin/systemctl
      4⤵
      PID:1895
  - - /bin/systemctl
      4⤵
      PID:1899
  - - /bin/systemctl
      4⤵
      PID:1903
  - - /bin/systemctl
      4⤵
      PID:1907
  - - /bin/systemctl
      4⤵
      PID:1913
  - - /bin/systemctl
      4⤵
      PID:1915
  - - /bin/systemctl
      4⤵
      PID:1920
  - - /bin/systemctl
      4⤵
      PID:1925
  - - /bin/systemctl
      4⤵
      PID:1928
  - - /bin/systemctl
      4⤵
      PID:1933
  - - /bin/systemctl
      4⤵
      PID:1937
- - /etc/id.services.conf
    /etc/id.services.conf " "
    3⤵
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    PID:1875

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
PID:1843

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:1844

/usr/local/sbin/systemctl
systemctl start crond.service
1⤵
PID:1832

/usr/local/bin/systemctl
systemctl start crond.service
1⤵
PID:1832

/usr/sbin/systemctl
systemctl start crond.service
1⤵
PID:1832

/usr/bin/systemctl
systemctl start crond.service
1⤵
PID:1832

/sbin/systemctl
systemctl start crond.service
1⤵
PID:1832

/bin/systemctl
systemctl start crond.service
1⤵
PID:1832

/etc/32678
/etc/32678
1⤵
- Executes dropped EXE
PID:1874
- /bin/sleep
  sleep 60
  2⤵
  PID:1877
- /etc/id.services.conf
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:1980
- - /usr/bin/pkill
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1984
- - /bin/sh
    3⤵
    PID:1985
- - /usr/sbin/service
    3⤵
    PID:1986
  - - /usr/bin/basename
      4⤵
      PID:1989
  - - /usr/bin/basename
      4⤵
      PID:1991
  - - /bin/systemctl
      4⤵
      PID:1994
- - /etc/id.services.conf
    3⤵
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    PID:1988

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:1885

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Reads runtime system information
PID:1884

/usr/local/sbin/systemctl
1⤵
PID:1873

/usr/local/bin/systemctl
1⤵
PID:1873

/usr/sbin/systemctl
1⤵
PID:1873

/usr/bin/systemctl
1⤵
PID:1873

/sbin/systemctl
1⤵
PID:1873

/bin/systemctl
1⤵
PID:1873

/etc/32678
1⤵
- Executes dropped EXE
PID:1987
- /bin/sleep
  2⤵
  PID:1990
- /etc/id.services.conf
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:2017
- - /usr/bin/pkill
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2021
- - /bin/sh
    3⤵
    PID:2022
- - /usr/sbin/service
    3⤵
    PID:2023
  - - /usr/bin/basename
      4⤵
      PID:2026
  - - /usr/bin/basename
      4⤵
      PID:2028
  - - /bin/systemctl
      4⤵
      PID:2031
- - /etc/id.services.conf
    3⤵
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    PID:2025

/bin/sed
1⤵
PID:1998

/bin/systemctl
1⤵
PID:1997

/usr/local/sbin/systemctl
1⤵
PID:1986

/usr/local/bin/systemctl
1⤵
PID:1986

/usr/sbin/systemctl
1⤵
PID:1986

/usr/bin/systemctl
1⤵
PID:1986

/sbin/systemctl
1⤵
PID:1986

/bin/systemctl
1⤵
PID:1986

/etc/32678
1⤵
- Executes dropped EXE
PID:2024
- /bin/sleep
  2⤵
  PID:2027
- /etc/id.services.conf
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:2054
- - /usr/bin/pkill
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2058
- - /bin/sh
    3⤵
    PID:2059
- - /usr/sbin/service
    3⤵
    PID:2060
  - - /usr/bin/basename
      4⤵
      PID:2063
  - - /usr/bin/basename
      4⤵
      PID:2065
  - - /bin/systemctl
      4⤵
      PID:2068
- - /etc/id.services.conf
    3⤵
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    PID:2062

/bin/sed
1⤵
PID:2035

/bin/systemctl
1⤵
PID:2034

/usr/local/sbin/systemctl
1⤵
PID:2023

/usr/local/bin/systemctl
1⤵
PID:2023

/usr/sbin/systemctl
1⤵
PID:2023

/usr/bin/systemctl
1⤵
PID:2023

/sbin/systemctl
1⤵
PID:2023

/bin/systemctl
1⤵
PID:2023

/etc/32678
1⤵
- Executes dropped EXE
PID:2061
- /bin/sleep
  2⤵
  PID:2064
- /etc/id.services.conf
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:2091
- - /usr/bin/pkill
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2095
- - /bin/sh
    3⤵
    PID:2096
- - /usr/sbin/service
    3⤵
    PID:2097
  - - /usr/bin/basename
      4⤵
      PID:2100
  - - /usr/bin/basename
      4⤵
      PID:2102
  - - /bin/systemctl
      4⤵
      PID:2105
- - /etc/id.services.conf
    3⤵
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    PID:2099

/bin/sed
1⤵
PID:2072

/bin/systemctl
1⤵
PID:2071

/usr/local/sbin/systemctl
1⤵
PID:2060

/usr/local/bin/systemctl
1⤵
PID:2060

/usr/sbin/systemctl
1⤵
PID:2060

/usr/bin/systemctl
1⤵
PID:2060

/sbin/systemctl
1⤵
PID:2060

/bin/systemctl
1⤵
PID:2060

/etc/32678
1⤵
- Executes dropped EXE
PID:2098
- /bin/sleep
  2⤵
  PID:2101
- /etc/id.services.conf
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:2128
- - /usr/bin/pkill
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2132
- - /bin/sh
    3⤵
    PID:2133
- - /usr/sbin/service
    3⤵
    PID:2134
  - - /usr/bin/basename
      4⤵
      PID:2137
  - - /usr/bin/basename
      4⤵
      PID:2139
  - - /bin/systemctl
      4⤵
      PID:2142
- - /etc/id.services.conf
    3⤵
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    PID:2136

/bin/sed
1⤵
PID:2109

/bin/systemctl
1⤵
PID:2108

/usr/local/sbin/systemctl
1⤵
PID:2097

/usr/local/bin/systemctl
1⤵
PID:2097

/usr/sbin/systemctl
1⤵
PID:2097

/usr/bin/systemctl
1⤵
PID:2097

/sbin/systemctl
1⤵
PID:2097

/bin/systemctl
1⤵
PID:2097

/etc/32678
1⤵
- Executes dropped EXE
PID:2135
- /bin/sleep
  2⤵
  PID:2138
- /etc/id.services.conf
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:2167
- - /usr/bin/pkill
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2171
- - /bin/sh
    3⤵
    PID:2172
- - /usr/sbin/service
    3⤵
    PID:2173
  - - /usr/bin/basename
      4⤵
      PID:2176
  - - /usr/bin/basename
      4⤵
      PID:2178
  - - /bin/systemctl
      4⤵
      PID:2181
- - /etc/id.services.conf
    3⤵
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    PID:2175

/bin/systemctl
1⤵
- Reads runtime system information
PID:2145

/bin/sed
1⤵
PID:2146

/usr/local/sbin/systemctl
1⤵
PID:2134

/usr/local/bin/systemctl
1⤵
PID:2134

/usr/sbin/systemctl
1⤵
PID:2134

/usr/bin/systemctl
1⤵
PID:2134

/sbin/systemctl
1⤵
PID:2134

/bin/systemctl
1⤵
PID:2134

/etc/32678
1⤵
- Executes dropped EXE
PID:2174
- /bin/sleep
  2⤵
  PID:2177

/bin/systemctl
1⤵
PID:2184

/bin/sed
1⤵
PID:2185

/usr/local/sbin/systemctl
1⤵
PID:2173

/usr/local/bin/systemctl
1⤵
PID:2173

/usr/sbin/systemctl
1⤵
PID:2173

/usr/bin/systemctl
1⤵
PID:2173

/sbin/systemctl
1⤵
PID:2173

/bin/systemctl
1⤵
PID:2173

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/.img

Filesize
33B

MD5
d73d3376908ea075a939e3871ad0fabe

SHA1
320ff65831247ba199515f1b94df26cc8a3e5f76

SHA256
edbdabe30d8236a2c0a4eb89dfd597552130e4c1a4e93f8fe1568920442ad73a

SHA512
57b83fef88620598beb5d65626bf757d0abef242d2d6a01796a61474dedc5095a4a9d0f292b6abb450cad3d4410ab8456253600f58ddb66cfe6d79e1c8415536

Download Submit
/boot/System.img.config

Filesize
384KB

MD5
320b0ef9b0f3fd349ced377595d78236

SHA1
e1610fe0b533158dee15e30bdd823b067e5f80a7

SHA256
6d49cf7b7567ccfa7883fb58b5c05cf12b4cb76cb4a49ad7e7e69671006a362d

SHA512
2a621fa960dbdc644436f41b7b7545fa125dedaebbefca9d17bc53f079062ac9ee9cc1cd43c80b039d174ca68700c0616502713e1733562126bb07f739ef0865

Download Submit
/etc/32678

Filesize
61B

MD5
768eaf287796da19e1cf5e0b2fb1b161

SHA1
6a1ce2ee5ccc86d1f33806feb14547b35290df2a

SHA256
1d22620dfb2a6715e5d745aed5cf841ede0e75e1747f12b9b925a2d346bc7ecb

SHA512
e6af30c9df4f7f47696069511e64ecbc8e841629d692ee4056503df3533fb7a7a74960698826260355e1dba7b6c562482a27a39bb51a4237473ce4b68472d620

Download Submit
/etc/init.d/linux_kill

Filesize
189B

MD5
3909975f7cc0d1121c1819b800069f31

SHA1
3e68de708c2e6c40fab6794afdee3104e5590189

SHA256
6876dac71f13a068afb863d257134275f2edba43b2acaf4924fabf97c079070b

SHA512
50600cceeb03b05f45ae61d890caee9f51ff390b6776930866e527e071d65d08241fc66673fd9b99d62fbc77d3c00fc3de4d7378cbc42f5daba5d83072b0906e

Download Submit
/etc/profile.d/bash_config.sh

Filesize
37B

MD5
cfb4e51061485fe91169381fbdc1538e

SHA1
9a85b9b766a15b01737a41d680e4593b7a9bde87

SHA256
897f37267d0ceaa2fbdaa09847f5d08e6f8b01a0348a0d666264b0f10acd0c90

SHA512
fb154ec711d2090a7461da4db8ddad2b522649a27e74162ecb203f539b1729430288bc02d78d2071bde9c4bbc005693403a57612ef50277d52f816cb94524216

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads