Executes dropped EXE

Modifies hosts file

Adds to hosts file used for mapping hosts to IP addresses.

OS Credential Dumping

Adversaries may attempt to dump credentials to use it in password cracking.

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Abuse sudo or cached sudo credentials to execute code.

Checks hardware identifiers (DMI)

Checks DMI information which indicate if the system is a virtual machine.

Enumerates running processes

Discovers information about currently running processes on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Uses a legitimate IP lookup service to find the infected system's external IP.

Reads hardware information

Accesses system info like serial numbers, manufacturer names etc.

Reads list of loaded kernel modules

Reads the list of currently loaded kernel modules, possibly to detect virtual environments.