d30538787f9b9b9c2bdb9a438e49b39e655642bc1ce21dac8a7b58f71d0f3f45

Analysis

max time kernel
33s
platform
debian-9_armhf
resource
debian9-armhf-20231215-en
resource tags

arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
14/02/2024, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

al.txt
Size

3KB
MD5

a84cc0a810b8772bfd33e660dd1f05da
SHA1

155b9c06a1e3896f6336ea7a250078a015d269e5
SHA256

d30538787f9b9b9c2bdb9a438e49b39e655642bc1ce21dac8a7b58f71d0f3f45
SHA512

ecf516c1147ea307c2254c4b622bfc24984f011be42fe1a4c3356ae2bde51192af13f77f7238a2ba93233f4516a34478a893fdc035f901426540ba00ecb21421

Score

6^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.XJsjNi	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	top
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/73/cmdline	pkill
File opened for reading	/proc/20/cmdline	pkill
File opened for reading	/proc/664/status	pkill
File opened for reading	/proc/337/status	pkill
File opened for reading	/proc/22/status	ps
File opened for reading	/proc/747/cmdline	ps
File opened for reading	/proc/136/cmdline	pgrep
File opened for reading	/proc/664/status	pkill
File opened for reading	/proc/136/cmdline	pkill
File opened for reading	/proc/134/statm	top
File opened for reading	/proc/105/stat	ps
File opened for reading	/proc/578/cmdline	pkill
File opened for reading	/proc/102/status	pkill
File opened for reading	/proc/271/status	pkill
File opened for reading	/proc/13/cmdline	pkill
File opened for reading	/proc/638/status	pkill
File opened for reading	/proc/22/cmdline	pkill
File opened for reading	/proc/27/cmdline	pkill
File opened for reading	/proc/16/status	pkill
File opened for reading	/proc/13/cmdline	pkill
File opened for reading	/proc/275/cmdline	pkill
File opened for reading	/proc/41/cmdline	pkill
File opened for reading	/proc/93/cmdline	pkill
File opened for reading	/proc/stat	ps
File opened for reading	/proc/867/cmdline	ps
File opened for reading	/proc/679/status	pkill
File opened for reading	/proc/3/cmdline	pgrep
File opened for reading	/proc/19/status	pkill
File opened for reading	/proc/582/status	pkill
File opened for reading	/proc/216/status	pkill
File opened for reading	/proc/24/status	pkill
File opened for reading	/proc/27/status	pkill
File opened for reading	/proc/701/cmdline	pkill
File opened for reading	/proc/641/cmdline	pkill
File opened for reading	/proc/41/status	pkill
File opened for reading	/proc/289/status	ps
File opened for reading	/proc/3/status	pkill
File opened for reading	/proc/102/status	pkill
File opened for reading	/proc/268/status	pkill
File opened for reading	/proc/27/stat	ps
File opened for reading	/proc/42/status	ps
File opened for reading	/proc/4/status	pkill
File opened for reading	/proc/28/cmdline	pkill
File opened for reading	/proc/43/status	pkill
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/3/cmdline	pkill
File opened for reading	/proc/575/status	pkill
File opened for reading	/proc/578/cmdline	pkill
File opened for reading	/proc/160/cmdline	pkill
File opened for reading	/proc/20/cmdline	pkill
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/22/cmdline	pkill
File opened for reading	/proc/578/cmdline	pgrep
File opened for reading	/proc/25/cmdline	pkill
File opened for reading	/proc/41/cmdline	pkill
File opened for reading	/proc/41/cmdline	pkill
File opened for reading	/proc/28/status	pkill
File opened for reading	/proc/27/status	pkill
File opened for reading	/proc/filesystems	pkill
File opened for reading	/proc/641/status	top
File opened for reading	/proc/16/cmdline	pkill
File opened for reading	/proc/104/status	pkill
File opened for reading	/proc/13/status	pkill
File opened for reading	/proc/26/cmdline	pkill

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/~/.bash_profile	al.txt
File opened for modification	/tmp/~/.bash_history	al.txt
File opened for modification	/tmp/~/.bashrc	al.txt

/tmp/al.txt
/tmp/al.txt
1⤵
- Writes file to tmp directory
PID:658
- /bin/rm
  rm -f "/dev/shm/*"
  2⤵
  PID:661
- /bin/rm
  rm -f /dev/shm/. /dev/shm/..
  2⤵
  PID:662
- /usr/bin/pkill
  pkill -f telnetd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:665
- /usr/bin/pkill
  pkill -f network-managerr
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:671
- /usr/bin/pkill
  pkill -f ipv6_addrconfd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:674
- /usr/bin/pkill
  pkill -f bdus-daemon
  2⤵
  - Reads CPU attributes
  PID:676
- /usr/bin/pkill
  pkill JavaUpdate
  2⤵
  - Reads CPU attributes
  PID:677
- /usr/bin/pkill
  pkill SSHD2
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:679
- /usr/bin/pkill
  pkill LSHT
  2⤵
  - Reads CPU attributes
  PID:680
- /usr/bin/pgrep
  pgrep LSHT
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:681
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:682
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:683
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:683
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:683
- - /usr/bin/kill
    kill -9
    3⤵
    PID:683
- - /sbin/kill
    kill -9
    3⤵
    PID:683
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:683
- /bin/chmod
  chmod +w /var/tmp/.bin
  2⤵
  PID:684
- /bin/rm
  rm -rf /var/tmp/.bin
  2⤵
  PID:685
- /bin/rm
  rm -rf "~/.bash_history"
  2⤵
  PID:686
- /usr/bin/touch
  touch /var/tmp/.bin
  2⤵
  PID:687
- /usr/bin/pkill
  pkill mysqlserver
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:688
- /usr/bin/pkill
  pkill gitlab-redis
  2⤵
  - Reads CPU attributes
  PID:690
- /bin/rm
  rm -rf /var/tmp/. /var/tmp/.. /var/tmp/.bin
  2⤵
  PID:692
- /usr/bin/pkill
  pkill -9 -f donate
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:693
- /usr/bin/pkill
  pkill -f /tmp/.solr
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:694
- /usr/bin/pkill
  pkill -9 -f crond64
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:695
- /usr/bin/pkill
  pkill -9 -f stratum
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:697
- /usr/bin/pkill
  pkill -9 -f /tmp/java
  2⤵
  - Reads CPU attributes
  PID:700
- /usr/bin/pkill
  pkill -9 -f KIXER
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:702
- /usr/bin/pkill
  pkill -9 -f /tmp/system
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:704
- /usr/bin/pkill
  pkill -9 -f telnetd
  2⤵
  - Reads CPU attributes
  PID:706
- /usr/bin/pkill
  pkill -9 -f agettyd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:709
- /usr/bin/pkill
  pkill -9 -f /var/tmp
  2⤵
  - Reads CPU attributes
  PID:711
- /usr/bin/pkill
  pkill -9 -f "\\./python"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:714
- /usr/bin/pkill
  pkill -9 -f "\\./crun"
  2⤵
  - Reads CPU attributes
  PID:716
- /usr/bin/pkill
  pkill -9 -f "\\./\\."
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:719
- /usr/bin/pkill
  pkill -9 -f "118/cf\\.sh"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:721
- /usr/bin/pkill
  pkill -9 "\\.6379"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:723
- /usr/bin/pkill
  pkill -9 "load\\.sh"
  2⤵
  - Reads CPU attributes
  PID:726
- /usr/bin/pkill
  pkill -9 "init\\.sh"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:728
- /usr/bin/pkill
  pkill -9 "solr\\.sh"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:730
- /usr/bin/pkill
  pkill -9 "\\.rsyslogds"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:733
- /usr/bin/pkill
  pkill -9 pnscan
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:736
- /usr/bin/pkill
  pkill -9 masscan
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:738
- /usr/bin/pkill
  pkill -9 kthreaddi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:740
- /usr/bin/pkill
  pkill -9 sysguard
  2⤵
  - Reads CPU attributes
  PID:743
- /usr/bin/pkill
  pkill -9 kthreaddk
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:745
- /usr/bin/pkill
  pkill -9 kdevtmpfsi
  2⤵
  - Reads CPU attributes
  PID:749
- /usr/bin/pkill
  pkill -9 networkservice
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:751
- /usr/bin/pkill
  pkill -9 sysupdate
  2⤵
  - Reads CPU attributes
  PID:756
- /usr/bin/top
  top -b -n 1
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:758
- /bin/grep
  grep -v grep
  2⤵
  PID:759
- /bin/grep
  grep unifiw
  2⤵
  PID:760
- /usr/bin/awk
  awk "{if(\$9<=50.0) print \$1}"
  2⤵
  PID:761
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:762
- /usr/bin/pkill
  pkill -9 phpguard
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:769
- /usr/bin/pkill
  pkill -9 phpupdate
  2⤵
  - Reads CPU attributes
  PID:771
- /usr/bin/pkill
  pkill -9 networkmanager
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:772
- /usr/bin/pkill
  pkill -9 knthread
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:773
- /usr/bin/pkill
  pkill -9 mysqlserver
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:774
- /usr/bin/pkill
  pkill -9 watchbog
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:775
- /usr/bin/pkill
  pkill -9 xmrig
  2⤵
  - Reads CPU attributes
  PID:776
- /usr/bin/pkill
  pkill -f /tmp/.x111
  2⤵
  - Reads CPU attributes
  PID:777
- /usr/bin/killall
  killall "/tmp/.x111/*"
  2⤵
  PID:778
- /usr/bin/pkill
  pkill -9 -f /dev/shm
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:779
- /usr/bin/pkill
  pkill -9 bashirc
  2⤵
  - Reads CPU attributes
  PID:780
- /usr/bin/pgrep
  pgrep pbotbyjanhotzu
  2⤵
  - Reads CPU attributes
  PID:781
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:782
- /bin/grep
  grep :13531
  2⤵
  PID:784
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:786
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:787
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:788
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:790
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:790
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:790
- - /usr/bin/kill
    kill -9
    3⤵
    PID:790
- - /sbin/kill
    kill -9
    3⤵
    PID:790
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:790
- /bin/grep
  grep :5555
  2⤵
  PID:793
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:794
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:796
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:797
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:800
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:800
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:800
- - /usr/bin/kill
    kill -9
    3⤵
    PID:800
- - /sbin/kill
    kill -9
    3⤵
    PID:800
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:800
- /bin/grep
  grep :33331
  2⤵
  PID:803
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:804
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:805
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:806
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:808
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:808
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:808
- - /usr/bin/kill
    kill -9
    3⤵
    PID:808
- - /sbin/kill
    kill -9
    3⤵
    PID:808
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:808
- /bin/grep
  grep :33332
  2⤵
  PID:810
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:812
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:813
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:814
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:816
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:816
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:816
- - /usr/bin/kill
    kill -9
    3⤵
    PID:816
- - /sbin/kill
    kill -9
    3⤵
    PID:816
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:816
- /bin/grep
  grep :17777
  2⤵
  PID:818
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:819
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:821
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:822
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:824
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:824
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:824
- - /usr/bin/kill
    kill -9
    3⤵
    PID:824
- - /sbin/kill
    kill -9
    3⤵
    PID:824
- - /bin/kill
    kill -9
    3⤵
    PID:824
- /bin/grep
  grep :3333
  2⤵
  PID:826
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:827
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:828
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:829
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:832
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:832
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:832
- - /usr/bin/kill
    kill -9
    3⤵
    PID:832
- - /sbin/kill
    kill -9
    3⤵
    PID:832
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:832
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:833
- /bin/grep
  grep -v grep
  2⤵
  PID:834
- /bin/grep
  grep /tmp/.x111
  2⤵
  PID:835
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:836
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:837
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:840
- /bin/grep
  grep -v grep
  2⤵
  PID:841
- /bin/grep
  grep kinsing
  2⤵
  PID:842
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:843
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:845
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:848
- /bin/grep
  grep -v grep
  2⤵
  PID:849
- /bin/grep
  grep kremasys
  2⤵
  PID:850
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:851
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:852
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:855
- /bin/grep
  grep -v grep
  2⤵
  PID:857
- /bin/grep
  grep "while read procid"
  2⤵
  PID:858
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:859
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:860
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:863
- /bin/grep
  grep -v grep
  2⤵
  PID:864
- /bin/grep
  grep kdevtmpfsi
  2⤵
  PID:865
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:866
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:867
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:873
- /bin/grep
  grep -v grep
  2⤵
  PID:874
- /bin/grep
  grep KGN1cmwg
  2⤵
  PID:875
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:876
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:878
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:881
- /bin/grep
  grep -v grep
  2⤵
  PID:882
- /bin/grep
  grep .dat
  2⤵
  PID:883
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:884
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:885
- /bin/rm
  rm /tmp/.dat
  2⤵
  PID:889
- /usr/bin/pkill
  pkill kinsing
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:890
- /usr/bin/pkill
  pkill -9 zgrab
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:891
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:892
- /bin/grep
  grep -q https://pastebin.com/raw/rVXcPD8Z
  2⤵
  PID:893
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:894
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:896
- /bin/ls
  ls -al /proc/1
  2⤵
  PID:905
- /bin/grep
  grep unifiw
  2⤵
  PID:906
- /bin/grep
  grep -a donate-level /proc/1/exe
  2⤵
  PID:907

/bin/ps
ps auxf
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:898

/bin/grep
grep -v grep
1⤵
PID:899

/bin/grep
grep unifiw
1⤵
PID:900

/usr/bin/awk
awk "{if(\$3>=50.0) print \$2}"
1⤵
PID:901

/bin/ls
ls /proc
1⤵
PID:903

/bin/grep
grep "[0-9]"
1⤵
PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/spool/cron/crontabs/tmp.XJsjNi

Filesize
388B

MD5
b3fce8acd0d744319551daeace7fcdf4

SHA1
30a487740e25fd13d64ef765a4fb90c9269a399f

SHA256
3216041d9551d7f0e367e431836d1d756d5e86befbcf35bea036bd4ef879f35a

SHA512
d944864e9878ba48b0e686a77de58217268c410f2725db464a632e98d75fd057083305702a1b55358067b92e545a20cc304b75848b9439f90524411d883c4377

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads