Changes its process name

Deletes system logs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

Executes dropped EXE

Flushes firewall rules

Flushes/ disables firewall rules inside the Linux kernel.

Loads a kernel module

Loads a Linux kernel module, potentially to achieve persistence

Reads EFI boot settings

Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

UPX packed file

Detects executables packed with UPX/modified UPX open source packer.

Attempts to change immutable files

Modifies inode attributes on the filesystem to allow changing of immutable files.

Checks CPU configuration

Checks CPU information which indicate if the system is a virtual machine.

Checks hardware identifiers (DMI)

Checks DMI information which indicate if the system is a virtual machine.

Creates/modifies Cron job

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Disables AppArmor

Disables AppArmor security module.

Disables SELinux

Disables SELinux security module.

Enumerates running processes

Discovers information about currently running processes on the system

Looks up external IP address via web service

Uses a legitimate IP lookup service to find the infected system's external IP.

Reads CPU attributes

Reads hardware information

Accesses system info like serial numbers, manufacturer names etc.

Reads list of loaded kernel modules

Reads the list of currently loaded kernel modules, possibly to detect virtual environments.