Analysis
max time kernel: 0s
max time network: 103s
platform: linux_amd64
resource: ubuntu1804-amd64-en-20211208
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-en-20211208, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 25-11-2022 19:35
Static task: static1
Behavioral task: behavioral1
  Sample: 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
  Resource: ubuntu1804-amd64-en-20211208
Behavioral task: behavioral2
  Sample: 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
  Resource: debian9-armhf-en-20211208
Behavioral task: behavioral3
  Sample: 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
  Resource: debian9-mipsbe-en-20211208
Behavioral task: behavioral4
  Sample: 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
  Resource: debian9-mipsel-20221111-en
General
Target: 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
Size: 1KB
MD5: 6acfc27bf16bf39d7cd6618fc2b57137
SHA1: 3a3759c509e8ca578c504f162d2e1ee336193f3c
SHA256: 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
SHA512: 4d4ce060047d41364fd0a7a4c6e615af6657c46347abafe6e93bf8363dfa2648185c229699525397938c77ca4b802893cbffe39b572f534ddb5f7b9402f34bda
Malware Config
Signatures
- Modifies rc script (1 TTPs, 1 IoCs)
  Adding/modifying system rc scripts is a common persistence mechanism.
  Processes (description | ioc | process):
  /etc/rc.local | /etc/rc.local | grep
- Reads CPU attributes (1 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  /sys/devices/system/cpu/online | /sys/devices/system/cpu/online | ps
  /sys/devices/system/cpu/online | /sys/devices/system/cpu/online | ps
- Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem.
  Processes (description | ioc | process):
- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description | ioc | process):
  /tmp/6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e | /tmp/6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e | 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
Processes (path | command line | PID; nested entries are child processes)
- /tmp/6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e | /tmp/6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e | PID 593
  Signatures: Writes file to tmp directory
  - /bin/cp | cp -f /tmp/combinebmp.sh /apps/bzw/bin/kit/ | PID 595
  - /bin/rm | rm -rf /apps/www/htdocs/nm/xDown.sh | PID 610
  - /bin/rm | rm -rf /apps/www/htdocs/nm/xDown_mon.sh | PID 611
  - /bin/mkdir | mkdir -p /apps/www/htdocs/nm | PID 612
    Signatures: Reads runtime system information
  - /bin/cp | cp -f /tmp/xDown.sh /apps/www/htdocs/nm | PID 614
  - /bin/cp | cp -f /tmp/xDown_mon.sh /apps/www/htdocs/nm | PID 616
  - /bin/chmod | chmod +x /apps/www/htdocs/nm/xDown.sh | PID 617
  - /bin/chmod | chmod +x /apps/www/htdocs/nm/xDown_mon.sh | PID 618
  - /bin/grep | grep -c /apps/www/htdocs/nm/xDown_mon.sh /etc/rc.local | PID 619
    Signatures: Modifies rc script
  - /apps/www/htdocs/nm/xDown_mon.sh | /apps/www/htdocs/nm/xDown_mon.sh | PID 620
- /bin/ps | ps aux | PID 597
  Signatures: Reads CPU attributes, Reads runtime system information
- /bin/grep | grep xDown_mon.sh | PID 598
- /bin/grep | grep -v grep | PID 599
- /usr/bin/awk | awk "{print \$2}" | PID 600
- /bin/ps | ps aux | PID 602
  Signatures: Reads CPU attributes, Reads runtime system information
- /bin/grep | grep xDown.sh | PID 603
- /bin/grep | grep -v grep | PID 604
- /usr/bin/awk | awk "{print \$2}" | PID 605