104ea5d063f5e689257c29cd9168bfe60010d4a85a7dd28d324d4b81a7b4a5f5

Analysis

max time kernel
21218s
max time network
150s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
11-08-2022 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ji6
Size

51KB
MD5

ad27e34064088850e9dbbc7ced541e7d
SHA1

453802576c9d2a5f748884f1429e5260fc768e74
SHA256

104ea5d063f5e689257c29cd9168bfe60010d4a85a7dd28d324d4b81a7b4a5f5
SHA512

6324bbbd40791135f1c4928234f1893e333c23cdd555e87267b95f10497998c997ed08a08b2267a94c26304e1ca28dd9da458ce86b14223b079c9d0f4a7b2f59

Score

7^/10

Malware Config

Signatures

Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

service

description ioc process

/usr/sbin/service /usr/sbin/service service

description	ioc	process
/usr/sbin/service	/usr/sbin/service	service

Reads runtime system information 14 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsystemctlcpmkdir

description	ioc	process
/proc/1/sched	/proc/1/sched	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl
/proc/1/sched	/proc/1/sched	systemctl
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	systemctl

/tmp/ji6
/tmp/ji6
1⤵
PID:577

/bin/sh
sh -c "crontab -r"
1⤵
PID:578

/usr/bin/crontab
crontab -r
2⤵
PID:579

/bin/sh
sh -c "mkdir ~/.ddir"
1⤵
PID:580

/bin/mkdir
mkdir "~/.ddir"
2⤵
- Reads runtime system information
PID:581

/bin/sh
sh -c "rm -rf ~/.ddir/dat178"
1⤵
PID:582

/bin/rm
rm -rf "~/.ddir/dat178"
2⤵
PID:583

/bin/sh
sh -c "cp dat178 ~/.ddir/"
1⤵
PID:584

/bin/cp
cp dat178 "~/.ddir/"
2⤵
- Reads runtime system information
PID:585

/bin/sh
sh -c "(crontab -l ; echo \"0,5,30,45 * * * * ~/.ddir/dat178 &\") | sort - | uniq - | crontab - && service cron restart"
1⤵
PID:586

/usr/bin/sort
sort -
2⤵
PID:588

/usr/bin/uniq
uniq -
2⤵
PID:589

/usr/bin/crontab
crontab -
2⤵
PID:590

/usr/sbin/service
service cron restart
2⤵
- Write file to user bin folder
PID:592

/usr/bin/basename
basename /usr/sbin/service
3⤵
PID:593

/usr/bin/basename
basename /usr/sbin/service
3⤵
PID:594

/bin/systemctl
systemctl --quiet is-active multi-user.target
3⤵
- Reads runtime system information
PID:595

/usr/local/sbin/systemctl
systemctl restart cron.service
2⤵
PID:592

/usr/local/bin/systemctl
systemctl restart cron.service
2⤵
PID:592

/usr/sbin/systemctl
systemctl restart cron.service
2⤵
PID:592

/usr/bin/systemctl
systemctl restart cron.service
2⤵
PID:592

/sbin/systemctl
systemctl restart cron.service
2⤵
PID:592

/bin/systemctl
systemctl restart cron.service
2⤵
- Reads runtime system information
PID:592

/usr/bin/crontab
crontab -l
1⤵
PID:591

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads