f5750ae6109ca43fc8cf3a3a82f58cb3fd3cdca9efa6616707c5c2e6297b22e9

General

Target

1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
Size

46KB
MD5

150dc9ae7c5729552ec2e92a7bc49095
SHA1

2aed6d97f2c3400e1eb7e136e245a6f45ef4ae1f
SHA256

1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40
SHA512

13c40ba893a9f7a0f3e674400025f65e041e91f09b6def779078e391e35a3dedaf55742e68ae0b9b6f3c9120c1628266fb16348b674e988d146ed3d7b2c3f9c7
SSDEEP

768:bxlT2wDuWvWi7JFNcuFkc2zq0x3UKnicZuiR/amT8z:8wF+Lc2/FicfSmT8z

Score

7^/10

evasion

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Indicator Removal
T1070

Processes:

rm

description ioc process

File deleted /var/log/syslog rm
Flushes firewall rules 1 IoCs
Flushes/ disables firewall rules inside the Linux kernel.

Processes:

iptables

pid process

655 iptables

description	ioc	process
File deleted	/var/log/syslog	rm

pid	process
655	iptables

Attempts to change immutable files 50 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

chattrxargsxargsxargsgrepchattrxargsxargsxargschattrxargsxargschattrchattrxargschattrchattrxargsxargsxargsxargschattrxargsxargsxargsxargsxargsxargschattrchattrgrepxargschattrxargschattrchattrchattrxargschattrxargsxargsxargschattrxargsxargschattrxargsxargschattrxargs

pid	process
647	chattr
801	xargs
925	xargs
1013	xargs
703	grep
890	chattr
931	xargs
997	xargs
915	xargs
884	chattr
823	xargs
841	xargs
883	chattr
888	chattr
937	xargs
876	chattr
879	chattr
949	xargs
991	xargs
733	xargs
834	xargs
877	chattr
955	xargs
815	xargs
849	xargs
943	xargs
967	xargs
979	xargs
880	chattr
889	chattr
705	grep
855	xargs
886	chattr
1003	xargs
663	chattr
892	chattr
882	chattr
985	xargs
660	chattr
861	xargs
973	xargs
1008	xargs
665	chattr
808	xargs
961	xargs
653	chattr
794	xargs
920	xargs
668	chattr
740	xargs

Disables AppArmor 16 IoCs

Disables AppArmor security module.

Processes:

systemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctl

pid	process
707	systemctl
714	systemctl
720	systemctl
715	systemctl
715	systemctl
715	systemctl
715	systemctl
707	systemctl
723	systemctl
707	systemctl
707	systemctl
707	systemctl
707	systemctl
715	systemctl
715	systemctl
728	systemctl

Disables SELinux 1 IoCs
Disables SELinux security module.

Processes:

setenforce

pid process

706 setenforce
Enumerates running processes
Discovers information about currently running processes on the system

pid	process
706	setenforce

Write file to user bin folder 1 TTPs 6 IoCs

Hijack Execution Flow

T1574

Processes:

1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown

description	ioc	process
File opened for modification	/usr/bin/ip6network	1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
File opened for modification	/usr/bin/kswaped	1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
File opened for modification	/usr/bin/irqbalanced	1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
File opened for modification	/usr/bin/rctlcli	1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
File opened for modification	/usr/bin/systemd-network	1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
File opened for modification	/usr/bin/pamdicks	1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown

Reads CPU attributes 1 TTPs 20 IoCs

System Information Discovery

T1082

Processes:

pspspspspspspspspspspspspspspspspssysctlpsps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Enumerates kernel/hardware configuration 1 TTPs 8 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

systemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctl

description	ioc	process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspspspspspspspspsawkpspsxargsmvpspspspsmvmvps

description	ioc	process
File opened for reading	/proc/19/status	ps
File opened for reading	/proc/285/cmdline	ps
File opened for reading	/proc/744/stat	ps
File opened for reading	/proc/21/stat	ps
File opened for reading	/proc/9/stat	ps
File opened for reading	/proc/858/stat	ps
File opened for reading	/proc/593/stat	ps
File opened for reading	/proc/731/status	ps
File opened for reading	/proc/96/cmdline	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/733/stat	ps
File opened for reading	/proc/74/cmdline	ps
File opened for reading	/proc/834/status	ps
File opened for reading	/proc/74/status	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/23/stat	ps
File opened for reading	/proc/793/status	ps
File opened for reading	/proc/138/cmdline	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/154/status	ps
File opened for reading	/proc/29/cmdline	ps
File opened for reading	/proc/5/status	ps
File opened for reading	/proc/166/status	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/135/status	ps
File opened for reading	/proc/146/status	ps
File opened for reading	/proc/309/status	ps
File opened for reading	/proc/847/status	ps
File opened for reading	/proc/635/stat	ps
File opened for reading	/proc/747/cmdline	ps
File opened for reading	/proc/283/cmdline	ps
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/267/status	ps
File opened for reading	/proc/25/status	ps
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/832/cmdline	ps
File opened for reading	/proc/43/cmdline	ps
File opened for reading	/proc/9/cmdline	ps
File opened for reading	/proc/10/stat	ps
File opened for reading	/proc/267/stat	ps
File opened for reading	/proc/594/stat	ps
File opened for reading	/proc/13/cmdline	ps
File opened for reading	/proc/636/status	ps
File opened for reading	/proc/636/cmdline	ps
File opened for reading	/proc/642/cmdline	ps
File opened for reading	/proc/42/status	ps
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/17/stat	ps
File opened for reading	/proc/12/status	ps
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/96/cmdline	ps
File opened for reading	/proc/29/cmdline	ps
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/635/stat	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/309/stat	ps
File opened for reading	/proc/639/status	ps
File opened for reading	/proc/uptime	ps
File opened for reading	/proc/629/stat	ps
File opened for reading	/proc/3/cmdline	ps

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown

description ioc process

File opened for modification /tmp/dev/null 1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown

description	ioc	process
File opened for modification	/tmp/dev/null	1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown

/tmp/1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
/tmp/1bf4fcd6d035805d44b5ae7ec67860911ed4c43f94e827c988992d0587d1ab40.unknown
1⤵
- Write file to user bin folder
- Writes file to tmp directory
PID:642

/bin/chmod
chmod 777 /usr/bin/chattr
2⤵
PID:643

/bin/chmod
chmod 777 /bin/chattr
2⤵
PID:645

/usr/bin/chattr
chattr -iua /tmp/
2⤵
- Attempts to change immutable files
PID:647

/usr/bin/chattr
chattr -iua /var/tmp/
2⤵
- Attempts to change immutable files
PID:653

/sbin/iptables
iptables -F
2⤵
- Flushes firewall rules
PID:655

/usr/bin/chattr
chattr -iae /root/.ssh/
2⤵
- Attempts to change immutable files
PID:660

/usr/bin/chattr
chattr -iae /root/.ssh/authorized_keys
2⤵
- Attempts to change immutable files
PID:663

/usr/bin/chattr
chattr -iua /tmp/
2⤵
- Attempts to change immutable files
PID:665

/usr/bin/chattr
chattr -iua /var/tmp/
2⤵
- Attempts to change immutable files
PID:668

/bin/rm
rm -rf "/tmp/addres*"
2⤵
PID:671

/bin/rm
rm -rf "/tmp/walle*"
2⤵
PID:673

/bin/rm
rm -rf /tmp/keys
2⤵
PID:675

/bin/rm
rm -rf /var/log/syslog
2⤵
- Deletes system logs
PID:677

/bin/sync
sync
2⤵
PID:678

/bin/cat
cat /var/spool/cron/
2⤵
PID:681

/bin/cat
cat /root/.ssh/authorized_keys
2⤵
PID:683

/bin/mv
mv /usr/bin/wgettnt /usr/bin/wd1
2⤵
PID:684

/bin/mv
mv /usr/bin/curltnt /usr/bin/cd1
2⤵
- Reads runtime system information
PID:686

/bin/mv
mv /usr/bin/wget1 /usr/bin/wd1
2⤵
PID:688

/bin/mv
mv /usr/bin/curl1 /usr/bin/cd1
2⤵
PID:690

/bin/mv
mv /usr/bin/cur /usr/bin/cd1
2⤵
PID:691

/bin/mv
mv /usr/bin/cdl /usr/bin/cd1
2⤵
- Reads runtime system information
PID:693

/bin/mv
mv /usr/bin/cdt /usr/bin/cd1
2⤵
PID:694

/bin/mv
mv /usr/bin/xget /usr/bin/wd1
2⤵
PID:695

/bin/mv
mv /usr/bin/wge /usr/bin/wd1
2⤵
PID:696

/bin/mv
mv /usr/bin/wdl /usr/bin/wd1
2⤵
PID:698

/bin/mv
mv /usr/bin/wdt /usr/bin/wd1
2⤵
PID:699

/bin/mv
mv /usr/bin/wget /usr/bin/wd1
2⤵
- Reads runtime system information
PID:700

/bin/mv
mv /usr/bin/curl /usr/bin/cd1
2⤵
PID:701

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:702

/bin/grep
grep -i "[a]liyun"
2⤵
- Attempts to change immutable files
PID:703

/bin/grep
grep -i "[y]unjing"
2⤵
- Attempts to change immutable files
PID:705

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:704

/usr/sbin/setenforce
setenforce 0
2⤵
- Disables SELinux
PID:706

/usr/sbin/service
service apparmor stop
2⤵
PID:707

/usr/bin/basename
basename /usr/sbin/service
3⤵
PID:708

/usr/bin/basename
basename /usr/sbin/service
3⤵
PID:709

/bin/systemctl
systemctl --quiet is-active multi-user.target
3⤵
- Enumerates kernel/hardware configuration
PID:710

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
3⤵
- Enumerates kernel/hardware configuration
PID:712

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
3⤵
PID:713

/usr/local/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop apparmor.service
2⤵
- Disables AppArmor
PID:707

/usr/local/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop apparmor.service
2⤵
- Disables AppArmor
PID:707

/usr/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop apparmor.service
2⤵
- Disables AppArmor
PID:707

/usr/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop apparmor.service
2⤵
- Disables AppArmor
PID:707

/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop apparmor.service
2⤵
- Disables AppArmor
PID:707

/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop apparmor.service
2⤵
- Disables AppArmor
- Enumerates kernel/hardware configuration
PID:707

/bin/systemctl
systemctl disable apparmor
2⤵
- Disables AppArmor
- Enumerates kernel/hardware configuration
PID:714

/usr/sbin/service
service aliyun.service stop
2⤵
PID:715

/usr/bin/basename
basename /usr/sbin/service
3⤵
PID:717

/usr/bin/basename
basename /usr/sbin/service
3⤵
PID:719

/bin/systemctl
systemctl --quiet is-active multi-user.target
3⤵
- Disables AppArmor
- Enumerates kernel/hardware configuration
PID:720

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
3⤵
- Disables AppArmor
- Enumerates kernel/hardware configuration
PID:723

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
3⤵
PID:724

/usr/local/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
2⤵
- Disables AppArmor
PID:715

/usr/local/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
2⤵
- Disables AppArmor
PID:715

/usr/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
2⤵
- Disables AppArmor
PID:715

/usr/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
2⤵
- Disables AppArmor
PID:715

/sbin/systemctl
systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
2⤵
- Disables AppArmor
PID:715

/bin/systemctl
systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
2⤵
- Disables AppArmor
- Enumerates kernel/hardware configuration
PID:715

/bin/systemctl
systemctl disable aliyun.service
2⤵
- Disables AppArmor
- Enumerates kernel/hardware configuration
PID:728

/bin/grep
grep aegis
2⤵
PID:731

/bin/grep
grep -v grep
2⤵
PID:730

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:729

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:732

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:733

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:740

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:739

/bin/grep
grep Yun
2⤵
PID:738

/bin/grep
grep -v grep
2⤵
PID:737

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:736

/usr/bin/awk
awk "{print \$11}"
2⤵
PID:748

/usr/bin/xargs
xargs dirname
2⤵
PID:749

/usr/local/sbin/dirname
dirname
3⤵
PID:753

/usr/local/bin/dirname
dirname
3⤵
PID:753

/usr/sbin/dirname
dirname
3⤵
PID:753

/usr/bin/dirname
dirname
3⤵
PID:753

/bin/grep
grep aegis
2⤵
PID:747

/usr/bin/xargs
xargs rm -rf
2⤵
PID:750

/usr/local/sbin/rm
rm -rf
3⤵
PID:755

/usr/local/bin/rm
rm -rf
3⤵
PID:755

/usr/sbin/rm
rm -rf
3⤵
PID:755

/usr/bin/rm
rm -rf
3⤵
PID:755

/sbin/rm
rm -rf
3⤵
PID:755

/bin/rm
rm -rf
3⤵
PID:755

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:745

/bin/grep
grep -v grep
2⤵
PID:746

/bin/grep
grep hids
2⤵
PID:759

/bin/grep
grep -v grep
2⤵
PID:758

/usr/bin/awk
awk "{print \$11}"
2⤵
PID:760

/usr/bin/xargs
xargs dirname
2⤵
PID:761

/usr/local/sbin/dirname
dirname
3⤵
PID:765

/usr/local/bin/dirname
dirname
3⤵
PID:765

/usr/sbin/dirname
dirname
3⤵
PID:765

/usr/bin/dirname
dirname
3⤵
PID:765

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:757

/usr/bin/xargs
xargs rm -rf
2⤵
PID:762

/usr/local/sbin/rm
rm -rf
3⤵
PID:766

/usr/local/bin/rm
rm -rf
3⤵
PID:766

/usr/sbin/rm
rm -rf
3⤵
PID:766

/usr/bin/rm
rm -rf
3⤵
PID:766

/sbin/rm
rm -rf
3⤵
PID:766

/bin/rm
rm -rf
3⤵
PID:766

/usr/bin/xargs
xargs dirname
2⤵
PID:771

/usr/local/sbin/dirname
dirname
3⤵
PID:776

/usr/local/bin/dirname
dirname
3⤵
PID:776

/usr/sbin/dirname
dirname
3⤵
PID:776

/usr/bin/dirname
dirname
3⤵
PID:776

/usr/bin/awk
awk "{print \$11}"
2⤵
PID:770

/bin/grep
grep cloudwalker
2⤵
PID:769

/usr/bin/xargs
xargs rm -rf
2⤵
PID:772

/usr/local/sbin/rm
rm -rf
3⤵
PID:778

/usr/local/bin/rm
rm -rf
3⤵
PID:778

/usr/sbin/rm
rm -rf
3⤵
PID:778

/usr/bin/rm
rm -rf
3⤵
PID:778

/sbin/rm
rm -rf
3⤵
PID:778

/bin/rm
rm -rf
3⤵
PID:778

/bin/grep
grep -v grep
2⤵
PID:768

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:767

/usr/bin/awk
awk "{print \$11}"
2⤵
PID:782

/bin/grep
grep titanagent
2⤵
PID:781

/usr/bin/xargs
xargs rm -rf
2⤵
PID:784

/usr/local/sbin/rm
rm -rf
3⤵
PID:788

/usr/local/bin/rm
rm -rf
3⤵
PID:788

/usr/sbin/rm
rm -rf
3⤵
PID:788

/usr/bin/rm
rm -rf
3⤵
PID:788

/sbin/rm
rm -rf
3⤵
PID:788

/bin/rm
rm -rf
3⤵
PID:788

/usr/bin/xargs
xargs dirname
2⤵
PID:783

/usr/local/sbin/dirname
dirname
3⤵
PID:787

/usr/local/bin/dirname
dirname
3⤵
PID:787

/usr/sbin/dirname
dirname
3⤵
PID:787

/usr/bin/dirname
dirname
3⤵
PID:787

/bin/grep
grep -v grep
2⤵
PID:780

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:779

/usr/bin/xargs
xargs -I "{}" kill -9 "{}"
2⤵
- Attempts to change immutable files
PID:794

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:793

/bin/grep
grep edr
2⤵
PID:792

/bin/grep
grep -v grep
2⤵
PID:791

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:790

/usr/bin/xargs
xargs -I "{}" kill -9 "{}"
2⤵
- Attempts to change immutable files
PID:801

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:800

/bin/grep
grep aegis
2⤵
PID:799

/bin/grep
grep -v grep
2⤵
PID:798

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:797

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:807

/bin/grep
grep Yun
2⤵
PID:806

/usr/bin/xargs
xargs -I "{}" kill -9 "{}"
2⤵
- Attempts to change immutable files
PID:808

/bin/grep
grep -v grep
2⤵
PID:805

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:804

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:814

/bin/grep
grep hids
2⤵
PID:813

/usr/bin/xargs
xargs -I "{}" kill -9 "{}"
2⤵
- Attempts to change immutable files
PID:815

/bin/grep
grep -v grep
2⤵
PID:812

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:811

/usr/bin/xargs
xargs -I "{}" kill -9 "{}"
2⤵
- Attempts to change immutable files
PID:823

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:822

/bin/grep
grep edr
2⤵
PID:821

/bin/grep
grep -v grep
2⤵
PID:820

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:819

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:833

/bin/grep
grep cloudwalker
2⤵
PID:832

/usr/bin/xargs
xargs -I "{}" kill -9 "{}"
2⤵
- Attempts to change immutable files
PID:834

/bin/grep
grep -v grep
2⤵
PID:831

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:830

/usr/bin/xargs
xargs -I "{}" kill -9 "{}"
2⤵
- Attempts to change immutable files
PID:841

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:840

/bin/grep
grep titanagent
2⤵
PID:839

/bin/grep
grep -v grep
2⤵
PID:838

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:837

/usr/bin/xargs
xargs -I "{}" kill -9 "{}"
2⤵
- Attempts to change immutable files
PID:849

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:848

/bin/grep
grep sgagent
2⤵
PID:847

/bin/grep
grep -v grep
2⤵
PID:846

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:845

/bin/grep
grep -v grep
2⤵
PID:852

/bin/grep
grep barad_agent
2⤵
PID:853

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:851

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:854

/usr/bin/xargs
xargs -I "{}" kill -9 "{}"
2⤵
- Attempts to change immutable files
PID:855

/usr/bin/xargs
xargs -I "{}" kill -9 "{}"
2⤵
- Attempts to change immutable files
PID:861

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:860

/bin/grep
grep hostguard
2⤵
PID:859

/bin/grep
grep -v grep
2⤵
PID:858

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:857

/bin/rm
rm -rf /usr/local/aegis
2⤵
PID:862

/bin/sleep
sleep 1
2⤵
PID:863

/usr/bin/chattr
chattr -i /usr/bin/ip6network
2⤵
- Attempts to change immutable files
PID:876

/usr/bin/chattr
chattr -i /usr/bin/kswaped
2⤵
- Attempts to change immutable files
PID:877

/usr/bin/chattr
chattr -i /usr/bin/irqbalanced
2⤵
- Attempts to change immutable files
PID:879

/usr/bin/chattr
chattr -i /usr/bin/rctlcli
2⤵
- Attempts to change immutable files
PID:880

/usr/bin/chattr
chattr -i /usr/bin/systemd-network
2⤵
- Attempts to change immutable files
PID:882

/usr/bin/chattr
chattr -i /usr/bin/pamdicks
2⤵
- Attempts to change immutable files
PID:883

/usr/bin/chattr
chattr +i /usr/bin/ip6network
2⤵
- Attempts to change immutable files
PID:884

/usr/bin/chattr
chattr +i /usr/bin/kswaped
2⤵
- Attempts to change immutable files
PID:886

/usr/bin/chattr
chattr +i /usr/bin/irqbalanced
2⤵
- Attempts to change immutable files
PID:888

/usr/bin/chattr
chattr +i /usr/bin/rctlcli
2⤵
- Attempts to change immutable files
PID:889

/usr/bin/chattr
chattr +i /usr/bin/systemd-network
2⤵
- Attempts to change immutable files
PID:890

/usr/bin/chattr
chattr +i /usr/bin/pamdicks
2⤵
- Attempts to change immutable files
PID:892

/bin/sleep
sleep 1
2⤵
PID:893

/bin/rm
rm -f /tmp/.null
2⤵
PID:909

/sbin/sysctl
sysctl -w "vm.nr_hugepages=128"
2⤵
- Reads CPU attributes
PID:910

/bin/grep
grep 194.87.139.103
2⤵
PID:912

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:913

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:915

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:914

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:919

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:918

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:920

/bin/grep
grep 185.71.65.238
2⤵
PID:917

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:924

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:923

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:925

/bin/grep
grep 140.82.52.87
2⤵
PID:922

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:929

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:928

/bin/grep
grep -v -
2⤵
PID:930

/bin/grep
grep :23
2⤵
PID:927

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
- Reads runtime system information
PID:931

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:934

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:935

/bin/grep
grep -v -
2⤵
PID:936

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:937

/bin/grep
grep :143
2⤵
PID:933

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:941

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:940

/bin/grep
grep -v -
2⤵
PID:942

/bin/grep
grep :2222
2⤵
PID:939

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:943

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:947

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:946

/bin/grep
grep -v -
2⤵
PID:948

/bin/grep
grep :3333
2⤵
PID:945

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:949

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:952

/bin/grep
grep -v -
2⤵
PID:954

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:953

/bin/grep
grep :3389
2⤵
PID:951

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:955

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:959

/bin/grep
grep -v -
2⤵
PID:960

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:958

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:961

/bin/grep
grep :5555
2⤵
PID:957

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:964

/bin/grep
grep -v -
2⤵
PID:966

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:965

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:967

/bin/grep
grep :6666
2⤵
PID:963

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:970

/bin/grep
grep :6665
2⤵
PID:969

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:971

/bin/grep
grep -v -
2⤵
PID:972

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:973

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:977

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:976

/bin/grep
grep -v -
2⤵
PID:978

/bin/grep
grep :6667
2⤵
PID:975

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:979

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:983

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:982

/bin/grep
grep -v -
2⤵
PID:984

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:985

/bin/grep
grep :7777
2⤵
PID:981

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:989

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:988

/bin/grep
grep -v -
2⤵
PID:990

/bin/grep
grep :8444
2⤵
PID:987

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:991

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:995

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:994

/bin/grep
grep -v -
2⤵
PID:996

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:997

/bin/grep
grep :3347
2⤵
PID:993

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1000

/bin/grep
grep :10008
2⤵
PID:999

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
- Reads runtime system information
PID:1001

/bin/grep
grep -v -
2⤵
PID:1002

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1003

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1008

/bin/grep
grep :13531
2⤵
PID:1006

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1007

/bin/grep
grep -v grep
2⤵
PID:1005

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1012

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1013

/bin/grep
grep :3333
2⤵
PID:1011

/bin/grep
grep -v grep
2⤵
PID:1010

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1009

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Hijack Execution Flow

1

T1574

Privilege Escalation

Hijack Execution Flow

1

T1574

Defense Evasion

Indicator Removal

1

T1070

Hijack Execution Flow

1

T1574

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/zzhs
Filesize
2B

MD5
b026324c6904b2a9cb4b88d6d61c81d1

SHA1
e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e

SHA256
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865

SHA512
3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686

Download Submit
/usr/bin/irqbalanced
Filesize
2B

MD5
6d7fce9fee471194aa8b5b6e47267f03

SHA1
a3db5c13ff90a36963278c6a39e4ee3c22e2a436

SHA256
1121cfccd5913f0a63fec40a6ffd44ea64f9dc135c66634ba001d10bcf4302a2

SHA512
2b59d179d9815994f687383a886ea34109889756efca5ab27318cc67ce2a21261d12fa6fee6b8c716f72214ead55ee0d789d6c35cff977d40ef5728ba9188a80

Download Submit
/usr/bin/kswaped
Filesize
2B

MD5
26ab0db90d72e28ad0ba1e22ee510510

SHA1
7448d8798a4380162d4b56f9b452e2f6f9e24e7a

SHA256
53c234e5e8472b6ac51c1ae1cab3fe06fad053beb8ebfd8977b010655bfdd3c3

SHA512
63e22ec2fbeebabf005e58fbfb0eee607c4aa417045a68a0cc63767b048e3559268d35e72f367d3b2dbd5dbddf12fc4397762ba149260b3795a0391713bddcd7

Download Submit
/usr/bin/pamdicks
Filesize
2B

MD5
9ae0ea9e3c9c6e1b9b6252c8395efdc1

SHA1
ccf271b7830882da1791852baeca1737fcbe4b90

SHA256
06e9d52c1720fca412803e3b07c4b228ff113e303f4c7ab94665319d832bbfb7

SHA512
f3d08a4bfef201adbe711e8805f96ff13909719107dcac81f4fc9185040d59d8d573344a0707e697f8b4f0212e0d79f3bdd6b86688dd8c54019b9d93c937f3ca

Download Submit
/usr/bin/rctlcli
Filesize
2B

MD5
48a24b70a0b376535542b996af517398

SHA1
9c6b057a2b9d96a4067a749ee3b3b0158d390cf1

SHA256
7de1555df0c2700329e815b93b32c571c3ea54dc967b89e81ab73b9972b72d1d

SHA512
db545c410fd0c8ede533d5b0666cd2798ba380bd25b655619cd5fd3a33a255569b3ccc319bfdef3322d8392d894d15c2e6aa2d53346e6ac54eaf5d627bfe6a9a

Download Submit
/usr/bin/systemd-network
Filesize
2B

MD5
1dcca23355272056f04fe8bf20edfce0

SHA1
5d9474c0309b7ca09a182d888f73b37a8fe1362c

SHA256
f0b5c2c2211c8d67ed15e75e656c7862d086e9245420892a7de62cd9ec582a06

SHA512
29b3573989378848e91465abb8bb12aaad1c40f01ddba6ce5dce4de88d61d49621cd4272bc6f889cd469e9490040b412eb0a237cf2cd49c637da1d5de5903f3d

Download Submit
memory/977-1-0xb6c4c000-0xb6c5d044-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads