40ff24d1aab366d334c58facb4eaaccedc41159e32d3ee8397dac76d377f2f75

Analysis

max time kernel
39s
max time network
25s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
27/03/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0970e709cdf0724a8d923f9c300798b
Size

69KB
MD5

e0970e709cdf0724a8d923f9c300798b
SHA1

962627cccc7211010ccc59feb4cea08225076cb2
SHA256

40ff24d1aab366d334c58facb4eaaccedc41159e32d3ee8397dac76d377f2f75
SHA512

dea65a63308539484ce5ebe994bc6e7c3ae5a20fb771aa9d133e16aa2a570bb31db17283b8942c51b785f1d113e5403f00abf958e96aab3084ac089e0e984e69
SSDEEP

1536:qF2Lc2Xnd6QMKYtq7bSdAkKFOmm5aiu0xsE:qF2Lc9tsS2v47cXksE

Score

7^/10

evasion

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
683	iptables

Attempts to change immutable files 24 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
848	xargs
868	xargs
886	xargs
822	xargs
833	xargs
717	grep
815	xargs
841	xargs
892	xargs
898	xargs
916	xargs
676	chattr
708	chattr
860	xargs
874	xargs
721	grep
784	systemctl
738	systemctl
854	xargs
880	xargs
904	xargs
910	xargs
678	chattr
710	chattr

Disables AppArmor 28 IoCs

Disables AppArmor security module.

pid	Process
768	systemctl
785	systemctl
799	systemctl
761	systemctl
761	systemctl
774	systemctl
761	systemctl
790	systemctl
761	systemctl
757	systemctl
781	systemctl
796	systemctl
761	systemctl
761	systemctl
724	systemctl
765	systemctl
792	systemctl
802	systemctl
724	systemctl
724	systemctl
724	systemctl
777	systemctl
724	systemctl
724	systemctl
779	systemctl
784	systemctl
788	systemctl
807	systemctl

Disables SELinux 1 IoCs

Disables SELinux security module.

pid	Process
723	setenforce

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 8 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Enumerates kernel/hardware configuration 1 TTPs 32 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/139/cmdline	ps
File opened for reading	/proc/29/stat	ps
File opened for reading	/proc/315/status	ps
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/327/status	ps
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/41/stat	ps
File opened for reading	/proc/14/status	ps
File opened for reading	/proc/21/stat	ps
File opened for reading	/proc/668/status	ps
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/filesystems	sysctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/115/status	ps
File opened for reading	/proc/3/cmdline	ps
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/23/stat	ps
File opened for reading	/proc/295/cmdline	ps
File opened for reading	/proc/27/status	ps
File opened for reading	/proc/624/cmdline	ps
File opened for reading	/proc/1/stat	ps
File opened for reading	/proc/41/cmdline	ps
File opened for reading	/proc/114/status	ps
File opened for reading	/proc/filesystems	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/287/status	ps
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/624/status	ps
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/6/status	ps
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/42/cmdline	ps
File opened for reading	/proc/115/cmdline	ps
File opened for reading	/proc/3/status	ps
File opened for reading	/proc/43/status	ps
File opened for reading	/proc/147/status	ps
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/298/stat	ps
File opened for reading	/proc/665/status	ps
File opened for reading	/proc/43/cmdline	ps
File opened for reading	/proc/298/status	ps
File opened for reading	/proc/27/cmdline	ps
File opened for reading	/proc/112/status	ps
File opened for reading	/proc/3/status	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/669/stat	ps
File opened for reading	/proc/103/status	ps
File opened for reading	/proc/702/status	ps
File opened for reading	/proc/719/cmdline	ps
File opened for reading	/proc/3/stat	ps
File opened for reading	/proc/151/status	ps
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/717/status	ps
File opened for reading	/proc/19/cmdline	ps
File opened for reading	/proc/433/status	ps
File opened for reading	/proc/tty/drivers	ps

/tmp/e0970e709cdf0724a8d923f9c300798b
/tmp/e0970e709cdf0724a8d923f9c300798b
1⤵
PID:669
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:672
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:676
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:678
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:683
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  PID:689
- - /sbin/sysctl
    sysctl "kernel.nmi_watchdog=0"
    3⤵
    - Reads CPU attributes
    PID:704
- /sbin/sysctl
  sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:707
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:708
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:710
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:712
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:713
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:714
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:716
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:717
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:720
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:721
- /usr/sbin/setenforce
  setenforce 0
  2⤵
  - Disables SELinux
  PID:723
- /usr/sbin/service
  service apparmor stop
  2⤵
  PID:724
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:725
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:727
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:728
- - /bin/systemctl
    systemctl -p Triggers show dbus.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:732
- - /bin/systemctl
    systemctl -p Triggers show ssh.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:733
- - /bin/systemctl
    systemctl -p Triggers show syslog.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:734
- - /bin/systemctl
    systemctl -p Triggers show systemd-fsckd.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:737
- - /bin/systemctl
    systemctl -p Triggers show systemd-initctl.socket
    3⤵
    - Attempts to change immutable files
    - Enumerates kernel/hardware configuration
    PID:738
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-audit.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:739
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-dev-log.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:740
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:745
- - /bin/systemctl
    systemctl -p Triggers show systemd-networkd.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:747
- - /bin/systemctl
    systemctl -p Triggers show systemd-rfkill.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:749
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-control.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:752
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-kernel.socket
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:753
- /usr/local/sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:724
- /usr/local/bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:724
- /usr/sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:724
- /usr/bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:724
- /sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:724
- /bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:724
- /bin/systemctl
  systemctl disable apparmor
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:757
- /usr/sbin/service
  service aliyun.service stop
  2⤵
  PID:761
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:762
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:763
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:765
- - /bin/systemctl
    systemctl -p Triggers show dbus.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:774
- - /bin/systemctl
    systemctl -p Triggers show ssh.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:777
- - /bin/systemctl
    systemctl -p Triggers show syslog.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:779
- - /bin/systemctl
    systemctl -p Triggers show systemd-fsckd.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:781
- - /bin/systemctl
    systemctl -p Triggers show systemd-initctl.socket
    3⤵
    - Attempts to change immutable files
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:784
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-audit.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:785
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-dev-log.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:788
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:790
- - /bin/systemctl
    systemctl -p Triggers show systemd-networkd.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:792
- - /bin/systemctl
    systemctl -p Triggers show systemd-rfkill.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:796
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-control.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:799
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-kernel.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:802
- /usr/local/sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:761
- /usr/local/bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:761
- /usr/sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:761
- /usr/bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:761
- /sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:761
- /bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:761
- /bin/systemctl
  systemctl disable aliyun.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:807
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:811
- /bin/grep
  grep -v grep
  2⤵
  PID:812
- /bin/grep
  grep aegis
  2⤵
  PID:813
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:814
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:815
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:818
- /bin/grep
  grep -v grep
  2⤵
  PID:819
- /bin/grep
  grep Yun
  2⤵
  PID:820
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:821
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:822
- /bin/rm
  rm -rf /usr/local/aegis
  2⤵
  PID:825
- /bin/mkdir
  mkdir /usr/share -p
  2⤵
  PID:827
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:830
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:831
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:832
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:833
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:838
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:839
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:840
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:841
- /bin/grep
  grep :443
  2⤵
  PID:844
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:845
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:846
- /bin/grep
  grep -v -
  2⤵
  PID:847
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:848
- /bin/grep
  grep :23
  2⤵
  PID:850
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:851
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:852
- /bin/grep
  grep -v -
  2⤵
  PID:853
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:854
- /bin/grep
  grep :443
  2⤵
  PID:856
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:857
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:858
- /bin/grep
  grep -v -
  2⤵
  PID:859
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:860
- /bin/grep
  grep :143
  2⤵
  PID:864
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:865
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:866
- /bin/grep
  grep -v -
  2⤵
  PID:867
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:868
- /bin/grep
  grep :2222
  2⤵
  PID:870
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:871
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:872
- /bin/grep
  grep -v -
  2⤵
  PID:873
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:874
- /bin/grep
  grep :3333
  2⤵
  PID:876
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:877
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:878
- /bin/grep
  grep -v -
  2⤵
  PID:879
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:880
- /bin/grep
  grep :3389
  2⤵
  PID:882
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:883
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:884
- /bin/grep
  grep -v -
  2⤵
  PID:885
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:886
- /bin/grep
  grep :5555
  2⤵
  PID:888
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:889
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:890
- /bin/grep
  grep -v -
  2⤵
  PID:891
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:892
- /bin/grep
  grep :6666
  2⤵
  PID:894
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:895
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:896
- /bin/grep
  grep -v -
  2⤵
  PID:897
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:898
- /bin/grep
  grep :6665
  2⤵
  PID:900
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:901
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:902
- /bin/grep
  grep -v -
  2⤵
  PID:903
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:904
- /bin/grep
  grep :6667
  2⤵
  PID:906
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:907
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:908
- /bin/grep
  grep -v -
  2⤵
  PID:909
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:910
- /bin/grep
  grep :7777
  2⤵
  PID:912
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:913
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:914
- /bin/grep
  grep -v -
  2⤵
  PID:915
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:916
- /bin/grep
  grep :8444
  2⤵
  PID:918

/usr/sbin/sendmail
sendmail -t
1⤵
- Reads runtime system information
PID:698
- /usr/sbin/exim4
  /usr/sbin/exim4 -Mc 1rpISV-0000BG-9T
  2⤵
  - Reads CPU attributes
  PID:736

/usr/sbin/sendmail
sendmail -t
1⤵
PID:702
- /usr/sbin/exim4
  /usr/sbin/exim4 -Mc 1rpISV-0000BK-7T
  2⤵
  - Reads CPU attributes
  PID:735

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Enumerates kernel/hardware configuration
PID:730

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
- Reads runtime system information
PID:731

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Disables AppArmor
- Enumerates kernel/hardware configuration
PID:768

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:769

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/mail/user

Filesize
820B

MD5
9334d6e2159faed47ae15639860f4c10

SHA1
03577777febd6941533a96ff7836ea7c054897ce

SHA256
a800fc34c3d6f5afbcf10aa5c8ce5525632de29a4f4afd5893ce567ce56ff235

SHA512
0b41fea4477feeb92868def43351f93f38a0578e994b46905c523769fc811be5b46ba870632242db51cb7e33aee9645a70ce5a5cd848039206ad557488822547

Download Submit
/var/mail/user

Filesize
1KB

MD5
f904b856a75326fd53b60cdb1929e95a

SHA1
cc1cd4b24fc2591746593dda9dba7f2867238b14

SHA256
e7d0cebb1eb958a4cce101675d0af2268a105cc027fe4da498a68a09f244e097

SHA512
70481042fc1c11c9b10e901e6a66808f66f31d766434e4ce2f40c6de70d9ca1d3c0cd1e41a96efd4e545612dbfcb178b59d562e991df4da9bb749373e5b3d4d2

Download Submit
/var/spool/exim4/input/1rpISV-0000BG-9T-D

Filesize
126B

MD5
ccfed9c79ce8c6cdaa793043218488a8

SHA1
121c07ec2e881191aa34e09a5001554ab84b7f02

SHA256
de97885aa5ee563cdbada605480597d403696bd817abe050072e5fc4b20caf01

SHA512
2f8b4aaedc63fcb65da8abb3cb1f7ec241dbb592e7191be6939ca634566f51d3f480cba1b66cb683bdd693abc7a10a4b3be7d22fec8e9fc6a6a963fd1272214a

Download Submit
/var/spool/exim4/input/1rpISV-0000BK-7T-D

Filesize
145B

MD5
fca37c3eb8c39ae0b3df0d68458cce4a

SHA1
a55c475cd3a5af3b19a7e0f55c3e23770ed9416f

SHA256
91ed2d3b9bbac6e8aadaeb4a32f6a16677348b66ddb48acf6cfebf46701e1447

SHA512
16f690c83e7f26d858f669995ae9baedd8fbfe9497db6e9d2fc8f322e7c56fc7c335d123126e436ba152d01b003677fe164e0ddfe24beef3a5dcbdae53777833

Download Submit
/var/spool/exim4/input/1rpISV-0000BK-7T-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/hdr.698

Filesize
912B

MD5
256d13907c80c79a4ac533659b4b8534

SHA1
b56752636cbb1884e08939b29b807ed3ed7a7b96

SHA256
21bd65587fd025942d42b0ae894c03b0f472c2f853bd63d366e0c32011c26eb9

SHA512
a8f202b8090619ab88a04d93b7cc701825cb5a8e0670718416625e11b2aa4e4cd23b8fda1c432eaff4b735ff1e9668efff05eb6c2b78a1866c6b1fb526dd7be8

Download Submit
/var/spool/exim4/msglog/1rpISV-0000BG-9T

Filesize
288B

MD5
c10deda93421bcbb407c24cc10463225

SHA1
dac48cc358b4ced99f0a2bc8df1f15b77835d602

SHA256
420add32c32ac1986f4d4505711d2d7fab9bd618e5b9bee6bc8de5e4bab42c36

SHA512
fde16373b00daab61516ea6fee724342699d0018c50d7dd5a7e1f0b0c8a7a990d6ff5a0b0f5efc5fd34bf3d18011219f86fc23baa5770a904c1275dba2a5b0c7

Download Submit
/var/spool/exim4/msglog/1rpISV-0000BG-9T

Filesize
89B

MD5
78fc06bb5d039c24b7f902abc01b931e

SHA1
db7ad6176f2e1a7bf9cb201fcbcdf1332118ceb9

SHA256
940a72ba14f6bc13249e329bb457f975879b10eec7692ce625a8da96cd80eeaa

SHA512
8e8fae5fcdb7a795380e284a7248704d6adc4867b5c88cf6a00fcb3198f0e0f8f765b904d45930c4a84ad4ac8e999295257e68c8967167bf24bfeaf077ca74f1

Download Submit
/var/spool/exim4/msglog/1rpISV-0000BK-7T

Filesize
288B

MD5
ec98b17a7d3cb7ec90e03e3ed3fa582b

SHA1
350e72c003f627de6fcf39d29a958abb212a16e0

SHA256
61df95a989a4eefe6d5ce5c29e87f4498d9eaf33871160c5b1f72575aebe31d2

SHA512
012cc3c43e1e2343ba0cf4bbd5292bdbcf097e9a8b4c50d873693b6b6ac86c360f95fa44302ba449863a144cb72b11e36151092ec64b93f279dd64bcf3f0dc80

Download Submit
/var/spool/exim4/msglog/1rpISV-0000BK-7T

Filesize
89B

MD5
f87c8740d1778ffaa4fa024351145aa2

SHA1
e20393ecb33b1df9b3159ea01991c80efe10eeb8

SHA256
0800b0fc4cb77f8f8e05a3bf57c949e036fbe19f2210c2eff5f8fe4629f47d2f

SHA512
087189059e5670e73751f36532285d4d66afccef9198e0aaf487b9686e6ada5781708e758895b486c9a722a39bbffa25de0e50c535b8fd4275c6aeca2faec44f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads