690691d9e648f0a9cff8adc34b2abe0b816005ac5c57dc2f64a8355061457046

Resubmissions

11-11-2022 05:27

221111-f5mfzsbddr 10

11-11-2022 05:26

11-11-2022 05:23

11-11-2022 01:46

11-11-2022 01:45

11-11-2022 01:45

11-11-2022 01:43

Analysis

max time kernel
0s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
11-11-2022 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1
Size

1.8MB
MD5

92ed8739cfb9132c8b57016e3c071a28
SHA1

362aa21546904629b28a56c9d5c4bfd3b53296f5
SHA256

3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1
SHA512

755cab9f92d9bb39b1afc890e6d220f1e9ff884bb5c9ab9a526dd7af204fa88c21d88fb2c153c28eb577a5730548dca3ad8ffa20d3b31ed3fb550fce98f7c3d3
SSDEEP

49152:IqeL+lTdKGwpizjdRVdjezCFvw9b28vXUG3ao3tGbK:Iqe0/FdjezChlbK

Score

9^/10

persistence

Malware Config

Signatures

Deletes system logs 1 TTPs 64 IoCs

Indicator Removal on Host

T1070

description	ioc
/var/log/installer/cdebconf/RECOVER-nnvjxgy-FILES.txt	/var/log/installer/cdebconf/RECOVER-nnvjxgy-FILES.txt
/var/log/journal/40aaf6fa720047dbb97c78c09debbef3/RECOVER-nnvjxgy-FILES.txt	/var/log/journal/40aaf6fa720047dbb97c78c09debbef3/RECOVER-nnvjxgy-FILES.txt
/var/log/alternatives.log	/var/log/alternatives.log
/var/log/dist-upgrade	/var/log/dist-upgrade
/var/log/installer	/var/log/installer
/var/log/installer/checkpoints-hardware-summary.nnvjxgy	/var/log/installer/checkpoints-hardware-summary.nnvjxgy
/var/log/checkpoints-faillog.nnvjxgy	/var/log/checkpoints-faillog.nnvjxgy
/var/log/tallylog.nnvjxgy	/var/log/tallylog.nnvjxgy
/var/log/installer/initial-status.gz	/var/log/installer/initial-status.gz
/var/log/apt/eipp.log.xz.nnvjxgy	/var/log/apt/eipp.log.xz.nnvjxgy
/var/log/kern.log	/var/log/kern.log
/var/log/checkpoints-kern.log.nnvjxgy	/var/log/checkpoints-kern.log.nnvjxgy
/var/log/btmp	/var/log/btmp
/var/log/faillog.nnvjxgy	/var/log/faillog.nnvjxgy
/var/log/journal/40aaf6fa720047dbb97c78c09debbef3	/var/log/journal/40aaf6fa720047dbb97c78c09debbef3
/var/log/installer/cdebconf/questions.dat	/var/log/installer/cdebconf/questions.dat
/var/log/installer/cdebconf/questions.dat.nnvjxgy	/var/log/installer/cdebconf/questions.dat.nnvjxgy
/var/log/lastlog	/var/log/lastlog
/var/log/apt	/var/log/apt
/var/log/apt/term.log	/var/log/apt/term.log
/var/log/apt/checkpoints-history.log.nnvjxgy	/var/log/apt/checkpoints-history.log.nnvjxgy
/var/log/installer/initial-status.gz.nnvjxgy	/var/log/installer/initial-status.gz.nnvjxgy
/var/log/installer/checkpoints-initial-status.gz.nnvjxgy	/var/log/installer/checkpoints-initial-status.gz.nnvjxgy
/var/log/journal/40aaf6fa720047dbb97c78c09debbef3/system.journal	/var/log/journal/40aaf6fa720047dbb97c78c09debbef3/system.journal
/var/log/alternatives.log.nnvjxgy	/var/log/alternatives.log.nnvjxgy
/var/log/checkpoints-alternatives.log.nnvjxgy	/var/log/checkpoints-alternatives.log.nnvjxgy
/var/log/installer/lsb-release	/var/log/installer/lsb-release
/var/log/installer/checkpoints-lsb-release.nnvjxgy	/var/log/installer/checkpoints-lsb-release.nnvjxgy
/var/log/tallylog	/var/log/tallylog
/var/log/checkpoints-syslog.nnvjxgy	/var/log/checkpoints-syslog.nnvjxgy
/var/log/installer/cdebconf/templates.dat	/var/log/installer/cdebconf/templates.dat
/var/log/installer/cdebconf/checkpoints-templates.dat.nnvjxgy	/var/log/installer/cdebconf/checkpoints-templates.dat.nnvjxgy
/var/log/ubuntu-advantage.log	/var/log/ubuntu-advantage.log
/var/log/installer/cdebconf/checkpoints-questions.dat.nnvjxgy	/var/log/installer/cdebconf/checkpoints-questions.dat.nnvjxgy
/var/log/auth.log	/var/log/auth.log
/var/log/RECOVER-nnvjxgy-FILES.txt	/var/log/RECOVER-nnvjxgy-FILES.txt
/var/log/checkpoints-auth.log.nnvjxgy	/var/log/checkpoints-auth.log.nnvjxgy
/var/log/wtmp	/var/log/wtmp
/var/log/apt/eipp.log.xz	/var/log/apt/eipp.log.xz
/var/log/installer/lsb-release.nnvjxgy	/var/log/installer/lsb-release.nnvjxgy
/var/log/installer/syslog.nnvjxgy	/var/log/installer/syslog.nnvjxgy
/var/log/apt/history.log.nnvjxgy	/var/log/apt/history.log.nnvjxgy
/var/log/installer/RECOVER-nnvjxgy-FILES.txt	/var/log/installer/RECOVER-nnvjxgy-FILES.txt
/var/log/journal/40aaf6fa720047dbb97c78c09debbef3/system.journal.nnvjxgy	/var/log/journal/40aaf6fa720047dbb97c78c09debbef3/system.journal.nnvjxgy
/var/log/checkpoints-lastlog.nnvjxgy	/var/log/checkpoints-lastlog.nnvjxgy
/var/log/installer/hardware-summary	/var/log/installer/hardware-summary
/var/log/apt/checkpoints-eipp.log.xz.nnvjxgy	/var/log/apt/checkpoints-eipp.log.xz.nnvjxgy
/var/log/installer/partman.nnvjxgy	/var/log/installer/partman.nnvjxgy
/var/log/faillog	/var/log/faillog
/var/log/lastlog.nnvjxgy	/var/log/lastlog.nnvjxgy
/var/log/installer/partman	/var/log/installer/partman
/var/log/apt/checkpoints-term.log.nnvjxgy	/var/log/apt/checkpoints-term.log.nnvjxgy
/var/log/checkpoints-wtmp.nnvjxgy	/var/log/checkpoints-wtmp.nnvjxgy
/var/log/dpkg.log	/var/log/dpkg.log
/var/log/apt/term.log.nnvjxgy	/var/log/apt/term.log.nnvjxgy
/var/log/installer/cdebconf	/var/log/installer/cdebconf
/var/log/syslog	/var/log/syslog
/var/log/installer/checkpoints-partman.nnvjxgy	/var/log/installer/checkpoints-partman.nnvjxgy
/var/log/journal/40aaf6fa720047dbb97c78c09debbef3/checkpoints-system.journal.nnvjxgy	/var/log/journal/40aaf6fa720047dbb97c78c09debbef3/checkpoints-system.journal.nnvjxgy
/var/log/auth.log.nnvjxgy	/var/log/auth.log.nnvjxgy
/var/log/kern.log.nnvjxgy	/var/log/kern.log.nnvjxgy
/var/log/dpkg.log.nnvjxgy	/var/log/dpkg.log.nnvjxgy
/var/log/installer/cdebconf/templates.dat.nnvjxgy	/var/log/installer/cdebconf/templates.dat.nnvjxgy
/var/log/journal	/var/log/journal

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task

T1053

description	ioc
/var/spool/cron/crontabs	/var/spool/cron/crontabs

Modifies Bash startup script 1 TTPs 2 IoCs

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
/home/user/.profile	/home/user/.profile
/home/user/.bashrc	/home/user/.bashrc

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1

Reads runtime system information 3 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/self/cgroup	/proc/self/cgroup	3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1
/proc/self/mountinfo	/proc/self/mountinfo	3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1
/proc/self/maps	/proc/self/maps	3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1

/tmp/3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1
/tmp/3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1 --child --access-token 12345 -v
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:581