4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2

Resubmissions

20-07-2021 12:54

210720-rc9l4c6m7x 10

12-07-2021 07:08

210712-lgfebklxd6 10

Analysis

max time kernel
20984s
max time network
216s
platform
linux_amd64
resource
ubuntu-amd64
submitted
20-07-2021 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
Size

764KB
MD5

e98cb10437462f3873a6b50d207d287f
SHA1

1e5868157303c0cf825033c465722399b0d36c1f
SHA256

4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2
SHA512

a8e77f9f35b5398d3ea6eed7e307fe6d27cc1b9d7f10e0d8e8482b789dc7a06b18d2f4bc4c6e2157f696e07eb4a140e3d9e44e9d42cbb0d5a229b7e2c2d432b8

Score

9^/10

persistence

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/sbin/init	/sbin/init	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/bin/login	/bin/login	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task

T1053

description	ioc	Process
/etc/crontab	/etc/crontab	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/usr/bin/dbus-daemon	/usr/bin/dbus-daemon	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/usr/sbin/cron	/usr/sbin/cron	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/usr/sbin/sshd	/usr/sbin/sshd	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/usr/bin/python3	/usr/bin/python3	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/usr/sbin/rsyslogd	/usr/sbin/rsyslogd	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.amazonaws.com
5	checkip.amazonaws.com

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/300/cmdline	/proc/300/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/26/cmdline	/proc/26/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/152/cmdline	/proc/152/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/167/cmdline	/proc/167/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/23/cmdline	/proc/23/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/33/cmdline	/proc/33/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/78/cmdline	/proc/78/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/249/cmdline	/proc/249/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/250/cmdline	/proc/250/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/4/cmdline	/proc/4/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/6/cmdline	/proc/6/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/11/cmdline	/proc/11/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/369/cmdline	/proc/369/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/114/cmdline	/proc/114/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/156/cmdline	/proc/156/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/161/cmdline	/proc/161/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/302/cmdline	/proc/302/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/416/cmdline	/proc/416/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/18/cmdline	/proc/18/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/24/cmdline	/proc/24/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/32/cmdline	/proc/32/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/559/cmdline	/proc/559/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/157/cmdline	/proc/157/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/3/cmdline	/proc/3/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/12/cmdline	/proc/12/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/97/cmdline	/proc/97/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/21/cmdline	/proc/21/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/160/cmdline	/proc/160/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/22/cmdline	/proc/22/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/34/cmdline	/proc/34/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/163/cmdline	/proc/163/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/164/cmdline	/proc/164/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/359/cmdline	/proc/359/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/2/cmdline	/proc/2/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/9/cmdline	/proc/9/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/10/cmdline	/proc/10/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/479/cmdline	/proc/479/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/29/cmdline	/proc/29/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/30/cmdline	/proc/30/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/80/cmdline	/proc/80/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/151/cmdline	/proc/151/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/155/cmdline	/proc/155/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/8/cmdline	/proc/8/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/13/cmdline	/proc/13/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/16/cmdline	/proc/16/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/169/cmdline	/proc/169/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/352/cmdline	/proc/352/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/159/cmdline	/proc/159/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/370/cmdline	/proc/370/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/27/cmdline	/proc/27/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/165/cmdline	/proc/165/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/7/cmdline	/proc/7/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/35/cmdline	/proc/35/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/88/cmdline	/proc/88/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/166/cmdline	/proc/166/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/191/cmdline	/proc/191/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/351/cmdline	/proc/351/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/1/cmdline	/proc/1/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/17/cmdline	/proc/17/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/81/cmdline	/proc/81/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/31/cmdline	/proc/31/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/237/cmdline	/proc/237/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/19/cmdline	/proc/19/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
/proc/20/cmdline	/proc/20/cmdline	4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin

./4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
./4655b4b44f6962e4f9641a52c24373390766c50b62fcc222e40511c0f1ed91d2.bin
1⤵
- Writes file to system bin folder
- Creates/modifies Cron job
- Write file to user bin folder
- Reads runtime system information
PID:689

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hijack Execution Flow

T1574

Scheduled Task

T1053

Privilege Escalation

Hijack Execution Flow

T1574

Scheduled Task

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads