ea096e487a5853558cc9f00936a167a915e97375c4892fe8111252da61d7cfbf | Triage

Analysis

max time kernel
0s
max time network
102s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
submitted
18/02/2022, 06:23

Sharing

Report Analysis Logs

General

Target

ea096e487a5853558cc9f00936a167a915e97375c4892fe8111252da61d7cfbf
Size

1.1MB
MD5

df76bc434765108eecd8cbfb6a8bde76
SHA1

566a6dd2fd0b0352b7b0867ac72817f9a66fda1c
SHA256

ea096e487a5853558cc9f00936a167a915e97375c4892fe8111252da61d7cfbf
SHA512

8e809ab6686de36c0d670aa5217f346377e4074dc49cb802702ab643fba20b325bc65da0961be6e4b98a237f84f59074953b1b34f7fc60bf0db391661803158d

Score

7^/10

Malware Config

Signatures

Write file to user bin folder 1 TTPs 3 IoCs

Hijack Execution Flow

description	ioc	Process
/usr/bin/bsd-port/udevd.lock	/usr/bin/bsd-port/udevd.lock	Process not Found
/usr/bin/bsd-port/getty	/usr/bin/bsd-port/getty	cp
/usr/bin/.swhd	/usr/bin/.swhd	cp

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/cmdline	/proc/cmdline	insmod
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	cp

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/bill.lock	/tmp/bill.lock	Process not Found
/tmp/ea096e487a5853558cc9f00936a167a915e97375c4892fe8111252da61d7cfbf	/tmp/ea096e487a5853558cc9f00936a167a915e97375c4892fe8111252da61d7cfbf	cp
/tmp/ea096e487a5853558cc9f00936a167a915e97375c4892fe8111252da61d7cfbf	/tmp/ea096e487a5853558cc9f00936a167a915e97375c4892fe8111252da61d7cfbf	cp
/tmp/notify.file	/tmp/notify.file	Process not Found

./ea096e487a5853558cc9f00936a167a915e97375c4892fe8111252da61d7cfbf
./ea096e487a5853558cc9f00936a167a915e97375c4892fe8111252da61d7cfbf
1⤵
PID:571

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
1⤵
PID:577
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
  2⤵
  PID:578

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
1⤵
PID:579
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
  2⤵
  PID:580

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
1⤵
PID:581
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
  2⤵
  PID:582

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
1⤵
PID:583
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
  2⤵
  PID:584

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
1⤵
PID:585
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
  2⤵
  PID:586

/bin/sh
sh -c "mkdir -p /usr/bin/bsd-port"
1⤵
PID:587
- /bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:588

/bin/sh
sh -c "cp -f /tmp/ea096e487a5853558cc9f00936a167a915e97375c4892fe8111252da61d7cfbf /usr/bin/bsd-port/getty"
1⤵
PID:589
- /bin/cp
  cp -f /tmp/ea096e487a5853558cc9f00936a167a915e97375c4892fe8111252da61d7cfbf /usr/bin/bsd-port/getty
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  - Writes file to tmp directory
  PID:590

/bin/sh
sh -c /usr/bin/bsd-port/getty
1⤵
PID:592
- /usr/bin/bsd-port/getty
  /usr/bin/bsd-port/getty
  2⤵
  PID:593

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:595
- /bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:596

/bin/sh
sh -c "cp -f /tmp/ea096e487a5853558cc9f00936a167a915e97375c4892fe8111252da61d7cfbf /usr/bin/.swhd"
1⤵
PID:597
- /bin/cp
  cp -f /tmp/ea096e487a5853558cc9f00936a167a915e97375c4892fe8111252da61d7cfbf /usr/bin/.swhd
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  - Writes file to tmp directory
  PID:598

/bin/sh
sh -c /usr/bin/.swhd
1⤵
PID:600
- /usr/bin/.swhd
  /usr/bin/.swhd
  2⤵
  PID:601

/bin/sh
sh -c "insmod /usr/lib/xpacket.ko"
1⤵
PID:603
- /sbin/insmod
  insmod /usr/lib/xpacket.ko
  2⤵
  - Reads runtime system information
  PID:604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

Privilege Escalation

Hijack Execution Flow

Defense Evasion

Hijack Execution Flow

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads