9c1351bae87c1f75288de001873f226a329c0313e6d83cbfef808b0df63af725

Analysis

max time kernel
0s
max time network
160s
platform
debian-9_mips
resource
debian9-mipsbe-20221111-en
resource tags

arch:mipsimage:debian9-mipsbe-20221111-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
05/12/2022, 19:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9c1351bae87c1f75288de001873f226a329c0313e6d83cbfef808b0df63af725
Size

16KB
MD5

48019bb7a5b4dd576b5cb1fc7c7eb496
SHA1

982bb370ec883777d8c1f367257ac02cbaa1256c
SHA256

9c1351bae87c1f75288de001873f226a329c0313e6d83cbfef808b0df63af725
SHA512

c5e0f69739a976292e3254fda02c63e05e0b13248ed34ab97b0514c15a34f006e57cf6ccc478f322ba676aff47521357950d11709af8c3b159ddec799ee39f52
SSDEEP

384:F6s55XnJTbdu5DZqOG0ttYHrf5bUD7GIVVM1UnsCK6:F6s5ZnJTw66a0NVG16sj6

Score

6^/10

Malware Config

Signatures

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/5/status	/proc/5/status	ps
/proc/5/cmdline	/proc/5/cmdline	ps
/proc/16/cmdline	/proc/16/cmdline	ps
/proc/116/stat	/proc/116/stat	ps
/proc/296/stat	/proc/296/stat	ps
/proc/filesystems	/proc/filesystems	ps
/proc/8/status	/proc/8/status	ps
/proc/21/stat	/proc/21/stat	ps
/proc/37/status	/proc/37/status	ps
/proc/37/cmdline	/proc/37/cmdline	ps
/proc/72/status	/proc/72/status	ps
/proc/74/cmdline	/proc/74/cmdline	ps
/proc/300/status	/proc/300/status	ps
/proc/308/cmdline	/proc/308/cmdline	ps
/proc/332/cmdline	/proc/332/cmdline	ps
/proc/342/cmdline	/proc/342/cmdline	ps
/proc/300/stat	/proc/300/stat	ps
/proc/1/stat	/proc/1/stat	ps
/proc/2/cmdline	/proc/2/cmdline	ps
/proc/3/cmdline	/proc/3/cmdline	ps
/proc/4/status	/proc/4/status	ps
/proc/74/status	/proc/74/status	ps
/proc/81/stat	/proc/81/stat	ps
/proc/116/status	/proc/116/status	ps
/proc/290/stat	/proc/290/stat	ps
/proc/12/status	/proc/12/status	ps
/proc/13/cmdline	/proc/13/cmdline	ps
/proc/15/cmdline	/proc/15/cmdline	ps
/proc/19/stat	/proc/19/stat	ps
/proc/77/cmdline	/proc/77/cmdline	ps
/proc/229/stat	/proc/229/stat	ps
/proc/265/stat	/proc/265/stat	ps
/proc/296/status	/proc/296/status	ps
/proc/340/cmdline	/proc/340/cmdline	ps
/proc/uptime	/proc/uptime	ps
/proc/1/cmdline	/proc/1/cmdline	ps
/proc/2/stat	/proc/2/stat	ps
/proc/76/cmdline	/proc/76/cmdline	ps
/proc/341/cmdline	/proc/341/cmdline	ps
/proc/5/stat	/proc/5/stat	ps
/proc/23/status	/proc/23/status	ps
/proc/36/status	/proc/36/status	ps
/proc/69/status	/proc/69/status	ps
/proc/144/cmdline	/proc/144/cmdline	ps
/proc/342/status	/proc/342/status	ps
/proc/meminfo	/proc/meminfo	ps
/proc/4/cmdline	/proc/4/cmdline	ps
/proc/10/stat	/proc/10/stat	ps
/proc/14/cmdline	/proc/14/cmdline	ps
/proc/218/stat	/proc/218/stat	ps
/proc/247/cmdline	/proc/247/cmdline	ps
/proc/332/status	/proc/332/status	ps
/proc/3/status	/proc/3/status	ps
/proc/36/stat	/proc/36/stat	ps
/proc/342/stat	/proc/342/stat	ps
/proc/73/cmdline	/proc/73/cmdline	ps
/proc/6/cmdline	/proc/6/cmdline	ps
/proc/8/cmdline	/proc/8/cmdline	ps
/proc/16/status	/proc/16/status	ps
/proc/19/cmdline	/proc/19/cmdline	ps
/proc/20/cmdline	/proc/20/cmdline	ps
/proc/21/cmdline	/proc/21/cmdline	ps
/proc/24/stat	/proc/24/stat	ps
/proc/74/stat	/proc/74/stat	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/9c1351bae87c1f75288de001873f226a329c0313e6d83cbfef808b0df63af725	/tmp/9c1351bae87c1f75288de001873f226a329c0313e6d83cbfef808b0df63af725	9c1351bae87c1f75288de001873f226a329c0313e6d83cbfef808b0df63af725

/tmp/9c1351bae87c1f75288de001873f226a329c0313e6d83cbfef808b0df63af725
/tmp/9c1351bae87c1f75288de001873f226a329c0313e6d83cbfef808b0df63af725
1⤵
- Writes file to tmp directory
PID:334
- /bin/sh
  sh -c "kill -9 `ps ax |grep /usr/sbin/apache/logs |grep -v grep|awk '{print ;}'`"
  2⤵
  PID:339
- /usr/local/sbin/uname
  uname -sr
  2⤵
  PID:345
- /usr/local/bin/uname
  uname -sr
  2⤵
  PID:345
- /usr/sbin/uname
  uname -sr
  2⤵
  PID:345
- /usr/bin/uname
  uname -sr
  2⤵
  PID:345
- /sbin/uname
  uname -sr
  2⤵
  PID:345
- /bin/uname
  uname -sr
  2⤵
  PID:345

/bin/ps
ps ax
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:341

/bin/grep
grep -v grep
1⤵
PID:343

/bin/grep
grep /usr/sbin/apache/logs
1⤵
PID:342

/usr/bin/awk
awk "{print ;}"
1⤵
PID:344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads