3c0e677024ea8554a0eed96c62ef39549cefebb44937d9c778926daac67d5495

Analysis

max time kernel
30s
max time network
40s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
27-09-2024 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa8008ca091d7d984279655e9bc577d8_JaffaCakes118
Size

30KB
MD5

fa8008ca091d7d984279655e9bc577d8
SHA1

2cb21f9e3473a1fb6e3718b2018d6eea5f6f5020
SHA256

3c0e677024ea8554a0eed96c62ef39549cefebb44937d9c778926daac67d5495
SHA512

138f3847581ed8730764453da36c9555dd669e0bf5efc0c6f2433d443afeb4419cd6f190d97417dfa47a8cde3ab145e75664e96b16aad991ab5f10bf8204d9db
SSDEEP

384:p7pQBDf6jlpTWg3vMGQiirhHwMyGj4CC9vEKMvU/4Qdre21jT58vKpG2Y0orcfKS:p78zQ5VFNcDAFLcIwgnoYq0xFBVZHttn

Score

7^/10

defense_evasion discovery evasion privilege_escalation

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 TTPs 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

pid	Process
669	iptables

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
676	sudo

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
660	chattr
665	chattr
814	xargs
854	xargs
867	xargs
978	xargs
1115	xargs
723	xargs
755	xargs
809	xargs
894	xargs
1110	xargs
817	xargs
993	xargs
1045	xargs
1148	xargs
689	chattr
785	xargs
819	xargs
840	xargs
955	xargs
1105	xargs
706	xargs
880	xargs
1008	xargs
1053	xargs
1095	xargs
1130	xargs
1153	xargs
925	xargs
973	xargs
1016	xargs
1031	xargs
1088	xargs
700	grep
741	xargs
767	xargs
832	xargs
717	xargs
791	xargs
941	xargs
983	xargs
988	xargs
1081	xargs
729	xargs
747	xargs
963	xargs
1100	xargs
658	chattr
711	xargs
803	xargs
886	xargs
687	chattr
761	xargs
773	xargs
948	xargs
1074	xargs
1135	xargs
1023	xargs
662	chattr
696	grep
779	xargs
935	xargs
1038	xargs

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 53 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Process Discovery 1 TTPs 46 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

pid	Process
937	ps
996	ps
695	ps
699	ps
836	ps
897	ps
905	ps
912	ps
1004	ps
1131	ps
1139	ps
1144	ps
828	ps
979	ps
1027	ps
1049	ps
1063	ps
1111	ps
951	ps
974	ps
989	ps
1019	ps
1106	ps
921	ps
964	ps
1077	ps
890	ps
969	ps
1041	ps
1056	ps
1070	ps
1034	ps
1096	ps
1121	ps
1126	ps
944	ps
1012	ps
1101	ps
1116	ps
882	ps
931	ps
959	ps
984	ps
1084	ps
1091	ps
1149	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/25/stat	ps
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/107/stat	ps
File opened for reading	/proc/43/cmdline	ps
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/165/status	ps
File opened for reading	/proc/1121/cmdline	ps
File opened for reading	/proc/5/status	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/107/cmdline	ps
File opened for reading	/proc/4/status	ps
File opened for reading	/proc/130/cmdline	ps
File opened for reading	/proc/602/status	ps
File opened for reading	/proc/3/stat	ps
File opened for reading	/proc/15/cmdline	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/1112/cmdline	ps
File opened for reading	/proc/1023/stat	ps
File opened for reading	/proc/165/cmdline	ps
File opened for reading	/proc/uptime	ps
File opened for reading	/proc/661/cmdline	ps
File opened for reading	/proc/279/stat	ps
File opened for reading	/proc/854/cmdline	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/27/cmdline	ps
File opened for reading	/proc/1030/stat	ps
File opened for reading	/proc/130/status	ps
File opened for reading	/proc/601/status	ps
File opened for reading	/proc/654/status	ps
File opened for reading	/proc/148/status	ps
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/stat	ps
File opened for reading	/proc/927/stat	ps
File opened for reading	/proc/17/status	ps
File opened for reading	/proc/43/cmdline	ps
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/42/stat	ps
File opened for reading	/proc/859/status	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/3/status	ps
File opened for reading	/proc/165/stat	ps
File opened for reading	/proc/1012/stat	ps
File opened for reading	/proc/14/cmdline	ps
File opened for reading	/proc/278/stat	ps
File opened for reading	/proc/2/cmdline	ps
File opened for reading	/proc/27/stat	ps
File opened for reading	/proc/7/stat	ps
File opened for reading	/proc/602/stat	ps
File opened for reading	/proc/43/cmdline	ps
File opened for reading	/proc/41/stat	ps
File opened for reading	/proc/42/cmdline	ps
File opened for reading	/proc/21/stat	ps
File opened for reading	/proc/106/stat	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/263/cmdline	ps
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/130/status	ps
File opened for reading	/proc/329/cmdline	ps
File opened for reading	/proc/29/status	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/13/status	ps

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1141	grep

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/log_rot	fa8008ca091d7d984279655e9bc577d8_JaffaCakes118

/tmp/fa8008ca091d7d984279655e9bc577d8_JaffaCakes118
/tmp/fa8008ca091d7d984279655e9bc577d8_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:655
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:656
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:658
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:660
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  - Attempts to change immutable files
  PID:662
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  - Attempts to change immutable files
  PID:665
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:669
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:676
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:684
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:685
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:687
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:689
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:690
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:692
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:693
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:695
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:696
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:700
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:699
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:704
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:703
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:705
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:706
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:710
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:709
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:711
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:708
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:715
- /bin/grep
  grep -v -
  2⤵
  PID:716
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:714
- /bin/grep
  grep :143
  2⤵
  PID:713
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:717
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:721
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:720
- /bin/grep
  grep :2222
  2⤵
  PID:719
- /bin/grep
  grep -v -
  2⤵
  PID:722
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:723
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:727
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:726
- /bin/grep
  grep :3333
  2⤵
  PID:725
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:729
- /bin/grep
  grep -v -
  2⤵
  PID:728
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:732
- /bin/grep
  grep :3389
  2⤵
  PID:731
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:733
- /bin/grep
  grep -v -
  2⤵
  PID:734
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:735
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:738
- /bin/grep
  grep :4444
  2⤵
  PID:737
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:739
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:741
- /bin/grep
  grep -v -
  2⤵
  PID:740
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:745
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:744
- /bin/grep
  grep -v -
  2⤵
  PID:746
- /bin/grep
  grep :5555
  2⤵
  PID:743
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:747
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:753
- /bin/grep
  grep -v -
  2⤵
  PID:754
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:752
- /bin/grep
  grep :6666
  2⤵
  PID:751
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:755
- /bin/grep
  grep -v -
  2⤵
  PID:760
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:759
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:758
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:761
- /bin/grep
  grep :6665
  2⤵
  PID:757
- /bin/grep
  grep -v -
  2⤵
  PID:766
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:765
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:764
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:767
- /bin/grep
  grep :6667
  2⤵
  PID:763
- /bin/grep
  grep -v -
  2⤵
  PID:772
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:771
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:770
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:773
- /bin/grep
  grep :7777
  2⤵
  PID:769
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:777
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:776
- /bin/grep
  grep -v -
  2⤵
  PID:778
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:779
- /bin/grep
  grep :8444
  2⤵
  PID:775
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:783
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:782
- /bin/grep
  grep -v -
  2⤵
  PID:784
- /bin/grep
  grep :3347
  2⤵
  PID:781
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:785
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:789
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:788
- /bin/grep
  grep -v -
  2⤵
  PID:790
- /bin/grep
  grep :14444
  2⤵
  PID:787
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:791
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:795
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:794
- /bin/grep
  grep -v -
  2⤵
  PID:796
- /bin/grep
  grep :14433
  2⤵
  PID:793
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:797
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:800
- /bin/grep
  grep :13531
  2⤵
  PID:799
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:801
- /bin/grep
  grep -v -
  2⤵
  PID:802
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:803
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:807
- /bin/cat
  cat /tmp/.X11-unix/01
  2⤵
  PID:806
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:809
- /bin/cat
  cat /tmp/.X11-unix/11
  2⤵
  PID:808
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:811
- /bin/cat
  cat /tmp/.X11-unix/22
  2⤵
  PID:810
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:814
- /bin/cat
  cat /tmp/.pg_stat.0
  2⤵
  PID:813
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:817
- /bin/cat
  cat /tmp/.pg_stat.1
  2⤵
  PID:816
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:819
- /bin/cat
  cat /data/./oka.pid
  2⤵
  PID:818
- /usr/bin/pkill
  pkill -f zsvc
  2⤵
  - Reads CPU attributes
  PID:821
- /usr/bin/pkill
  pkill -f pdefenderd
  2⤵
  - Reads CPU attributes
  PID:823
- /usr/bin/pkill
  pkill -f updatecheckerd
  2⤵
  - Reads CPU attributes
  PID:826
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:832
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:831
- /bin/grep
  grep -v grep
  2⤵
  PID:830
- /bin/grep
  grep ./oka
  2⤵
  PID:829
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:828
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:840
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:839
- /bin/grep
  grep -v grep
  2⤵
  PID:838
- /bin/grep
  grep "postgres: autovacum"
  2⤵
  PID:837
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:836
- /bin/grep
  grep -v bin
  2⤵
  PID:845
- /usr/bin/awk
  awk "length(\$1) == 8"
  2⤵
  PID:844
- /bin/grep
  grep -v "\\["
  2⤵
  PID:846
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:843
- /bin/grep
  grep -v "("
  2⤵
  PID:847
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:848
- /bin/grep
  grep -v proxymap
  2⤵
  PID:849
- /bin/grep
  grep -v postgres
  2⤵
  PID:850
- /bin/grep
  grep -v postgrey
  2⤵
  PID:851
- /bin/grep
  grep -v kinsing
  2⤵
  PID:852
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:853
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:854
- /bin/grep
  grep -v "("
  2⤵
  PID:861
- /bin/grep
  grep -v "\\["
  2⤵
  PID:860
- /bin/grep
  grep -v bin
  2⤵
  PID:859
- /usr/bin/awk
  awk "length(\$1) == 16"
  2⤵
  PID:858
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:862
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:857
- /bin/grep
  grep -v proxymap
  2⤵
  PID:863
- /bin/grep
  grep -v postgres
  2⤵
  PID:864
- /bin/grep
  grep -v postgrey
  2⤵
  PID:865
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:866
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:867
- /bin/grep
  grep -v "("
  2⤵
  PID:874
- /bin/grep
  grep -v "\\["
  2⤵
  PID:873
- /bin/grep
  grep -v bin
  2⤵
  PID:872
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:875
- /usr/bin/awk
  awk "length(\$5) == 8"
  2⤵
  PID:871
- /bin/ps
  ps ax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:870
- /bin/grep
  grep -v proxymap
  2⤵
  PID:876
- /bin/grep
  grep -v postgres
  2⤵
  PID:877
- /bin/grep
  grep -v postgrey
  2⤵
  PID:878
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:879
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:880
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:886
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:885
- /bin/grep
  grep /tmp/sscks
  2⤵
  PID:884
- /bin/grep
  grep -v grep
  2⤵
  PID:883
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:882
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:894
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:893
- /bin/grep
  grep -v grep
  2⤵
  PID:892
- /bin/grep
  grep "sleep 60"
  2⤵
  PID:891
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:890
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:901
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:900
- /bin/grep
  grep -v grep
  2⤵
  PID:899
- /bin/grep
  grep ./crun
  2⤵
  PID:898
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:897
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:909
- /usr/bin/awk
  awk "{if(\$3>80.0) print \$2}"
  2⤵
  PID:908
- /bin/grep
  grep -v grep
  2⤵
  PID:907
- /bin/grep
  grep -vw kdevtmpfsi
  2⤵
  PID:906
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:905
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:916
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:915
- /bin/grep
  grep :3333
  2⤵
  PID:914
- /bin/grep
  grep -v grep
  2⤵
  PID:913
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:912
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:925
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:924
- /bin/grep
  grep :5555
  2⤵
  PID:923
- /bin/grep
  grep -v grep
  2⤵
  PID:922
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:921
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:933
- /bin/grep
  grep -v grep
  2⤵
  PID:932
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:934
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:931
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:935
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:941
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:940
- /bin/grep
  grep log_
  2⤵
  PID:939
- /bin/grep
  grep -v grep
  2⤵
  PID:938
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:937
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:948
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:947
- /bin/grep
  grep -v grep
  2⤵
  PID:945
- /bin/grep
  grep systemten
  2⤵
  PID:946
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:944
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:955
- - /usr/local/sbin/kill
    kill -9 14
    3⤵
    PID:957
- - /usr/local/bin/kill
    kill -9 14
    3⤵
    PID:957
- - /usr/sbin/kill
    kill -9 14
    3⤵
    PID:957
- - /usr/bin/kill
    kill -9 14
    3⤵
    PID:957
- - /sbin/kill
    kill -9 14
    3⤵
    PID:957
- - /bin/kill
    kill -9 14
    3⤵
    - Reads CPU attributes
    PID:957
- /bin/grep
  grep netns
  2⤵
  PID:953
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:954
- /bin/grep
  grep -v grep
  2⤵
  PID:952
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:951
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:963
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:962
- /bin/grep
  grep voltuned
  2⤵
  PID:961
- /bin/grep
  grep -v grep
  2⤵
  PID:960
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:959
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:968
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:967
- /bin/grep
  grep darwin
  2⤵
  PID:966
- /bin/grep
  grep -v grep
  2⤵
  PID:965
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:964
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:973
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:972
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:971
- /bin/grep
  grep -v grep
  2⤵
  PID:970
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:969
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:978
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:977
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:976
- /bin/grep
  grep -v grep
  2⤵
  PID:975
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:974
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:983
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:982
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:981
- /bin/grep
  grep -v grep
  2⤵
  PID:980
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:979
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:988
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:987
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:986
- /bin/grep
  grep -v grep
  2⤵
  PID:985
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:984
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:993
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:992
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:991
- /bin/grep
  grep -v grep
  2⤵
  PID:990
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:989
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:998
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:999
- /bin/grep
  grep -v grep
  2⤵
  PID:997
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1000
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:996
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1008
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1007
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:1006
- /bin/grep
  grep -v grep
  2⤵
  PID:1005
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1004
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1016
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1015
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:1014
- /bin/grep
  grep -v grep
  2⤵
  PID:1013
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1012
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1023
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1022
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:1021
- /bin/grep
  grep -v grep
  2⤵
  PID:1020
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1019
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1027
- /bin/grep
  grep -v grep
  2⤵
  PID:1028
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1030
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1031
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:1029
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1038
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1037
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:1036
- /bin/grep
  grep -v grep
  2⤵
  PID:1035
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1034
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1045
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1044
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:1043
- /bin/grep
  grep -v grep
  2⤵
  PID:1042
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1041
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1053
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1052
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:1051
- /bin/grep
  grep -v grep
  2⤵
  PID:1050
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1049
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1060
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1059
- /bin/grep
  grep nMrfmnRa
  2⤵
  PID:1058
- /bin/grep
  grep -v grep
  2⤵
  PID:1057
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1056
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1067
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1066
- /bin/grep
  grep PuNY5tm2
  2⤵
  PID:1065
- /bin/grep
  grep -v grep
  2⤵
  PID:1064
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1063
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1074
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1073
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:1072
- /bin/grep
  grep -v grep
  2⤵
  PID:1071
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1070
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1081
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1080
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:1079
- /bin/grep
  grep -v grep
  2⤵
  PID:1078
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1077
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:1086
- /bin/grep
  grep -v grep
  2⤵
  PID:1085
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1087
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1088
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1084
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1095
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1093
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1094
- /bin/grep
  grep -v grep
  2⤵
  PID:1092
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1091
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1100
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1099
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:1098
- /bin/grep
  grep -v grep
  2⤵
  PID:1097
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1096
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1105
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1104
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:1103
- /bin/grep
  grep -v grep
  2⤵
  PID:1102
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1101
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1110
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1109
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:1108
- /bin/grep
  grep -v grep
  2⤵
  PID:1107
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1106
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1115
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1114
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:1113
- /bin/grep
  grep -v grep
  2⤵
  PID:1112
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1111
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1120
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1119
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:1118
- /bin/grep
  grep -v grep
  2⤵
  PID:1117
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1116
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:1123
- /bin/grep
  grep -v grep
  2⤵
  PID:1122
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1124
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1125
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1121
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1130
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1129
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:1128
- /bin/grep
  grep -v grep
  2⤵
  PID:1127
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1126
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1135
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1134
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:1133
- /bin/grep
  grep -v grep
  2⤵
  PID:1132
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1131
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1143
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1142
- /bin/grep
  grep HiPxCJRS
  2⤵
  - System Network Configuration Discovery
  PID:1141
- /bin/grep
  grep -v grep
  2⤵
  PID:1140
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1139
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1148
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1147
- /bin/grep
  grep http_0xCC030
  2⤵
  PID:1146
- /bin/grep
  grep -v grep
  2⤵
  PID:1145
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1144
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1153
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1152
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:1151
- /bin/grep
  grep -v grep
  2⤵
  PID:1150
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1149

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads