Analysis
max time kernel: 13s
max time network: 14s
platform: ubuntu-24.04_amd64
resource: ubuntu2404-amd64-20240523-en
resource tags: arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
submitted: 18-07-2024 17:02
Behavioral task: behavioral1
Sample: 17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f
Resource: ubuntu2404-amd64-20240523-en
General
Target: 17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f
Size: 1.6MB
MD5: 36b5b760bb1334e2feb50ae169f19c00
SHA1: 6dfcc0dcd64a8e498d3204b568a1679b85dcf314
SHA256: 17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f
SHA512: 759cc113d7d73bcf62da54ee70fdc49817325f5580eef4fbe8a69d1e1777a2650ee94e4e6f26b1c2e5d777e534a8e961b140b587f0d30d4108de66ba0f7f8322
SSDEEP: 49152:ZrkdckdSMUFKV3WAiYT+rhQe+x/tM+imbXWMuV:ZrpkdSzFKVWSKav1TXXs
Malware Config
Signatures
- Contacts a large number (71001) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- XMRig Miner payload (1 IoC)
  Processes:
  resource: behavioral1/memory/2447-1-0x00007450c5600000-0x00007450c5c61750-memory.dmp, yara_rule: xmrig
- Unexpected DNS network traffic destination (5 IoCs)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  Destination IPs: 185.181.61.24, 81.169.136.222, 95.215.19.53, 1.0.0.1, 217.160.70.42
- Checks hardware identifiers (DMI) (1 TTP, 4 IoCs)
  Checks DMI information which indicates whether the system is a virtual machine.
  Processes (files opened for reading by 17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f):
  /sys/devices/virtual/dmi/id/board_vendor
  /sys/devices/virtual/dmi/id/bios_vendor
  /sys/devices/virtual/dmi/id/sys_vendor
  /sys/devices/virtual/dmi/id/product_name
- Creates/modifies Cron job (1 TTP, 1 IoC)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes:
  File opened for modification: /var/spool/cron/crontabs/tmp.S97xzT (process: crontab)
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Reads hardware information (1 TTP, 14 IoCs)
  Accesses system info like serial numbers, manufacturer names etc.
  Processes (files opened for reading by 17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f):
  /sys/devices/virtual/dmi/id/product_version
  /sys/devices/virtual/dmi/id/product_uuid
  /sys/devices/virtual/dmi/id/bios_version
  /sys/devices/virtual/dmi/id/bios_date
  /sys/devices/virtual/dmi/id/product_serial
  /sys/devices/virtual/dmi/id/board_name
  /sys/devices/virtual/dmi/id/chassis_vendor
  /sys/devices/virtual/dmi/id/chassis_type
  /sys/devices/virtual/dmi/id/chassis_serial
  /sys/devices/virtual/dmi/id/board_version
  /sys/devices/virtual/dmi/id/board_serial
  /sys/devices/virtual/dmi/id/board_asset_tag
  /sys/devices/virtual/dmi/id/chassis_version
  /sys/devices/virtual/dmi/id/chassis_asset_tag
- Changes its process name (1 IoC)
  Processes:
  Changes the process name, possibly in an attempt to hide itself (process: bash, PID 2449)
- Checks CPU configuration (1 TTP, 1 IoC)
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes:
  File opened for reading: /proc/cpuinfo (process: 17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f)
- Reads CPU attributes (1 TTP, 45 IoCs)
  Processes:
- Enumerates kernel/hardware configuration (1 TTP, 27 IoCs)
  Reads contents of /sys virtual filesystem to enumerate system information.
  Processes (files opened for reading by 17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f):
  /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
  /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages
  /sys/devices/system/node/node0/access0/initiators/read_bandwidth
  /sys/bus/soc/devices
  /sys/devices/system/cpu
  /sys/devices/system/node/online
  /sys/devices/system/node/node0/access0/initiators/write_bandwidth
  /sys/fs/cgroup/cpuset.mems.effective
  /sys/devices/system/node/node0/hugepages
  /sys/firmware/dmi/tables/smbios_entry_point
  /sys/kernel/mm/hugepages
  /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages
  /sys/devices/system/node/node0/meminfo
  /sys/devices/system/node/node0/cpumap
  /sys/devices/system/node/node0/access0/initiators/read_latency
  /sys/devices/virtual/dmi/id
  /sys/fs/cgroup/cgroup.controllers
  /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
  /sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages
  /sys/bus/dax/devices
  /sys/devices/system/node/node0/access1/initiators
  /sys/devices/cpu_atom/cpus
  /sys/devices/system/node/node0/access0/initiators/write_latency
  /sys/fs/cgroup/cpuset.cpus.effective
  /sys/devices/system/node/node0/access0/initiators
  /sys/firmware/dmi/tables/DMI
  /sys/devices/cpu_core/cpus
- Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem.
  Processes:
Processes
- /tmp/17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f (PID 2447)
  command: /tmp/17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f
  signatures: Checks hardware identifiers (DMI); Reads hardware information; Checks CPU configuration; Reads CPU attributes; Enumerates kernel/hardware configuration; Reads runtime system information
  - /bin/sh (PID 2450)
    command: sh -c "command -v crontab >/dev/null 2>&1"
  - /bin/sh (PID 2451)
    command: sh -c "crontab -r >/dev/null 2>&1; echo \"@reboot /tmp/17229e1940e272030b079915600ea9fd944b8250680d89e1ee1eca42bbe3772f\" | crontab -"
    - /usr/bin/crontab (PID 2452)
      command: crontab -r
    - /usr/bin/crontab (PID 2454)
      command: crontab -
      signatures: Creates/modifies Cron job
  - /bin/sh (PID 2455)
    command: sh -c "iptables -I INPUT -p tcp --dport 60678 -j ACCEPT >/dev/null 2>&1"
  - /bin/sh (PID 2456)
    command: sh -c "command -v php >/dev/null 2>&1"
  - /bin/sh (PID 2457)
    command: sh -c "command -v nginx >/dev/null 2>&1"
  - /bin/sh (PID 2458)
    command: sh -c "which apache2"
    - /usr/bin/which (PID 2459)
      command: which apache2
  - /bin/sh (PID 2460)
    command: sh -c "which httpd"
    - /usr/bin/which (PID 2461)
      command: which httpd
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 253B
  MD5: c99d728fe82ad8f72b2c440edb9ac221
  SHA1: 54297b991038c2fe9db85f529ebb9f2681f9850f
  SHA256: 170a2fca4fab721f64cc4063780776192dd955a27840f889c6eb231c8f36f8e0
  SHA512: 0d7ce6cf80f62ce6ed4682c2c58ab5b77b361c13a84d398d9a5f606122a17a7f29c6c05a46b7fb34529f2f75d64d285e5f5eccf550c6dd7b227bbad9337c0456