Analysis
- max time kernel: 21218s
- max time network: 150s
- platform: linux_amd64
- resource: ubuntu1804-amd64-en-20211208
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-en-20211208, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 11-08-2022 06:49
Static task: static1
Behavioral task: behavioral1
- Sample: ji6
- Resource: ubuntu1804-amd64-en-20211208 (ubuntu-18.04-amd64)
- 2 signatures
- 150 seconds
General
- Target: ji6
- Size: 51KB
- MD5: ad27e34064088850e9dbbc7ced541e7d
- SHA1: 453802576c9d2a5f748884f1429e5260fc768e74
- SHA256: 104ea5d063f5e689257c29cd9168bfe60010d4a85a7dd28d324d4b81a7b4a5f5
- SHA512: 6324bbbd40791135f1c4928234f1893e333c23cdd555e87267b95f10497998c997ed08a08b2267a94c26304e1ca28dd9da458ce86b14223b079c9d0f4a7b2f59
- Score: 7/10
Malware Config
Signatures
- Write file to user bin folder (1 TTPs, 1 IoCs)
  Processes (ioc, process):
    /usr/sbin/service    service
- Reads runtime system information (14 IoCs)
  Reads data from /proc virtual filesystem.
  Processes (ioc, process):
    /proc/1/sched                 systemctl
    /proc/cmdline                 systemctl
    /proc/sys/kernel/osrelease    systemctl
    /proc/1/environ               systemctl
    /proc/self/stat               systemctl
    /proc/self/stat               systemctl
    /proc/cmdline                 systemctl
    /proc/sys/kernel/osrelease    systemctl
    /proc/1/sched                 systemctl
    /proc/filesystems             cp
    /proc/filesystems             systemctl
    /proc/1/environ               systemctl
    /proc/filesystems             mkdir
    /proc/filesystems             systemctl
Processes (level, executable path, command line; signatures triggered by a process are listed beneath it)
- [1] /tmp/ji6    /tmp/ji6
- [1] /bin/sh    sh -c "crontab -r"
  - [2] /usr/bin/crontab    crontab -r
- [1] /bin/sh    sh -c "mkdir ~/.ddir"
  - [2] /bin/mkdir    mkdir "~/.ddir"
        Reads runtime system information
- [1] /bin/sh    sh -c "rm -rf ~/.ddir/dat178"
  - [2] /bin/rm    rm -rf "~/.ddir/dat178"
- [1] /bin/sh    sh -c "cp dat178 ~/.ddir/"
  - [2] /bin/cp    cp dat178 "~/.ddir/"
        Reads runtime system information
- [1] /bin/sh    sh -c "(crontab -l ; echo \"0,5,30,45 * * * * ~/.ddir/dat178 &\") | sort - | uniq - | crontab - && service cron restart"
  - [2] /usr/bin/sort    sort -
  - [2] /usr/bin/uniq    uniq -
  - [2] /usr/bin/crontab    crontab -
  - [2] /usr/sbin/service    service cron restart
        Write file to user bin folder
    - [3] /usr/bin/basename    basename /usr/sbin/service
    - [3] /usr/bin/basename    basename /usr/sbin/service
    - [3] /bin/systemctl    systemctl --quiet is-active multi-user.target
          Reads runtime system information
  - [2] /usr/local/sbin/systemctl    systemctl restart cron.service
  - [2] /usr/local/bin/systemctl    systemctl restart cron.service
  - [2] /usr/sbin/systemctl    systemctl restart cron.service
  - [2] /usr/bin/systemctl    systemctl restart cron.service
  - [2] /sbin/systemctl    systemctl restart cron.service
  - [2] /bin/systemctl    systemctl restart cron.service
        Reads runtime system information
- [1] /usr/bin/crontab    crontab -l