Analysis
-
max time kernel
149s -
max time network
139s -
platform
ubuntu-22.04_amd64 -
resource
ubuntu2204-amd64-20240611-en -
resource tags
-
submitted
18-01-2025 15:12
General
-
Target
The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
-
Size
8.6MB
-
MD5
ae747bc7fff9bc23f06635ef60ea0e8d
-
SHA1
64315e834f67905ed4e47f36155362a78ac23462
-
SHA256
103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
-
SHA512
e24914a58565a43883c27ae4a41061e8edd3d5eef7b86c1c0e9910d9fbe0eef3e78ed49136ac0c9378311e99901b1847bcfd926aa9a3ea44149a7478480f82b2
-
SSDEEP
98304:rDSceJ/GqDu6P0ypQ0Qv5knSTH20ejwBcHjI7Xk:rDSceJ/GqD18RZv5knS720e7s
Score
8/10
Malware Config
Signatures
-
Adds new SSH keys 1 TTPs 1 IoCs
Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.
-
Deletes itself 1 IoCs
-
OS Credential Dumping 1 TTPs 64 IoCs
Adversaries may attempt to dump credentials to use it in password cracking.
-
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 64 IoCs
Abuse sudo or cached sudo credentials to execute code.
-
Deletes log files 1 TTPs 1 IoCs
Deletes log files on the system.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Virtualization/Sandbox Evasion: Time Based Evasion 1 TTPs 15 IoCs
Adversaries may detect and evade virtualized environments and sandboxes.
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 64 IoCs
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 54 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 26 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c0461⤵
- Adds new SSH keys
- Deletes itself
- Deletes log files
- Writes file to tmp directory
-
/usr/bin/unameuname -a2⤵
-
-
/usr/bin/catcat /proc/cpuinfo2⤵
- Checks CPU configuration
-
-
/usr/bin/catcat /etc/issue2⤵
-
-
/usr/bin/freefree -m2⤵
-
-
/usr/bin/uptimeuptime2⤵
- Virtualization/Sandbox Evasion: Time Based Evasion
-
-
/usr/bin/journalctljournalctl -S "@0" -u sshd2⤵
-
-
/usr/bin/catcat "/var/log/auth*"2⤵
-
-
/usr/bin/zcatzcat "/var/log/auth*"2⤵
-
-
/usr/local/sbin/gzipgzip -cd "/var/log/auth*"2⤵
- System Network Configuration Discovery
-
-
/usr/local/bin/gzipgzip -cd "/var/log/auth*"2⤵
- System Network Configuration Discovery
-
-
/usr/sbin/gzipgzip -cd "/var/log/auth*"2⤵
- System Network Configuration Discovery
-
-
/usr/bin/gzipgzip -cd "/var/log/auth*"2⤵
- System Network Configuration Discovery
-
-
/bin/bash/bin/bash -2⤵
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/whichwhich sudo3⤵
-
-
/usr/bin/sudosudo -S touch .local_269433⤵
-
/usr/bin/touchtouch .local_269434⤵
- Writes file to tmp directory
-
-
-
/usr/bin/grepgrep -c root3⤵
-
-
/usr/bin/lsls -l .local_269433⤵
-
-
/usr/bin/sudosudo rm .local_269433⤵
-
/usr/bin/rmrm .local_269434⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "./crond -t=all"3⤵
-
-
/usr/bin/sudosudo ps auxff3⤵
-
/usr/bin/psps auxff4⤵
- Reads CPU attributes
-
-
-
/usr/bin/sudosudo killall -9 bssh3⤵
- OS Credential Dumping
-
/usr/bin/killallkillall -9 bssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.an3⤵
-
/usr/bin/rmrm -rf /tmp/.an4⤵
-
-
-
/usr/bin/sudosudo killall -9 xm643⤵
-
/usr/bin/killallkillall -9 xm644⤵
-
-
-
/usr/bin/sudosudo killall -9 rpc.idmapd3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 rpc.idmapd4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.m23⤵
-
/usr/bin/rmrm -rf /tmp/.m24⤵
-
-
-
/usr/bin/sudosudo killall -9 xorgg3⤵
-
/usr/bin/killallkillall -9 xorgg4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/seconfig3⤵
-
/usr/bin/rmrm -rf /tmp/seconfig4⤵
-
-
-
/usr/bin/sudosudo killall -9 crond643⤵
-
/usr/bin/killallkillall -9 crond644⤵
-
-
-
/usr/bin/sudosudo killall -9 tsm3⤵
-
/usr/bin/killallkillall -9 tsm4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.ssh3⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/.ssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.java3⤵
-
/usr/bin/rmrm -rf /tmp/.java4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.iolanda3⤵
-
/usr/bin/rmrm -rf /tmp/.iolanda4⤵
-
-
-
/usr/bin/sudosudo pkill test.mod3⤵
-
/usr/bin/pkillpkill test.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.i686.mod3⤵
-
/usr/bin/pkillpkill daemon.i686.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.armv4l.mod3⤵
-
/usr/bin/pkillpkill daemon.armv4l.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.mips.mod3⤵
-
/usr/bin/pkillpkill daemon.mips.mod4⤵
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo pkill daemon.mipsel.mod3⤵
-
/usr/bin/pkillpkill daemon.mipsel.mod4⤵
- Reads CPU attributes
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.xs3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.xs4⤵
-
-
-
/usr/bin/sudosudo pkill ld-linux-x86-643⤵
-
/usr/bin/pkillpkill ld-linux-x86-644⤵
-
-
-
/usr/bin/rmrm -rf "/var/tmp/. *"3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xmr3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep cryptonight3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep stratum3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep dbus-daemon--system3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "\\[\\]"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xm643⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[atd]"3⤵
-
/usr/bin/killallkillall -9 "[atd]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.jk3⤵
-
/usr/bin/rmrm -rf /tmp/.jk4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ntpd]"3⤵
-
/usr/bin/killallkillall -9 "[ntpd]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[rpciod]"3⤵
-
/usr/bin/killallkillall -9 "[rpciod]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ext4-dio-unwrit]"3⤵
-
/usr/bin/killallkillall -9 "[ext4-dio-unwrit]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf "/tmp/.xm*"3⤵
-
/usr/bin/rmrm -rf "/tmp/.xm*"4⤵
-
-
-
/usr/bin/pidofpidof libexec3⤵
-
-
-
/usr/bin/freefree -m2⤵
-
-
/usr/bin/uptimeuptime2⤵
- Virtualization/Sandbox Evasion: Time Based Evasion
-
-
/bin/bash/bin/bash -2⤵
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/whichwhich sudo3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
-
/usr/bin/sudosudo -S touch .local_72303⤵
-
/usr/bin/touchtouch .local_72304⤵
- Writes file to tmp directory
-
-
-
/usr/bin/grepgrep -c root3⤵
-
-
/usr/bin/lsls -l .local_72303⤵
-
-
/usr/bin/sudosudo rm .local_72303⤵
-
/usr/bin/rmrm .local_72304⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "./crond -t=all"3⤵
-
-
/usr/bin/sudosudo ps auxff3⤵
-
/usr/bin/psps auxff4⤵
-
-
-
/usr/bin/sudosudo killall -9 bssh3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 bssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.an3⤵
-
/usr/bin/rmrm -rf /tmp/.an4⤵
-
-
-
/usr/bin/sudosudo killall -9 xm643⤵
-
/usr/bin/killallkillall -9 xm644⤵
-
-
-
/usr/bin/sudosudo killall -9 rpc.idmapd3⤵
-
/usr/bin/killallkillall -9 rpc.idmapd4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.m23⤵
-
/usr/bin/rmrm -rf /tmp/.m24⤵
-
-
-
/usr/bin/sudosudo killall -9 xorgg3⤵
- OS Credential Dumping
-
/usr/bin/killallkillall -9 xorgg4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/seconfig3⤵
-
/usr/bin/rmrm -rf /tmp/seconfig4⤵
-
-
-
/usr/bin/sudosudo killall -9 crond643⤵
-
/usr/bin/killallkillall -9 crond644⤵
-
-
-
/usr/bin/sudosudo killall -9 tsm3⤵
-
/usr/bin/killallkillall -9 tsm4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.ssh3⤵
-
/usr/bin/rmrm -rf /tmp/.ssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.java3⤵
-
/usr/bin/rmrm -rf /tmp/.java4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.iolanda3⤵
-
/usr/bin/rmrm -rf /tmp/.iolanda4⤵
-
-
-
/usr/bin/sudosudo pkill test.mod3⤵
-
/usr/bin/pkillpkill test.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.i686.mod3⤵
-
/usr/bin/pkillpkill daemon.i686.mod4⤵
- Reads CPU attributes
-
-
-
/usr/bin/sudosudo pkill daemon.armv4l.mod3⤵
-
/usr/bin/pkillpkill daemon.armv4l.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.mips.mod3⤵
-
/usr/bin/pkillpkill daemon.mips.mod4⤵
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo pkill daemon.mipsel.mod3⤵
-
/usr/bin/pkillpkill daemon.mipsel.mod4⤵
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.xs3⤵
-
/usr/bin/rmrm -rf /tmp/.xs4⤵
-
-
-
/usr/bin/sudosudo pkill ld-linux-x86-643⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/pkillpkill ld-linux-x86-644⤵
- Reads CPU attributes
-
-
-
/usr/bin/rmrm -rf "/var/tmp/. *"3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xmr3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep cryptonight3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Reads runtime system information
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep stratum3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep dbus-daemon--system3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "\\[\\]"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xm643⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Reads CPU attributes
-
-
-
/usr/bin/sudosudo killall -9 "[atd]"3⤵
-
/usr/bin/killallkillall -9 "[atd]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.jk3⤵
-
/usr/bin/rmrm -rf /tmp/.jk4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ntpd]"3⤵
-
/usr/bin/killallkillall -9 "[ntpd]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[rpciod]"3⤵
-
/usr/bin/killallkillall -9 "[rpciod]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ext4-dio-unwrit]"3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 "[ext4-dio-unwrit]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf "/tmp/.xm*"3⤵
-
/usr/bin/rmrm -rf "/tmp/.xm*"4⤵
-
-
-
/usr/bin/pidofpidof libexec3⤵
-
-
-
/bin/bash/bin/bash -2⤵
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/whichwhich sudo3⤵
-
-
/usr/bin/sudosudo -S touch .local_276383⤵
-
/usr/bin/touchtouch .local_276384⤵
- Writes file to tmp directory
-
-
-
/usr/bin/grepgrep -c root3⤵
-
-
/usr/bin/lsls -l .local_276383⤵
-
-
/usr/bin/sudosudo rm .local_276383⤵
-
/usr/bin/rmrm .local_276384⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "./crond -t=all"3⤵
-
-
/usr/bin/sudosudo ps auxff3⤵
-
/usr/bin/psps auxff4⤵
-
-
-
/usr/bin/sudosudo killall -9 bssh3⤵
-
/usr/bin/killallkillall -9 bssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.an3⤵
-
/usr/bin/rmrm -rf /tmp/.an4⤵
-
-
-
/usr/bin/sudosudo killall -9 xm643⤵
-
/usr/bin/killallkillall -9 xm644⤵
-
-
-
/usr/bin/sudosudo killall -9 rpc.idmapd3⤵
-
/usr/bin/killallkillall -9 rpc.idmapd4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.m23⤵
-
/usr/bin/rmrm -rf /tmp/.m24⤵
-
-
-
/usr/bin/sudosudo killall -9 xorgg3⤵
- OS Credential Dumping
-
/usr/bin/killallkillall -9 xorgg4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/seconfig3⤵
-
/usr/bin/rmrm -rf /tmp/seconfig4⤵
-
-
-
/usr/bin/sudosudo killall -9 crond643⤵
-
/usr/bin/killallkillall -9 crond644⤵
-
-
-
/usr/bin/sudosudo killall -9 tsm3⤵
-
/usr/bin/killallkillall -9 tsm4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.ssh3⤵
-
/usr/bin/rmrm -rf /tmp/.ssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.java3⤵
-
/usr/bin/rmrm -rf /tmp/.java4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.iolanda3⤵
-
/usr/bin/rmrm -rf /tmp/.iolanda4⤵
-
-
-
/usr/bin/sudosudo pkill test.mod3⤵
-
/usr/bin/pkillpkill test.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.i686.mod3⤵
-
/usr/bin/pkillpkill daemon.i686.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.armv4l.mod3⤵
-
/usr/bin/pkillpkill daemon.armv4l.mod4⤵
- Reads CPU attributes
-
-
-
/usr/bin/sudosudo pkill daemon.mips.mod3⤵
-
/usr/bin/pkillpkill daemon.mips.mod4⤵
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo pkill daemon.mipsel.mod3⤵
-
/usr/bin/pkillpkill daemon.mipsel.mod4⤵
- Reads CPU attributes
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.xs3⤵
-
/usr/bin/rmrm -rf /tmp/.xs4⤵
-
-
-
/usr/bin/sudosudo pkill ld-linux-x86-643⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/pkillpkill ld-linux-x86-644⤵
-
-
-
/usr/bin/rmrm -rf "/var/tmp/. *"3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xmr3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- OS Credential Dumping
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep cryptonight3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Reads runtime system information
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep stratum3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- OS Credential Dumping
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep dbus-daemon--system3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "\\[\\]"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xm643⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[atd]"3⤵
-
/usr/bin/killallkillall -9 "[atd]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.jk3⤵
-
/usr/bin/rmrm -rf /tmp/.jk4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ntpd]"3⤵
-
/usr/bin/killallkillall -9 "[ntpd]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[rpciod]"3⤵
-
/usr/bin/killallkillall -9 "[rpciod]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ext4-dio-unwrit]"3⤵
-
/usr/bin/killallkillall -9 "[ext4-dio-unwrit]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf "/tmp/.xm*"3⤵
-
/usr/bin/rmrm -rf "/tmp/.xm*"4⤵
-
-
-
/usr/bin/pidofpidof libexec3⤵
- Reads runtime system information
-
-
-
/usr/bin/freefree -m2⤵
-
-
/usr/bin/uptimeuptime2⤵
- Virtualization/Sandbox Evasion: Time Based Evasion
- Reads CPU attributes
-
-
/bin/bash/bin/bash -2⤵
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/whichwhich sudo3⤵
-
-
/usr/bin/sudosudo -S touch .local_271093⤵
-
/usr/bin/touchtouch .local_271094⤵
- Writes file to tmp directory
-
-
-
/usr/bin/grepgrep -c root3⤵
-
-
/usr/bin/lsls -l .local_271093⤵
-
-
/usr/bin/sudosudo rm .local_271093⤵
-
/usr/bin/rmrm .local_271094⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "./crond -t=all"3⤵
-
-
/usr/bin/sudosudo ps auxff3⤵
-
/usr/bin/psps auxff4⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo killall -9 bssh3⤵
-
/usr/bin/killallkillall -9 bssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.an3⤵
-
/usr/bin/rmrm -rf /tmp/.an4⤵
-
-
-
/usr/bin/sudosudo killall -9 xm643⤵
-
/usr/bin/killallkillall -9 xm644⤵
-
-
-
/usr/bin/sudosudo killall -9 rpc.idmapd3⤵
-
/usr/bin/killallkillall -9 rpc.idmapd4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.m23⤵
-
/usr/bin/rmrm -rf /tmp/.m24⤵
-
-
-
/usr/bin/sudosudo killall -9 xorgg3⤵
-
/usr/bin/killallkillall -9 xorgg4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/seconfig3⤵
-
/usr/bin/rmrm -rf /tmp/seconfig4⤵
-
-
-
/usr/bin/sudosudo killall -9 crond643⤵
-
/usr/bin/killallkillall -9 crond644⤵
-
-
-
/usr/bin/sudosudo killall -9 tsm3⤵
-
/usr/bin/killallkillall -9 tsm4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.ssh3⤵
-
/usr/bin/rmrm -rf /tmp/.ssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.java3⤵
-
/usr/bin/rmrm -rf /tmp/.java4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.iolanda3⤵
-
/usr/bin/rmrm -rf /tmp/.iolanda4⤵
-
-
-
/usr/bin/sudosudo pkill test.mod3⤵
-
/usr/bin/pkillpkill test.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.i686.mod3⤵
-
/usr/bin/pkillpkill daemon.i686.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.armv4l.mod3⤵
-
/usr/bin/pkillpkill daemon.armv4l.mod4⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo pkill daemon.mips.mod3⤵
-
/usr/bin/pkillpkill daemon.mips.mod4⤵
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo pkill daemon.mipsel.mod3⤵
-
/usr/bin/pkillpkill daemon.mipsel.mod4⤵
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.xs3⤵
-
/usr/bin/rmrm -rf /tmp/.xs4⤵
-
-
-
/usr/bin/sudosudo pkill ld-linux-x86-643⤵
-
/usr/bin/pkillpkill ld-linux-x86-644⤵
-
-
-
/usr/bin/rmrm -rf "/var/tmp/. *"3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xmr3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep cryptonight3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep stratum3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Reads runtime system information
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep dbus-daemon--system3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "\\[\\]"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xm643⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[atd]"3⤵
-
/usr/bin/killallkillall -9 "[atd]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.jk3⤵
-
/usr/bin/rmrm -rf /tmp/.jk4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ntpd]"3⤵
-
/usr/bin/killallkillall -9 "[ntpd]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[rpciod]"3⤵
-
/usr/bin/killallkillall -9 "[rpciod]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ext4-dio-unwrit]"3⤵
-
/usr/bin/killallkillall -9 "[ext4-dio-unwrit]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf "/tmp/.xm*"3⤵
-
/usr/bin/rmrm -rf "/tmp/.xm*"4⤵
-
-
-
/usr/bin/pidofpidof libexec3⤵
-
-
-
/bin/bash/bin/bash -2⤵
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/whichwhich sudo3⤵
-
-
/usr/bin/sudosudo -S touch .local_149173⤵
- OS Credential Dumping
-
/usr/bin/touchtouch .local_149174⤵
- Writes file to tmp directory
-
-
-
/usr/bin/grepgrep -c root3⤵
-
-
/usr/bin/lsls -l .local_149173⤵
-
-
/usr/bin/sudosudo rm .local_149173⤵
-
/usr/bin/rmrm .local_149174⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "./crond -t=all"3⤵
-
-
/usr/bin/sudosudo ps auxff3⤵
-
/usr/bin/psps auxff4⤵
-
-
-
/usr/bin/sudosudo killall -9 bssh3⤵
-
/usr/bin/killallkillall -9 bssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.an3⤵
-
/usr/bin/rmrm -rf /tmp/.an4⤵
-
-
-
/usr/bin/sudosudo killall -9 xm643⤵
-
/usr/bin/killallkillall -9 xm644⤵
-
-
-
/usr/bin/sudosudo killall -9 rpc.idmapd3⤵
-
/usr/bin/killallkillall -9 rpc.idmapd4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.m23⤵
-
/usr/bin/rmrm -rf /tmp/.m24⤵
-
-
-
/usr/bin/sudosudo killall -9 xorgg3⤵
-
/usr/bin/killallkillall -9 xorgg4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/seconfig3⤵
-
/usr/bin/rmrm -rf /tmp/seconfig4⤵
-
-
-
/usr/bin/sudosudo killall -9 crond643⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 crond644⤵
-
-
-
/usr/bin/sudosudo killall -9 tsm3⤵
-
/usr/bin/killallkillall -9 tsm4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.ssh3⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/.ssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.java3⤵
-
/usr/bin/rmrm -rf /tmp/.java4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.iolanda3⤵
-
/usr/bin/rmrm -rf /tmp/.iolanda4⤵
-
-
-
/usr/bin/sudosudo pkill test.mod3⤵
-
/usr/bin/pkillpkill test.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.i686.mod3⤵
-
/usr/bin/pkillpkill daemon.i686.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.armv4l.mod3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/pkillpkill daemon.armv4l.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.mips.mod3⤵
-
/usr/bin/pkillpkill daemon.mips.mod4⤵
- Reads runtime system information
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo pkill daemon.mipsel.mod3⤵
-
/usr/bin/pkillpkill daemon.mipsel.mod4⤵
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.xs3⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/.xs4⤵
-
-
-
/usr/bin/sudosudo pkill ld-linux-x86-643⤵
-
/usr/bin/pkillpkill ld-linux-x86-644⤵
-
-
-
/usr/bin/rmrm -rf "/var/tmp/. *"3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xmr3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep cryptonight3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep stratum3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Reads runtime system information
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep dbus-daemon--system3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Reads runtime system information
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "\\[\\]"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xm643⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[atd]"3⤵
-
/usr/bin/killallkillall -9 "[atd]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.jk3⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/.jk4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ntpd]"3⤵
-
/usr/bin/killallkillall -9 "[ntpd]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[rpciod]"3⤵
-
/usr/bin/killallkillall -9 "[rpciod]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ext4-dio-unwrit]"3⤵
-
/usr/bin/killallkillall -9 "[ext4-dio-unwrit]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf "/tmp/.xm*"3⤵
-
/usr/bin/rmrm -rf "/tmp/.xm*"4⤵
-
-
-
/usr/bin/pidofpidof libexec3⤵
- Reads runtime system information
-
-
-
/usr/bin/freefree -m2⤵
-
-
/usr/bin/uptimeuptime2⤵
- Virtualization/Sandbox Evasion: Time Based Evasion
-
-
/bin/bash/bin/bash -2⤵
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/whichwhich sudo3⤵
-
-
/usr/bin/sudosudo -S touch .local_103883⤵
-
/usr/bin/touchtouch .local_103884⤵
- Writes file to tmp directory
-
-
-
/usr/bin/grepgrep -c root3⤵
-
-
/usr/bin/lsls -l .local_103883⤵
-
-
/usr/bin/sudosudo rm .local_103883⤵
-
/usr/bin/rmrm .local_103884⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "./crond -t=all"3⤵
-
-
/usr/bin/sudosudo ps auxff3⤵
-
/usr/bin/psps auxff4⤵
-
-
-
/usr/bin/sudosudo killall -9 bssh3⤵
-
/usr/bin/killallkillall -9 bssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.an3⤵
-
/usr/bin/rmrm -rf /tmp/.an4⤵
-
-
-
/usr/bin/sudosudo killall -9 xm643⤵
-
/usr/bin/killallkillall -9 xm644⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo killall -9 rpc.idmapd3⤵
-
/usr/bin/killallkillall -9 rpc.idmapd4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.m23⤵
-
/usr/bin/rmrm -rf /tmp/.m24⤵
-
-
-
/usr/bin/sudosudo killall -9 xorgg3⤵
-
/usr/bin/killallkillall -9 xorgg4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/seconfig3⤵
-
/usr/bin/rmrm -rf /tmp/seconfig4⤵
-
-
-
/usr/bin/sudosudo killall -9 crond643⤵
-
/usr/bin/killallkillall -9 crond644⤵
-
-
-
/usr/bin/sudosudo killall -9 tsm3⤵
-
/usr/bin/killallkillall -9 tsm4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.ssh3⤵
-
/usr/bin/rmrm -rf /tmp/.ssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.java3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.java4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.iolanda3⤵
-
/usr/bin/rmrm -rf /tmp/.iolanda4⤵
-
-
-
/usr/bin/sudosudo pkill test.mod3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/pkillpkill test.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.i686.mod3⤵
-
/usr/bin/pkillpkill daemon.i686.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.armv4l.mod3⤵
-
/usr/bin/pkillpkill daemon.armv4l.mod4⤵
- Reads CPU attributes
-
-
-
/usr/bin/sudosudo pkill daemon.mips.mod3⤵
-
/usr/bin/pkillpkill daemon.mips.mod4⤵
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo pkill daemon.mipsel.mod3⤵
-
/usr/bin/pkillpkill daemon.mipsel.mod4⤵
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.xs3⤵
-
/usr/bin/rmrm -rf /tmp/.xs4⤵
-
-
-
/usr/bin/sudosudo pkill ld-linux-x86-643⤵
-
/usr/bin/pkillpkill ld-linux-x86-644⤵
- Reads CPU attributes
-
-
-
/usr/bin/rmrm -rf "/var/tmp/. *"3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xmr3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep cryptonight3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep stratum3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep dbus-daemon--system3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Reads CPU attributes
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "\\[\\]"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xm643⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[atd]"3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 "[atd]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.jk3⤵
-
/usr/bin/rmrm -rf /tmp/.jk4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ntpd]"3⤵
-
/usr/bin/killallkillall -9 "[ntpd]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[rpciod]"3⤵
-
/usr/bin/killallkillall -9 "[rpciod]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ext4-dio-unwrit]"3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 "[ext4-dio-unwrit]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf "/tmp/.xm*"3⤵
-
/usr/bin/rmrm -rf "/tmp/.xm*"4⤵
-
-
-
/usr/bin/pidofpidof libexec3⤵
-
-
-
/usr/bin/freefree -m2⤵
-
-
/usr/bin/uptimeuptime2⤵
- Virtualization/Sandbox Evasion: Time Based Evasion
-
-
/bin/bash/bin/bash -2⤵
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/whichwhich sudo3⤵
-
-
/usr/bin/sudosudo -S touch .local_2233⤵
-
/usr/bin/touchtouch .local_2234⤵
- Writes file to tmp directory
-
-
-
/usr/bin/grepgrep -c root3⤵
-
-
/usr/bin/lsls -l .local_2233⤵
-
-
/usr/bin/sudosudo rm .local_2233⤵
-
/usr/bin/rmrm .local_2234⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "./crond -t=all"3⤵
-
-
/usr/bin/sudosudo ps auxff3⤵
-
/usr/bin/psps auxff4⤵
-
-
-
/usr/bin/sudosudo killall -9 bssh3⤵
- OS Credential Dumping
-
/usr/bin/killallkillall -9 bssh4⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.an3⤵
-
/usr/bin/rmrm -rf /tmp/.an4⤵
-
-
-
/usr/bin/sudosudo killall -9 xm643⤵
- OS Credential Dumping
-
/usr/bin/killallkillall -9 xm644⤵
-
-
-
/usr/bin/sudosudo killall -9 rpc.idmapd3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 rpc.idmapd4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.m23⤵
-
/usr/bin/rmrm -rf /tmp/.m24⤵
-
-
-
/usr/bin/sudosudo killall -9 xorgg3⤵
-
/usr/bin/killallkillall -9 xorgg4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/seconfig3⤵
-
/usr/bin/rmrm -rf /tmp/seconfig4⤵
-
-
-
/usr/bin/sudosudo killall -9 crond643⤵
-
/usr/bin/killallkillall -9 crond644⤵
-
-
-
/usr/bin/sudosudo killall -9 tsm3⤵
-
/usr/bin/killallkillall -9 tsm4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.ssh3⤵
-
/usr/bin/rmrm -rf /tmp/.ssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.java3⤵
-
/usr/bin/rmrm -rf /tmp/.java4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.iolanda3⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/.iolanda4⤵
-
-
-
/usr/bin/sudosudo pkill test.mod3⤵
-
/usr/bin/pkillpkill test.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.i686.mod3⤵
-
/usr/bin/pkillpkill daemon.i686.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.armv4l.mod3⤵
-
/usr/bin/pkillpkill daemon.armv4l.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.mips.mod3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/pkillpkill daemon.mips.mod4⤵
- Reads runtime system information
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo pkill daemon.mipsel.mod3⤵
-
/usr/bin/pkillpkill daemon.mipsel.mod4⤵
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.xs3⤵
-
/usr/bin/rmrm -rf /tmp/.xs4⤵
-
-
-
/usr/bin/sudosudo pkill ld-linux-x86-643⤵
-
/usr/bin/pkillpkill ld-linux-x86-644⤵
-
-
-
/usr/bin/rmrm -rf "/var/tmp/. *"3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xmr3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep cryptonight3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Reads runtime system information
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep stratum3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- OS Credential Dumping
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep dbus-daemon--system3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Reads CPU attributes
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "\\[\\]"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xm643⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- OS Credential Dumping
-
/usr/bin/psps auxf4⤵
- Reads CPU attributes
-
-
-
/usr/bin/sudosudo killall -9 "[atd]"3⤵
- OS Credential Dumping
-
/usr/bin/killallkillall -9 "[atd]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.jk3⤵
-
/usr/bin/rmrm -rf /tmp/.jk4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ntpd]"3⤵
-
/usr/bin/killallkillall -9 "[ntpd]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[rpciod]"3⤵
-
/usr/bin/killallkillall -9 "[rpciod]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ext4-dio-unwrit]"3⤵
-
/usr/bin/killallkillall -9 "[ext4-dio-unwrit]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf "/tmp/.xm*"3⤵
-
/usr/bin/rmrm -rf "/tmp/.xm*"4⤵
-
-
-
/usr/bin/pidofpidof libexec3⤵
-
-
-
/bin/bash/bin/bash -2⤵
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/whichwhich sudo3⤵
-
-
/usr/bin/sudosudo -S touch .local_18243⤵
-
/usr/bin/touchtouch .local_18244⤵
- Writes file to tmp directory
-
-
-
/usr/bin/grepgrep -c root3⤵
-
-
/usr/bin/lsls -l .local_18243⤵
-
-
/usr/bin/sudosudo rm .local_18243⤵
-
/usr/bin/rmrm .local_18244⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "./crond -t=all"3⤵
-
-
/usr/bin/sudosudo ps auxff3⤵
-
/usr/bin/psps auxff4⤵
-
-
-
/usr/bin/sudosudo killall -9 bssh3⤵
-
/usr/bin/killallkillall -9 bssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.an3⤵
-
/usr/bin/rmrm -rf /tmp/.an4⤵
-
-
-
/usr/bin/sudosudo killall -9 xm643⤵
-
/usr/bin/killallkillall -9 xm644⤵
-
-
-
/usr/bin/sudosudo killall -9 rpc.idmapd3⤵
-
/usr/bin/killallkillall -9 rpc.idmapd4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.m23⤵
-
/usr/bin/rmrm -rf /tmp/.m24⤵
-
-
-
/usr/bin/sudosudo killall -9 xorgg3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 xorgg4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/seconfig3⤵
-
/usr/bin/rmrm -rf /tmp/seconfig4⤵
-
-
-
/usr/bin/sudosudo killall -9 crond643⤵
-
/usr/bin/killallkillall -9 crond644⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo killall -9 tsm3⤵
-
/usr/bin/killallkillall -9 tsm4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.ssh3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.ssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.java3⤵
-
/usr/bin/rmrm -rf /tmp/.java4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.iolanda3⤵
-
/usr/bin/rmrm -rf /tmp/.iolanda4⤵
-
-
-
/usr/bin/sudosudo pkill test.mod3⤵
-
/usr/bin/pkillpkill test.mod4⤵
- Reads CPU attributes
-
-
-
/usr/bin/sudosudo pkill daemon.i686.mod3⤵
-
/usr/bin/pkillpkill daemon.i686.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.armv4l.mod3⤵
-
/usr/bin/pkillpkill daemon.armv4l.mod4⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo pkill daemon.mips.mod3⤵
-
/usr/bin/pkillpkill daemon.mips.mod4⤵
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo pkill daemon.mipsel.mod3⤵
-
/usr/bin/pkillpkill daemon.mipsel.mod4⤵
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.xs3⤵
-
/usr/bin/rmrm -rf /tmp/.xs4⤵
-
-
-
/usr/bin/sudosudo pkill ld-linux-x86-643⤵
-
/usr/bin/pkillpkill ld-linux-x86-644⤵
- Reads CPU attributes
-
-
-
/usr/bin/rmrm -rf "/var/tmp/. *"3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xmr3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep cryptonight3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep stratum3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep dbus-daemon--system3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "\\[\\]"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xm643⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[atd]"3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 "[atd]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.jk3⤵
-
/usr/bin/rmrm -rf /tmp/.jk4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ntpd]"3⤵
- OS Credential Dumping
-
/usr/bin/killallkillall -9 "[ntpd]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[rpciod]"3⤵
-
/usr/bin/killallkillall -9 "[rpciod]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ext4-dio-unwrit]"3⤵
-
/usr/bin/killallkillall -9 "[ext4-dio-unwrit]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf "/tmp/.xm*"3⤵
-
/usr/bin/rmrm -rf "/tmp/.xm*"4⤵
-
-
-
/usr/bin/pidofpidof libexec3⤵
-
-
-
/usr/bin/freefree -m2⤵
-
-
/usr/bin/uptimeuptime2⤵
- Virtualization/Sandbox Evasion: Time Based Evasion
-
-
/bin/bash/bin/bash -2⤵
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/whichwhich sudo3⤵
-
-
/usr/bin/sudosudo -S touch .local_275783⤵
-
/usr/bin/touchtouch .local_275784⤵
- Writes file to tmp directory
-
-
-
/usr/bin/grepgrep -c root3⤵
-
-
/usr/bin/lsls -l .local_275783⤵
-
-
/usr/bin/sudosudo rm .local_275783⤵
-
/usr/bin/rmrm .local_275784⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "./crond -t=all"3⤵
-
-
/usr/bin/sudosudo ps auxff3⤵
- OS Credential Dumping
-
/usr/bin/psps auxff4⤵
-
-
-
/usr/bin/sudosudo killall -9 bssh3⤵
-
/usr/bin/killallkillall -9 bssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.an3⤵
-
/usr/bin/rmrm -rf /tmp/.an4⤵
-
-
-
/usr/bin/sudosudo killall -9 xm643⤵
-
/usr/bin/killallkillall -9 xm644⤵
-
-
-
/usr/bin/sudosudo killall -9 rpc.idmapd3⤵
-
/usr/bin/killallkillall -9 rpc.idmapd4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.m23⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/.m24⤵
-
-
-
/usr/bin/sudosudo killall -9 xorgg3⤵
-
/usr/bin/killallkillall -9 xorgg4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/seconfig3⤵
-
/usr/bin/rmrm -rf /tmp/seconfig4⤵
-
-
-
/usr/bin/sudosudo killall -9 crond643⤵
-
/usr/bin/killallkillall -9 crond644⤵
-
-
-
/usr/bin/sudosudo killall -9 tsm3⤵
-
/usr/bin/killallkillall -9 tsm4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.ssh3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.ssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.java3⤵
-
/usr/bin/rmrm -rf /tmp/.java4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.iolanda3⤵
-
/usr/bin/rmrm -rf /tmp/.iolanda4⤵
-
-
-
/usr/bin/sudosudo pkill test.mod3⤵
-
/usr/bin/pkillpkill test.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.i686.mod3⤵
-
/usr/bin/pkillpkill daemon.i686.mod4⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo pkill daemon.armv4l.mod3⤵
-
/usr/bin/pkillpkill daemon.armv4l.mod4⤵
- Reads CPU attributes
-
-
-
/usr/bin/sudosudo pkill daemon.mips.mod3⤵
-
/usr/bin/pkillpkill daemon.mips.mod4⤵
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo pkill daemon.mipsel.mod3⤵
-
/usr/bin/pkillpkill daemon.mipsel.mod4⤵
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.xs3⤵
-
/usr/bin/rmrm -rf /tmp/.xs4⤵
-
-
-
/usr/bin/sudosudo pkill ld-linux-x86-643⤵
-
/usr/bin/pkillpkill ld-linux-x86-644⤵
-
-
-
/usr/bin/rmrm -rf "/var/tmp/. *"3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xmr3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- OS Credential Dumping
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep cryptonight3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep stratum3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Reads runtime system information
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep dbus-daemon--system3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Reads CPU attributes
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "\\[\\]"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Reads CPU attributes
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xm643⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[atd]"3⤵
- OS Credential Dumping
-
/usr/bin/killallkillall -9 "[atd]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.jk3⤵
-
/usr/bin/rmrm -rf /tmp/.jk4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ntpd]"3⤵
- OS Credential Dumping
-
/usr/bin/killallkillall -9 "[ntpd]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[rpciod]"3⤵
-
/usr/bin/killallkillall -9 "[rpciod]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ext4-dio-unwrit]"3⤵
-
/usr/bin/killallkillall -9 "[ext4-dio-unwrit]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf "/tmp/.xm*"3⤵
-
/usr/bin/rmrm -rf "/tmp/.xm*"4⤵
-
-
-
/usr/bin/pidofpidof libexec3⤵
-
-
-
/bin/bash/bin/bash -2⤵
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/whichwhich sudo3⤵
-
-
/usr/bin/sudosudo -S touch .local_50703⤵
-
/usr/bin/touchtouch .local_50704⤵
- Writes file to tmp directory
-
-
-
/usr/bin/grepgrep -c root3⤵
-
-
/usr/bin/lsls -l .local_50703⤵
-
-
/usr/bin/sudosudo rm .local_50703⤵
-
/usr/bin/rmrm .local_50704⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "./crond -t=all"3⤵
-
-
/usr/bin/sudosudo ps auxff3⤵
-
/usr/bin/psps auxff4⤵
-
-
-
/usr/bin/sudosudo killall -9 bssh3⤵
-
/usr/bin/killallkillall -9 bssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.an3⤵
-
/usr/bin/rmrm -rf /tmp/.an4⤵
-
-
-
/usr/bin/sudosudo killall -9 xm643⤵
-
/usr/bin/killallkillall -9 xm644⤵
-
-
-
/usr/bin/sudosudo killall -9 rpc.idmapd3⤵
-
/usr/bin/killallkillall -9 rpc.idmapd4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.m23⤵
-
/usr/bin/rmrm -rf /tmp/.m24⤵
-
-
-
/usr/bin/sudosudo killall -9 xorgg3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 xorgg4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/seconfig3⤵
-
/usr/bin/rmrm -rf /tmp/seconfig4⤵
-
-
-
/usr/bin/sudosudo killall -9 crond643⤵
-
/usr/bin/killallkillall -9 crond644⤵
-
-
-
/usr/bin/sudosudo killall -9 tsm3⤵
-
/usr/bin/killallkillall -9 tsm4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.ssh3⤵
-
/usr/bin/rmrm -rf /tmp/.ssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.java3⤵
-
/usr/bin/rmrm -rf /tmp/.java4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.iolanda3⤵
-
/usr/bin/rmrm -rf /tmp/.iolanda4⤵
-
-
-
/usr/bin/sudosudo pkill test.mod3⤵
-
/usr/bin/pkillpkill test.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.i686.mod3⤵
-
/usr/bin/pkillpkill daemon.i686.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.armv4l.mod3⤵
-
/usr/bin/pkillpkill daemon.armv4l.mod4⤵
-
-
-
/usr/bin/sudosudo pkill daemon.mips.mod3⤵
-
/usr/bin/pkillpkill daemon.mips.mod4⤵
- Reads runtime system information
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo pkill daemon.mipsel.mod3⤵
-
/usr/bin/pkillpkill daemon.mipsel.mod4⤵
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.xs3⤵
-
/usr/bin/rmrm -rf /tmp/.xs4⤵
-
-
-
/usr/bin/sudosudo pkill ld-linux-x86-643⤵
-
/usr/bin/pkillpkill ld-linux-x86-644⤵
- Reads CPU attributes
-
-
-
/usr/bin/rmrm -rf "/var/tmp/. *"3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xmr3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Reads CPU attributes
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep cryptonight3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep stratum3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep dbus-daemon--system3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Reads runtime system information
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "\\[\\]"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- OS Credential Dumping
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xm643⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[atd]"3⤵
-
/usr/bin/killallkillall -9 "[atd]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.jk3⤵
-
/usr/bin/rmrm -rf /tmp/.jk4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ntpd]"3⤵
-
/usr/bin/killallkillall -9 "[ntpd]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[rpciod]"3⤵
-
/usr/bin/killallkillall -9 "[rpciod]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ext4-dio-unwrit]"3⤵
-
/usr/bin/killallkillall -9 "[ext4-dio-unwrit]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf "/tmp/.xm*"3⤵
-
/usr/bin/rmrm -rf "/tmp/.xm*"4⤵
-
-
-
/usr/bin/pidofpidof libexec3⤵
-
-
-
/usr/bin/freefree -m2⤵
-
-
/usr/bin/uptimeuptime2⤵
- Virtualization/Sandbox Evasion: Time Based Evasion
-
-
/bin/bash/bin/bash -2⤵
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/whichwhich sudo3⤵
-
-
/usr/bin/sudosudo -S touch .local_258143⤵
-
/usr/bin/touchtouch .local_258144⤵
- Writes file to tmp directory
-
-
-
/usr/bin/grepgrep -c root3⤵
-
-
/usr/bin/lsls -l .local_258143⤵
-
-
/usr/bin/sudosudo rm .local_258143⤵
-
/usr/bin/rmrm .local_258144⤵
-
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "./crond -t=all"3⤵
-
-
/usr/bin/sudosudo ps auxff3⤵
-
/usr/bin/psps auxff4⤵
- Reads CPU attributes
-
-
-
/usr/bin/sudosudo killall -9 bssh3⤵
-
/usr/bin/killallkillall -9 bssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.an3⤵
-
/usr/bin/rmrm -rf /tmp/.an4⤵
-
-
-
/usr/bin/sudosudo killall -9 xm643⤵
- OS Credential Dumping
-
/usr/bin/killallkillall -9 xm644⤵
-
-
-
/usr/bin/sudosudo killall -9 rpc.idmapd3⤵
-
/usr/bin/killallkillall -9 rpc.idmapd4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.m23⤵
-
/usr/bin/rmrm -rf /tmp/.m24⤵
-
-
-
/usr/bin/sudosudo killall -9 xorgg3⤵
-
/usr/bin/killallkillall -9 xorgg4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/seconfig3⤵
-
/usr/bin/rmrm -rf /tmp/seconfig4⤵
-
-
-
/usr/bin/sudosudo killall -9 crond643⤵
-
/usr/bin/killallkillall -9 crond644⤵
-
-
-
/usr/bin/sudosudo killall -9 tsm3⤵
-
/usr/bin/killallkillall -9 tsm4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.ssh3⤵
-
/usr/bin/rmrm -rf /tmp/.ssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.java3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.java4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.iolanda3⤵
-
/usr/bin/rmrm -rf /tmp/.iolanda4⤵
-
-
-
/usr/bin/sudosudo pkill test.mod3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1Account Manipulation
1SSH Authorized Keys
1Defense Evasion
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1Indicator Removal
1Clear Linux or Mac System Logs
1Virtualization/Sandbox Evasion
2System Checks
1Time Based Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8.6MB
MD5ae747bc7fff9bc23f06635ef60ea0e8d
SHA164315e834f67905ed4e47f36155362a78ac23462
SHA256103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
SHA512e24914a58565a43883c27ae4a41061e8edd3d5eef7b86c1c0e9910d9fbe0eef3e78ed49136ac0c9378311e99901b1847bcfd926aa9a3ea44149a7478480f82b2