File and Directory Permissions Modification

Adversaries may modify file or directory permissions to evade defenses.

Deletes system logs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

Flushes firewall rules

Flushes/ disables firewall rules inside the Linux kernel.

Loads a kernel module

Loads a Linux kernel module, potentially to achieve persistence

Attempts to change immutable files

Modifies inode attributes on the filesystem to allow changing of immutable files.

Creates/modifies Cron job

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Disables AppArmor

Disables AppArmor security module.

Enumerates running processes

Discovers information about currently running processes on the system

Looks up external IP address via web service

Uses a legitimate IP lookup service to find the infected system's external IP.

Writes file to system bin folder