Resubmissions
11/04/2025, 21:31
250411-1cz7lazpx8 10Analysis
-
max time kernel
29s -
max time network
2s -
platform
ubuntu-24.04_amd64 -
resource
ubuntu2404-amd64-20250410-en -
resource tags
-
submitted
11/04/2025, 21:31
General
-
Target
The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
-
Size
8.6MB
-
MD5
ae747bc7fff9bc23f06635ef60ea0e8d
-
SHA1
64315e834f67905ed4e47f36155362a78ac23462
-
SHA256
103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
-
SHA512
e24914a58565a43883c27ae4a41061e8edd3d5eef7b86c1c0e9910d9fbe0eef3e78ed49136ac0c9378311e99901b1847bcfd926aa9a3ea44149a7478480f82b2
-
SSDEEP
98304:rDSceJ/GqDu6P0ypQ0Qv5knSTH20ejwBcHjI7Xk:rDSceJ/GqD18RZv5knS720e7s
Score
8/10
Malware Config
Signatures
-
Adds new SSH keys 1 TTPs 1 IoCs
Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.
-
Deletes itself 1 IoCs
-
OS Credential Dumping 1 TTPs 64 IoCs
Adversaries may attempt to dump credentials to use it in password cracking.
-
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 64 IoCs
Abuse sudo or cached sudo credentials to execute code.
-
Deletes log files 1 TTPs 1 IoCs
Deletes log files on the system.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Virtualization/Sandbox Evasion: Time Based Evasion 1 TTPs 3 IoCs
Adversaries may detect and evade virtualized environments and sandboxes.
-
Checks CPU configuration 1 TTPs 29 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 52 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 52 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 12 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 5 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c0461⤵
- Adds new SSH keys
- Deletes itself
- Deletes log files
- Writes file to tmp directory
-
/usr/bin/unameuname -a2⤵
-
-
/usr/bin/catcat /proc/cpuinfo2⤵
- Checks CPU configuration
-
-
/usr/bin/catcat /etc/issue2⤵
-
-
/usr/bin/freefree -m2⤵
-
-
/usr/bin/uptimeuptime2⤵
- Virtualization/Sandbox Evasion: Time Based Evasion
-
-
/usr/bin/journalctljournalctl -S "@0" -u sshd2⤵
-
-
/usr/bin/catcat "/var/log/auth*"2⤵
-
-
/usr/bin/zcatzcat "/var/log/auth*"2⤵
-
-
/usr/local/sbin/gzipgzip -cd "/var/log/auth*"2⤵
- System Network Configuration Discovery
-
-
/usr/local/bin/gzipgzip -cd "/var/log/auth*"2⤵
- System Network Configuration Discovery
-
-
/usr/sbin/gzipgzip -cd "/var/log/auth*"2⤵
- System Network Configuration Discovery
-
-
/usr/bin/gzipgzip -cd "/var/log/auth*"2⤵
- System Network Configuration Discovery
-
-
/bin/bash/bin/bash -2⤵
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/whichwhich sudo3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
-
/usr/bin/sudosudo -S touch .local_31083⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/touchtouch .local_31084⤵
- Writes file to tmp directory
-
-
-
/usr/bin/lsls -l .local_31083⤵
-
-
/usr/bin/grepgrep -c root3⤵
-
-
/usr/bin/sudosudo rm .local_31083⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm .local_31084⤵
-
-
-
/usr/bin/grepgrep "./crond -t=all"3⤵
-
-
/usr/bin/sudosudo ps auxff3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/psps auxff4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo killall -9 bssh3⤵
-
/usr/bin/killallkillall -9 bssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.an3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.an4⤵
-
-
-
/usr/bin/sudosudo killall -9 xm643⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 xm644⤵
-
-
-
/usr/bin/sudosudo killall -9 rpc.idmapd3⤵
- OS Credential Dumping
-
/usr/bin/killallkillall -9 rpc.idmapd4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.m23⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/.m24⤵
-
-
-
/usr/bin/sudosudo killall -9 xorgg3⤵
-
/usr/bin/killallkillall -9 xorgg4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/seconfig3⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/seconfig4⤵
-
-
-
/usr/bin/sudosudo killall -9 crond643⤵
-
/usr/bin/killallkillall -9 crond644⤵
-
-
-
/usr/bin/sudosudo killall -9 tsm3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 tsm4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.ssh3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.ssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.java3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.java4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.iolanda3⤵
-
/usr/bin/rmrm -rf /tmp/.iolanda4⤵
-
-
-
/usr/bin/sudosudo pkill test.mod3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/pkillpkill test.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/sudosudo pkill daemon.i686.mod3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/pkillpkill daemon.i686.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/sudosudo pkill daemon.armv4l.mod3⤵
- OS Credential Dumping
-
/usr/bin/pkillpkill daemon.armv4l.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/sudosudo pkill daemon.mips.mod3⤵
-
/usr/bin/pkillpkill daemon.mips.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo pkill daemon.mipsel.mod3⤵
-
/usr/bin/pkillpkill daemon.mipsel.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.xs3⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/.xs4⤵
-
-
-
/usr/bin/sudosudo pkill ld-linux-x86-643⤵
- OS Credential Dumping
-
/usr/bin/pkillpkill ld-linux-x86-644⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/rmrm -rf "/var/tmp/. *"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep xmr3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep cryptonight3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep stratum3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/grepgrep dbus-daemon--system3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep "\\[\\]"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep xm643⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/sudosudo killall -9 "[atd]"3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 "[atd]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.jk3⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/.jk4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ntpd]"3⤵
-
/usr/bin/killallkillall -9 "[ntpd]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[rpciod]"3⤵
- OS Credential Dumping
-
/usr/bin/killallkillall -9 "[rpciod]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ext4-dio-unwrit]"3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 "[ext4-dio-unwrit]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf "/tmp/.xm*"3⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf "/tmp/.xm*"4⤵
-
-
-
/usr/bin/pidofpidof libexec3⤵
-
-
-
/usr/bin/freefree -m2⤵
-
-
/usr/bin/uptimeuptime2⤵
- Virtualization/Sandbox Evasion: Time Based Evasion
-
-
/bin/bash/bin/bash -2⤵
-
/usr/bin/whichwhich sudo3⤵
-
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/sudosudo -S touch .local_113363⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/touchtouch .local_113364⤵
- Writes file to tmp directory
-
-
-
/usr/bin/lsls -l .local_113363⤵
-
-
/usr/bin/grepgrep -c root3⤵
-
-
/usr/bin/sudosudo rm .local_113363⤵
-
/usr/bin/rmrm .local_113364⤵
-
-
-
/usr/bin/sudosudo ps auxff3⤵
-
/usr/bin/psps auxff4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep "./crond -t=all"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo killall -9 bssh3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 bssh4⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.an3⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/.an4⤵
-
-
-
/usr/bin/sudosudo killall -9 xm643⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 xm644⤵
-
-
-
/usr/bin/sudosudo killall -9 rpc.idmapd3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 rpc.idmapd4⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.m23⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/.m24⤵
-
-
-
/usr/bin/sudosudo killall -9 xorgg3⤵
-
/usr/bin/killallkillall -9 xorgg4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/seconfig3⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/seconfig4⤵
-
-
-
/usr/bin/sudosudo killall -9 crond643⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 crond644⤵
-
-
-
/usr/bin/sudosudo killall -9 tsm3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 tsm4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.ssh3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.ssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.java3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.java4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.iolanda3⤵
-
/usr/bin/rmrm -rf /tmp/.iolanda4⤵
-
-
-
/usr/bin/sudosudo pkill test.mod3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/pkillpkill test.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/sudosudo pkill daemon.i686.mod3⤵
- OS Credential Dumping
-
/usr/bin/pkillpkill daemon.i686.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/sudosudo pkill daemon.armv4l.mod3⤵
-
/usr/bin/pkillpkill daemon.armv4l.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/sudosudo pkill daemon.mips.mod3⤵
-
/usr/bin/pkillpkill daemon.mips.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo pkill daemon.mipsel.mod3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/pkillpkill daemon.mipsel.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.xs3⤵
-
/usr/bin/rmrm -rf /tmp/.xs4⤵
-
-
-
/usr/bin/sudosudo pkill ld-linux-x86-643⤵
- OS Credential Dumping
-
/usr/bin/pkillpkill ld-linux-x86-644⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/rmrm -rf "/var/tmp/. *"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep xmr3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep cryptonight3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- OS Credential Dumping
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep stratum3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep dbus-daemon--system3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/grepgrep "\\[\\]"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/grepgrep xm643⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo killall -9 "[atd]"3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 "[atd]"4⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.jk3⤵
-
/usr/bin/rmrm -rf /tmp/.jk4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ntpd]"3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 "[ntpd]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[rpciod]"3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 "[rpciod]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ext4-dio-unwrit]"3⤵
-
/usr/bin/killallkillall -9 "[ext4-dio-unwrit]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf "/tmp/.xm*"3⤵
-
/usr/bin/rmrm -rf "/tmp/.xm*"4⤵
-
-
-
/usr/bin/pidofpidof libexec3⤵
- Reads runtime system information
-
-
-
/bin/bash/bin/bash -2⤵
-
/usr/bin/whichwhich sudo3⤵
-
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/sudosudo -S touch .local_14433⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/touchtouch .local_14434⤵
- Writes file to tmp directory
-
-
-
/usr/bin/grepgrep -c root3⤵
-
-
/usr/bin/lsls -l .local_14433⤵
-
-
/usr/bin/sudosudo rm .local_14433⤵
-
/usr/bin/rmrm .local_14434⤵
-
-
-
/usr/bin/sudosudo ps auxff3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/psps auxff4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep "./crond -t=all"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo killall -9 bssh3⤵
- OS Credential Dumping
-
/usr/bin/killallkillall -9 bssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.an3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.an4⤵
-
-
-
/usr/bin/sudosudo killall -9 xm643⤵
- OS Credential Dumping
-
/usr/bin/killallkillall -9 xm644⤵
-
-
-
/usr/bin/sudosudo killall -9 rpc.idmapd3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 rpc.idmapd4⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.m23⤵
-
/usr/bin/rmrm -rf /tmp/.m24⤵
-
-
-
/usr/bin/sudosudo killall -9 xorgg3⤵
-
/usr/bin/killallkillall -9 xorgg4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/seconfig3⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/seconfig4⤵
-
-
-
/usr/bin/sudosudo killall -9 crond643⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 crond644⤵
-
-
-
/usr/bin/sudosudo killall -9 tsm3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 tsm4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.ssh3⤵
-
/usr/bin/rmrm -rf /tmp/.ssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.java3⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/.java4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.iolanda3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.iolanda4⤵
-
-
-
/usr/bin/sudosudo pkill test.mod3⤵
-
/usr/bin/pkillpkill test.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/sudosudo pkill daemon.i686.mod3⤵
- OS Credential Dumping
-
/usr/bin/pkillpkill daemon.i686.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/sudosudo pkill daemon.armv4l.mod3⤵
- OS Credential Dumping
-
/usr/bin/pkillpkill daemon.armv4l.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/sudosudo pkill daemon.mips.mod3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/pkillpkill daemon.mips.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo pkill daemon.mipsel.mod3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/pkillpkill daemon.mipsel.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.xs3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.xs4⤵
-
-
-
/usr/bin/sudosudo pkill ld-linux-x86-643⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/pkillpkill ld-linux-x86-644⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/rmrm -rf "/var/tmp/. *"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep xmr3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- OS Credential Dumping
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep cryptonight3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep stratum3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/grepgrep dbus-daemon--system3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep "\\[\\]"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep xm643⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo killall -9 "[atd]"3⤵
- OS Credential Dumping
-
/usr/bin/killallkillall -9 "[atd]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.jk3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.jk4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ntpd]"3⤵
- OS Credential Dumping
-
/usr/bin/killallkillall -9 "[ntpd]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[rpciod]"3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 "[rpciod]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ext4-dio-unwrit]"3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 "[ext4-dio-unwrit]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf "/tmp/.xm*"3⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf "/tmp/.xm*"4⤵
-
-
-
/usr/bin/pidofpidof libexec3⤵
-
-
-
/usr/bin/freefree -m2⤵
-
-
/usr/bin/uptimeuptime2⤵
- Virtualization/Sandbox Evasion: Time Based Evasion
-
-
/bin/bash/bin/bash -2⤵
-
/usr/bin/whichwhich sudo3⤵
-
-
/usr/bin/wcwc -l3⤵
-
-
/usr/bin/sudosudo -S touch .local_168933⤵
-
/usr/bin/touchtouch .local_168934⤵
- Writes file to tmp directory
-
-
-
/usr/bin/grepgrep -c root3⤵
-
-
/usr/bin/lsls -l .local_168933⤵
-
-
/usr/bin/sudosudo rm .local_168933⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm .local_168934⤵
-
-
-
/usr/bin/sudosudo ps auxff3⤵
-
/usr/bin/psps auxff4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep "./crond -t=all"3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo killall -9 bssh3⤵
-
/usr/bin/killallkillall -9 bssh4⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.an3⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/.an4⤵
-
-
-
/usr/bin/sudosudo killall -9 xm643⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 xm644⤵
-
-
-
/usr/bin/sudosudo killall -9 rpc.idmapd3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 rpc.idmapd4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.m23⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.m24⤵
-
-
-
/usr/bin/sudosudo killall -9 xorgg3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 xorgg4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/seconfig3⤵
- OS Credential Dumping
-
/usr/bin/rmrm -rf /tmp/seconfig4⤵
-
-
-
/usr/bin/sudosudo killall -9 crond643⤵
-
/usr/bin/killallkillall -9 crond644⤵
-
-
-
/usr/bin/sudosudo killall -9 tsm3⤵
-
/usr/bin/killallkillall -9 tsm4⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.ssh3⤵
-
/usr/bin/rmrm -rf /tmp/.ssh4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.java3⤵
-
/usr/bin/rmrm -rf /tmp/.java4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.iolanda3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.iolanda4⤵
-
-
-
/usr/bin/sudosudo pkill test.mod3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/pkillpkill test.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/sudosudo pkill daemon.i686.mod3⤵
- OS Credential Dumping
-
/usr/bin/pkillpkill daemon.i686.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/sudosudo pkill daemon.armv4l.mod3⤵
- OS Credential Dumping
-
/usr/bin/pkillpkill daemon.armv4l.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/sudosudo pkill daemon.mips.mod3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/pkillpkill daemon.mips.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo pkill daemon.mipsel.mod3⤵
-
/usr/bin/pkillpkill daemon.mipsel.mod4⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- System Network Configuration Discovery
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.xs3⤵
-
/usr/bin/rmrm -rf /tmp/.xs4⤵
-
-
-
/usr/bin/sudosudo pkill ld-linux-x86-643⤵
-
/usr/bin/pkillpkill ld-linux-x86-644⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/rmrm -rf "/var/tmp/. *"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- OS Credential Dumping
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/grepgrep xmr3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep cryptonight3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep stratum3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/grepgrep dbus-daemon--system3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/grepgrep "\\[\\]"3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/sudosudo ps auxf3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/psps auxf4⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
-
-
/usr/bin/grepgrep xm643⤵
-
-
/usr/bin/grepgrep -v grep3⤵
-
-
/usr/bin/awkawk "{ print \$2 }"3⤵
-
-
/usr/bin/sudosudo killall -9 "[atd]"3⤵
- OS Credential Dumping
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 "[atd]"4⤵
-
-
-
/usr/bin/sudosudo rm -rf /tmp/.jk3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf /tmp/.jk4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ntpd]"3⤵
-
/usr/bin/killallkillall -9 "[ntpd]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[rpciod]"3⤵
-
/usr/bin/killallkillall -9 "[rpciod]"4⤵
-
-
-
/usr/bin/sudosudo killall -9 "[ext4-dio-unwrit]"3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/killallkillall -9 "[ext4-dio-unwrit]"4⤵
- Reads runtime system information
-
-
-
/usr/bin/sudosudo rm -rf "/tmp/.xm*"3⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
-
/usr/bin/rmrm -rf "/tmp/.xm*"4⤵
-
-
-
/usr/bin/pidofpidof libexec3⤵
- Reads runtime system information
-
-
Network
MITRE ATT&CK Enterprise v16
Privilege Escalation
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1Account Manipulation
1SSH Authorized Keys
1Defense Evasion
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1Indicator Removal
1Clear Linux or Mac System Logs
1Virtualization/Sandbox Evasion
2System Checks
1Time Based Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8.6MB
MD5ae747bc7fff9bc23f06635ef60ea0e8d
SHA164315e834f67905ed4e47f36155362a78ac23462
SHA256103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
SHA512e24914a58565a43883c27ae4a41061e8edd3d5eef7b86c1c0e9910d9fbe0eef3e78ed49136ac0c9378311e99901b1847bcfd926aa9a3ea44149a7478480f82b2