Changes its process name

Executes dropped EXE

Loads a kernel module

Loads a Linux kernel module, potentially to achieve persistence

Modifies PAM framework files

Modifies Linux PAM framework files, possibly to intercept credentials.

Modifies Polkit authorization policy

Modifies rule/ action files in Polkit, possibly to grant additional privileges.

Reads EFI boot settings

Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

Checks mountinfo of local process

Checks mountinfo of running processes which indicate if it is running in chroot jail.

Creates/modifies Cron job

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Creates/modifies environment variables

Creating/modifying environment variables is a common persistence mechanism.

Deletes log files

Deletes log files on the system.

Enumerates running processes

Discovers information about currently running processes on the system

Modifies init.d

Adds/modifies system service, likely for persistence.

Reads CPU attributes

Reads list of loaded kernel modules

Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

Write file to user bin folder

Writes file to system bin folder

Modifies Bash startup script