c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc

Analysis

max time kernel
0s
max time network
152s
platform
linux_amd64
resource
ubuntu-amd64
submitted
13-04-2021 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
Size

764KB
MD5

7d2595904aa6feb46b3e8f3262963042
SHA1

32f485eece997ee331809e98495641f2bddf8b3f
SHA256

c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
SHA512

77b36c4a46ae236b0e0bf5b839239b742e437d9d1990408165be0096defd6562976a0c4158fd2c9cd61287b785ecb178864ca379437e1304d6664593ca1115c5

Score

9^/10

persistence

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/sbin/init	/sbin/init	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/bin/login	/bin/login	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task

T1053

description	ioc	Process
/etc/crontab	/etc/crontab	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/usr/bin/python3	/usr/bin/python3	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/usr/sbin/rsyslogd	/usr/sbin/rsyslogd	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/usr/bin/dbus-daemon	/usr/bin/dbus-daemon	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/usr/sbin/cron	/usr/sbin/cron	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/usr/sbin/sshd	/usr/sbin/sshd	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	checkip.amazonaws.com
2	checkip.amazonaws.com

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/164/cmdline	/proc/164/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/344/cmdline	/proc/344/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/447/cmdline	/proc/447/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/83/cmdline	/proc/83/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/161/cmdline	/proc/161/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/152/cmdline	/proc/152/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/9/cmdline	/proc/9/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/19/cmdline	/proc/19/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/23/cmdline	/proc/23/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/33/cmdline	/proc/33/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/79/cmdline	/proc/79/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/80/cmdline	/proc/80/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/114/cmdline	/proc/114/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/163/cmdline	/proc/163/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/10/cmdline	/proc/10/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/13/cmdline	/proc/13/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/165/cmdline	/proc/165/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/349/cmdline	/proc/349/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/167/cmdline	/proc/167/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/359/cmdline	/proc/359/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/369/cmdline	/proc/369/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/22/cmdline	/proc/22/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/25/cmdline	/proc/25/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/78/cmdline	/proc/78/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/153/cmdline	/proc/153/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/159/cmdline	/proc/159/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/352/cmdline	/proc/352/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/370/cmdline	/proc/370/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/8/cmdline	/proc/8/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/26/cmdline	/proc/26/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/156/cmdline	/proc/156/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/160/cmdline	/proc/160/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/162/cmdline	/proc/162/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/343/cmdline	/proc/343/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/443/cmdline	/proc/443/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/11/cmdline	/proc/11/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/14/cmdline	/proc/14/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/151/cmdline	/proc/151/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/387/cmdline	/proc/387/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/20/cmdline	/proc/20/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/35/cmdline	/proc/35/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/18/cmdline	/proc/18/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/29/cmdline	/proc/29/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/32/cmdline	/proc/32/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/190/cmdline	/proc/190/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/237/cmdline	/proc/237/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/249/cmdline	/proc/249/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/1/cmdline	/proc/1/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/7/cmdline	/proc/7/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/351/cmdline	/proc/351/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/416/cmdline	/proc/416/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/15/cmdline	/proc/15/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/21/cmdline	/proc/21/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/30/cmdline	/proc/30/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/166/cmdline	/proc/166/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/169/cmdline	/proc/169/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/191/cmdline	/proc/191/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/3/cmdline	/proc/3/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/12/cmdline	/proc/12/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/17/cmdline	/proc/17/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/250/cmdline	/proc/250/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/479/cmdline	/proc/479/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/4/cmdline	/proc/4/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
/proc/5/cmdline	/proc/5/cmdline	c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc

./c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
./c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
1⤵
- Writes file to system bin folder
- Creates/modifies Cron job
- Write file to user bin folder
- Reads runtime system information
PID:562

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hijack Execution Flow

T1574

Scheduled Task

T1053

Privilege Escalation

Hijack Execution Flow

T1574

Scheduled Task

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads