kaiji | b8194ca3dd994e7e7a699328b57613c848c6a5704d4ffac44c94c2612c8c4d8e

persistence privilege_escalation defense_evasion

description	ioc	Process
File opened for modification	/etc/crontab	sh

Creates/modifies environment variables 1 TTPs 3 IoCs

Creating/modifying environment variables is a common persistence mechanism.

Path Interception by PATH Environment Variable

description	ioc	Process
File opened for modification	/etc/profile.d/gateway.sh	3448066.bin
File opened for modification	/etc/profile.d/bash_cfg	3448066.bin
File opened for modification	/etc/profile.d/bash_cfg.sh	3448066.bin

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 2 TTPs 17 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/dbus	3448066.bin
File opened for modification	/etc/init.d/exim4	3448066.bin
File opened for modification	/etc/init.d/networking	3448066.bin
File opened for modification	/etc/init.d/hwclock.sh	3448066.bin
File opened for modification	/etc/init.d/kmod	3448066.bin
File opened for modification	/etc/init.d/ssh	3448066.bin
File opened for modification	/etc/init.d/udev	3448066.bin
File opened for modification	/etc/init.d/procps	3448066.bin
File opened for modification	/etc/init.d/selinux-autorelabel	3448066.bin
File opened for modification	/etc/init.d/alsa-utils	3448066.bin
File opened for modification	/etc/init.d/auditd	3448066.bin
File opened for modification	/etc/init.d/cron	3448066.bin
File opened for modification	/etc/init.d/keyboard-setup.sh	3448066.bin
File opened for modification	/etc/init.d/sudo	3448066.bin
File opened for modification	/etc/init.d/x11-common	3448066.bin
File opened for modification	/etc/init.d/rsyslog	3448066.bin
File opened for modification	/etc/init.d/console-setup.sh	3448066.bin

Write file to user bin folder 2 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/include/find	3448066.bin
File opened for modification	/usr/bin/find	3448066.bin

Modifies Bash startup script 2 TTPs 3 IoCs

persistence

Boot or Logon Autostart Execution

Unix Shell Configuration Modification

T1546.004

description	ioc	Process
File opened for modification	/etc/profile.d/gateway.sh	3448066.bin
File opened for modification	/etc/profile.d/bash_cfg	3448066.bin
File opened for modification	/etc/profile.d/bash_cfg.sh	3448066.bin

Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs

Execute scripts via Unix Shell.

execution

Unix Shell

T1059.004

pid	Process
696	sh
735	sh

Enumerates kernel/hardware configuration 1 TTPs 37 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	3448066.bin
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	opt.services.cfg
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	3448066.bin
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	opt.services.cfg
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	opt.services.cfg
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	opt.services.cfg

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/141/stat	3448066.bin
File opened for reading	/proc/674/stat	3448066.bin
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/219/stat	3448066.bin
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/17/stat	3448066.bin
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/41/stat	3448066.bin
File opened for reading	/proc/107/stat	3448066.bin
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/14/stat	3448066.bin
File opened for reading	/proc/42/stat	3448066.bin
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/680/stat	3448066.bin
File opened for reading	/proc/682/stat	3448066.bin
File opened for reading	/proc/686/stat	3448066.bin
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/5/stat	3448066.bin
File opened for reading	/proc/18/stat	3448066.bin
File opened for reading	/proc/26/stat	3448066.bin
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/410/stat	3448066.bin
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/13/stat	3448066.bin
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/8/stat	3448066.bin
File opened for reading	/proc/337/stat	3448066.bin
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/316/stat	3448066.bin
File opened for reading	/proc/667/stat	3448066.bin
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/147/stat	3448066.bin
File opened for reading	/proc/306/stat	3448066.bin

/tmp/3448066.bin
/tmp/3448066.bin
1⤵
- Enumerates kernel/hardware configuration
PID:668
- /tmp/3448066.bin
  /tmp/3448066.bin " "
  2⤵
  - Modifies Watchdog functionality
  - Creates/modifies environment variables
  - Modifies init.d
  - Write file to user bin folder
  - Modifies Bash startup script
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:678
- - /bin/sh
    /bin/sh -c "/etc/32675&"
    3⤵
    - Executes dropped EXE
    - Command and Scripting Interpreter: Unix Shell
    PID:696
- - /usr/sbin/service
    service crond start
    3⤵
    PID:699
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:702
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:704
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:706
  - - /bin/sed
      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      4⤵
      Reads runtime system information
      PID:710
  - - /bin/systemctl
      systemctl list-unit-files --full "--type=socket"
      4⤵
      Enumerates kernel/hardware configuration
      PID:709
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:715
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:717
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:719
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:720
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:721
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:722
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:723
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:724
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:725
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:726
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:727
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:728
- - /usr/local/sbin/systemctl
    systemctl start crond.service
    3⤵
    PID:699
- - /usr/local/bin/systemctl
    systemctl start crond.service
    3⤵
    PID:699
- - /usr/sbin/systemctl
    systemctl start crond.service
    3⤵
    PID:699
- - /usr/bin/systemctl
    systemctl start crond.service
    3⤵
    PID:699
- - /sbin/systemctl
    systemctl start crond.service
    3⤵
    PID:699
- - /bin/systemctl
    systemctl start crond.service
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:699
- - /bin/sh
    /bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"
    3⤵
    - Creates/modifies Cron job
    - Command and Scripting Interpreter: Unix Shell
    PID:735
- - /usr/bin/renice
    renice -20 678
    3⤵
    PID:746
- - /bin/mount
    mount -o bind /tmp/ /proc/678
    3⤵
    PID:747
- - /usr/sbin/service
    service cron start
    3⤵
    PID:748
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:749
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:750
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:751
  - - /bin/sed
      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      4⤵
      Reads runtime system information
      PID:754
  - - /bin/systemctl
      systemctl list-unit-files --full "--type=socket"
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:753
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:759
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:760
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:761
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:762
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:763
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:764
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:765
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:766
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:767
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:768
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:769
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:770
- - /usr/local/sbin/systemctl
    systemctl start cron.service
    3⤵
    PID:748
- - /usr/local/bin/systemctl
    systemctl start cron.service
    3⤵
    PID:748
- - /usr/sbin/systemctl
    systemctl start cron.service
    3⤵
    PID:748
- - /usr/bin/systemctl
    systemctl start cron.service
    3⤵
    PID:748
- - /sbin/systemctl
    systemctl start cron.service
    3⤵
    PID:748
- - /bin/systemctl
    systemctl start cron.service
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:748
- - /bin/systemctl
    systemctl start crond.service
    3⤵
    - Enumerates kernel/hardware configuration
    PID:771

/etc/32675
/etc/32675
1⤵
- Executes dropped EXE
PID:698
- /bin/sleep
  sleep 60
  2⤵
  PID:701
- /etc/opt.services.cfg
  /etc/opt.services.cfg
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:852
- - /etc/opt.services.cfg
    /etc/opt.services.cfg " "
    3⤵
    - Enumerates kernel/hardware configuration
    PID:856
- /bin/sleep
  sleep 60
  2⤵
  PID:857
- /etc/opt.services.cfg
  /etc/opt.services.cfg
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:884
- - /etc/opt.services.cfg
    /etc/opt.services.cfg " "
    3⤵
    - Enumerates kernel/hardware configuration
    PID:888
- /bin/sleep
  sleep 60
  2⤵
  PID:889

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Scheduled Task/Job

T1053

Cron

Persistence

Boot or Logon Autostart Execution

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Event Triggered Execution

T1546

Unix Shell Configuration Modification

T1546.004

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

Scheduled Task/Job

T1053

Cron

Privilege Escalation

Boot or Logon Autostart Execution

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Event Triggered Execution

T1546

Unix Shell Configuration Modification

T1546.004

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

Scheduled Task/Job

T1053

Cron

Defense Evasion

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable