196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910

Analysis

max time kernel
26s
max time network
12s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
24-01-2025 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
Size

37KB
MD5

d6648f420423f9dad4292a606f743c4b
SHA1

dcae47ec15e96274a39fcce4352077846ebf7b70
SHA256

196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910
SHA512

3820b4fb435732fef05157ff0713ed3a62269dc1c21240dbf7e2e59191a0f34050247573b4d9758cd84495fb28d8f346e381b8f09a9041c70ca88333b1303f93
SSDEEP

384:Q7pQQwQHDf6lpTWg3vM4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdUeUoJpJydIi:Q7xFNB48Fkc2zq0xvMGdl18r

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 TTPs 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

pid	Process
693	iptables

Attempts to change immutable files 55 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
977	xargs
1029	xargs
743	xargs
889	xargs
806	xargs
926	xargs
1014	xargs
1043	xargs
757	xargs
785	xargs
833	xargs
854	xargs
992	xargs
999	xargs
691	chattr
730	xargs
826	xargs
1036	xargs
936	xargs
799	xargs
813	xargs
1007	xargs
736	xargs
931	xargs
948	xargs
955	xargs
750	xargs
778	xargs
692	chattr
771	xargs
847	xargs
962	xargs
704	grep
764	xargs
921	xargs
1053	xargs
863	xargs
916	xargs
716	xargs
870	xargs
702	grep
910	xargs
819	xargs
840	xargs
943	xargs
1021	xargs
969	xargs
896	xargs
1048	xargs
722	xargs
792	xargs
879	xargs
904	xargs
985	xargs
711	xargs

Enumerates running processes
Discovers information about currently running processes on the system

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads CPU attributes 1 TTPs 39 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Process Discovery 1 TTPs 37 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

pid	Process
995	ps
1017	ps
944	ps
973	ps
1039	ps
843	ps
859	ps
917	ps
939	ps
850	ps
906	ps
922	ps
932	ps
701	ps
875	ps
892	ps
927	ps
815	ps
885	ps
1010	ps
951	ps
958	ps
965	ps
988	ps
1044	ps
836	ps
912	ps
1003	ps
1032	ps
900	ps
981	ps
1025	ps
1049	ps
703	ps
822	ps
829	ps
866	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/598/cmdline	ps
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/863/status	ps
File opened for reading	/proc/76/cmdline	ps
File opened for reading	/proc/213/stat	ps
File opened for reading	/proc/297/stat	ps
File opened for reading	/proc/938/cmdline	ps
File opened for reading	/proc/284/stat	ps
File opened for reading	/proc/1/stat	ps
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/265/cmdline	ps
File opened for reading	/proc/152/stat	ps
File opened for reading	/proc/98/stat	ps
File opened for reading	/proc/641/cmdline	ps
File opened for reading	/proc/14/cmdline	ps
File opened for reading	/proc/109/stat	ps
File opened for reading	/proc/4/status	ps
File opened for reading	/proc/872/stat	ps
File opened for reading	/proc/10/stat	ps
File opened for reading	/proc/1/stat	ps
File opened for reading	/proc/646/cmdline	ps
File opened for reading	/proc/29/cmdline	ps
File opened for reading	/proc/297/status	ps
File opened for reading	/proc/602/status	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/264/status	ps
File opened for reading	/proc/29/stat	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/167/cmdline	ps
File opened for reading	/proc/310/stat	ps
File opened for reading	/proc/677/cmdline	ps
File opened for reading	/proc/stat	ps
File opened for reading	/proc/109/stat	ps
File opened for reading	/proc/8/cmdline	ps
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/594/stat	ps
File opened for reading	/proc/872/status	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/140/stat	ps
File opened for reading	/proc/28/stat	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/213/status	ps
File opened for reading	/proc/41/status	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/646/cmdline	ps
File opened for reading	/proc/1003/status	ps
File opened for reading	/proc/647/stat	ps
File opened for reading	/proc/269/status	ps
File opened for reading	/proc/647/cmdline	ps
File opened for reading	/proc/213/status	ps
File opened for reading	/proc/310/cmdline	ps
File opened for reading	/proc/265/stat	ps
File opened for reading	/proc/1004/stat	ps
File opened for reading	/proc/109/cmdline	ps
File opened for reading	/proc/24/cmdline	ps
File opened for reading	/proc/297/cmdline	ps
File opened for reading	/proc/656/cmdline	ps
File opened for reading	/proc/646/stat	ps
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/4/cmdline	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/dev/null	196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh

/tmp/196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
/tmp/196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
1⤵
- Writes file to tmp directory
PID:649
- /bin/grep
  grep -i CN
  2⤵
  PID:652
- /usr/bin/curl
  curl http://ip-api.com/json/
  2⤵
  - Checks CPU configuration
  PID:650
- /bin/sed
  sed "s/,/\\n/g"
  2⤵
  PID:651
- /bin/sync
  sync
  2⤵
  PID:675
- /bin/cat
  cat /var/spool/cron/
  2⤵
  PID:680
- /bin/cat
  cat /root/.ssh/authorized_keys
  2⤵
  PID:681
- /bin/mv
  mv /usr/bin/curl /usr/bin/url
  2⤵
  PID:682
- /bin/mv
  mv /usr/bin/url /usr/bin/cd1
  2⤵
  PID:685
- /bin/mv
  mv /usr/bin/wget /usr/bin/get
  2⤵
  PID:686
- /bin/mv
  mv /usr/bin/get /usr/bin/wd1
  2⤵
  PID:687
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:688
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:691
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:692
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:693
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:696
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:697
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:698
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:699
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:700
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:701
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:702
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:704
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:703
- /bin/rm
  rm -f /tmp/.null
  2⤵
  PID:705
- /sbin/sysctl
  sysctl -w "vm.nr_hugepages=128"
  2⤵
  - Reads CPU attributes
  PID:706
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:708
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:709
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:711
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:710
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:714
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:716
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:713
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:715
- /bin/grep
  grep -v -
  2⤵
  PID:721
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:719
- /bin/grep
  grep :443
  2⤵
  PID:718
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:722
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:720
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:727
- /bin/grep
  grep :23
  2⤵
  PID:726
- /bin/grep
  grep -v -
  2⤵
  PID:729
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:730
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:728
- /bin/grep
  grep :443
  2⤵
  PID:732
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:734
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:736
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:733
- /bin/grep
  grep -v -
  2⤵
  PID:735
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:741
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:740
- /bin/grep
  grep :143
  2⤵
  PID:739
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:743
- /bin/grep
  grep -v -
  2⤵
  PID:742
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:747
- /bin/grep
  grep :2222
  2⤵
  PID:746
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:750
- /bin/grep
  grep -v -
  2⤵
  PID:749
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:748
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:754
- /bin/grep
  grep :3333
  2⤵
  PID:753
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:757
- /bin/grep
  grep -v -
  2⤵
  PID:756
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:755
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:762
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:761
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:764
- /bin/grep
  grep :3389
  2⤵
  PID:760
- /bin/grep
  grep -v -
  2⤵
  PID:763
- /bin/grep
  grep -v -
  2⤵
  PID:770
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:769
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:771
- /bin/grep
  grep :5555
  2⤵
  PID:767
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:768
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:775
- /bin/grep
  grep :6666
  2⤵
  PID:774
- /bin/grep
  grep -v -
  2⤵
  PID:777
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:778
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:776
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:782
- /bin/grep
  grep :6665
  2⤵
  PID:781
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:785
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:783
- /bin/grep
  grep -v -
  2⤵
  PID:784
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:790
- /bin/grep
  grep -v -
  2⤵
  PID:791
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:792
- /bin/grep
  grep :6667
  2⤵
  PID:788
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:789
- /bin/grep
  grep -v -
  2⤵
  PID:798
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:799
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:796
- /bin/grep
  grep :7777
  2⤵
  PID:795
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:797
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:803
- /bin/grep
  grep :8444
  2⤵
  PID:802
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:806
- /bin/grep
  grep -v -
  2⤵
  PID:805
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:804
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:810
- /bin/grep
  grep :3347
  2⤵
  PID:809
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:811
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:813
- /bin/grep
  grep -v -
  2⤵
  PID:812
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:819
- /bin/grep
  grep :3333
  2⤵
  PID:817
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:818
- /bin/grep
  grep -v grep
  2⤵
  PID:816
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:815
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:826
- /bin/grep
  grep :5555
  2⤵
  PID:824
- /bin/grep
  grep -v grep
  2⤵
  PID:823
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:822
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:825
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:833
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:832
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:831
- /bin/grep
  grep -v grep
  2⤵
  PID:830
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:829
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:839
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:840
- /bin/grep
  grep -v grep
  2⤵
  PID:837
- /bin/grep
  grep log_
  2⤵
  PID:838
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:836
- /bin/grep
  grep -v grep
  2⤵
  PID:844
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:843
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:846
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:847
- /bin/grep
  grep systemten
  2⤵
  PID:845
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:854
- - /usr/local/sbin/kill
    kill -9 14
    3⤵
    PID:857
- - /usr/local/bin/kill
    kill -9 14
    3⤵
    PID:857
- - /usr/sbin/kill
    kill -9 14
    3⤵
    PID:857
- - /usr/bin/kill
    kill -9 14
    3⤵
    PID:857
- - /sbin/kill
    kill -9 14
    3⤵
    PID:857
- - /bin/kill
    kill -9 14
    3⤵
    - Reads CPU attributes
    PID:857
- /bin/grep
  grep netns
  2⤵
  PID:852
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:853
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:850
- /bin/grep
  grep -v grep
  2⤵
  PID:851
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:862
- /bin/grep
  grep -v grep
  2⤵
  PID:860
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:859
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:863
- /bin/grep
  grep voltuned
  2⤵
  PID:861
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:870
- /bin/grep
  grep darwin
  2⤵
  PID:868
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:869
- /bin/grep
  grep -v grep
  2⤵
  PID:867
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:866
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:877
- /bin/grep
  grep -v grep
  2⤵
  PID:876
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:879
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:875
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:878
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:889
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:887
- /bin/grep
  grep -v grep
  2⤵
  PID:886
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:885
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:888
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:896
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:894
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:895
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:892
- /bin/grep
  grep -v grep
  2⤵
  PID:893
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:904
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:902
- /bin/grep
  grep -v grep
  2⤵
  PID:901
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:903
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:900
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:908
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:910
- /bin/grep
  grep -v grep
  2⤵
  PID:907
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:906
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:909
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:914
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:912
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:916
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:915
- /bin/grep
  grep -v grep
  2⤵
  PID:913
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:921
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:919
- /bin/grep
  grep -v grep
  2⤵
  PID:918
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:917
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:920
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:926
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:924
- /bin/grep
  grep -v grep
  2⤵
  PID:923
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:922
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:925
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:929
- /bin/grep
  grep -v grep
  2⤵
  PID:928
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:927
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:931
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:930
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:935
- /bin/grep
  grep -v grep
  2⤵
  PID:933
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:934
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:936
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:932
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:943
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:941
- /bin/grep
  grep -v grep
  2⤵
  PID:940
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:939
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:942
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:948
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:947
- /bin/grep
  grep -v grep
  2⤵
  PID:945
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:946
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:944
- /bin/grep
  grep -v grep
  2⤵
  PID:952
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:954
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:955
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:953
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:951
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:962
- /bin/grep
  grep nMrfmnRa
  2⤵
  PID:960
- /bin/grep
  grep -v grep
  2⤵
  PID:959
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:958
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:961
- /bin/grep
  grep PuNY5tm2
  2⤵
  PID:967
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:969
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:965
- /bin/grep
  grep -v grep
  2⤵
  PID:966
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:968
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:977
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:975
- /bin/grep
  grep -v grep
  2⤵
  PID:974
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:973
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:976
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:985
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:983
- /bin/grep
  grep -v grep
  2⤵
  PID:982
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:981
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:984
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:990
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:992
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:988
- /bin/grep
  grep -v grep
  2⤵
  PID:989
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:991
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:999
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:997
- /bin/grep
  grep -v grep
  2⤵
  PID:996
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:995
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:998
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:1005
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1007
- /bin/grep
  grep -v grep
  2⤵
  PID:1004
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1003
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1006
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:1012
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1013
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1014
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1010
- /bin/grep
  grep -v grep
  2⤵
  PID:1011
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1020
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1021
- /bin/grep
  grep -v grep
  2⤵
  PID:1018
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1017
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:1019
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1029
- /bin/grep
  grep -v grep
  2⤵
  PID:1026
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1025
- /bin/grep
  grep svc
  2⤵
  PID:1027
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1028
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1036
- /bin/grep
  grep -v grep
  2⤵
  PID:1033
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1035
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:1034
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1032
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  - Reads runtime system information
  PID:1042
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:1041
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1043
- /bin/grep
  grep -v grep
  2⤵
  PID:1040
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1039
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1048
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:1046
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1047
- /bin/grep
  grep -v grep
  2⤵
  PID:1045
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1044
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1053
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:1051
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1052
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1049
- /bin/grep
  grep -v grep
  2⤵
  PID:1050

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/zzhs

Filesize
2B

MD5
b026324c6904b2a9cb4b88d6d61c81d1

SHA1
e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e

SHA256
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865

SHA512
3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads