Analysis

  • max time kernel
    0s
  • max time network
    102s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • resource tags

    arch:amd64
    arch:i386
    image:ubuntu1804-amd64-en-20211208
    kernel:4.15.0-161-generic
    locale:en-us
    os:ubuntu-18.04-amd64
    system
  • submitted
    25-11-2022 22:48

General

  • Target

    f8cc042317dc129ac5ea4b675139c9d3abf3f4670903b17fe6c5c65b82f1c506

  • Size

    603B

  • MD5

    cd00bcf841a3eede649d5a1797a03f5c

  • SHA1

    c35f0a6d69f6bfaa044260ed939eef4a93ff7374

  • SHA256

    f8cc042317dc129ac5ea4b675139c9d3abf3f4670903b17fe6c5c65b82f1c506

  • SHA512

    2a66497bfd183b004f023b46587d930da375147ff5cc6edad3ce26c2584204798d10fa5edc25c0b246978a795c84c8998b0f50ec01d89f8682b400ae7e371706

Score
5/10

Malware Config

Signatures

  • Creates .desktop file (1 TTPs, 3 IoCs)

    Linux desktops like GNOME require .desktop files to register applications. Sometimes abused by malware for persistence.

  • Enumerates kernel/hardware configuration (1 TTPs, 22 IoCs)

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information (5 IoCs)

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory (1 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/f8cc042317dc129ac5ea4b675139c9d3abf3f4670903b17fe6c5c65b82f1c506
    /tmp/f8cc042317dc129ac5ea4b675139c9d3abf3f4670903b17fe6c5c65b82f1c506
    1⤵
    • Writes file to tmp directory
    PID:571
    • /sbin/fdisk
      fdisk /dev/vda
      2⤵
      • Enumerates kernel/hardware configuration
      PID:582
    • /sbin/mkfs.ext2
      mkfs.ext2 /dev/vda1
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:583
    • /bin/rm
      rm -rf hd
      2⤵
      PID:584
    • /bin/mkdir
      mkdir hd
      2⤵
      • Reads runtime system information
      PID:586
    • /bin/mount
      mount /dev/vda1 hd
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:587
    • /bin/rm
      rm -rf hd/bin hd/boot hd/dev hd/etc hd/home hd/initrd.img hd/initrd.img.old hd/lib hd/lib64 hd/lost+found hd/media hd/mnt hd/opt hd/proc hd/root hd/run hd/sbin hd/srv hd/swapfile hd/sys hd/tmp hd/usr hd/var hd/vmlinuz hd/vmlinuz.old
      2⤵
      • Creates .desktop file
      PID:588
    • /bin/mkdir
      mkdir hd/boot hd/boot/grub
      2⤵
      PID:589
  • /sbin/fdisk
    fdisk -l
    1⤵
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:573
  • /bin/grep
    grep -m 1 Disk
    1⤵
    PID:574
  • /usr/bin/awk
    awk "{print \$2}"
    1⤵
    PID:575
  • /usr/bin/awk
    awk -F: "{print \$1}"
    1⤵
    PID:576

Network

MITRE ATT&CK Enterprise v6