af736d0466d0c88fe66666676ca09462fddedbbe8befe49dd2dc691053c293c6

General

Target

pty
Size

43KB
MD5

4828b6dfe2f542f5763109c015a1fc57
SHA1

08b0e90b15ef106b1a67273788ab42763b728e0a
SHA256

af736d0466d0c88fe66666676ca09462fddedbbe8befe49dd2dc691053c293c6
SHA512

242cb978a8dff0857bd83618b68b07834794a67a86a9421fc55934db220254e20395825b089b9be6fda577cee9451d3d9eaa66de2835932591ccd2d681481796

Score

8^/10

Malware Config

Signatures

Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.

Processes:

sudo

description ioc process

/etc/hosts /etc/hosts sudo
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.

Dynamic Resolution
T1568

Processes:

sudo

description ioc process

/etc/resolv.conf /etc/resolv.conf sudo
Write file to user bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

serviceservice

description ioc process

/usr/sbin/service /usr/sbin/service service
/usr/sbin/service /usr/sbin/service service

description	ioc	process
/etc/hosts	/etc/hosts	sudo

description	ioc	process
/etc/resolv.conf	/etc/resolv.conf	sudo

description	ioc	process
/usr/sbin/service	/usr/sbin/service	service
/usr/sbin/service	/usr/sbin/service	service

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

killallkillallkillallsystemctlkillallkillallkillallsystemctlsystemctlkillallkillallkillallsystemctlkillallsystemctlsystemctlsystemctlsystemctl

description	ioc	process
/proc/347/cmdline	/proc/347/cmdline	killall
/proc/599/stat	/proc/599/stat	killall
/proc/339/stat	/proc/339/stat	killall
/proc/cmdline	/proc/cmdline	systemctl
/proc/17/stat	/proc/17/stat	killall
/proc/286/cmdline	/proc/286/cmdline	killall
/proc/78/stat	/proc/78/stat	killall
/proc/578/stat	/proc/578/stat	killall
/proc/193/stat	/proc/193/stat	killall
/proc/251/stat	/proc/251/stat	killall
/proc/1/sched	/proc/1/sched	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/28/stat	/proc/28/stat	killall
/proc/31/stat	/proc/31/stat	killall
/proc/34/stat	/proc/34/stat	killall
/proc/27/stat	/proc/27/stat	killall
/proc/169/stat	/proc/169/stat	killall
/proc/83/stat	/proc/83/stat	killall
/proc/356/stat	/proc/356/stat	killall
/proc/161/stat	/proc/161/stat	killall
/proc/223/stat	/proc/223/stat	killall
/proc/32/stat	/proc/32/stat	killall
/proc/1/sched	/proc/1/sched	systemctl
/proc/192/stat	/proc/192/stat	killall
/proc/333/stat	/proc/333/stat	killall
/proc/22/stat	/proc/22/stat	killall
/proc/155/stat	/proc/155/stat	killall
/proc/161/stat	/proc/161/stat	killall
/proc/420/stat	/proc/420/stat	killall
/proc/1/environ	/proc/1/environ	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl
/proc/28/stat	/proc/28/stat	killall
/proc/153/stat	/proc/153/stat	killall
/proc/1/stat	/proc/1/stat	killall
/proc/16/stat	/proc/16/stat	killall
/proc/352/stat	/proc/352/stat	killall
/proc/418/stat	/proc/418/stat	killall
/proc/filesystems	/proc/filesystems	systemctl
/proc/164/stat	/proc/164/stat	killall
/proc/85/stat	/proc/85/stat	killall
/proc/8/stat	/proc/8/stat	killall
/proc/1/environ	/proc/1/environ	systemctl
/proc/17/stat	/proc/17/stat	killall
/proc/286/stat	/proc/286/stat	killall
/proc/8/stat	/proc/8/stat	killall
/proc/575/stat	/proc/575/stat	killall
/proc/36/stat	/proc/36/stat	killall
/proc/341/stat	/proc/341/stat	killall
/proc/347/cmdline	/proc/347/cmdline	killall
/proc/223/stat	/proc/223/stat	killall
/proc/356/stat	/proc/356/stat	killall
/proc/193/cmdline	/proc/193/cmdline	killall
/proc/1/environ	/proc/1/environ	systemctl
/proc/1/sched	/proc/1/sched	systemctl
/proc/14/stat	/proc/14/stat	killall
/proc/169/stat	/proc/169/stat	killall
/proc/169/stat	/proc/169/stat	killall
/proc/159/stat	/proc/159/stat	killall
/proc/4/stat	/proc/4/stat	killall
/proc/15/stat	/proc/15/stat	killall
/proc/3/stat	/proc/3/stat	killall
/proc/159/stat	/proc/159/stat	killall
/proc/81/stat	/proc/81/stat	killall
/proc/25/stat	/proc/25/stat	killall

Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.

Processes:

catrm

description ioc

/tmp/.xs /tmp/.xs
/tmp/.xs/*.pid /tmp/.xs/*.pid cat
/tmp/.xs/* /tmp/.xs/* rm

description	ioc
/tmp/.xs	/tmp/.xs
/tmp/.xs/*.pid	/tmp/.xs/*.pid	cat
/tmp/.xs/*	/tmp/.xs/*	rm

/tmp/pty
/tmp/pty
1⤵
PID:577

/bin/sh
sh -c "rm -rf /var/run/wgsh > /dev/null 2>&1 &"
1⤵
PID:579

/bin/rm
rm -rf /var/run/wgsh
2⤵
PID:580

/bin/sh
sh -c "rm -rf /var/run/bbsh > /dev/null 2>&1 &"
1⤵
PID:581

/bin/rm
rm -rf /var/run/bbsh
2⤵
PID:582

/bin/sh
sh -c "rm -rf /var/run/pty > /dev/null 2>&1 &"
1⤵
PID:583

/bin/rm
rm -rf /var/run/pty
2⤵
PID:584

/bin/sh
sh -c "killall -9 arm > /dev/null 2>&1 &"
1⤵
PID:585

/usr/bin/killall
killall -9 arm
2⤵
- Reads runtime system information
PID:586

/bin/sh
sh -c "killall -9 mips > /dev/null 2>&1 &"
1⤵
PID:587

/usr/bin/killall
killall -9 mips
2⤵
- Reads runtime system information
PID:588

/bin/sh
sh -c "killall -9 mipsel > /dev/null 2>&1 &"
1⤵
PID:589

/usr/bin/killall
killall -9 mipsel
2⤵
- Reads runtime system information
PID:590

/bin/sh
sh -c "killall -9 powerpc > /dev/null 2>&1 &"
1⤵
PID:591

/usr/bin/killall
killall -9 powerpc
2⤵
- Reads runtime system information
PID:592

/bin/sh
sh -c "killall -9 ppc > /dev/null 2>&1 &"
1⤵
PID:593

/usr/bin/killall
killall -9 ppc
2⤵
- Reads runtime system information
PID:594

/bin/sh
sh -c "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"
1⤵
PID:595

/usr/bin/killall
killall -9 daemon.armv4l.mod
2⤵
- Reads runtime system information
PID:596

/bin/sh
sh -c "killall -9 daemon.i686.mod > /dev/null 2>&1 &"
1⤵
PID:597

/usr/bin/killall
killall -9 daemon.i686.mod
2⤵
- Reads runtime system information
PID:598

/bin/sh
sh -c "killall -9 daemon.mips.mod > /dev/null 2>&1 &"
1⤵
PID:599

/usr/bin/killall
killall -9 daemon.mips.mod
2⤵
- Reads runtime system information
PID:600

/bin/sh
sh -c "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"
1⤵
PID:601

/usr/bin/killall
killall -9 daemon.mipsel.mod
2⤵
- Reads runtime system information
PID:602

/bin/sh
sh -c "kill -9 `cat /tmp/.xs/*.pid` > /dev/null 2>&1 &"
1⤵
PID:603

/bin/sh
sh -c "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"
1⤵
PID:605

/bin/rm
rm -rf "/tmp/.xs/*"
2⤵
- Writes file to tmp directory
PID:607

/bin/cat
cat "/tmp/.xs/*.pid"
1⤵
- Writes file to tmp directory
PID:606

/bin/sh
sh -c "touch -acmr /bin/ls /tmp/pty"
1⤵
PID:608

/usr/bin/touch
touch -acmr /bin/ls /tmp/pty
2⤵
PID:613

/bin/sh
sh -c "(crontab -l | grep -v \"/tmp/pty\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1"
1⤵
PID:614

/bin/grep
grep -v /tmp/pty
1⤵
PID:617

/usr/bin/crontab
crontab -l
1⤵
PID:616

/bin/grep
grep -v "no cron"
1⤵
PID:618

/bin/grep
grep -v lesshts/run.sh
1⤵
PID:619

/bin/sh
sh -c "echo \"* * * * * /tmp/pty > /dev/null 2>&1 &\" >> /var/run/.x001804289383"
1⤵
PID:620

/bin/sh
sh -c "crontab /var/run/.x001804289383"
1⤵
PID:621

/usr/bin/crontab
crontab /var/run/.x001804289383
2⤵
PID:622

/bin/sh
sh -c "rm -rf /var/run/.x001804289383"
1⤵
PID:623

/bin/rm
rm -rf /var/run/.x001804289383
2⤵
PID:624

/bin/sh
sh -c "/bin/uname -n"
1⤵
PID:625

/bin/uname
/bin/uname -n
2⤵
PID:626

/bin/sh
sh -c "/bin/uname -n"
1⤵
PID:627

/bin/uname
/bin/uname -n
2⤵
PID:628

/bin/sh
sh -c "export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;( kill -9 `cat /var/run/dropbear.pid` `cat /var/run/sshd.pid` ; service sshd stop ; sudo service sshd stop ; killall -9 sshd dropbear ; kill -9 `pidof sshd` `pidof dropbear` )>/dev/null 2>&1 & "
1⤵
PID:631

/bin/cat
cat /var/run/dropbear.pid
1⤵
PID:633

/bin/cat
cat /var/run/sshd.pid
1⤵
PID:634

/usr/sbin/service
service sshd stop
1⤵
- Write file to user bin folder
PID:635

/usr/bin/basename
basename /usr/sbin/service
2⤵
PID:636

/usr/bin/basename
basename /usr/sbin/service
2⤵
PID:637

/bin/systemctl
systemctl --quiet is-active multi-user.target
2⤵
PID:638

/bin/systemctl
systemctl -p Triggers show dbus.socket
2⤵
PID:642

/bin/systemctl
systemctl -p Triggers show ssh.socket
2⤵
PID:644

/bin/systemctl
systemctl -p Triggers show syslog.socket
2⤵
- Reads runtime system information
PID:646

/bin/systemctl
systemctl -p Triggers show systemd-fsckd.socket
2⤵
PID:647

/bin/systemctl
systemctl -p Triggers show systemd-initctl.socket
2⤵
PID:648

/bin/systemctl
systemctl -p Triggers show systemd-journald-audit.socket
2⤵
PID:649

/bin/systemctl
systemctl -p Triggers show systemd-journald-dev-log.socket
2⤵
PID:650

/bin/systemctl
systemctl -p Triggers show systemd-journald.socket
2⤵
PID:651

/bin/systemctl
systemctl -p Triggers show systemd-networkd.socket
2⤵
PID:652

/bin/systemctl
systemctl -p Triggers show systemd-rfkill.socket
2⤵
PID:653

/bin/systemctl
systemctl -p Triggers show systemd-udevd-control.socket
2⤵
PID:654

/bin/systemctl
systemctl -p Triggers show systemd-udevd-kernel.socket
2⤵
PID:655

/bin/systemctl
systemctl -p Triggers show uuidd.socket
2⤵
- Reads runtime system information
PID:656

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
PID:640

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:641

/bin/systemctl
systemctl stop sshd.service
1⤵
- Reads runtime system information
PID:635

/usr/bin/sudo
sudo service sshd stop
1⤵
- Modifies hosts file
- Writes DNS configuration
PID:657

/usr/sbin/service
service sshd stop
2⤵
- Write file to user bin folder
PID:658

/usr/bin/basename
basename /usr/sbin/service
3⤵
PID:659

/usr/bin/basename
basename /usr/sbin/service
3⤵
PID:660

/bin/systemctl
systemctl --quiet is-active multi-user.target
3⤵
- Reads runtime system information
PID:661

/bin/systemctl
systemctl -p Triggers show dbus.socket
3⤵
PID:665

/bin/systemctl
systemctl -p Triggers show ssh.socket
3⤵
PID:666

/bin/systemctl
systemctl -p Triggers show syslog.socket
3⤵
PID:667

/bin/systemctl
systemctl -p Triggers show systemd-fsckd.socket
3⤵
PID:668

/bin/systemctl
systemctl -p Triggers show systemd-initctl.socket
3⤵
PID:669

/bin/systemctl
systemctl -p Triggers show systemd-journald-audit.socket
3⤵
- Reads runtime system information
PID:670

/bin/systemctl
systemctl -p Triggers show systemd-journald-dev-log.socket
3⤵
PID:671

/bin/systemctl
systemctl -p Triggers show systemd-journald.socket
3⤵
- Reads runtime system information
PID:672

/bin/systemctl
systemctl -p Triggers show systemd-networkd.socket
3⤵
PID:676

/bin/systemctl
systemctl -p Triggers show systemd-rfkill.socket
3⤵
- Reads runtime system information
PID:677

/bin/systemctl
systemctl -p Triggers show systemd-udevd-control.socket
3⤵
PID:678

/bin/systemctl
systemctl -p Triggers show systemd-udevd-kernel.socket
3⤵
PID:679

/bin/systemctl
systemctl -p Triggers show uuidd.socket
3⤵
PID:680

/usr/local/sbin/systemctl
systemctl stop sshd.service
2⤵
PID:658

/usr/local/bin/systemctl
systemctl stop sshd.service
2⤵
PID:658

/usr/sbin/systemctl
systemctl stop sshd.service
2⤵
PID:658

/usr/bin/systemctl
systemctl stop sshd.service
2⤵
PID:658

/sbin/systemctl
systemctl stop sshd.service
2⤵
PID:658

/bin/systemctl
systemctl stop sshd.service
2⤵
- Reads runtime system information
PID:658

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
PID:663

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:664

/usr/bin/killall
killall -9 sshd dropbear
1⤵
- Reads runtime system information
PID:681

/bin/pidof
pidof sshd
1⤵
PID:682

/bin/pidof
pidof dropbear
1⤵
PID:683

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hijack Execution Flow

1

T1574

Privilege Escalation

Hijack Execution Flow

1

T1574

Defense Evasion

Hijack Execution Flow

1

T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Dynamic Resolution

1

T1568

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads