f8cc042317dc129ac5ea4b675139c9d3abf3f4670903b17fe6c5c65b82f1c506

General

Target

f8cc042317dc129ac5ea4b675139c9d3abf3f4670903b17fe6c5c65b82f1c506
Size

603B
MD5

cd00bcf841a3eede649d5a1797a03f5c
SHA1

c35f0a6d69f6bfaa044260ed939eef4a93ff7374
SHA256

f8cc042317dc129ac5ea4b675139c9d3abf3f4670903b17fe6c5c65b82f1c506
SHA512

2a66497bfd183b004f023b46587d930da375147ff5cc6edad3ce26c2584204798d10fa5edc25c0b246978a795c84c8998b0f50ec01d89f8682b400ae7e371706

Score

5^/10

persistence

Malware Config

Signatures

Creates .desktop file 1 TTPs 1 IoCs
Linux desktops like GNOME require .desktop files to register applications. Sometimes abused by malware for persistence.
persistence

User Execution
T1204

Processes:

rm

description ioc process

/sys/dev/block/8:1/vim.desktop /sys/dev/block/8:1/vim.desktop rm

description	ioc	process
/sys/dev/block/8:1/vim.desktop	/sys/dev/block/8:1/vim.desktop	rm

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

rm

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

Processes:

mkdirmkfs.ext2mountfdisk

description	ioc	process
/proc/filesystems	/proc/filesystems	mkdir
/proc/swaps	/proc/swaps	mkfs.ext2
/proc/mounts	/proc/mounts	mkfs.ext2
/proc/filesystems	/proc/filesystems	mount
/proc/partitions	/proc/partitions	fdisk

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

f8cc042317dc129ac5ea4b675139c9d3abf3f4670903b17fe6c5c65b82f1c506

description	ioc	process
/tmp/f8cc042317dc129ac5ea4b675139c9d3abf3f4670903b17fe6c5c65b82f1c506	/tmp/f8cc042317dc129ac5ea4b675139c9d3abf3f4670903b17fe6c5c65b82f1c506	f8cc042317dc129ac5ea4b675139c9d3abf3f4670903b17fe6c5c65b82f1c506

/tmp/f8cc042317dc129ac5ea4b675139c9d3abf3f4670903b17fe6c5c65b82f1c506
/tmp/f8cc042317dc129ac5ea4b675139c9d3abf3f4670903b17fe6c5c65b82f1c506
1⤵
- Writes file to tmp directory
PID:394

/sbin/fdisk
fdisk /dev/sda
2⤵
PID:404

/bin/rm
rm -rf hd
2⤵
PID:406

/sbin/mkfs.ext2
mkfs.ext2 /dev/sda1
2⤵
- Reads runtime system information
PID:405

/bin/mkdir
mkdir hd
2⤵
- Reads runtime system information
PID:407

/bin/mount
mount /dev/sda1 hd
2⤵
- Reads runtime system information
PID:408

/bin/rm
rm -rf hd/bin hd/boot hd/dev hd/etc hd/home hd/initrd.img hd/initrd.img.old hd/lib hd/lost+found hd/media hd/mnt hd/opt hd/proc hd/root hd/run hd/sbin hd/srv hd/sys hd/tmp hd/usr hd/var hd/vmlinux hd/vmlinux.old
2⤵
- Creates .desktop file
- Enumerates kernel/hardware configuration
PID:411

/sbin/fdisk
fdisk -l
1⤵
- Reads runtime system information
PID:396

/bin/grep
grep -m 1 Disk
1⤵
PID:397

/usr/bin/awk
awk -F: "{print \$1}"
1⤵
PID:399

/usr/bin/awk
awk "{print \$2}"
1⤵
PID:398

MITRE ATT&CK Enterprise v6

Initial Access

Execution

User Execution

1

T1204

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

description	ioc	process
/sys/dev/block/8:1/start/wae_CH	/sys/dev/block/8:1/start/wae_CH	rm
/sys/dev/block/8:1/start/semctl.2.gz	/sys/dev/block/8:1/start/semctl.2.gz	rm
/sys/dev/block/8:1/start/getcontext.2.gz	/sys/dev/block/8:1/start/getcontext.2.gz	rm
/sys/dev/block/8:1/start/rt_sigprocmask.2.gz	/sys/dev/block/8:1/start/rt_sigprocmask.2.gz	rm
/sys/dev/block/8:1/start/ftok.3.gz	/sys/dev/block/8:1/start/ftok.3.gz	rm
/sys/dev/block/8:1/from.1.gz	/sys/dev/block/8:1/from.1.gz	rm
/sys/dev/block/8:1/start/ntconsole-w	/sys/dev/block/8:1/start/ntconsole-w	rm
/sys/dev/block/8:1/start/dku7102	/sys/dev/block/8:1/start/dku7102	rm
/sys/dev/block/8:1/start/systemd-tty-ask-password-agent.1.gz	/sys/dev/block/8:1/start/systemd-tty-ask-password-agent.1.gz	rm
/sys/dev/block/8:1/start/link.2.gz	/sys/dev/block/8:1/start/link.2.gz	rm
/sys/dev/block/8:1/start/linux-version.1.gz	/sys/dev/block/8:1/start/linux-version.1.gz	rm
/sys/dev/block/8:1/start/rtnetlink.7.gz	/sys/dev/block/8:1/start/rtnetlink.7.gz	rm
/sys/dev/block/8:1/start/libffi.so.6.0.4	/sys/dev/block/8:1/start/libffi.so.6.0.4	rm
/sys/dev/block/8:1/compat.h	/sys/dev/block/8:1/compat.h	rm
/sys/dev/block/8:1/start/sony-btf-mpx.ko	/sys/dev/block/8:1/start/sony-btf-mpx.ko	rm
/sys/dev/block/8:1/start/lsb-base	/sys/dev/block/8:1/start/lsb-base	rm
/sys/dev/block/8:1/start/gd_GB	/sys/dev/block/8:1/start/gd_GB	rm
/sys/dev/block/8:1/start/DIN_66003.gz	/sys/dev/block/8:1/start/DIN_66003.gz	rm
/sys/dev/block/8:1/irda	/sys/dev/block/8:1/irda	rm
/sys/dev/block/8:1/start/i400	/sys/dev/block/8:1/start/i400	rm
/sys/dev/block/8:1/start/putty+fnkeys+xterm	/sys/dev/block/8:1/start/putty+fnkeys+xterm	rm
/sys/dev/block/8:1/start/50dictionaries-common.el	/sys/dev/block/8:1/start/50dictionaries-common.el	rm
/sys/dev/block/8:1/start/mono-emx	/sys/dev/block/8:1/start/mono-emx	rm
/sys/dev/block/8:1/update-default-aspell	/sys/dev/block/8:1/update-default-aspell	rm
/sys/dev/block/8:1/start/systemd-journald.service.8.gz	/sys/dev/block/8:1/start/systemd-journald.service.8.gz	rm
/sys/dev/ODBM_File.so	/sys/dev/ODBM_File.so	rm
/sys/dev/block/8:1/start/system-update.target	/sys/dev/block/8:1/start/system-update.target	rm
/sys/dev/block/8:1/start/att5620-24	/sys/dev/block/8:1/start/att5620-24	rm
/sys/dev/block/8:1/start/wcwidth.3.gz	/sys/dev/block/8:1/start/wcwidth.3.gz	rm
/sys/dev/block/8:1/start/tdestroy.3.gz	/sys/dev/block/8:1/start/tdestroy.3.gz	rm
/sys/dev/block/8:1/start/tc-flow.8.gz	/sys/dev/block/8:1/start/tc-flow.8.gz	rm
/sys/dev/block/8:1/start/wyse50-w	/sys/dev/block/8:1/start/wyse50-w	rm
/sys/dev/block/8:1/start/debian-startup.el	/sys/dev/block/8:1/start/debian-startup.el	rm
/sys/dev/block/8:1/start/Marigot	/sys/dev/block/8:1/start/Marigot	rm
/sys/dev/block/8:1/start/perl5.24-mipsel-linux-gnu.1.gz	/sys/dev/block/8:1/start/perl5.24-mipsel-linux-gnu.1.gz	rm
/sys/dev/block/8:1/cdrom.ko	/sys/dev/block/8:1/cdrom.ko	rm
/sys/dev/block/8:1/start/stv090x.ko	/sys/dev/block/8:1/start/stv090x.ko	rm
/sys/dev/block/8:1/InPC.pl	/sys/dev/block/8:1/InPC.pl	rm
/sys/dev/block/8:1/start/wy160-25	/sys/dev/block/8:1/start/wy160-25	rm
/sys/dev/block/8:1/start/ln03-w	/sys/dev/block/8:1/start/ln03-w	rm
/sys/dev/block/8:1/start/swtp	/sys/dev/block/8:1/start/swtp	rm
/sys/dev/block/8:1/start/tek4112	/sys/dev/block/8:1/start/tek4112	rm
/sys/dev/block/8:1/CalcEmu.pm	/sys/dev/block/8:1/CalcEmu.pm	rm
/sys/dev/block/8:1/uio_cif.ko	/sys/dev/block/8:1/uio_cif.ko	rm
/sys/dev/block/8:1/start/stb6000.ko	/sys/dev/block/8:1/start/stb6000.ko	rm
/sys/dev/block/8:1/systemd-binfmt	/sys/dev/block/8:1/systemd-binfmt	rm
/sys/dev/block/8:1/NZ	/sys/dev/block/8:1/NZ	rm
/sys/dev/block/8:1/start/pam-auth-update.8.gz	/sys/dev/block/8:1/start/pam-auth-update.8.gz	rm
/sys/dev/block/8:1/start/jrand48_r.3.gz	/sys/dev/block/8:1/start/jrand48_r.3.gz	rm
/sys/dev/block/8:1/Lc.pl	/sys/dev/block/8:1/Lc.pl	rm
/sys/dev/block/8:1/start/Honolulu	/sys/dev/block/8:1/start/Honolulu	rm
/sys/dev/block/8:1/start/svc_unregister.3.gz	/sys/dev/block/8:1/start/svc_unregister.3.gz	rm
/sys/dev/block/8:1/start/ncr260wy350wpp	/sys/dev/block/8:1/start/ncr260wy350wpp	rm
/sys/dev/block/8:1/start/Baku	/sys/dev/block/8:1/start/Baku	rm
/sys/dev/block/8:1/start/Dakar	/sys/dev/block/8:1/start/Dakar	rm
/sys/dev/block/8:1/snd-mia.ko	/sys/dev/block/8:1/snd-mia.ko	rm
/sys/dev/block/8:1/start/ansi77	/sys/dev/block/8:1/start/ansi77	rm
/sys/dev/block/8:1/start/ansi-generic	/sys/dev/block/8:1/start/ansi-generic	rm
/sys/dev/block/8:1/start/ynf.3.gz	/sys/dev/block/8:1/start/ynf.3.gz	rm
/sys/dev/block/8:1/linkage.h	/sys/dev/block/8:1/linkage.h	rm
/sys/dev/block/8:1/libkmod.so.2.3.1	/sys/dev/block/8:1/libkmod.so.2.3.1	rm
/sys/dev/block/8:1/start/klone+sgr	/sys/dev/block/8:1/start/klone+sgr	rm
/sys/dev/block/8:1/start/pty	/sys/dev/block/8:1/start/pty	rm
/sys/dev/block/8:1/start/darwin-160x64-m	/sys/dev/block/8:1/start/darwin-160x64-m	rm

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads