Analysis
-
max time kernel
149s -
max time network
149s -
platform
ubuntu-22.04_amd64 -
resource
ubuntu2204-amd64-20240611-en -
resource tags
arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system -
submitted
03-11-2024 14:44
Behavioral task
behavioral1
Sample
a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf
Resource
ubuntu2204-amd64-20240611-en
General
-
Target
a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf
-
Size
1.8MB
-
MD5
3b0cc5dd65238abdc55e9c47d0d8660f
-
SHA1
81d42740e04d5378d96c1a8ebd7de21863225dc4
-
SHA256
a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e
-
SHA512
dbd19679e394a0ca56742f6b29fb8fc15adb0bfa6f714250b788a9b53199a1a74c9c39a94ea13fc5b06b846cc93c86f56ccdf34ffd1ad8cd09e826cf513f99df
-
SSDEEP
24576:ae9ufJvk4gQjMNRfktnsIXvZFyD9i+MPCIxyuzNqssZXJj4bdYVVMtIwWz1v:WYMnwRO4ssPcd5Wz1
Malware Config
Extracted
kaiji
ss.us-tv.top:1930
Signatures
-
Kaiji 1 IoCs
Kaiji payload
Processes:
resource yara_rule /boot/System.mod Kaiji -
Kaiji family
-
Executes dropped EXE 5 IoCs
Processes:
32676opt.services.cfgopt.services.cfgopt.services.cfgopt.services.cfgioc pid process /etc/32676 1596 32676 /etc/opt.services.cfg 1740 opt.services.cfg /etc/opt.services.cfg 1744 opt.services.cfg /etc/opt.services.cfg 1760 opt.services.cfg /etc/opt.services.cfg 1764 opt.services.cfg -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elfdescription ioc process File opened for modification /dev/watchdog a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /dev/misc/watchdog a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Creates/modifies environment variables 1 TTPs 3 IoCs
Creating/modifying environment variables is a common persistence mechanism.
Processes:
a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elfdescription ioc process File opened for modification /etc/profile.d/bash_cfg a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/profile.d/bash_cfg.sh a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/profile.d/gateway.sh a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf -
Enumerates running processes
Discovers information about currently running processes on the system
-
Processes:
a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elfdescription ioc process File opened for modification /etc/init.d/apparmor a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/avahi-daemon a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/cron a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/dbus a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/kmod a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/x11-common a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/acpid a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/anacron a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/bluetooth a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/console-setup.sh a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/saned a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/udev a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/apport a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/cryptdisks a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/cryptdisks-early a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/cups a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/openvpn a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/sssd a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/gdm3 a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/hwclock.sh a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/lvm2-lvmpolld a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/open-iscsi a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/plymouth-log a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/alsa-utils a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/rsync a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/ssh a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/cups-browsed a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/procps a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/iscsid a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/keyboard-setup.sh a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/plymouth a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/spice-vdagent a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/init.d/unattended-upgrades a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf -
Modifies systemd 2 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
Processes:
a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elfdescription ioc process File opened for modification /usr/lib/systemd/system/quotaoff.service a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf -
Write file to user bin folder 12 IoCs
Processes:
a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elfdescription ioc process File opened for modification /usr/bin/include/ss a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /usr/bin/include/lsof a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /usr/bin/lsof a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /usr/bin/ps a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /usr/bin/ss a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /usr/bin/ls a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /usr/bin/dir a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /usr/bin/include/ps a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /usr/bin/include/ls a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /usr/bin/include/dir a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /usr/bin/include/find a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /usr/bin/find a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf -
Modifies Bash startup script 2 TTPs 3 IoCs
Processes:
a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elfdescription ioc process File opened for modification /etc/profile.d/bash_cfg.sh a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/profile.d/gateway.sh a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for modification /etc/profile.d/bash_cfg a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf -
Command and Scripting Interpreter: Unix Shell 1 TTPs 4 IoCs
Execute scripts via Unix Shell.
-
Enumerates kernel/hardware configuration 1 TTPs 6 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
Processes:
a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elfa65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elfopt.services.cfgopt.services.cfgopt.services.cfgopt.services.cfgdescription ioc process File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size opt.services.cfg File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size opt.services.cfg File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size opt.services.cfg File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size opt.services.cfg -
Processes:
a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elfsystemctlsystemctlsystemctlseddescription ioc process File opened for reading /proc/217/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/695/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/780/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/988/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1030/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1169/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1401/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/90/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1410/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/219/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/220/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/446/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/734/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1071/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/89/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/17/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/25/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/99/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/212/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/631/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/13/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1154/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1035/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/11/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/19/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/502/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/634/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/3/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1168/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1201/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/filesystems systemctl File opened for reading /proc/76/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1177/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1283/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1090/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/86/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/590/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/628/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1139/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1157/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/83/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/88/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/588/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1069/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1312/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/filesystems systemctl File opened for reading /proc/5/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/409/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/527/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1197/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/75/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/93/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1294/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1561/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/filesystems systemctl File opened for reading /proc/filesystems sed File opened for reading /proc/85/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/98/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/210/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/308/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/779/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/833/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1130/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf File opened for reading /proc/1153/stat a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf
Processes
-
/tmp/a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf/tmp/a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf1⤵
- Enumerates kernel/hardware configuration
PID:1587 -
/tmp/a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf/tmp/a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e.elf " "2⤵
- Modifies Watchdog functionality
- Creates/modifies environment variables
- Modifies init.d
- Modifies systemd
- Write file to user bin folder
- Modifies Bash startup script
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1591 -
/bin/sh/bin/sh -c "/etc/32676&"3⤵
- Command and Scripting Interpreter: Unix Shell
PID:1595
-
-
/usr/sbin/serviceservice crond start3⤵PID:1597
-
/usr/bin/basenamebasename /usr/sbin/service4⤵PID:1599
-
-
/usr/bin/basenamebasename /usr/sbin/service4⤵PID:1600
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"4⤵PID:1603
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"4⤵PID:1602
-
-
-
/usr/local/sbin/systemctlsystemctl start crond.service3⤵PID:1597
-
-
/usr/local/bin/systemctlsystemctl start crond.service3⤵PID:1597
-
-
/usr/sbin/systemctlsystemctl start crond.service3⤵PID:1597
-
-
/usr/bin/systemctlsystemctl start crond.service3⤵PID:1597
-
-
/bin/sh/bin/sh -c "cd /boot;systemctl daemon-reload;systemctl enable quotaoff.service;systemctl start quotaoff.service;journalctl -xe --no-pager"3⤵
- Command and Scripting Interpreter: Unix Shell
PID:1620 -
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Reads runtime system information
PID:1621
-
-
/usr/bin/systemctlsystemctl enable quotaoff.service4⤵PID:1655
-
-
/usr/bin/systemctlsystemctl start quotaoff.service4⤵
- Reads runtime system information
PID:1689
-
-
/usr/bin/journalctljournalctl -xe --no-pager4⤵PID:1697
-
-
-
/bin/sh/bin/sh -c "cd /boot;ausearch -c 'System.mod' --raw | audit2allow -M my-Systemmod;semodule -X 300 -i my-Systemmod.pp"3⤵
- Command and Scripting Interpreter: Unix Shell
PID:1704
-
-
/bin/sh/bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"3⤵
- Creates/modifies Cron job
- Command and Scripting Interpreter: Unix Shell
PID:1707
-
-
/usr/bin/renicerenice -20 15913⤵PID:1708
-
-
/usr/bin/mountmount -o bind /tmp/ /proc/15913⤵PID:1709
-
-
/usr/sbin/serviceservice cron start3⤵PID:1711
-
/usr/bin/basenamebasename /usr/sbin/service4⤵PID:1712
-
-
/usr/bin/basenamebasename /usr/sbin/service4⤵PID:1713
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"4⤵
- Reads runtime system information
PID:1716
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"4⤵PID:1715
-
-
-
/usr/local/sbin/systemctlsystemctl start cron.service3⤵PID:1711
-
-
/usr/local/bin/systemctlsystemctl start cron.service3⤵PID:1711
-
-
/usr/sbin/systemctlsystemctl start cron.service3⤵PID:1711
-
-
/usr/bin/systemctlsystemctl start cron.service3⤵
- Reads runtime system information
PID:1711
-
-
/usr/bin/systemctlsystemctl start crond.service3⤵PID:1723
-
-
-
/etc/32676/etc/326761⤵
- Executes dropped EXE
PID:1596 -
/usr/bin/sleepsleep 602⤵PID:1598
-
-
/etc/opt.services.cfg/etc/opt.services.cfg2⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
PID:1740 -
/etc/opt.services.cfg/etc/opt.services.cfg " "3⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
PID:1744
-
-
-
/usr/bin/sleepsleep 602⤵PID:1745
-
-
/etc/opt.services.cfg/etc/opt.services.cfg2⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
PID:1760 -
/etc/opt.services.cfg/etc/opt.services.cfg " "3⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
PID:1764
-
-
-
/usr/bin/sleepsleep 602⤵PID:1765
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Unix Shell
1Scheduled Task/Job
1Cron
1Persistence
Boot or Logon Autostart Execution
3XDG Autostart Entries
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Systemd Service
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Scheduled Task/Job
1Cron
1Privilege Escalation
Boot or Logon Autostart Execution
3XDG Autostart Entries
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Systemd Service
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Scheduled Task/Job
1Cron
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34B
MD5f5a3713282e43c200f30342f5ff5e2ea
SHA12b2ce1a207e2b691a074c6f78f71c4785aae426a
SHA2566ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
SHA5125bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013
-
Filesize
1.8MB
MD53b0cc5dd65238abdc55e9c47d0d8660f
SHA181d42740e04d5378d96c1a8ebd7de21863225dc4
SHA256a65f1664ac6666e1e1b324464d5a3a125c89764940a022d056b9a2d65ad5ed0e
SHA512dbd19679e394a0ca56742f6b29fb8fc15adb0bfa6f714250b788a9b53199a1a74c9c39a94ea13fc5b06b846cc93c86f56ccdf34ffd1ad8cd09e826cf513f99df
-
Filesize
49B
MD5780cd313a114965d95124917f5c02f47
SHA1fb893ca00a38aba208553d4ede636ff636b187b3
SHA25655f6c64f19ca65fe3e7618d6e5de1277166378440f0b181b13cc3ce7c40c38a4
SHA5123047949f1b77e4af4c0d180a291af1b00372206d1fd7eb0edfb7932e73cb5bd0617f5c701f91d1ffd362918574afaf18fc664ae4c9db221efe2470b0dd87dd43
-
Filesize
98B
MD591d72d702c7c0e7df8e472b6408ee8bc
SHA18886c0698dc7715bbd3d70b3dc8913dca367ce26
SHA256487ac24d77b56855216f30a3530a8e6ad9692ac328667dffe60a5f1ca720d28e
SHA512afeb1153564f2960095d1cc74c5591540417852bcc74eaa4e39a1e2e8e7abb1ab66e4476809e3eaebf970ed463a18d73721797022b85b415ed72040a7f71be78
-
Filesize
61B
MD547684525bfdf26f49fd1cf742b17c015
SHA1c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa
SHA256b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b
SHA512948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621
-
Filesize
5KB
MD5e31c48334ee659ca0ada6f367f07c758
SHA13c2a034e38f5bf41a4f702c082fbffad687a8207
SHA256d24f0710e2e828fac572d07333643baa15b99353f70bc7e9f3e08cc5ba24e573
SHA512076066062e8b44171766a81261d088748e4b11ae27876e3a78be332c6a6cb5c9b2d802e4413c7f3cd2d5d5b41a0ebaf83080aac6268250cf44476769b3a082ca
-
Filesize
186B
MD5b02de6cd28cd922b18d9d93375a70d8b
SHA1021426a5a2ff9edc80ba5936c94b37525538885e
SHA256d8d8e5cd33aa3450cd74c63716a02f3dff39efef2836559f110bc93663b1380a
SHA512db3fe03ad5e599e6c03aaec7bf1242f5509fbb624adb9afb7499e25487daef3f3f1c6babf51570b527a5ac5c9f4b079ae4cc53baa9497c0a121328bef8d04422