e1d7014b84618cd7fbf94439c78fe7d67f351cbc5536885fa3d94ea15325d83b

Analysis

max time kernel
151s
max time network
16s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
15-09-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118
Size

64KB
MD5

e18e805087ea6f63cf907907dc1d0a08
SHA1

ebe527ca26f78e5d347f22f323ee3f11d58cd57a
SHA256

e1d7014b84618cd7fbf94439c78fe7d67f351cbc5536885fa3d94ea15325d83b
SHA512

92115775959fa27619200334a0add1a448440ae5512aded7bd55937fec1daa0964d54f2e0f881b61515270f5bb783c9d2ab5096fd452529b8af633bff0938784
SSDEEP

768:57kFIBuFkc2zq0xvMGd5QP5ez4Z88mqKWCgpK8d7Cuaxz5st3P/hpE90550RQKIR:KF2Lc2Xnd5QhK8dmtq7b50BIR

Score

7^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
718	iptables

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
724	sudo

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
1204	xargs
799	xargs
832	xargs
956	xargs
1026	xargs
886	xargs
1171	xargs
1209	xargs
922	xargs
1229	xargs
782	xargs
787	xargs
805	xargs
844	xargs
1137	xargs
1224	xargs
811	xargs
906	xargs
1071	xargs
1114	xargs
750	grep
911	xargs
1146	xargs
1254	xargs
1199	xargs
1239	xargs
838	xargs
896	xargs
968	xargs
1065	xargs
1244	xargs
1274	xargs
715	chattr
1052	xargs
1094	xargs
1141	xargs
927	xargs
987	xargs
1013	xargs
1187	xargs
794	xargs
826	xargs
874	xargs
916	xargs
1261	xargs
1085	xargs
743	chattr
856	xargs
937	xargs
1020	xargs
1039	xargs
1249	xargs
742	chattr
901	xargs
975	xargs
1032	xargs
1281	xargs
949	xargs
1107	xargs
1192	xargs
1219	xargs
1126	xargs
1268	xargs
1287	xargs

Disables AppArmor 16 IoCs

Disables AppArmor security module.

pid	Process
761	systemctl
773	systemctl
770	systemctl
770	systemctl
770	systemctl
761	systemctl
761	systemctl
761	systemctl
775	systemctl
761	systemctl
761	systemctl
769	systemctl
770	systemctl
770	systemctl
770	systemctl
777	systemctl

Disables SELinux 9 IoCs

Disables SELinux security module.

pid	Process
917	kill
917	kill
917	kill
1222	grep
759	setenforce
917	kill
917	kill
917	kill
1105	grep

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Enumerates kernel/hardware configuration 1 TTPs 8 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/17/status	ps
File opened for reading	/proc/1030/cmdline	ps
File opened for reading	/proc/142/status	ps
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/319/stat	ps
File opened for reading	/proc/17/cmdline	ps
File opened for reading	/proc/71/status	ps
File opened for reading	/proc/703/status	ps
File opened for reading	/proc/373/stat	ps
File opened for reading	/proc/36/stat	ps
File opened for reading	/proc/9/cmdline	ps
File opened for reading	/proc/704/status	ps
File opened for reading	/proc/103/stat	ps
File opened for reading	/proc/701/status	ps
File opened for reading	/proc/1073/stat	ps
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/113/stat	ps
File opened for reading	/proc/21/stat	ps
File opened for reading	/proc/466/stat	ps
File opened for reading	/proc/81/status	ps
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/stat	ps
File opened for reading	/proc/702/stat	ps
File opened for reading	/proc/930/stat	ps
File opened for reading	/proc/68/status	ps
File opened for reading	/proc/703/cmdline	ps
File opened for reading	/proc/384/cmdline	ps
File opened for reading	/proc/15/cmdline	ps
File opened for reading	/proc/754/cmdline	ps
File opened for reading	/proc/167/cmdline	ps
File opened for reading	/proc/704/cmdline	ps
File opened for reading	/proc/103/cmdline	ps
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/14/stat	ps
File opened for reading	/proc/11/cmdline	ps
File opened for reading	/proc/929/cmdline	ps
File opened for reading	/proc/15/cmdline	ps
File opened for reading	/proc/473/stat	ps
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/12/status	ps
File opened for reading	/proc/319/cmdline	ps
File opened for reading	/proc/228/cmdline	ps
File opened for reading	/proc/706/cmdline	ps
File opened for reading	/proc/17/status	ps
File opened for reading	/proc/1162/status	ps
File opened for reading	/proc/7/stat	ps
File opened for reading	/proc/17/cmdline	ps
File opened for reading	/proc/319/cmdline	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/19/status	ps
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/17/status	ps
File opened for reading	/proc/19/status	ps
File opened for reading	/proc/1069/cmdline	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/14/status	ps
File opened for reading	/proc/703/status	ps
File opened for reading	/proc/473/status	ps
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/81/cmdline	ps
File opened for reading	/proc/71/status	ps
File opened for reading	/proc/5/cmdline	ps

/tmp/e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118
/tmp/e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118
1⤵
PID:704
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  PID:711
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  PID:713
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:715
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:718
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:724
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    PID:733
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1spdPS-0000Bp-3f
      4⤵
      Reads CPU attributes
      PID:751
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    PID:736
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1spdPR-0000Bs-W5
      4⤵
      PID:748
- - /sbin/sysctl
    sysctl "kernel.nmi_watchdog=0"
    3⤵
    - Reads CPU attributes
    PID:739
- /sbin/sysctl
  sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Reads CPU attributes
  PID:740
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:742
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:743
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:745
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:746
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:747
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:749
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:750
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:755
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  PID:756
- /usr/sbin/setenforce
  setenforce 0
  2⤵
  - Disables SELinux
  PID:759
- /usr/sbin/service
  service apparmor stop
  2⤵
  PID:761
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:762
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:763
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Enumerates kernel/hardware configuration
    PID:764
- - /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    3⤵
    - Enumerates kernel/hardware configuration
    PID:766
- - /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    3⤵
    PID:767
- /usr/local/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:761
- /usr/local/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:761
- /usr/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:761
- /usr/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:761
- /sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:761
- /bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:761
- /bin/systemctl
  systemctl disable apparmor
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:769
- /usr/sbin/service
  service aliyun.service stop
  2⤵
  PID:770
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:771
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:772
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:773
- - /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    3⤵
    PID:776
- - /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:775
- /usr/local/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:770
- /usr/local/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:770
- /usr/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:770
- /usr/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:770
- /sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:770
- /bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:770
- /bin/systemctl
  systemctl disable aliyun.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:777
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:778
- /bin/grep
  grep -v grep
  2⤵
  PID:779
- /bin/grep
  grep aegis
  2⤵
  PID:780
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:781
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:782
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:783
- /bin/grep
  grep -v grep
  2⤵
  PID:784
- /bin/grep
  grep Yun
  2⤵
  PID:785
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:787
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:786
- /bin/rm
  rm -rf /usr/local/aegis
  2⤵
  PID:788
- /bin/mkdir
  mkdir /usr/share -p
  2⤵
  PID:789
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:791
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:792
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:793
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:794
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:796
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:797
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:798
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:799
- /bin/grep
  grep :443
  2⤵
  PID:801
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:802
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:803
- /bin/grep
  grep -v -
  2⤵
  PID:804
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:805
- /bin/grep
  grep :23
  2⤵
  PID:807
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:808
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:809
- /bin/grep
  grep -v -
  2⤵
  PID:810
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:811
- /bin/grep
  grep :443
  2⤵
  PID:816
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:817
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:818
- /bin/grep
  grep -v -
  2⤵
  PID:819
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:820
- /bin/grep
  grep :143
  2⤵
  PID:822
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:823
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:824
- /bin/grep
  grep -v -
  2⤵
  PID:825
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:826
- /bin/grep
  grep :2222
  2⤵
  PID:828
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:829
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:830
- /bin/grep
  grep -v -
  2⤵
  PID:831
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:832
- /bin/grep
  grep :3333
  2⤵
  PID:834
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:835
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:836
- /bin/grep
  grep -v -
  2⤵
  PID:837
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:838
- /bin/grep
  grep :3389
  2⤵
  PID:840
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:841
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:842
- /bin/grep
  grep -v -
  2⤵
  PID:843
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:844
- /bin/grep
  grep :5555
  2⤵
  PID:846
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:847
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:848
- /bin/grep
  grep -v -
  2⤵
  PID:849
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:850
- /bin/grep
  grep :6666
  2⤵
  PID:852
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:853
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:854
- /bin/grep
  grep -v -
  2⤵
  PID:855
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:856
- /bin/grep
  grep :6665
  2⤵
  PID:858
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:859
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:860
- /bin/grep
  grep -v -
  2⤵
  PID:861
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:862
- /bin/grep
  grep :6667
  2⤵
  PID:864
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:865
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:866
- /bin/grep
  grep -v -
  2⤵
  PID:867
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:868
- /bin/grep
  grep :7777
  2⤵
  PID:870
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:871
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:872
- /bin/grep
  grep -v -
  2⤵
  PID:873
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:874
- /bin/grep
  grep :8444
  2⤵
  PID:876
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:877
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:878
- /bin/grep
  grep -v -
  2⤵
  PID:879
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:880
- /bin/grep
  grep :3347
  2⤵
  PID:882
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:883
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:884
- /bin/grep
  grep -v -
  2⤵
  PID:885
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:886
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:887
- /bin/grep
  grep -v grep
  2⤵
  PID:888
- /bin/grep
  grep :3333
  2⤵
  PID:889
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:890
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:891
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:892
- /bin/grep
  grep -v grep
  2⤵
  PID:893
- /bin/grep
  grep :5555
  2⤵
  PID:894
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:895
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:896
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:897
- /bin/grep
  grep -v grep
  2⤵
  PID:898
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:899
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:900
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:901
- /bin/ps
  ps aux
  2⤵
  PID:902
- /bin/grep
  grep -v grep
  2⤵
  PID:903
- /bin/grep
  grep log_
  2⤵
  PID:904
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:905
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:906
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:907
- /bin/grep
  grep -v grep
  2⤵
  PID:908
- /bin/grep
  grep systemten
  2⤵
  PID:909
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:910
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:911
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:912
- /bin/grep
  grep -v grep
  2⤵
  PID:913
- /bin/grep
  grep netns
  2⤵
  PID:914
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:915
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:916
- - /usr/local/sbin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:917
- - /usr/local/bin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:917
- - /usr/sbin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:917
- - /usr/bin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:917
- - /sbin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:917
- - /bin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    - Reads CPU attributes
    PID:917
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:918
- /bin/grep
  grep -v grep
  2⤵
  PID:919
- /bin/grep
  grep voltuned
  2⤵
  PID:920
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:921
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:922
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:923
- /bin/grep
  grep -v grep
  2⤵
  PID:924
- /bin/grep
  grep darwin
  2⤵
  PID:925
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:926
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:927
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:928
- /bin/grep
  grep -v grep
  2⤵
  PID:929
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:930
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:931
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:932
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:933
- /bin/grep
  grep -v grep
  2⤵
  PID:934
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:935
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:936
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:937
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:939
- /bin/grep
  grep -v grep
  2⤵
  PID:940
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:941
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:943
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:944
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:945
- /bin/grep
  grep -v grep
  2⤵
  PID:946
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:947
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:948
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:949
- /bin/ps
  ps aux
  2⤵
  PID:952
- /bin/grep
  grep -v grep
  2⤵
  PID:953
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:954
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:955
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:956
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:958
- /bin/grep
  grep -v grep
  2⤵
  PID:959
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:960
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:961
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:962
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:964
- /bin/grep
  grep -v grep
  2⤵
  PID:965
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:966
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:967
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:968
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:971
- /bin/grep
  grep -v grep
  2⤵
  PID:972
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:973
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:974
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:975
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:977
- /bin/grep
  grep -v grep
  2⤵
  PID:978
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:979
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:980
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:981
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:983
- /bin/grep
  grep -v grep
  2⤵
  PID:984
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:985
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:986
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:987
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:990
- /bin/grep
  grep -v grep
  2⤵
  PID:991
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:992
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:993
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:994
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:997
- /bin/grep
  grep -v grep
  2⤵
  PID:998
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:999
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1000
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1001
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1002
- /bin/grep
  grep -v grep
  2⤵
  PID:1003
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:1004
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1005
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1007
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1009
- /bin/grep
  grep -v grep
  2⤵
  PID:1010
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:1011
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1012
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1013
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:1018
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1016
- /bin/grep
  grep -v grep
  2⤵
  PID:1017
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1020
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1019
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1022
- /bin/grep
  grep -v grep
  2⤵
  PID:1023
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:1024
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1025
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1026
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1028
- /bin/grep
  grep -v grep
  2⤵
  PID:1029
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1030
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1031
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1032
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1035
- /bin/grep
  grep -v grep
  2⤵
  PID:1036
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:1037
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1038
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1039
- /bin/grep
  grep -v grep
  2⤵
  PID:1043
- /bin/ps
  ps aux
  2⤵
  PID:1042
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:1044
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1045
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1046
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1048
- /bin/grep
  grep -v grep
  2⤵
  PID:1049
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:1050
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1051
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1052
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1054
- /bin/grep
  grep -v grep
  2⤵
  PID:1055
- /bin/grep
  grep svc
  2⤵
  PID:1056
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1057
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1058
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1061
- /bin/grep
  grep -v grep
  2⤵
  PID:1062
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:1063
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1064
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1065
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1067
- /bin/grep
  grep -v grep
  2⤵
  PID:1068
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:1069
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1070
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1071
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1075
- /bin/grep
  grep -v grep
  2⤵
  PID:1076
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:1077
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1078
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1079
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1081
- /bin/grep
  grep -v grep
  2⤵
  PID:1082
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:1083
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1084
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1085
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1090
- /bin/grep
  grep -v grep
  2⤵
  PID:1091
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:1092
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1093
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1094
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1096
- /bin/grep
  grep -v grep
  2⤵
  PID:1097
- /bin/grep
  grep HiPxCJRS
  2⤵
  PID:1098
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1099
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1100
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1103
- /bin/grep
  grep -v grep
  2⤵
  PID:1104
- /bin/grep
  grep http_0xCC030
  2⤵
  - Disables SELinux
  PID:1105
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1106
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1107
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1110
- /bin/grep
  grep -v grep
  2⤵
  PID:1111
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:1112
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1113
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1114
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1116
- /bin/grep
  grep -v grep
  2⤵
  PID:1117
- /bin/grep
  grep http_0xCC032
  2⤵
  PID:1118
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1119
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1120
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1122
- /bin/grep
  grep -v grep
  2⤵
  PID:1123
- /bin/grep
  grep http_0xCC033
  2⤵
  PID:1124
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1125
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1126
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1128
- /bin/grep
  grep -v grep
  2⤵
  PID:1129
- /bin/grep
  grep C4iLM4L
  2⤵
  PID:1130
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1131
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1132
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1133
- /bin/grep
  grep -v grep
  2⤵
  PID:1134
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  PID:1135
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1136
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1137
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1138
- /bin/grep
  grep -v grep
  2⤵
  PID:1139
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1141
- /usr/bin/awk
  awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
  2⤵
  PID:1140
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1142
- /bin/grep
  grep -v grep
  2⤵
  PID:1143
- /bin/grep
  grep /boot/vmlinuz
  2⤵
  PID:1144
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1145
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1146
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1147
- /bin/grep
  grep -v grep
  2⤵
  PID:1148
- /bin/grep
  grep i4b503a52cc5
  2⤵
  PID:1149
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1150
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1151
- /bin/ps
  ps aux
  2⤵
  PID:1152
- /bin/grep
  grep -v grep
  2⤵
  PID:1153
- /bin/grep
  grep dgqtrcst23rtdi3ldqk322j2
  2⤵
  PID:1154
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1155
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1156
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1157
- /bin/grep
  grep -v grep
  2⤵
  PID:1158
- /bin/grep
  grep 2g0uv7npuhrlatd
  2⤵
  PID:1159
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1160
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1161
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1162
- /bin/grep
  grep -v grep
  2⤵
  PID:1163
- /bin/grep
  grep nqscheduler
  2⤵
  PID:1164
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1165
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1166
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1167
- /bin/grep
  grep -v grep
  2⤵
  PID:1168
- /bin/grep
  grep rkebbwgqpl4npmm
  2⤵
  PID:1169
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1170
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1171
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1172
- /bin/grep
  grep -v grep
  2⤵
  PID:1173
- /bin/grep
  grep -v aux
  2⤵
  PID:1174
- /bin/grep
  grep "]"
  2⤵
  PID:1175
- /usr/bin/awk
  awk "\$3>10.0{print \$2}"
  2⤵
  PID:1176
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1177
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1178
- /bin/grep
  grep -v grep
  2⤵
  PID:1179
- /bin/grep
  grep 2fhtu70teuhtoh78jc5s
  2⤵
  PID:1180
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1181
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1182
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1183
- /bin/grep
  grep -v grep
  2⤵
  PID:1184
- /bin/grep
  grep 0kwti6ut420t
  2⤵
  PID:1185
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1186
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1187
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1188
- /bin/grep
  grep -v grep
  2⤵
  PID:1189
- /bin/grep
  grep 44ct7udt0patws3agkdfqnjm
  2⤵
  PID:1190
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1191
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1192
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1193
- /bin/grep
  grep -v grep
  2⤵
  PID:1194
- /bin/grep
  grep -v /
  2⤵
  PID:1195
- /bin/grep
  grep -v -
  2⤵
  PID:1196
- /bin/grep
  grep -v _
  2⤵
  PID:1197
- /usr/bin/awk
  awk "length(\$11)>19{print \$2}"
  2⤵
  PID:1198
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1199
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1200
- /bin/grep
  grep -v grep
  2⤵
  PID:1201
- /bin/grep
  grep "\\[^"
  2⤵
  PID:1202
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1203
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1204
- /bin/ps
  ps aux
  2⤵
  PID:1205
- /bin/grep
  grep -v grep
  2⤵
  PID:1206
- /bin/grep
  grep rsync
  2⤵
  PID:1207
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1208
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1209
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1210
- /bin/grep
  grep -v grep
  2⤵
  PID:1211
- /bin/grep
  grep watchd0g
  2⤵
  PID:1212
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1213
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1214
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1215
- /bin/grep
  grep -v grep
  2⤵
  PID:1216
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1218
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1219
- /bin/egrep
  egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1217
- /usr/local/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1217
- /usr/local/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1217
- /usr/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1217
- /usr/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1217
- /sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1217
- /bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1217
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1220
- /bin/grep
  grep -v grep
  2⤵
  PID:1221
- /bin/grep
  grep 158.69.133.18:8220
  2⤵
  - Disables SELinux
  PID:1222
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1223
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1224
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1225
- /bin/grep
  grep -v grep
  2⤵
  PID:1226
- /bin/grep
  grep /tmp/java
  2⤵
  PID:1227
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1228
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1229
- /bin/grep
  grep -v grep
  2⤵
  PID:1231
- /bin/ps
  ps aux
  2⤵
  PID:1230
- /bin/grep
  grep gitee.com
  2⤵
  PID:1232
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1233
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1234
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1235
- /bin/grep
  grep -v grep
  2⤵
  PID:1236
- /bin/grep
  grep /tmp/java
  2⤵
  PID:1237
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1238
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1239
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1240
- /bin/grep
  grep -v grep
  2⤵
  PID:1241
- /bin/grep
  grep 104.248.4.162
  2⤵
  PID:1242
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1243
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1244
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1245
- /bin/grep
  grep -v grep
  2⤵
  PID:1246
- /bin/grep
  grep 89.35.39.78
  2⤵
  PID:1247
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1248
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1249
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1250
- /bin/grep
  grep -v grep
  2⤵
  PID:1251
- /bin/grep
  grep /dev/shm/z3.sh
  2⤵
  PID:1252
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1253
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1254
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1257
- /bin/grep
  grep -v grep
  2⤵
  PID:1258
- /bin/grep
  grep kthrotlds
  2⤵
  PID:1259
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1260
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1261
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1264
- /bin/grep
  grep -v grep
  2⤵
  PID:1265
- /bin/grep
  grep ksoftirqds
  2⤵
  PID:1266
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1267
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1268
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1270
- /bin/grep
  grep -v grep
  2⤵
  PID:1271
- /bin/grep
  grep netdns
  2⤵
  PID:1272
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1273
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1274
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1277
- /bin/grep
  grep -v grep
  2⤵
  PID:1278
- /bin/grep
  grep watchdogs
  2⤵
  PID:1279
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1280
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1281
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1283
- /bin/grep
  grep -v grep
  2⤵
  PID:1284
- /bin/grep
  grep kdevtmpfsi
  2⤵
  PID:1285
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1286
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1287

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/mail/user

Filesize
825B

MD5
094fc3cb83332f3c6254304de73adbc3

SHA1
297c14130264326961a6b10b16b0beb2799aea44

SHA256
8644b738c83f1cbe55a6a53bcd1a647da87d18caf76d6d1827c1700d8d859251

SHA512
0026cc6037a2bb6d2a3f7ece1eed5f54ff502ff3218609e407d938d5445cbad1afc2dfac92a84d074cb8a68054548285308318064b9857f81851f5f25c25de48

Download Submit
/var/mail/user

Filesize
1KB

MD5
85f3a3e1b9ea712abb805162a3aadc9c

SHA1
9c573aa49ed72d2dccf8841bc186188707a68f59

SHA256
ed3e7b9a97300b336478d581e5ec567d4bd223ab6c9da83ff18ff6389a7ef12f

SHA512
cb90bdf489666eb2aa3175b63100c8502fd138ac4d2ed98adfffec85fa19d40db87176e60bb5398df6f0037c10f96f92b6846799e181e0ec85cf9a6a0f76e588

Download Submit
/var/spool/exim4/input/1spdPR-0000Bs-W5-D

Filesize
146B

MD5
5c6bb8ffe1984a81c893996e3a228c9a

SHA1
315056ac5f1544e8106b3e2e79567c20309ad909

SHA256
fd1cb6846a9a58f30c7270f3f50ac15a125a0c8065ad3d81baa82d87be151fa4

SHA512
48c3f3ce2fb9c53f113599f31d3edb348948f7b6b828381c9923820ae95d35d3d411d57b7406b878c7a157a76b04c8f0a555d80b67f2801cc7cf4f3b12b9c162

Download Submit
/var/spool/exim4/input/1spdPS-0000Bp-3f-D

Filesize
128B

MD5
b29498fac5a0f1e01163d18769ad56f2

SHA1
194f8e9a3f315342b4fc5e892405fec0998383a0

SHA256
17a2386d30f7990180b630cf734304b15b4ba0b2fd4fb5063c581baf67656c94

SHA512
ab509b8641a523004cd35abd64f7f5444657765e3e2fbd27888ddd30077326866ae0b6e9d144ca974aaa73ef01e6e41e3e919e7900ae60f185f6fac4acb3c120

Download Submit
/var/spool/exim4/input/1spdPS-0000Bp-3f-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/hdr.733

Filesize
915B

MD5
2604c9a3c712d20180b0b058e5614abb

SHA1
80cac60b88b1190745f993b49425ca6b29c9baec

SHA256
037efabddd10a8407f2c068351579b8bc7dbaad3d2e9b704a13c98c401198dd4

SHA512
abc5ae1acc94fee70a97a1da9ad44501530c683d5bf42140da5e023956aaa6f39b986e775308aa968c464efb425bef72d59a0188da8461b11dbd08aab4652910

Download Submit
/var/spool/exim4/input/hdr.736

Filesize
915B

MD5
062a66120a4268ec892ab7492778589d

SHA1
aad3250ad51d011d9c4e9b8008b695c28fd15ac0

SHA256
c6f5195c43854336bb1ace716a07243af79fbbf7f42d2f31525013388933fa2f

SHA512
bf766bb351a8115ab17cc58455e2b51a88394c3982c19fd803801ef02da175a3c820027e30438f1b571542f6c71353e8ff85fe356502dccc7b69a46de83bd462

Download Submit
/var/spool/exim4/msglog/1spdPR-0000Bs-W5

Filesize
288B

MD5
170d115ed572afa2b6503ff77e75ece4

SHA1
b4263584f8a3e2de348a6c56bc11bdbd8eef06d7

SHA256
cb4089d4779f28dc58a443d1b39e0bc0485a3867e9a0f60279f1a9c8a464e3bf

SHA512
f0121765a6ccfdc2521646c26ee2936d343d2c48f91a8761148e5cac8929d0bdad22113bfaea0c38713d7d7c67d0ee143714b9b65ceba67c41fb69d43a34cf8e

Download Submit
/var/spool/exim4/msglog/1spdPR-0000Bs-W5

Filesize
89B

MD5
a82a62bc8c5623d20cdbac7a04d9acbd

SHA1
85b94ef1d27ea3126cb90c39a1e506e17da709c6

SHA256
7121658c5408b68b7fcc6405ce5690d66f833cfe8228cf3981243dd0a4e5de30

SHA512
c521b53c227675472fa801758a324c9c815d2c090dbc1cb990b24d19958684b8254e6f9b8b44445162326435747cda55809a16c54046bfec142a333a20072094

Download Submit
/var/spool/exim4/msglog/1spdPS-0000Bp-3f

Filesize
288B

MD5
db64e7192454f146f8ec2b4026e9da03

SHA1
ea6117054b467276e23ff8e3bc0bd04437e8b907

SHA256
b56edad126f4eb2d6b238b1846548cfad1f1cef3684b8bc4bc9f7df1a626a789

SHA512
4a8624ea98b4ae9ae11298cac626c7ea570afa9a4ec2a61ec216e77cac8a570d467a59356e55149102a0dd308155cc442b3af810f9233d6751609ef20d747c1d

Download Submit
/var/spool/exim4/msglog/1spdPS-0000Bp-3f

Filesize
89B

MD5
e176e97e282151c9eb2af9734d1a1fd4

SHA1
176965aeecd835924ca013ebcdf9a5e5845894c3

SHA256
3675431daf74e93940a44858eb2c853edecb7bcb9d36c781d49b8727bffe14d8

SHA512
07002ec41f7afa41546add9a537efce0ef5132a095ffd84b0ae3df878b97ae93025365ada0feea07269abc498a9b639b52e3d69042d5bd9ad7a9882a41245480

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads