Analysis
- max time kernel: 0s
- max time network: 96s
- platform: linux_amd64
- resource: ubuntu1804-amd64-en-20211208
- submitted: 21-01-2022 22:52

Static task: static1

Behavioral task: behavioral1
- Sample: f4ff89b7994bda48548c58f6be117a547c3b38a91b62f4986c9377e6b37bef83
- Resource: ubuntu1804-amd64-en-20211208
- 0 signatures
- 0 seconds
General
- Target: f4ff89b7994bda48548c58f6be117a547c3b38a91b62f4986c9377e6b37bef83
- Size: 151KB
- MD5: 83cf481c39ca88dbcf3a5fac359cc9a5
- SHA1: 54c2519606316bc4b4106607a6cbad3c1b437cd8
- SHA256: f4ff89b7994bda48548c58f6be117a547c3b38a91b62f4986c9377e6b37bef83
- SHA512: 54befac5b059a227aa5a28f4526854907d70f1f33cdb6b9a1b7a59d831583e3017ddbd8658e4dd28cbdd7f32250516c41a9d90b1f4b8c12f234595b54548c6b2
- Score: 7/10
Malware Config

Signatures

Modifies rc script (1 TTPs, 1 IoCs)
Adding/modifying system rc scripts is a common persistence mechanism.
Processes:
description | ioc
/etc/rc.d/rc.local | /etc/rc.d/rc.local

Reads CPU attributes (1 TTPs, 29 IoCs)
Processes:
description | ioc | Process
/sys/devices/system/cpu/online | /sys/devices/system/cpu/online | pkill
(this row is repeated 29 times in the report, once for each pkill process in the tree below)

Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
Processes:
description | ioc | Process
/proc/81/status | /proc/81/status | pkill
/proc/451/cmdline | /proc/451/cmdline | pkill
/proc/425/cmdline | /proc/425/cmdline | pkill
/proc/156/cmdline | /proc/156/cmdline | pkill
/proc/81/cmdline | /proc/81/cmdline | pkill
/proc/130/cmdline | /proc/130/cmdline | pkill
/proc/154/cmdline | /proc/154/cmdline | pkill
/proc/342/cmdline | /proc/342/cmdline | pkill
/proc/22/status | /proc/22/status | pkill
/proc/24/cmdline | /proc/24/cmdline | pkill
/proc/30/status | /proc/30/status | pkill
/proc/417/cmdline | /proc/417/cmdline | pkill
/proc/625/status | /proc/625/status | pkill
/proc/417/status | /proc/417/status | pkill
/proc/30/status | /proc/30/status | pkill
/proc/79/status | /proc/79/status | pkill
/proc/251/status | /proc/251/status | pkill
/proc/29/cmdline | /proc/29/cmdline | pkill
/proc/165/status | /proc/165/status | pkill
/proc/163/status | /proc/163/status | pkill
/proc/84/cmdline | /proc/84/cmdline | pkill
/proc/158/status | /proc/158/status | pkill
/proc/27/cmdline | /proc/27/cmdline | pkill
/proc/7/cmdline | /proc/7/cmdline | pkill
/proc/35/status | /proc/35/status | pkill
/proc/18/cmdline | /proc/18/cmdline | pkill
/proc/584/status | /proc/584/status | pkill
/proc/25/cmdline | /proc/25/cmdline | pkill
/proc/34/status | /proc/34/status | pkill
/proc/587/status | /proc/587/status | pkill
/proc/9/status | /proc/9/status | pkill
/proc/81/cmdline | /proc/81/cmdline | pkill
/proc/16/status | /proc/16/status | pkill
/proc/153/status | /proc/153/status | pkill
/proc/9/status | /proc/9/status | pkill
/proc/25/cmdline | /proc/25/cmdline | pkill
/proc/161/cmdline | /proc/161/cmdline | pkill
/proc/584/status | /proc/584/status | pkill
/proc/582/cmdline | /proc/582/cmdline | pkill
/proc/85/status | /proc/85/status | pkill
/proc/162/status | /proc/162/status | pkill
/proc/162/status | /proc/162/status | pkill
/proc/4/cmdline | /proc/4/cmdline | pkill
/proc/162/cmdline | /proc/162/cmdline | pkill
/proc/78/cmdline | /proc/78/cmdline | pkill
/proc/24/status | /proc/24/status | pkill
/proc/192/cmdline | /proc/192/cmdline | pkill
/proc/153/cmdline | /proc/153/cmdline | pkill
/proc/160/status | /proc/160/status | pkill
/proc/26/status | /proc/26/status | pkill
/proc/23/status | /proc/23/status | pkill
/proc/165/cmdline | /proc/165/cmdline | pkill
/proc/7/cmdline | /proc/7/cmdline | pkill
/proc/169/cmdline | /proc/169/cmdline | pkill
/proc/425/status | /proc/425/status | pkill
/proc/5/cmdline | /proc/5/cmdline | pkill
/proc/16/status | /proc/16/status | pkill
/proc/36/cmdline | /proc/36/cmdline | pkill
/proc/34/cmdline | /proc/34/cmdline | pkill
/proc/13/status | /proc/13/status | pkill
/proc/130/cmdline | /proc/130/cmdline | pkill
/proc/80/status | /proc/80/status | pkill
/proc/425/status | /proc/425/status | pkill
/proc/252/cmdline | /proc/252/cmdline | pkill
Processes
image | command line | PID | signatures (indented entries are child processes of the entry above)
- ./f4ff89b7994bda48548c58f6be117a547c3b38a91b62f4986c9377e6b37bef83 | ./f4ff89b7994bda48548c58f6be117a547c3b38a91b62f4986c9377e6b37bef83 | PID 581
- /bin/sh | sh -c "pkill -9 mirai.* || busybox pkill -9 mirai.*" | PID 585
  - /usr/bin/pkill | pkill -9 "mirai.*" | PID 586 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 "mirai.*" | PID 591
- /bin/sh | sh -c "pkill -9 dlr.*mips || busybox pkill -9 dlr.*mips" | PID 592
  - /usr/bin/pkill | pkill -9 "dlr.*mips" | PID 593 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 "dlr.*mips" | PID 594
- /bin/sh | sh -c "pkill -9 mips64 || busybox pkill -9 mips64" | PID 595
  - /usr/bin/pkill | pkill -9 mips64 | PID 596 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 mips64 | PID 597
- /bin/sh | sh -c "pkill -9 mipsel || busybox pkill -9 mipsel" | PID 598
  - /usr/bin/pkill | pkill -9 mipsel | PID 599 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 mipsel | PID 600
- /bin/sh | sh -c "pkill -9 sh2eb || busybox pkill -9 sh2eb" | PID 601
  - /usr/bin/pkill | pkill -9 sh2eb | PID 602 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 sh2eb | PID 603
- /bin/sh | sh -c "pkill -9 sh2elf || busybox pkill -9 sh2elf" | PID 604
  - /usr/bin/pkill | pkill -9 sh2elf | PID 605 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 sh2elf | PID 606
- /bin/sh | sh -c "pkill -9 sh4 || busybox pkill -9 sh4" | PID 607
  - /usr/bin/pkill | pkill -9 sh4 | PID 608 | Reads CPU attributes
  - /bin/busybox | busybox pkill -9 sh4 | PID 609
- /bin/sh | sh -c "pkill -9 x86 || busybox pkill -9 x86" | PID 610
  - /usr/bin/pkill | pkill -9 x86 | PID 611 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 x86 | PID 612
- /bin/sh | sh -c "pkill -9 arm || busybox pkill -9 arm" | PID 613
  - /usr/bin/pkill | pkill -9 arm | PID 614 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 arm | PID 615
- /bin/sh | sh -c "pkill -9 armv5 || busybox pkill -9 armv5" | PID 616
  - /usr/bin/pkill | pkill -9 armv5 | PID 617 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 armv5 | PID 618
- /bin/sh | sh -c "pkill -9 armv4tl || busybox pkill -9 armv4tl" | PID 619
  - /usr/bin/pkill | pkill -9 armv4tl | PID 620 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 armv4tl | PID 621
- /bin/sh | sh -c "pkill -9 armv4 || busybox pkill -9 armv4" | PID 622
  - /usr/bin/pkill | pkill -9 armv4 | PID 623 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 armv4 | PID 624
- /bin/sh | sh -c "pkill -9 armv6 || busybox pkill -9 armv6" | PID 625
  - /usr/bin/pkill | pkill -9 armv6 | PID 626 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 armv6 | PID 627
- /bin/sh | sh -c "pkill -9 i686 || busybox pkill -9 i686" | PID 628
  - /usr/bin/pkill | pkill -9 i686 | PID 629 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 i686 | PID 630
- /bin/sh | sh -c "pkill -9 powerpc || busybox pkill -9 powerpc" | PID 631
  - /usr/bin/pkill | pkill -9 powerpc | PID 632 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 powerpc | PID 633
- /bin/sh | sh -c "pkill -9 powerpc440fp || busybox pkill -9 powerpc440fp" | PID 634
  - /usr/bin/pkill | pkill -9 powerpc440fp | PID 635 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 powerpc440fp | PID 636
- /bin/sh | sh -c "pkill -9 i586 || busybox pkill -9 i586" | PID 637
  - /usr/bin/pkill | pkill -9 i586 | PID 638 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 i586 | PID 639
- /bin/sh | sh -c "pkill -9 m68k || busybox pkill -9 m68k" | PID 640
  - /usr/bin/pkill | pkill -9 m68k | PID 641 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 m68k | PID 642
- /bin/sh | sh -c "pkill -9 sparc || busybox pkill -9 sparc" | PID 643
  - /usr/bin/pkill | pkill -9 sparc | PID 644 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 sparc | PID 645
- /bin/sh | sh -c "pkill -9 x86_64 || busybox pkill -9 x86_64" | PID 646
  - /usr/bin/pkill | pkill -9 x86_64 | PID 647 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 x86_64 | PID 648
- /bin/sh | sh -c "pkill -9 jackmy* || busybox pkill -9 jackmy*" | PID 649
  - /usr/bin/pkill | pkill -9 "jackmy*" | PID 650 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 "jackmy*" | PID 651
- /bin/sh | sh -c "pkill -9 hackmy* || busybox pkill -9 hackmy*" | PID 652
  - /usr/bin/pkill | pkill -9 "hackmy*" | PID 653 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 "hackmy*" | PID 654
- /bin/sh | sh -c "pkill -9 b1 || busybox pkill -9 b1" | PID 655
  - /usr/bin/pkill | pkill -9 b1 | PID 656 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 b1 | PID 657
- /bin/sh | sh -c "pkill -9 b2 || busybox pkill -9 b2" | PID 658
  - /usr/bin/pkill | pkill -9 b2 | PID 659 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 b2 | PID 660
- /bin/sh | sh -c "pkill -9 b3 || busybox pkill -9 b3" | PID 661
  - /usr/bin/pkill | pkill -9 b3 | PID 662 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 b3 | PID 663
- /bin/sh | sh -c "pkill -9 b4 || busybox pkill -9 b4" | PID 664
  - /usr/bin/pkill | pkill -9 b4 | PID 665 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 b4 | PID 666
- /bin/sh | sh -c "pkill -9 b5 || busybox pkill -9 b5" | PID 667
  - /usr/bin/pkill | pkill -9 b5 | PID 668 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 b5 | PID 669
- /bin/sh | sh -c "pkill -9 b6 || busybox pkill -9 b6" | PID 670
  - /usr/bin/pkill | pkill -9 b6 | PID 671 | Reads CPU attributes; Reads runtime system information
  - /bin/busybox | busybox pkill -9 b6 | PID 672
- /bin/sh | sh -c "pkill -9 b7 || busybox pkill -9 b7" | PID 673
  - /usr/bin/pkill | pkill -9 b7 | PID 674 | Reads CPU attributes; Reads runtime system information