General

  • Target

    init.sh

  • Size

    39KB

  • Sample

    210507-k6gaa6hb3a

  • MD5

    cbdc3a5c3a3c4bca9d4f71b2f5a285ee

  • SHA1

    d7130c8513e095516e5d5a9d51f5d5c4777151b5

  • SHA256

    fe0816092e006960f2261a3fa919b577aa392291bb0a11149805c651ac633909

  • SHA512

    00d2df9ba288e712bfe2577d9209311d6347e1a0fcf9137938619a8cda3401bd814672f5f9a6691417a5d6c721e9f856463195b1daed164034e677697a4cd890

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Deletes system logs

    • Writes file to system bin folder

    • Modifies hosts file

      Adds entries to the hosts file, which is used to map hostnames to IP addresses.

    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies a system service, likely for persistence.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Writes file to user bin folder

    • Reads CPU attributes

    • Enumerates kernel/hardware configuration

      Reads contents of /sys virtual filesystem to enumerate system information.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                Technique                          Count  ID
  Execution             Scheduled Task                     1      T1053
  Persistence           Hijack Execution Flow              2      T1574
  Persistence           Scheduled Task                     1      T1053
  Persistence           Boot or Logon Autostart Execution  2      T1547
  Privilege Escalation  Hijack Execution Flow              2      T1574
  Privilege Escalation  Scheduled Task                     1      T1053
  Privilege Escalation  Boot or Logon Autostart Execution  2      T1547
  Defense Evasion       Indicator Removal on Host          1      T1070
  Defense Evasion       Hijack Execution Flow              2      T1574
  Discovery             System Information Discovery       2      T1082
  Command and Control   Dynamic Resolution                 1      T1568

Tasks