b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

Analysis

max time kernel
149s
max time network
161s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
04-09-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
Size

8.6MB
MD5

ae747bc7fff9bc23f06635ef60ea0e8d
SHA1

64315e834f67905ed4e47f36155362a78ac23462
SHA256

103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
SHA512

e24914a58565a43883c27ae4a41061e8edd3d5eef7b86c1c0e9910d9fbe0eef3e78ed49136ac0c9378311e99901b1847bcfd926aa9a3ea44149a7478480f82b2
SSDEEP

98304:rDSceJ/GqDu6P0ypQ0Qv5knSTH20ejwBcHjI7Xk:rDSceJ/GqD18RZv5knS720e7s

Score

8^/10

antivm defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Adds new SSH keys 1 TTPs 1 IoCs
Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.
persistence privilege_escalation

SSH Authorized Keys
T1098.004

Processes:

103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046

description ioc process

File opened for modification /root/.ssh/authorized_keys 103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
Deletes itself 1 IoCs

Processes:

pid

2874

description	ioc	process
File opened for modification	/root/.ssh/authorized_keys	103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046

pid
2874

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 64 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

Processes:

sudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudosudowhich

pid	process
3147	sudo
3366	sudo
4140
4574
4627
4895
2934	sudo
3157	sudo
3230	sudo
4413
4456
3044	sudo
3608	sudo
4692
3264	sudo
3476	sudo
3975	sudo
4716
4845
2932	sudo
3028	sudo
3181	sudo
3946	sudo
4122
4352
4405
3145	sudo
3661	sudo
4136
2904	sudo
3040	sudo
3175	sudo
3671	sudo
4024	sudo
4076
4342
4729
2938	sudo
3246	sudo
3504	sudo
3655	sudo
3132	sudo
3159	sudo
4224
4415
4584
4893
4899
3099	sudo
3932	sudo
4116
4222
4236
4511
4658
4760
3462	sudo
3718	sudo
4001	sudo
4244
4252
4254
4360
3238	which

Deletes log files 1 TTPs 1 IoCs

Deletes log files on the system.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

Processes:

103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046

description	ioc	process
File deleted	/var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046	103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 64 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

pspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspsps

description	ioc	process
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo
File opened for reading	/proc/cpuinfo

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

Processes:

pspspspspspspkillpkillpspspspspkillpspspkillpkillpkillpspkillpspkillpkillpkillpspspspspkill

description	ioc	process
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible
File opened for reading	/sys/devices/system/cpu/possible

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

Processes:

pkillpspkillpspspspkillpspkillpkillpkillpspspspspkillpspkillpkillpkillpspkillpspkillpkillpspspkillpspsps

description	ioc	process
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node
File opened for reading	/sys/devices/system/node

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pkillkillallpkillpkillkillallpssudopspidofpspkillpskillallpskillallpkillpspkillkillallpskillallkillallpkillpspspkillpkillpspspkillpsps

description	ioc	process
File opened for reading	/proc/2370/cgroup
File opened for reading	/proc/63/cgroup
File opened for reading	/proc/2300/cmdline
File opened for reading	/proc/2367/cmdline	pkill
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/2529/stat	pkill
File opened for reading	/proc/2867/ctty
File opened for reading	/proc/2878/status
File opened for reading	/proc/2346/status
File opened for reading	/proc/12/stat
File opened for reading	/proc/7/status	pkill
File opened for reading	/proc/2628	killall
File opened for reading	/proc/2284/cmdline	ps
File opened for reading	/proc/sys/kernel/seccomp/actions_avail	sudo
File opened for reading	/proc/2877/cmdline	ps
File opened for reading	/proc/728/cgroup
File opened for reading	/proc/2368/environ
File opened for reading	/proc/194/stat	pidof
File opened for reading	/proc/2189/environ	ps
File opened for reading	/proc/24/cmdline	pkill
File opened for reading	/proc/56/stat
File opened for reading	/proc/2300/status	ps
File opened for reading	/proc/731/stat
File opened for reading	/proc/2651/ctty
File opened for reading	/proc/2074	killall
File opened for reading	/proc/56/cmdline
File opened for reading	/proc/13/stat
File opened for reading	/proc/1112/ctty	ps
File opened for reading	/proc/2189	killall
File opened for reading	/proc/1400/cmdline	pkill
File opened for reading	/proc/31/environ	ps
File opened for reading	/proc/52/ctty	pkill
File opened for reading	/proc/1067/cgroup
File opened for reading	/proc/25/cmdline
File opened for reading	/proc/2191/status
File opened for reading	/proc/2	killall
File opened for reading	/proc/33/environ	ps
File opened for reading	/proc/3545	killall
File opened for reading	/proc/2345/cmdline
File opened for reading	/proc/2300/cgroup
File opened for reading	/proc/2523	killall
File opened for reading	/proc/1085/stat	pkill
File opened for reading	/proc/2621/environ	ps
File opened for reading	/proc/2867/cgroup
File opened for reading	/proc/2352/status	ps
File opened for reading	/proc/199/status	pkill
File opened for reading	/proc/357/ctty
File opened for reading	/proc/2300/stat
File opened for reading	/proc/8
File opened for reading	/proc/51
File opened for reading	/proc/2610/cmdline
File opened for reading	/proc/21/ctty	pkill
File opened for reading	/proc/2639/cmdline	pkill
File opened for reading	/proc/457/stat
File opened for reading	/proc/2539/cmdline	ps
File opened for reading	/proc/49/status
File opened for reading	/proc/2870/cmdline	ps
File opened for reading	/proc/2161/cmdline	pkill
File opened for reading	/proc/2682/stat	ps
File opened for reading	/proc/2370/stat	ps
File opened for reading	/proc/2807/ctty
File opened for reading	/proc/2373/environ
File opened for reading	/proc/2468
File opened for reading	/proc/793/environ

Writes file to tmp directory 21 IoCs

Malware often drops required files in the /tmp directory.

Processes:

103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046touchtouchtouchtouchtouchtouchtouchtouchtouchtouchtouch

description	ioc	process
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc	103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_2149	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_20765
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_10129	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_19923	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_29275
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_21234
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_28289	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_4503	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_24732	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_20634
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_30673
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_9137
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_9481
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_15039	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_9750	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_7509	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_31374
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_20654	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_24420	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_22887

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
1⤵
- Adds new SSH keys
- Deletes log files
- Writes file to tmp directory
PID:2870

/usr/bin/uname
uname -a
2⤵
PID:2885

/usr/bin/cat
cat /proc/cpuinfo
2⤵
PID:2886

/usr/bin/cat
cat /etc/issue
2⤵
PID:2888

/usr/bin/free
free -m
2⤵
PID:2889

/usr/bin/uptime
uptime
2⤵
PID:2890

/usr/bin/journalctl
journalctl -S "@0" -u sshd
2⤵
PID:2891

/usr/bin/cat
cat "/var/log/auth*"
2⤵
PID:2892

/usr/bin/zcat
zcat "/var/log/auth*"
2⤵
PID:2893

/usr/local/sbin/gzip
gzip -cd "/var/log/auth*"
2⤵
PID:2893

/usr/local/bin/gzip
gzip -cd "/var/log/auth*"
2⤵
PID:2893

/usr/sbin/gzip
gzip -cd "/var/log/auth*"
2⤵
PID:2893

/usr/bin/gzip
gzip -cd "/var/log/auth*"
2⤵
PID:2893

/bin/bash
/bin/bash -
2⤵
PID:2894

/usr/bin/which
which sudo
3⤵
PID:2896

/usr/bin/wc
wc -l
3⤵
PID:2897

/usr/bin/sudo
sudo -S touch .local_20654
3⤵
PID:2899

/usr/bin/touch
touch .local_20654
4⤵
- Writes file to tmp directory
PID:2900

/usr/bin/grep
grep -c root
3⤵
PID:2903

/usr/bin/ls
ls -l .local_20654
3⤵
PID:2902

/usr/bin/sudo
sudo rm .local_20654
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:2904

/usr/bin/rm
rm .local_20654
4⤵
PID:2905

/usr/bin/sudo
sudo ps auxff
3⤵
PID:2907

/usr/bin/ps
ps auxff
4⤵
- Checks CPU configuration
PID:2911

/usr/bin/grep
grep "./crond -t=all"
3⤵
PID:2908

/usr/bin/grep
grep -v grep
3⤵
PID:2909

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:2910

/usr/bin/sudo
sudo killall -9 bssh
3⤵
PID:2912

/usr/bin/killall
killall -9 bssh
4⤵
PID:2913

/usr/bin/sudo
sudo rm -rf /tmp/.an
3⤵
PID:2914

/usr/bin/rm
rm -rf /tmp/.an
4⤵
PID:2915

/usr/bin/sudo
sudo killall -9 xm64
3⤵
PID:2916

/usr/bin/killall
killall -9 xm64
4⤵
PID:2917

/usr/bin/sudo
sudo killall -9 rpc.idmapd
3⤵
PID:2918

/usr/bin/killall
killall -9 rpc.idmapd
4⤵
PID:2919

/usr/bin/sudo
sudo rm -rf /tmp/.m2
3⤵
PID:2920

/usr/bin/rm
rm -rf /tmp/.m2
4⤵
PID:2921

/usr/bin/sudo
sudo killall -9 xorgg
3⤵
PID:2922

/usr/bin/killall
killall -9 xorgg
4⤵
PID:2923

/usr/bin/sudo
sudo rm -rf /tmp/seconfig
3⤵
PID:2924

/usr/bin/rm
rm -rf /tmp/seconfig
4⤵
PID:2925

/usr/bin/sudo
sudo killall -9 crond64
3⤵
PID:2926

/usr/bin/killall
killall -9 crond64
4⤵
PID:2927

/usr/bin/sudo
sudo killall -9 tsm
3⤵
PID:2928

/usr/bin/killall
killall -9 tsm
4⤵
PID:2929

/usr/bin/sudo
sudo rm -rf /tmp/.ssh
3⤵
PID:2930

/usr/bin/rm
rm -rf /tmp/.ssh
4⤵
PID:2931

/usr/bin/sudo
sudo rm -rf /tmp/.java
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:2932

/usr/bin/rm
rm -rf /tmp/.java
4⤵
PID:2933

/usr/bin/sudo
sudo rm -rf /tmp/.iolanda
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:2934

/usr/bin/rm
rm -rf /tmp/.iolanda
4⤵
PID:2935

/usr/bin/sudo
sudo pkill test.mod
3⤵
PID:2936

/usr/bin/pkill
pkill test.mod
4⤵
PID:2937

/usr/bin/sudo
sudo pkill daemon.i686.mod
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:2938

/usr/bin/pkill
pkill daemon.i686.mod
4⤵
- Reads CPU attributes
PID:2939

/usr/bin/sudo
sudo pkill daemon.armv4l.mod
3⤵
PID:2940

/usr/bin/pkill
pkill daemon.armv4l.mod
4⤵
PID:2941

/usr/bin/sudo
sudo pkill daemon.mips.mod
3⤵
PID:2942

/usr/bin/pkill
pkill daemon.mips.mod
4⤵
- Enumerates kernel/hardware configuration
PID:2943

/usr/bin/sudo
sudo pkill daemon.mipsel.mod
3⤵
PID:2944

/usr/bin/pkill
pkill daemon.mipsel.mod
4⤵
PID:2945

/usr/bin/sudo
sudo rm -rf /tmp/.xs
3⤵
PID:2946

/usr/bin/rm
rm -rf /tmp/.xs
4⤵
PID:2947

/usr/bin/sudo
sudo pkill ld-linux-x86-64
3⤵
PID:2948

/usr/bin/pkill
pkill ld-linux-x86-64
4⤵
PID:2949

/usr/bin/rm
rm -rf "/var/tmp/. *"
3⤵
PID:2950

/usr/bin/sudo
sudo ps auxf
3⤵
PID:2952

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:2956

/usr/bin/grep
grep xmr
3⤵
PID:2953

/usr/bin/grep
grep -v grep
3⤵
PID:2954

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:2955

/usr/bin/sudo
sudo ps auxf
3⤵
PID:2958

/usr/bin/ps
ps auxf
4⤵
- Enumerates kernel/hardware configuration
PID:2962

/usr/bin/grep
grep cryptonight
3⤵
PID:2959

/usr/bin/grep
grep -v grep
3⤵
PID:2960

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:2961

/usr/bin/sudo
sudo ps auxf
3⤵
PID:2964

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:2968

/usr/bin/grep
grep stratum
3⤵
PID:2965

/usr/bin/grep
grep -v grep
3⤵
PID:2966

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:2967

/usr/bin/sudo
sudo ps auxf
3⤵
PID:2970

/usr/bin/ps
ps auxf
4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:2974

/usr/bin/grep
grep dbus-daemon--system
3⤵
PID:2971

/usr/bin/grep
grep -v grep
3⤵
PID:2972

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:2973

/usr/bin/sudo
sudo ps auxf
3⤵
PID:2976

/usr/bin/ps
ps auxf
4⤵
- Reads CPU attributes
PID:2980

/usr/bin/grep
grep "\\[\\]"
3⤵
PID:2977

/usr/bin/grep
grep -v grep
3⤵
PID:2978

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:2979

/usr/bin/sudo
sudo ps auxf
3⤵
PID:2982

/usr/bin/ps
ps auxf
4⤵
PID:2986

/usr/bin/grep
grep xm64
3⤵
PID:2983

/usr/bin/grep
grep -v grep
3⤵
PID:2984

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:2985

/usr/bin/sudo
sudo killall -9 "[atd]"
3⤵
PID:2987

/usr/bin/killall
killall -9 "[atd]"
4⤵
PID:2988

/usr/bin/sudo
sudo rm -rf /tmp/.jk
3⤵
PID:2989

/usr/bin/rm
rm -rf /tmp/.jk
4⤵
PID:2990

/usr/bin/sudo
sudo killall -9 "[ntpd]"
3⤵
PID:2991

/usr/bin/killall
killall -9 "[ntpd]"
4⤵
PID:2992

/usr/bin/sudo
sudo killall -9 "[rpciod]"
3⤵
PID:2993

/usr/bin/killall
killall -9 "[rpciod]"
4⤵
PID:2994

/usr/bin/sudo
sudo killall -9 "[ext4-dio-unwrit]"
3⤵
PID:2995

/usr/bin/killall
killall -9 "[ext4-dio-unwrit]"
4⤵
PID:2996

/usr/bin/sudo
sudo rm -rf "/tmp/.xm*"
3⤵
PID:2997

/usr/bin/rm
rm -rf "/tmp/.xm*"
4⤵
PID:2998

/usr/bin/pidof
pidof libexec
3⤵
- Reads runtime system information
PID:2999

/usr/bin/free
free -m
2⤵
PID:3000

/usr/bin/uptime
uptime
2⤵
PID:3001

/bin/bash
/bin/bash -
2⤵
PID:3002

/usr/bin/which
which sudo
3⤵
PID:3004

/usr/bin/wc
wc -l
3⤵
PID:3005

/usr/bin/sudo
sudo -S touch .local_28289
3⤵
PID:3007

/usr/bin/touch
touch .local_28289
4⤵
- Writes file to tmp directory
PID:3008

/usr/bin/grep
grep -c root
3⤵
PID:3011

/usr/bin/ls
ls -l .local_28289
3⤵
PID:3010

/usr/bin/sudo
sudo rm .local_28289
3⤵
PID:3012

/usr/bin/rm
rm .local_28289
4⤵
PID:3013

/usr/bin/sudo
sudo ps auxff
3⤵
PID:3015

/usr/bin/ps
ps auxff
4⤵
- Checks CPU configuration
- Reads CPU attributes
PID:3019

/usr/bin/grep
grep "./crond -t=all"
3⤵
PID:3016

/usr/bin/grep
grep -v grep
3⤵
PID:3017

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3018

/usr/bin/sudo
sudo killall -9 bssh
3⤵
PID:3020

/usr/bin/killall
killall -9 bssh
4⤵
PID:3021

/usr/bin/sudo
sudo rm -rf /tmp/.an
3⤵
PID:3022

/usr/bin/rm
rm -rf /tmp/.an
4⤵
PID:3023

/usr/bin/sudo
sudo killall -9 xm64
3⤵
PID:3024

/usr/bin/killall
killall -9 xm64
4⤵
PID:3025

/usr/bin/sudo
sudo killall -9 rpc.idmapd
3⤵
PID:3026

/usr/bin/killall
killall -9 rpc.idmapd
4⤵
PID:3027

/usr/bin/sudo
sudo rm -rf /tmp/.m2
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3028

/usr/bin/rm
rm -rf /tmp/.m2
4⤵
PID:3029

/usr/bin/sudo
sudo killall -9 xorgg
3⤵
PID:3030

/usr/bin/killall
killall -9 xorgg
4⤵
PID:3031

/usr/bin/sudo
sudo rm -rf /tmp/seconfig
3⤵
PID:3032

/usr/bin/rm
rm -rf /tmp/seconfig
4⤵
PID:3033

/usr/bin/sudo
sudo killall -9 crond64
3⤵
PID:3034

/usr/bin/killall
killall -9 crond64
4⤵
PID:3035

/usr/bin/sudo
sudo killall -9 tsm
3⤵
PID:3036

/usr/bin/killall
killall -9 tsm
4⤵
PID:3037

/usr/bin/sudo
sudo rm -rf /tmp/.ssh
3⤵
PID:3038

/usr/bin/rm
rm -rf /tmp/.ssh
4⤵
PID:3039

/usr/bin/sudo
sudo rm -rf /tmp/.java
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3040

/usr/bin/rm
rm -rf /tmp/.java
4⤵
PID:3041

/usr/bin/sudo
sudo rm -rf /tmp/.iolanda
3⤵
PID:3042

/usr/bin/rm
rm -rf /tmp/.iolanda
4⤵
PID:3043

/usr/bin/sudo
sudo pkill test.mod
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3044

/usr/bin/pkill
pkill test.mod
4⤵
- Enumerates kernel/hardware configuration
PID:3045

/usr/bin/sudo
sudo pkill daemon.i686.mod
3⤵
PID:3046

/usr/bin/pkill
pkill daemon.i686.mod
4⤵
PID:3047

/usr/bin/sudo
sudo pkill daemon.armv4l.mod
3⤵
PID:3048

/usr/bin/pkill
pkill daemon.armv4l.mod
4⤵
PID:3049

/usr/bin/sudo
sudo pkill daemon.mips.mod
3⤵
PID:3050

/usr/bin/pkill
pkill daemon.mips.mod
4⤵
- Reads CPU attributes
PID:3051

/usr/bin/sudo
sudo pkill daemon.mipsel.mod
3⤵
PID:3052

/usr/bin/pkill
pkill daemon.mipsel.mod
4⤵
PID:3053

/usr/bin/sudo
sudo rm -rf /tmp/.xs
3⤵
PID:3054

/usr/bin/rm
rm -rf /tmp/.xs
4⤵
PID:3055

/usr/bin/sudo
sudo pkill ld-linux-x86-64
3⤵
PID:3056

/usr/bin/pkill
pkill ld-linux-x86-64
4⤵
PID:3057

/usr/bin/rm
rm -rf "/var/tmp/. *"
3⤵
PID:3058

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3060

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:3064

/usr/bin/grep
grep xmr
3⤵
PID:3061

/usr/bin/grep
grep -v grep
3⤵
PID:3062

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3063

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3066

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:3070

/usr/bin/grep
grep cryptonight
3⤵
PID:3067

/usr/bin/grep
grep -v grep
3⤵
PID:3068

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3069

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3072

/usr/bin/ps
ps auxf
4⤵
PID:3076

/usr/bin/grep
grep stratum
3⤵
PID:3073

/usr/bin/grep
grep -v grep
3⤵
PID:3074

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3075

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3078

/usr/bin/ps
ps auxf
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:3082

/usr/bin/grep
grep dbus-daemon--system
3⤵
PID:3079

/usr/bin/grep
grep -v grep
3⤵
PID:3080

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3081

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3084

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
- Enumerates kernel/hardware configuration
PID:3088

/usr/bin/grep
grep "\\[\\]"
3⤵
PID:3085

/usr/bin/grep
grep -v grep
3⤵
PID:3086

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3087

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3090

/usr/bin/ps
ps auxf
4⤵
PID:3094

/usr/bin/grep
grep xm64
3⤵
PID:3091

/usr/bin/grep
grep -v grep
3⤵
PID:3092

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3093

/usr/bin/sudo
sudo killall -9 "[atd]"
3⤵
PID:3095

/usr/bin/killall
killall -9 "[atd]"
4⤵
PID:3096

/usr/bin/sudo
sudo rm -rf /tmp/.jk
3⤵
PID:3097

/usr/bin/rm
rm -rf /tmp/.jk
4⤵
PID:3098

/usr/bin/sudo
sudo killall -9 "[ntpd]"
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3099

/usr/bin/killall
killall -9 "[ntpd]"
4⤵
PID:3100

/usr/bin/sudo
sudo killall -9 "[rpciod]"
3⤵
PID:3101

/usr/bin/killall
killall -9 "[rpciod]"
4⤵
PID:3102

/usr/bin/sudo
sudo killall -9 "[ext4-dio-unwrit]"
3⤵
PID:3103

/usr/bin/killall
killall -9 "[ext4-dio-unwrit]"
4⤵
PID:3104

/usr/bin/sudo
sudo rm -rf "/tmp/.xm*"
3⤵
PID:3105

/usr/bin/rm
rm -rf "/tmp/.xm*"
4⤵
PID:3106

/usr/bin/pidof
pidof libexec
3⤵
PID:3107

/usr/bin/free
free -m
2⤵
PID:3125

/usr/bin/uptime
uptime
2⤵
PID:3126

/bin/bash
/bin/bash -
2⤵
PID:3127

/usr/bin/which
which sudo
3⤵
PID:3129

/usr/bin/wc
wc -l
3⤵
PID:3130

/usr/bin/sudo
sudo -S touch .local_2149
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3132

/usr/bin/touch
touch .local_2149
4⤵
- Writes file to tmp directory
PID:3133

/usr/bin/ls
ls -l .local_2149
3⤵
PID:3135

/usr/bin/grep
grep -c root
3⤵
PID:3136

/usr/bin/sudo
sudo rm .local_2149
3⤵
PID:3137

/usr/bin/rm
rm .local_2149
4⤵
PID:3138

/usr/bin/sudo
sudo ps auxff
3⤵
PID:3140

/usr/bin/ps
ps auxff
4⤵
PID:3144

/usr/bin/grep
grep "./crond -t=all"
3⤵
PID:3141

/usr/bin/grep
grep -v grep
3⤵
PID:3142

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3143

/usr/bin/sudo
sudo killall -9 bssh
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3145

/usr/bin/killall
killall -9 bssh
4⤵
- Reads runtime system information
PID:3146

/usr/bin/sudo
sudo rm -rf /tmp/.an
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3147

/usr/bin/rm
rm -rf /tmp/.an
4⤵
PID:3148

/usr/bin/sudo
sudo killall -9 xm64
3⤵
PID:3149

/usr/bin/killall
killall -9 xm64
4⤵
PID:3150

/usr/bin/sudo
sudo killall -9 rpc.idmapd
3⤵
PID:3151

/usr/bin/killall
killall -9 rpc.idmapd
4⤵
PID:3152

/usr/bin/sudo
sudo rm -rf /tmp/.m2
3⤵
PID:3153

/usr/bin/rm
rm -rf /tmp/.m2
4⤵
PID:3154

/usr/bin/sudo
sudo killall -9 xorgg
3⤵
PID:3155

/usr/bin/killall
killall -9 xorgg
4⤵
PID:3156

/usr/bin/sudo
sudo rm -rf /tmp/seconfig
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3157

/usr/bin/rm
rm -rf /tmp/seconfig
4⤵
PID:3158

/usr/bin/sudo
sudo killall -9 crond64
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3159

/usr/bin/killall
killall -9 crond64
4⤵
PID:3160

/usr/bin/sudo
sudo killall -9 tsm
3⤵
PID:3161

/usr/bin/killall
killall -9 tsm
4⤵
PID:3162

/usr/bin/sudo
sudo rm -rf /tmp/.ssh
3⤵
PID:3163

/usr/bin/rm
rm -rf /tmp/.ssh
4⤵
PID:3164

/usr/bin/sudo
sudo rm -rf /tmp/.java
3⤵
PID:3165

/usr/bin/rm
rm -rf /tmp/.java
4⤵
PID:3166

/usr/bin/sudo
sudo rm -rf /tmp/.iolanda
3⤵
PID:3167

/usr/bin/rm
rm -rf /tmp/.iolanda
4⤵
PID:3168

/usr/bin/sudo
sudo pkill test.mod
3⤵
PID:3169

/usr/bin/pkill
pkill test.mod
4⤵
- Enumerates kernel/hardware configuration
PID:3170

/usr/bin/sudo
sudo pkill daemon.i686.mod
3⤵
PID:3171

/usr/bin/pkill
pkill daemon.i686.mod
4⤵
PID:3172

/usr/bin/sudo
sudo pkill daemon.armv4l.mod
3⤵
PID:3173

/usr/bin/pkill
pkill daemon.armv4l.mod
4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:3174

/usr/bin/sudo
sudo pkill daemon.mips.mod
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3175

/usr/bin/pkill
pkill daemon.mips.mod
4⤵
- Enumerates kernel/hardware configuration
PID:3176

/usr/bin/sudo
sudo pkill daemon.mipsel.mod
3⤵
PID:3177

/usr/bin/pkill
pkill daemon.mipsel.mod
4⤵
PID:3178

/usr/bin/sudo
sudo rm -rf /tmp/.xs
3⤵
PID:3179

/usr/bin/rm
rm -rf /tmp/.xs
4⤵
PID:3180

/usr/bin/sudo
sudo pkill ld-linux-x86-64
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3181

/usr/bin/pkill
pkill ld-linux-x86-64
4⤵
- Enumerates kernel/hardware configuration
PID:3182

/usr/bin/rm
rm -rf "/var/tmp/. *"
3⤵
PID:3183

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3185

/usr/bin/ps
ps auxf
4⤵
- Reads CPU attributes
PID:3189

/usr/bin/grep
grep xmr
3⤵
PID:3186

/usr/bin/grep
grep -v grep
3⤵
PID:3187

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3188

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3191

/usr/bin/ps
ps auxf
4⤵
PID:3195

/usr/bin/grep
grep cryptonight
3⤵
PID:3192

/usr/bin/grep
grep -v grep
3⤵
PID:3193

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3194

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3197

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
- Reads runtime system information
PID:3201

/usr/bin/grep
grep stratum
3⤵
PID:3198

/usr/bin/grep
grep -v grep
3⤵
PID:3199

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3200

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3203

/usr/bin/ps
ps auxf
4⤵
- Enumerates kernel/hardware configuration
PID:3207

/usr/bin/grep
grep dbus-daemon--system
3⤵
PID:3204

/usr/bin/grep
grep -v grep
3⤵
PID:3205

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3206

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3209

/usr/bin/ps
ps auxf
4⤵
PID:3213

/usr/bin/grep
grep -v grep
3⤵
PID:3211

/usr/bin/grep
grep "\\[\\]"
3⤵
PID:3210

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3212

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3215

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:3219

/usr/bin/grep
grep xm64
3⤵
PID:3216

/usr/bin/grep
grep -v grep
3⤵
PID:3217

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3218

/usr/bin/sudo
sudo killall -9 "[atd]"
3⤵
PID:3220

/usr/bin/killall
killall -9 "[atd]"
4⤵
PID:3221

/usr/bin/sudo
sudo rm -rf /tmp/.jk
3⤵
PID:3222

/usr/bin/rm
rm -rf /tmp/.jk
4⤵
PID:3223

/usr/bin/sudo
sudo killall -9 "[ntpd]"
3⤵
PID:3224

/usr/bin/killall
killall -9 "[ntpd]"
4⤵
PID:3225

/usr/bin/sudo
sudo killall -9 "[rpciod]"
3⤵
PID:3226

/usr/bin/killall
killall -9 "[rpciod]"
4⤵
PID:3227

/usr/bin/sudo
sudo killall -9 "[ext4-dio-unwrit]"
3⤵
PID:3228

/usr/bin/killall
killall -9 "[ext4-dio-unwrit]"
4⤵
PID:3229

/usr/bin/sudo
sudo rm -rf "/tmp/.xm*"
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3230

/usr/bin/rm
rm -rf "/tmp/.xm*"
4⤵
PID:3231

/usr/bin/pidof
pidof libexec
3⤵
PID:3232

/bin/bash
/bin/bash -
2⤵
PID:3236

/usr/bin/which
which sudo
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3238

/usr/bin/wc
wc -l
3⤵
PID:3239

/usr/bin/sudo
sudo -S touch .local_4503
3⤵
PID:3241

/usr/bin/touch
touch .local_4503
4⤵
- Writes file to tmp directory
PID:3242

/usr/bin/ls
ls -l .local_4503
3⤵
PID:3244

/usr/bin/grep
grep -c root
3⤵
PID:3245

/usr/bin/sudo
sudo rm .local_4503
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3246

/usr/bin/rm
rm .local_4503
4⤵
PID:3247

/usr/bin/sudo
sudo ps auxff
3⤵
PID:3249

/usr/bin/ps
ps auxff
4⤵
- Checks CPU configuration
PID:3253

/usr/bin/grep
grep "./crond -t=all"
3⤵
PID:3250

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3252

/usr/bin/grep
grep -v grep
3⤵
PID:3251

/usr/bin/sudo
sudo killall -9 bssh
3⤵
PID:3254

/usr/bin/killall
killall -9 bssh
4⤵
PID:3255

/usr/bin/sudo
sudo rm -rf /tmp/.an
3⤵
PID:3256

/usr/bin/rm
rm -rf /tmp/.an
4⤵
PID:3257

/usr/bin/sudo
sudo killall -9 xm64
3⤵
PID:3258

/usr/bin/killall
killall -9 xm64
4⤵
PID:3259

/usr/bin/sudo
sudo killall -9 rpc.idmapd
3⤵
PID:3260

/usr/bin/killall
killall -9 rpc.idmapd
4⤵
PID:3261

/usr/bin/sudo
sudo rm -rf /tmp/.m2
3⤵
PID:3262

/usr/bin/rm
rm -rf /tmp/.m2
4⤵
PID:3263

/usr/bin/sudo
sudo killall -9 xorgg
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3264

/usr/bin/killall
killall -9 xorgg
4⤵
PID:3265

/usr/bin/sudo
sudo rm -rf /tmp/seconfig
3⤵
PID:3266

/usr/bin/rm
rm -rf /tmp/seconfig
4⤵
PID:3267

/usr/bin/sudo
sudo killall -9 crond64
3⤵
PID:3268

/usr/bin/killall
killall -9 crond64
4⤵
PID:3269

/usr/bin/sudo
sudo killall -9 tsm
3⤵
PID:3270

/usr/bin/killall
killall -9 tsm
4⤵
PID:3271

/usr/bin/sudo
sudo rm -rf /tmp/.ssh
3⤵
PID:3272

/usr/bin/rm
rm -rf /tmp/.ssh
4⤵
PID:3273

/usr/bin/sudo
sudo rm -rf /tmp/.java
3⤵
PID:3274

/usr/bin/rm
rm -rf /tmp/.java
4⤵
PID:3275

/usr/bin/sudo
sudo rm -rf /tmp/.iolanda
3⤵
PID:3276

/usr/bin/rm
rm -rf /tmp/.iolanda
4⤵
PID:3277

/usr/bin/sudo
sudo pkill test.mod
3⤵
PID:3278

/usr/bin/pkill
pkill test.mod
4⤵
- Enumerates kernel/hardware configuration
PID:3279

/usr/bin/sudo
sudo pkill daemon.i686.mod
3⤵
PID:3280

/usr/bin/pkill
pkill daemon.i686.mod
4⤵
- Reads CPU attributes
PID:3281

/usr/bin/sudo
sudo pkill daemon.armv4l.mod
3⤵
PID:3282

/usr/bin/pkill
pkill daemon.armv4l.mod
4⤵
- Enumerates kernel/hardware configuration
PID:3283

/usr/bin/sudo
sudo pkill daemon.mips.mod
3⤵
PID:3284

/usr/bin/pkill
pkill daemon.mips.mod
4⤵
- Reads runtime system information
PID:3285

/usr/bin/sudo
sudo pkill daemon.mipsel.mod
3⤵
PID:3286

/usr/bin/pkill
pkill daemon.mipsel.mod
4⤵
- Enumerates kernel/hardware configuration
PID:3287

/usr/bin/sudo
sudo rm -rf /tmp/.xs
3⤵
PID:3288

/usr/bin/rm
rm -rf /tmp/.xs
4⤵
PID:3289

/usr/bin/sudo
sudo pkill ld-linux-x86-64
3⤵
PID:3290

/usr/bin/pkill
pkill ld-linux-x86-64
4⤵
- Reads CPU attributes
PID:3291

/usr/bin/rm
rm -rf "/var/tmp/. *"
3⤵
PID:3292

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3294

/usr/bin/ps
ps auxf
4⤵
- Enumerates kernel/hardware configuration
PID:3298

/usr/bin/grep
grep xmr
3⤵
PID:3295

/usr/bin/grep
grep -v grep
3⤵
PID:3296

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3297

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3300

/usr/bin/ps
ps auxf
4⤵
- Enumerates kernel/hardware configuration
PID:3304

/usr/bin/grep
grep cryptonight
3⤵
PID:3301

/usr/bin/grep
grep -v grep
3⤵
PID:3302

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3303

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3306

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
- Reads CPU attributes
PID:3310

/usr/bin/grep
grep stratum
3⤵
PID:3307

/usr/bin/grep
grep -v grep
3⤵
PID:3308

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3309

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3312

/usr/bin/ps
ps auxf
4⤵
- Reads runtime system information
PID:3316

/usr/bin/grep
grep dbus-daemon--system
3⤵
PID:3313

/usr/bin/grep
grep -v grep
3⤵
PID:3314

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3315

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3318

/usr/bin/ps
ps auxf
4⤵
- Reads CPU attributes
PID:3322

/usr/bin/grep
grep "\\[\\]"
3⤵
PID:3319

/usr/bin/grep
grep -v grep
3⤵
PID:3320

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3321

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3324

/usr/bin/ps
ps auxf
4⤵
- Reads CPU attributes
PID:3328

/usr/bin/grep
grep xm64
3⤵
PID:3325

/usr/bin/grep
grep -v grep
3⤵
PID:3326

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3327

/usr/bin/sudo
sudo killall -9 "[atd]"
3⤵
PID:3329

/usr/bin/killall
killall -9 "[atd]"
4⤵
- Reads runtime system information
PID:3330

/usr/bin/sudo
sudo rm -rf /tmp/.jk
3⤵
PID:3331

/usr/bin/rm
rm -rf /tmp/.jk
4⤵
PID:3332

/usr/bin/sudo
sudo killall -9 "[ntpd]"
3⤵
PID:3333

/usr/bin/killall
killall -9 "[ntpd]"
4⤵
PID:3334

/usr/bin/sudo
sudo killall -9 "[rpciod]"
3⤵
PID:3335

/usr/bin/killall
killall -9 "[rpciod]"
4⤵
PID:3336

/usr/bin/sudo
sudo killall -9 "[ext4-dio-unwrit]"
3⤵
PID:3337

/usr/bin/killall
killall -9 "[ext4-dio-unwrit]"
4⤵
PID:3338

/usr/bin/sudo
sudo rm -rf "/tmp/.xm*"
3⤵
PID:3339

/usr/bin/rm
rm -rf "/tmp/.xm*"
4⤵
PID:3340

/usr/bin/pidof
pidof libexec
3⤵
PID:3341

/usr/bin/free
free -m
2⤵
PID:3342

/usr/bin/uptime
uptime
2⤵
PID:3343

/bin/bash
/bin/bash -
2⤵
PID:3344

/usr/bin/which
which sudo
3⤵
PID:3346

/usr/bin/wc
wc -l
3⤵
PID:3347

/usr/bin/sudo
sudo -S touch .local_24732
3⤵
PID:3349

/usr/bin/touch
touch .local_24732
4⤵
- Writes file to tmp directory
PID:3350

/usr/bin/ls
ls -l .local_24732
3⤵
PID:3352

/usr/bin/grep
grep -c root
3⤵
PID:3353

/usr/bin/sudo
sudo rm .local_24732
3⤵
PID:3354

/usr/bin/rm
rm .local_24732
4⤵
PID:3355

/usr/bin/sudo
sudo ps auxff
3⤵
PID:3357

/usr/bin/ps
ps auxff
4⤵
- Checks CPU configuration
PID:3361

/usr/bin/grep
grep "./crond -t=all"
3⤵
PID:3358

/usr/bin/grep
grep -v grep
3⤵
PID:3359

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3360

/usr/bin/sudo
sudo killall -9 bssh
3⤵
PID:3362

/usr/bin/killall
killall -9 bssh
4⤵
PID:3363

/usr/bin/sudo
sudo rm -rf /tmp/.an
3⤵
PID:3364

/usr/bin/rm
rm -rf /tmp/.an
4⤵
PID:3365

/usr/bin/sudo
sudo killall -9 xm64
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3366

/usr/bin/killall
killall -9 xm64
4⤵
PID:3367

/usr/bin/sudo
sudo killall -9 rpc.idmapd
3⤵
PID:3368

/usr/bin/killall
killall -9 rpc.idmapd
4⤵
PID:3369

/usr/bin/sudo
sudo rm -rf /tmp/.m2
3⤵
PID:3370

/usr/bin/rm
rm -rf /tmp/.m2
4⤵
PID:3371

/usr/bin/sudo
sudo killall -9 xorgg
3⤵
PID:3372

/usr/bin/killall
killall -9 xorgg
4⤵
PID:3373

/usr/bin/sudo
sudo rm -rf /tmp/seconfig
3⤵
PID:3374

/usr/bin/rm
rm -rf /tmp/seconfig
4⤵
PID:3375

/usr/bin/sudo
sudo killall -9 crond64
3⤵
PID:3376

/usr/bin/killall
killall -9 crond64
4⤵
PID:3377

/usr/bin/sudo
sudo killall -9 tsm
3⤵
PID:3378

/usr/bin/killall
killall -9 tsm
4⤵
- Reads runtime system information
PID:3379

/usr/bin/sudo
sudo rm -rf /tmp/.ssh
3⤵
PID:3380

/usr/bin/rm
rm -rf /tmp/.ssh
4⤵
PID:3381

/usr/bin/sudo
sudo rm -rf /tmp/.java
3⤵
PID:3382

/usr/bin/rm
rm -rf /tmp/.java
4⤵
PID:3383

/usr/bin/sudo
sudo rm -rf /tmp/.iolanda
3⤵
PID:3384

/usr/bin/rm
rm -rf /tmp/.iolanda
4⤵
PID:3385

/usr/bin/sudo
sudo pkill test.mod
3⤵
PID:3386

/usr/bin/pkill
pkill test.mod
4⤵
PID:3387

/usr/bin/sudo
sudo pkill daemon.i686.mod
3⤵
PID:3388

/usr/bin/pkill
pkill daemon.i686.mod
4⤵
- Reads runtime system information
PID:3389

/usr/bin/sudo
sudo pkill daemon.armv4l.mod
3⤵
PID:3390

/usr/bin/pkill
pkill daemon.armv4l.mod
4⤵
- Enumerates kernel/hardware configuration
PID:3391

/usr/bin/sudo
sudo pkill daemon.mips.mod
3⤵
PID:3392

/usr/bin/pkill
pkill daemon.mips.mod
4⤵
- Reads CPU attributes
PID:3393

/usr/bin/sudo
sudo pkill daemon.mipsel.mod
3⤵
PID:3394

/usr/bin/pkill
pkill daemon.mipsel.mod
4⤵
PID:3395

/usr/bin/sudo
sudo rm -rf /tmp/.xs
3⤵
PID:3396

/usr/bin/rm
rm -rf /tmp/.xs
4⤵
PID:3397

/usr/bin/sudo
sudo pkill ld-linux-x86-64
3⤵
PID:3398

/usr/bin/pkill
pkill ld-linux-x86-64
4⤵
PID:3399

/usr/bin/rm
rm -rf "/var/tmp/. *"
3⤵
PID:3400

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3402

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:3406

/usr/bin/grep
grep xmr
3⤵
PID:3403

/usr/bin/grep
grep -v grep
3⤵
PID:3404

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3405

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3408

/usr/bin/ps
ps auxf
4⤵
PID:3412

/usr/bin/grep
grep cryptonight
3⤵
PID:3409

/usr/bin/grep
grep -v grep
3⤵
PID:3410

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3411

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3414

/usr/bin/ps
ps auxf
4⤵
- Reads runtime system information
PID:3418

/usr/bin/grep
grep stratum
3⤵
PID:3415

/usr/bin/grep
grep -v grep
3⤵
PID:3416

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3417

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3420

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:3424

/usr/bin/grep
grep dbus-daemon--system
3⤵
PID:3421

/usr/bin/grep
grep -v grep
3⤵
PID:3422

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3423

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3426

/usr/bin/ps
ps auxf
4⤵
- Reads CPU attributes
PID:3430

/usr/bin/grep
grep "\\[\\]"
3⤵
PID:3427

/usr/bin/grep
grep -v grep
3⤵
PID:3428

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3429

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3432

/usr/bin/ps
ps auxf
4⤵
PID:3436

/usr/bin/grep
grep xm64
3⤵
PID:3433

/usr/bin/grep
grep -v grep
3⤵
PID:3434

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3435

/usr/bin/sudo
sudo killall -9 "[atd]"
3⤵
PID:3437

/usr/bin/killall
killall -9 "[atd]"
4⤵
PID:3438

/usr/bin/sudo
sudo rm -rf /tmp/.jk
3⤵
PID:3439

/usr/bin/rm
rm -rf /tmp/.jk
4⤵
PID:3440

/usr/bin/sudo
sudo killall -9 "[ntpd]"
3⤵
PID:3441

/usr/bin/killall
killall -9 "[ntpd]"
4⤵
PID:3442

/usr/bin/sudo
sudo killall -9 "[rpciod]"
3⤵
PID:3443

/usr/bin/killall
killall -9 "[rpciod]"
4⤵
- Reads runtime system information
PID:3444

/usr/bin/sudo
sudo killall -9 "[ext4-dio-unwrit]"
3⤵
PID:3445

/usr/bin/killall
killall -9 "[ext4-dio-unwrit]"
4⤵
PID:3446

/usr/bin/sudo
sudo rm -rf "/tmp/.xm*"
3⤵
PID:3447

/usr/bin/rm
rm -rf "/tmp/.xm*"
4⤵
PID:3448

/usr/bin/pidof
pidof libexec
3⤵
PID:3449

/usr/bin/free
free -m
2⤵
PID:3450

/usr/bin/uptime
uptime
2⤵
PID:3451

/bin/bash
/bin/bash -
2⤵
PID:3452

/usr/bin/which
which sudo
3⤵
PID:3454

/usr/bin/wc
wc -l
3⤵
PID:3455

/usr/bin/sudo
sudo -S touch .local_15039
3⤵
PID:3457

/usr/bin/touch
touch .local_15039
4⤵
- Writes file to tmp directory
PID:3458

/usr/bin/ls
ls -l .local_15039
3⤵
PID:3460

/usr/bin/grep
grep -c root
3⤵
PID:3461

/usr/bin/sudo
sudo rm .local_15039
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3462

/usr/bin/rm
rm .local_15039
4⤵
PID:3463

/usr/bin/sudo
sudo ps auxff
3⤵
PID:3465

/usr/bin/ps
ps auxff
4⤵
- Enumerates kernel/hardware configuration
PID:3469

/usr/bin/grep
grep "./crond -t=all"
3⤵
PID:3466

/usr/bin/grep
grep -v grep
3⤵
PID:3467

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3468

/usr/bin/sudo
sudo killall -9 bssh
3⤵
PID:3470

/usr/bin/killall
killall -9 bssh
4⤵
PID:3471

/usr/bin/sudo
sudo rm -rf /tmp/.an
3⤵
PID:3472

/usr/bin/rm
rm -rf /tmp/.an
4⤵
PID:3473

/usr/bin/sudo
sudo killall -9 xm64
3⤵
PID:3474

/usr/bin/killall
killall -9 xm64
4⤵
PID:3475

/usr/bin/sudo
sudo killall -9 rpc.idmapd
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3476

/usr/bin/killall
killall -9 rpc.idmapd
4⤵
PID:3477

/usr/bin/sudo
sudo rm -rf /tmp/.m2
3⤵
PID:3478

/usr/bin/rm
rm -rf /tmp/.m2
4⤵
PID:3479

/usr/bin/sudo
sudo killall -9 xorgg
3⤵
PID:3480

/usr/bin/killall
killall -9 xorgg
4⤵
PID:3481

/usr/bin/sudo
sudo rm -rf /tmp/seconfig
3⤵
PID:3482

/usr/bin/rm
rm -rf /tmp/seconfig
4⤵
PID:3483

/usr/bin/sudo
sudo killall -9 crond64
3⤵
PID:3484

/usr/bin/killall
killall -9 crond64
4⤵
PID:3485

/usr/bin/sudo
sudo killall -9 tsm
3⤵
PID:3486

/usr/bin/killall
killall -9 tsm
4⤵
PID:3487

/usr/bin/sudo
sudo rm -rf /tmp/.ssh
3⤵
PID:3488

/usr/bin/rm
rm -rf /tmp/.ssh
4⤵
PID:3489

/usr/bin/sudo
sudo rm -rf /tmp/.java
3⤵
PID:3490

/usr/bin/rm
rm -rf /tmp/.java
4⤵
PID:3491

/usr/bin/sudo
sudo rm -rf /tmp/.iolanda
3⤵
PID:3492

/usr/bin/rm
rm -rf /tmp/.iolanda
4⤵
PID:3493

/usr/bin/sudo
sudo pkill test.mod
3⤵
PID:3494

/usr/bin/pkill
pkill test.mod
4⤵
PID:3495

/usr/bin/sudo
sudo pkill daemon.i686.mod
3⤵
PID:3496

/usr/bin/pkill
pkill daemon.i686.mod
4⤵
- Reads runtime system information
PID:3497

/usr/bin/sudo
sudo pkill daemon.armv4l.mod
3⤵
PID:3498

/usr/bin/pkill
pkill daemon.armv4l.mod
4⤵
PID:3499

/usr/bin/sudo
sudo pkill daemon.mips.mod
3⤵
PID:3500

/usr/bin/pkill
pkill daemon.mips.mod
4⤵
- Reads CPU attributes
PID:3501

/usr/bin/sudo
sudo pkill daemon.mipsel.mod
3⤵
PID:3502

/usr/bin/pkill
pkill daemon.mipsel.mod
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:3503

/usr/bin/sudo
sudo rm -rf /tmp/.xs
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3504

/usr/bin/rm
rm -rf /tmp/.xs
4⤵
PID:3505

/usr/bin/sudo
sudo pkill ld-linux-x86-64
3⤵
PID:3506

/usr/bin/pkill
pkill ld-linux-x86-64
4⤵
PID:3507

/usr/bin/rm
rm -rf "/var/tmp/. *"
3⤵
PID:3508

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3510

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
- Reads runtime system information
PID:3514

/usr/bin/grep
grep xmr
3⤵
PID:3511

/usr/bin/grep
grep -v grep
3⤵
PID:3512

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3513

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3516

/usr/bin/ps
ps auxf
4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:3520

/usr/bin/grep
grep cryptonight
3⤵
PID:3517

/usr/bin/grep
grep -v grep
3⤵
PID:3518

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3519

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3522

/usr/bin/ps
ps auxf
4⤵
PID:3526

/usr/bin/grep
grep stratum
3⤵
PID:3523

/usr/bin/grep
grep -v grep
3⤵
PID:3524

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3525

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3528

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:3532

/usr/bin/grep
grep dbus-daemon--system
3⤵
PID:3529

/usr/bin/grep
grep -v grep
3⤵
PID:3530

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3531

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3534

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:3538

/usr/bin/grep
grep "\\[\\]"
3⤵
PID:3535

/usr/bin/grep
grep -v grep
3⤵
PID:3536

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3537

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3540

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
- Reads runtime system information
PID:3544

/usr/bin/grep
grep xm64
3⤵
PID:3541

/usr/bin/grep
grep -v grep
3⤵
PID:3542

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3543

/usr/bin/sudo
sudo killall -9 "[atd]"
3⤵
PID:3545

/usr/bin/killall
killall -9 "[atd]"
4⤵
- Reads runtime system information
PID:3546

/usr/bin/sudo
sudo rm -rf /tmp/.jk
3⤵
PID:3547

/usr/bin/rm
rm -rf /tmp/.jk
4⤵
PID:3548

/usr/bin/sudo
sudo killall -9 "[ntpd]"
3⤵
PID:3549

/usr/bin/killall
killall -9 "[ntpd]"
4⤵
PID:3550

/usr/bin/sudo
sudo killall -9 "[rpciod]"
3⤵
PID:3551

/usr/bin/killall
killall -9 "[rpciod]"
4⤵
PID:3552

/usr/bin/sudo
sudo killall -9 "[ext4-dio-unwrit]"
3⤵
PID:3553

/usr/bin/killall
killall -9 "[ext4-dio-unwrit]"
4⤵
- Reads runtime system information
PID:3554

/usr/bin/sudo
sudo rm -rf "/tmp/.xm*"
3⤵
PID:3555

/usr/bin/rm
rm -rf "/tmp/.xm*"
4⤵
PID:3556

/usr/bin/pidof
pidof libexec
3⤵
PID:3557

/bin/bash
/bin/bash -
2⤵
PID:3558

/usr/bin/which
which sudo
3⤵
PID:3560

/usr/bin/wc
wc -l
3⤵
PID:3561

/usr/bin/sudo
sudo -S touch .local_9750
3⤵
PID:3563

/usr/bin/touch
touch .local_9750
4⤵
- Writes file to tmp directory
PID:3564

/usr/bin/ls
ls -l .local_9750
3⤵
PID:3566

/usr/bin/grep
grep -c root
3⤵
PID:3567

/usr/bin/sudo
sudo rm .local_9750
3⤵
PID:3568

/usr/bin/rm
rm .local_9750
4⤵
PID:3569

/usr/bin/sudo
sudo ps auxff
3⤵
PID:3571

/usr/bin/ps
ps auxff
4⤵
- Reads runtime system information
PID:3575

/usr/bin/grep
grep "./crond -t=all"
3⤵
PID:3572

/usr/bin/grep
grep -v grep
3⤵
PID:3573

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3574

/usr/bin/sudo
sudo killall -9 bssh
3⤵
PID:3576

/usr/bin/killall
killall -9 bssh
4⤵
PID:3577

/usr/bin/sudo
sudo rm -rf /tmp/.an
3⤵
PID:3578

/usr/bin/rm
rm -rf /tmp/.an
4⤵
PID:3579

/usr/bin/sudo
sudo killall -9 xm64
3⤵
PID:3580

/usr/bin/killall
killall -9 xm64
4⤵
PID:3581

/usr/bin/sudo
sudo killall -9 rpc.idmapd
3⤵
PID:3582

/usr/bin/killall
killall -9 rpc.idmapd
4⤵
PID:3583

/usr/bin/sudo
sudo rm -rf /tmp/.m2
3⤵
PID:3584

/usr/bin/rm
rm -rf /tmp/.m2
4⤵
PID:3585

/usr/bin/sudo
sudo killall -9 xorgg
3⤵
PID:3586

/usr/bin/killall
killall -9 xorgg
4⤵
PID:3587

/usr/bin/sudo
sudo rm -rf /tmp/seconfig
3⤵
PID:3588

/usr/bin/rm
rm -rf /tmp/seconfig
4⤵
PID:3589

/usr/bin/sudo
sudo killall -9 crond64
3⤵
PID:3590

/usr/bin/killall
killall -9 crond64
4⤵
PID:3591

/usr/bin/sudo
sudo killall -9 tsm
3⤵
PID:3592

/usr/bin/killall
killall -9 tsm
4⤵
PID:3593

/usr/bin/sudo
sudo rm -rf /tmp/.ssh
3⤵
PID:3594

/usr/bin/rm
rm -rf /tmp/.ssh
4⤵
PID:3595

/usr/bin/sudo
sudo rm -rf /tmp/.java
3⤵
PID:3596

/usr/bin/rm
rm -rf /tmp/.java
4⤵
PID:3597

/usr/bin/sudo
sudo rm -rf /tmp/.iolanda
3⤵
PID:3598

/usr/bin/rm
rm -rf /tmp/.iolanda
4⤵
PID:3599

/usr/bin/sudo
sudo pkill test.mod
3⤵
PID:3600

/usr/bin/pkill
pkill test.mod
4⤵
PID:3601

/usr/bin/sudo
sudo pkill daemon.i686.mod
3⤵
PID:3602

/usr/bin/pkill
pkill daemon.i686.mod
4⤵
- Reads runtime system information
PID:3603

/usr/bin/sudo
sudo pkill daemon.armv4l.mod
3⤵
PID:3604

/usr/bin/pkill
pkill daemon.armv4l.mod
4⤵
PID:3605

/usr/bin/sudo
sudo pkill daemon.mips.mod
3⤵
PID:3606

/usr/bin/pkill
pkill daemon.mips.mod
4⤵
PID:3607

/usr/bin/sudo
sudo pkill daemon.mipsel.mod
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3608

/usr/bin/pkill
pkill daemon.mipsel.mod
4⤵
PID:3609

/usr/bin/sudo
sudo rm -rf /tmp/.xs
3⤵
PID:3610

/usr/bin/rm
rm -rf /tmp/.xs
4⤵
PID:3611

/usr/bin/sudo
sudo pkill ld-linux-x86-64
3⤵
PID:3612

/usr/bin/pkill
pkill ld-linux-x86-64
4⤵
PID:3613

/usr/bin/rm
rm -rf "/var/tmp/. *"
3⤵
PID:3616

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3618

/usr/bin/ps
ps auxf
4⤵
- Enumerates kernel/hardware configuration
PID:3622

/usr/bin/grep
grep xmr
3⤵
PID:3619

/usr/bin/grep
grep -v grep
3⤵
PID:3620

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3621

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3624

/usr/bin/ps
ps auxf
4⤵
- Reads CPU attributes
PID:3628

/usr/bin/grep
grep cryptonight
3⤵
PID:3625

/usr/bin/grep
grep -v grep
3⤵
PID:3626

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3627

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3630

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:3634

/usr/bin/grep
grep -v grep
3⤵
PID:3632

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3633

/usr/bin/grep
grep stratum
3⤵
PID:3631

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3636

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
- Enumerates kernel/hardware configuration
PID:3640

/usr/bin/grep
grep dbus-daemon--system
3⤵
PID:3637

/usr/bin/grep
grep -v grep
3⤵
PID:3638

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3639

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3642

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:3646

/usr/bin/grep
grep "\\[\\]"
3⤵
PID:3643

/usr/bin/grep
grep -v grep
3⤵
PID:3644

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3645

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3648

/usr/bin/ps
ps auxf
4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:3652

/usr/bin/grep
grep xm64
3⤵
PID:3649

/usr/bin/grep
grep -v grep
3⤵
PID:3650

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3651

/usr/bin/sudo
sudo killall -9 "[atd]"
3⤵
PID:3653

/usr/bin/killall
killall -9 "[atd]"
4⤵
PID:3654

/usr/bin/sudo
sudo rm -rf /tmp/.jk
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3655

/usr/bin/rm
rm -rf /tmp/.jk
4⤵
PID:3656

/usr/bin/sudo
sudo killall -9 "[ntpd]"
3⤵
PID:3657

/usr/bin/killall
killall -9 "[ntpd]"
4⤵
PID:3658

/usr/bin/sudo
sudo killall -9 "[rpciod]"
3⤵
PID:3659

/usr/bin/killall
killall -9 "[rpciod]"
4⤵
PID:3660

/usr/bin/sudo
sudo killall -9 "[ext4-dio-unwrit]"
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3661

/usr/bin/killall
killall -9 "[ext4-dio-unwrit]"
4⤵
PID:3662

/usr/bin/sudo
sudo rm -rf "/tmp/.xm*"
3⤵
PID:3663

/usr/bin/rm
rm -rf "/tmp/.xm*"
4⤵
PID:3664

/usr/bin/pidof
pidof libexec
3⤵
PID:3665

/usr/bin/free
free -m
2⤵
PID:3614

/usr/bin/uptime
uptime
2⤵
PID:3615

/bin/bash
/bin/bash -
2⤵
PID:3666

/usr/bin/wc
wc -l
3⤵
PID:3669

/usr/bin/which
which sudo
3⤵
PID:3668

/usr/bin/sudo
sudo -S touch .local_7509
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3671

/usr/bin/touch
touch .local_7509
4⤵
- Writes file to tmp directory
PID:3672

/usr/bin/ls
ls -l .local_7509
3⤵
PID:3674

/usr/bin/grep
grep -c root
3⤵
PID:3675

/usr/bin/sudo
sudo rm .local_7509
3⤵
PID:3676

/usr/bin/rm
rm .local_7509
4⤵
PID:3677

/usr/bin/sudo
sudo ps auxff
3⤵
PID:3679

/usr/bin/ps
ps auxff
4⤵
- Checks CPU configuration
PID:3683

/usr/bin/grep
grep "./crond -t=all"
3⤵
PID:3680

/usr/bin/grep
grep -v grep
3⤵
PID:3681

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3682

/usr/bin/sudo
sudo killall -9 bssh
3⤵
PID:3684

/usr/bin/killall
killall -9 bssh
4⤵
PID:3685

/usr/bin/sudo
sudo rm -rf /tmp/.an
3⤵
PID:3686

/usr/bin/rm
rm -rf /tmp/.an
4⤵
PID:3687

/usr/bin/sudo
sudo killall -9 xm64
3⤵
PID:3688

/usr/bin/killall
killall -9 xm64
4⤵
PID:3689

/usr/bin/sudo
sudo killall -9 rpc.idmapd
3⤵
PID:3690

/usr/bin/killall
killall -9 rpc.idmapd
4⤵
PID:3691

/usr/bin/sudo
sudo rm -rf /tmp/.m2
3⤵
PID:3692

/usr/bin/rm
rm -rf /tmp/.m2
4⤵
PID:3693

/usr/bin/sudo
sudo killall -9 xorgg
3⤵
PID:3694

/usr/bin/killall
killall -9 xorgg
4⤵
- Reads runtime system information
PID:3695

/usr/bin/sudo
sudo rm -rf /tmp/seconfig
3⤵
PID:3696

/usr/bin/rm
rm -rf /tmp/seconfig
4⤵
PID:3697

/usr/bin/sudo
sudo killall -9 crond64
3⤵
PID:3698

/usr/bin/killall
killall -9 crond64
4⤵
PID:3699

/usr/bin/sudo
sudo killall -9 tsm
3⤵
PID:3700

/usr/bin/killall
killall -9 tsm
4⤵
PID:3701

/usr/bin/sudo
sudo rm -rf /tmp/.ssh
3⤵
PID:3702

/usr/bin/rm
rm -rf /tmp/.ssh
4⤵
PID:3703

/usr/bin/sudo
sudo rm -rf /tmp/.java
3⤵
PID:3704

/usr/bin/rm
rm -rf /tmp/.java
4⤵
PID:3705

/usr/bin/sudo
sudo rm -rf /tmp/.iolanda
3⤵
PID:3706

/usr/bin/rm
rm -rf /tmp/.iolanda
4⤵
PID:3707

/usr/bin/sudo
sudo pkill test.mod
3⤵
PID:3708

/usr/bin/pkill
pkill test.mod
4⤵
PID:3709

/usr/bin/sudo
sudo pkill daemon.i686.mod
3⤵
PID:3710

/usr/bin/pkill
pkill daemon.i686.mod
4⤵
- Reads runtime system information
PID:3711

/usr/bin/sudo
sudo pkill daemon.armv4l.mod
3⤵
PID:3712

/usr/bin/pkill
pkill daemon.armv4l.mod
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:3713

/usr/bin/sudo
sudo pkill daemon.mips.mod
3⤵
PID:3714

/usr/bin/pkill
pkill daemon.mips.mod
4⤵
- Reads CPU attributes
- Reads runtime system information
PID:3715

/usr/bin/sudo
sudo pkill daemon.mipsel.mod
3⤵
PID:3716

/usr/bin/pkill
pkill daemon.mipsel.mod
4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:3717

/usr/bin/sudo
sudo rm -rf /tmp/.xs
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3718

/usr/bin/rm
rm -rf /tmp/.xs
4⤵
PID:3719

/usr/bin/sudo
sudo pkill ld-linux-x86-64
3⤵
PID:3720

/usr/bin/pkill
pkill ld-linux-x86-64
4⤵
PID:3721

/usr/bin/rm
rm -rf "/var/tmp/. *"
3⤵
PID:3722

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3724

/usr/bin/ps
ps auxf
4⤵
- Reads runtime system information
PID:3728

/usr/bin/grep
grep xmr
3⤵
PID:3725

/usr/bin/grep
grep -v grep
3⤵
PID:3726

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3727

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3730

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:3734

/usr/bin/grep
grep cryptonight
3⤵
PID:3731

/usr/bin/grep
grep -v grep
3⤵
PID:3732

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3733

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3736

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:3740

/usr/bin/grep
grep stratum
3⤵
PID:3737

/usr/bin/grep
grep -v grep
3⤵
PID:3738

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3739

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3742

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:3746

/usr/bin/grep
grep dbus-daemon--system
3⤵
PID:3743

/usr/bin/grep
grep -v grep
3⤵
PID:3744

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3745

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3748

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:3752

/usr/bin/grep
grep "\\[\\]"
3⤵
PID:3749

/usr/bin/grep
grep -v grep
3⤵
PID:3750

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3751

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3754

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:3758

/usr/bin/grep
grep xm64
3⤵
PID:3755

/usr/bin/grep
grep -v grep
3⤵
PID:3756

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3757

/usr/bin/sudo
sudo killall -9 "[atd]"
3⤵
PID:3759

/usr/bin/killall
killall -9 "[atd]"
4⤵
PID:3760

/usr/bin/sudo
sudo rm -rf /tmp/.jk
3⤵
PID:3761

/usr/bin/rm
rm -rf /tmp/.jk
4⤵
PID:3762

/usr/bin/sudo
sudo killall -9 "[ntpd]"
3⤵
PID:3763

/usr/bin/killall
killall -9 "[ntpd]"
4⤵
PID:3764

/usr/bin/sudo
sudo killall -9 "[rpciod]"
3⤵
PID:3765

/usr/bin/killall
killall -9 "[rpciod]"
4⤵
PID:3766

/usr/bin/sudo
sudo killall -9 "[ext4-dio-unwrit]"
3⤵
PID:3767

/usr/bin/killall
killall -9 "[ext4-dio-unwrit]"
4⤵
PID:3768

/usr/bin/sudo
sudo rm -rf "/tmp/.xm*"
3⤵
PID:3769

/usr/bin/rm
rm -rf "/tmp/.xm*"
4⤵
PID:3770

/usr/bin/pidof
pidof libexec
3⤵
PID:3771

/usr/bin/free
free -m
2⤵
PID:3772

/usr/bin/uptime
uptime
2⤵
PID:3773

/bin/bash
/bin/bash -
2⤵
PID:3774

/usr/bin/which
which sudo
3⤵
PID:3776

/usr/bin/wc
wc -l
3⤵
PID:3777

/usr/bin/sudo
sudo -S touch .local_24420
3⤵
PID:3779

/usr/bin/touch
touch .local_24420
4⤵
- Writes file to tmp directory
PID:3780

/usr/bin/ls
ls -l .local_24420
3⤵
PID:3782

/usr/bin/grep
grep -c root
3⤵
PID:3783

/usr/bin/sudo
sudo rm .local_24420
3⤵
PID:3784

/usr/bin/rm
rm .local_24420
4⤵
PID:3785

/usr/bin/sudo
sudo ps auxff
3⤵
PID:3787

/usr/bin/ps
ps auxff
4⤵
- Enumerates kernel/hardware configuration
PID:3791

/usr/bin/grep
grep "./crond -t=all"
3⤵
PID:3788

/usr/bin/grep
grep -v grep
3⤵
PID:3789

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3790

/usr/bin/sudo
sudo killall -9 bssh
3⤵
PID:3792

/usr/bin/killall
killall -9 bssh
4⤵
PID:3793

/usr/bin/sudo
sudo rm -rf /tmp/.an
3⤵
PID:3794

/usr/bin/rm
rm -rf /tmp/.an
4⤵
PID:3795

/usr/bin/sudo
sudo killall -9 xm64
3⤵
- Reads runtime system information
PID:3796

/usr/bin/killall
killall -9 xm64
4⤵
PID:3797

/usr/bin/sudo
sudo killall -9 rpc.idmapd
3⤵
PID:3798

/usr/bin/killall
killall -9 rpc.idmapd
4⤵
PID:3799

/usr/bin/sudo
sudo rm -rf /tmp/.m2
3⤵
PID:3800

/usr/bin/rm
rm -rf /tmp/.m2
4⤵
PID:3801

/usr/bin/sudo
sudo killall -9 xorgg
3⤵
PID:3802

/usr/bin/killall
killall -9 xorgg
4⤵
PID:3803

/usr/bin/sudo
sudo rm -rf /tmp/seconfig
3⤵
PID:3804

/usr/bin/rm
rm -rf /tmp/seconfig
4⤵
PID:3805

/usr/bin/sudo
sudo killall -9 crond64
3⤵
PID:3806

/usr/bin/killall
killall -9 crond64
4⤵
PID:3807

/usr/bin/sudo
sudo killall -9 tsm
3⤵
PID:3808

/usr/bin/killall
killall -9 tsm
4⤵
PID:3809

/usr/bin/sudo
sudo rm -rf /tmp/.ssh
3⤵
PID:3810

/usr/bin/rm
rm -rf /tmp/.ssh
4⤵
PID:3811

/usr/bin/sudo
sudo rm -rf /tmp/.java
3⤵
PID:3812

/usr/bin/rm
rm -rf /tmp/.java
4⤵
PID:3813

/usr/bin/sudo
sudo rm -rf /tmp/.iolanda
3⤵
PID:3814

/usr/bin/rm
rm -rf /tmp/.iolanda
4⤵
PID:3815

/usr/bin/sudo
sudo pkill test.mod
3⤵
PID:3816

/usr/bin/pkill
pkill test.mod
4⤵
- Enumerates kernel/hardware configuration
PID:3817

/usr/bin/sudo
sudo pkill daemon.i686.mod
3⤵
PID:3818

/usr/bin/pkill
pkill daemon.i686.mod
4⤵
- Enumerates kernel/hardware configuration
PID:3819

/usr/bin/sudo
sudo pkill daemon.armv4l.mod
3⤵
PID:3820

/usr/bin/pkill
pkill daemon.armv4l.mod
4⤵
PID:3821

/usr/bin/sudo
sudo pkill daemon.mips.mod
3⤵
PID:3822

/usr/bin/pkill
pkill daemon.mips.mod
4⤵
PID:3823

/usr/bin/sudo
sudo pkill daemon.mipsel.mod
3⤵
PID:3824

/usr/bin/pkill
pkill daemon.mipsel.mod
4⤵
PID:3825

/usr/bin/sudo
sudo rm -rf /tmp/.xs
3⤵
PID:3826

/usr/bin/rm
rm -rf /tmp/.xs
4⤵
PID:3827

/usr/bin/sudo
sudo pkill ld-linux-x86-64
3⤵
PID:3828

/usr/bin/pkill
pkill ld-linux-x86-64
4⤵
PID:3829

/usr/bin/rm
rm -rf "/var/tmp/. *"
3⤵
PID:3830

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3832

/usr/bin/ps
ps auxf
4⤵
- Reads runtime system information
PID:3836

/usr/bin/grep
grep xmr
3⤵
PID:3833

/usr/bin/grep
grep -v grep
3⤵
PID:3834

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3835

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3838

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
- Reads runtime system information
PID:3842

/usr/bin/grep
grep cryptonight
3⤵
PID:3839

/usr/bin/grep
grep -v grep
3⤵
PID:3840

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3841

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3844

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:3848

/usr/bin/grep
grep stratum
3⤵
PID:3845

/usr/bin/grep
grep -v grep
3⤵
PID:3846

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3847

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3850

/usr/bin/ps
ps auxf
4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:3854

/usr/bin/grep
grep dbus-daemon--system
3⤵
PID:3851

/usr/bin/grep
grep -v grep
3⤵
PID:3852

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3853

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3856

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
- Reads CPU attributes
PID:3860

/usr/bin/grep
grep "\\[\\]"
3⤵
PID:3857

/usr/bin/grep
grep -v grep
3⤵
PID:3858

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3859

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3862

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:3866

/usr/bin/grep
grep xm64
3⤵
PID:3863

/usr/bin/grep
grep -v grep
3⤵
PID:3864

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3865

/usr/bin/sudo
sudo killall -9 "[atd]"
3⤵
PID:3867

/usr/bin/killall
killall -9 "[atd]"
4⤵
PID:3868

/usr/bin/sudo
sudo rm -rf /tmp/.jk
3⤵
PID:3869

/usr/bin/rm
rm -rf /tmp/.jk
4⤵
PID:3870

/usr/bin/sudo
sudo killall -9 "[ntpd]"
3⤵
PID:3871

/usr/bin/killall
killall -9 "[ntpd]"
4⤵
PID:3872

/usr/bin/sudo
sudo killall -9 "[rpciod]"
3⤵
PID:3873

/usr/bin/killall
killall -9 "[rpciod]"
4⤵
PID:3874

/usr/bin/sudo
sudo killall -9 "[ext4-dio-unwrit]"
3⤵
PID:3875

/usr/bin/killall
killall -9 "[ext4-dio-unwrit]"
4⤵
PID:3876

/usr/bin/sudo
sudo rm -rf "/tmp/.xm*"
3⤵
PID:3877

/usr/bin/rm
rm -rf "/tmp/.xm*"
4⤵
PID:3878

/usr/bin/pidof
pidof libexec
3⤵
PID:3879

/usr/bin/free
free -m
2⤵
PID:3880

/usr/bin/uptime
uptime
2⤵
PID:3881

/bin/bash
/bin/bash -
2⤵
PID:3882

/usr/bin/wc
wc -l
3⤵
PID:3885

/usr/bin/which
which sudo
3⤵
PID:3884

/usr/bin/sudo
sudo -S touch .local_10129
3⤵
PID:3887

/usr/bin/touch
touch .local_10129
4⤵
- Writes file to tmp directory
PID:3888

/usr/bin/ls
ls -l .local_10129
3⤵
PID:3890

/usr/bin/grep
grep -c root
3⤵
PID:3891

/usr/bin/sudo
sudo rm .local_10129
3⤵
PID:3892

/usr/bin/rm
rm .local_10129
4⤵
PID:3893

/usr/bin/sudo
sudo ps auxff
3⤵
PID:3895

/usr/bin/ps
ps auxff
4⤵
- Checks CPU configuration
- Reads runtime system information
PID:3899

/usr/bin/grep
grep "./crond -t=all"
3⤵
PID:3896

/usr/bin/grep
grep -v grep
3⤵
PID:3897

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3898

/usr/bin/sudo
sudo killall -9 bssh
3⤵
PID:3900

/usr/bin/killall
killall -9 bssh
4⤵
PID:3901

/usr/bin/sudo
sudo rm -rf /tmp/.an
3⤵
PID:3902

/usr/bin/rm
rm -rf /tmp/.an
4⤵
PID:3903

/usr/bin/sudo
sudo killall -9 xm64
3⤵
PID:3904

/usr/bin/killall
killall -9 xm64
4⤵
PID:3905

/usr/bin/sudo
sudo killall -9 rpc.idmapd
3⤵
PID:3906

/usr/bin/killall
killall -9 rpc.idmapd
4⤵
PID:3907

/usr/bin/sudo
sudo rm -rf /tmp/.m2
3⤵
PID:3908

/usr/bin/rm
rm -rf /tmp/.m2
4⤵
PID:3909

/usr/bin/sudo
sudo killall -9 xorgg
3⤵
PID:3910

/usr/bin/killall
killall -9 xorgg
4⤵
PID:3911

/usr/bin/sudo
sudo rm -rf /tmp/seconfig
3⤵
PID:3912

/usr/bin/rm
rm -rf /tmp/seconfig
4⤵
PID:3913

/usr/bin/sudo
sudo killall -9 crond64
3⤵
PID:3914

/usr/bin/killall
killall -9 crond64
4⤵
PID:3915

/usr/bin/sudo
sudo killall -9 tsm
3⤵
PID:3916

/usr/bin/killall
killall -9 tsm
4⤵
PID:3917

/usr/bin/sudo
sudo rm -rf /tmp/.ssh
3⤵
PID:3918

/usr/bin/rm
rm -rf /tmp/.ssh
4⤵
PID:3919

/usr/bin/sudo
sudo rm -rf /tmp/.java
3⤵
PID:3920

/usr/bin/rm
rm -rf /tmp/.java
4⤵
PID:3921

/usr/bin/sudo
sudo rm -rf /tmp/.iolanda
3⤵
PID:3922

/usr/bin/rm
rm -rf /tmp/.iolanda
4⤵
PID:3923

/usr/bin/sudo
sudo pkill test.mod
3⤵
PID:3924

/usr/bin/pkill
pkill test.mod
4⤵
PID:3925

/usr/bin/sudo
sudo pkill daemon.i686.mod
3⤵
PID:3926

/usr/bin/pkill
pkill daemon.i686.mod
4⤵
PID:3927

/usr/bin/sudo
sudo pkill daemon.armv4l.mod
3⤵
PID:3928

/usr/bin/pkill
pkill daemon.armv4l.mod
4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:3929

/usr/bin/sudo
sudo pkill daemon.mips.mod
3⤵
PID:3930

/usr/bin/pkill
pkill daemon.mips.mod
4⤵
PID:3931

/usr/bin/sudo
sudo pkill daemon.mipsel.mod
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3932

/usr/bin/pkill
pkill daemon.mipsel.mod
4⤵
PID:3933

/usr/bin/sudo
sudo rm -rf /tmp/.xs
3⤵
PID:3934

/usr/bin/rm
rm -rf /tmp/.xs
4⤵
PID:3935

/usr/bin/sudo
sudo pkill ld-linux-x86-64
3⤵
PID:3936

/usr/bin/pkill
pkill ld-linux-x86-64
4⤵
PID:3937

/usr/bin/rm
rm -rf "/var/tmp/. *"
3⤵
PID:3938

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3940

/usr/bin/ps
ps auxf
4⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:3944

/usr/bin/grep
grep xmr
3⤵
PID:3941

/usr/bin/grep
grep -v grep
3⤵
PID:3942

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3943

/usr/bin/sudo
sudo ps auxf
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3946

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
- Reads CPU attributes
PID:3950

/usr/bin/grep
grep cryptonight
3⤵
PID:3947

/usr/bin/grep
grep -v grep
3⤵
PID:3948

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3949

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3952

/usr/bin/ps
ps auxf
4⤵
- Checks CPU configuration
PID:3956

/usr/bin/grep
grep stratum
3⤵
PID:3953

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3955

/usr/bin/grep
grep -v grep
3⤵
PID:3954

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3958

/usr/bin/ps
ps auxf
4⤵
- Enumerates kernel/hardware configuration
PID:3962

/usr/bin/grep
grep dbus-daemon--system
3⤵
PID:3959

/usr/bin/grep
grep -v grep
3⤵
PID:3960

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3961

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3964

/usr/bin/ps
ps auxf
4⤵
PID:3968

/usr/bin/grep
grep "\\[\\]"
3⤵
PID:3965

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3967

/usr/bin/grep
grep -v grep
3⤵
PID:3966

/usr/bin/sudo
sudo ps auxf
3⤵
PID:3970

/usr/bin/ps
ps auxf
4⤵
PID:3974

/usr/bin/grep
grep xm64
3⤵
PID:3971

/usr/bin/grep
grep -v grep
3⤵
PID:3972

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:3973

/usr/bin/sudo
sudo killall -9 "[atd]"
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:3975

/usr/bin/killall
killall -9 "[atd]"
4⤵
PID:3976

/usr/bin/sudo
sudo rm -rf /tmp/.jk
3⤵
PID:3977

/usr/bin/rm
rm -rf /tmp/.jk
4⤵
PID:3978

/usr/bin/sudo
sudo killall -9 "[ntpd]"
3⤵
PID:3979

/usr/bin/killall
killall -9 "[ntpd]"
4⤵
PID:3980

/usr/bin/sudo
sudo killall -9 "[rpciod]"
3⤵
PID:3981

/usr/bin/killall
killall -9 "[rpciod]"
4⤵
PID:3982

/usr/bin/sudo
sudo killall -9 "[ext4-dio-unwrit]"
3⤵
PID:3983

/usr/bin/killall
killall -9 "[ext4-dio-unwrit]"
4⤵
PID:3984

/usr/bin/sudo
sudo rm -rf "/tmp/.xm*"
3⤵
PID:3985

/usr/bin/rm
rm -rf "/tmp/.xm*"
4⤵
PID:3986

/usr/bin/pidof
pidof libexec
3⤵
PID:3987

/bin/bash
/bin/bash -
2⤵
PID:3988

/usr/bin/which
which sudo
3⤵
PID:3990

/usr/bin/wc
wc -l
3⤵
PID:3991

/usr/bin/sudo
sudo -S touch .local_19923
3⤵
PID:3993

/usr/bin/touch
touch .local_19923
4⤵
- Writes file to tmp directory
PID:3994

/usr/bin/ls
ls -l .local_19923
3⤵
PID:3996

/usr/bin/grep
grep -c root
3⤵
PID:3997

/usr/bin/sudo
sudo rm .local_19923
3⤵
PID:3998

/usr/bin/rm
rm .local_19923
4⤵
PID:3999

/usr/bin/sudo
sudo ps auxff
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:4001

/usr/bin/ps
ps auxff
4⤵
- Reads CPU attributes
PID:4005

/usr/bin/grep
grep "./crond -t=all"
3⤵
PID:4002

/usr/bin/grep
grep -v grep
3⤵
PID:4003

/usr/bin/awk
awk "{ print \$2 }"
3⤵
PID:4004

/usr/bin/sudo
sudo killall -9 bssh
3⤵
PID:4006

/usr/bin/killall
killall -9 bssh
4⤵
PID:4007

/usr/bin/sudo
sudo rm -rf /tmp/.an
3⤵
PID:4008

/usr/bin/rm
rm -rf /tmp/.an
4⤵
PID:4009

/usr/bin/sudo
sudo killall -9 xm64
3⤵
PID:4010

/usr/bin/killall
killall -9 xm64
4⤵
PID:4011

/usr/bin/sudo
sudo killall -9 rpc.idmapd
3⤵
PID:4012

/usr/bin/killall
killall -9 rpc.idmapd
4⤵
PID:4013

/usr/bin/sudo
sudo rm -rf /tmp/.m2
3⤵
PID:4014

/usr/bin/rm
rm -rf /tmp/.m2
4⤵
PID:4015

/usr/bin/sudo
sudo killall -9 xorgg
3⤵
PID:4016

/usr/bin/killall
killall -9 xorgg
4⤵
PID:4017

/usr/bin/sudo
sudo rm -rf /tmp/seconfig
3⤵
PID:4018

/usr/bin/rm
rm -rf /tmp/seconfig
4⤵
PID:4019

/usr/bin/sudo
sudo killall -9 crond64
3⤵
PID:4020

/usr/bin/killall
killall -9 crond64
4⤵
PID:4021

/usr/bin/sudo
sudo killall -9 tsm
3⤵
PID:4022

/usr/bin/killall
killall -9 tsm
4⤵
PID:4023

/usr/bin/sudo
sudo rm -rf /tmp/.ssh
3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:4024

/usr/bin/rm
rm -rf /tmp/.ssh
4⤵
PID:4025

/usr/bin/sudo
sudo rm -rf /tmp/.java
3⤵
PID:4026

/usr/bin/rm
rm -rf /tmp/.java
4⤵
PID:4027

/usr/bin/sudo
sudo rm -rf /tmp/.iolanda
3⤵
PID:4028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

T1098

SSH Authorized Keys

T1098.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc
Filesize
8.6MB

MD5
ae747bc7fff9bc23f06635ef60ea0e8d

SHA1
64315e834f67905ed4e47f36155362a78ac23462

SHA256
103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046

SHA512
e24914a58565a43883c27ae4a41061e8edd3d5eef7b86c1c0e9910d9fbe0eef3e78ed49136ac0c9378311e99901b1847bcfd926aa9a3ea44149a7478480f82b2

Download Submit